No Image Available

googletag.cmd.push(function() { googletag.display(‘div-gpt-ad-1705321608055-0’); });

GDPR and Kirkpatrick Levels of Evaluation 3 & 4


Hi there, I was wondering if someone could help me. We run voluntary return-to-work (after training) Kirkpatrick evaluations 3-4 in our organization. We distribute a link to an e-feedback form, but the data collected is anonymous. No email addresses, no person-identifying information, no location identifying information is collected. In other words, it is impossible to definitively connect a single piece of feedback to a natural person. The most that can be generically assumed is someone, at some point, who participated in the training, gave a feedback. The names of the training participants are kept separately from the feedback form. The question therefore - to what extent do anonymous, voluntary Training feedback evaluations on work performance (Kirkpatrick level 3-4) fall under GDPR? I did a GDPR audit, and cannot find a single question in the questionnaire that is personal data, since no person is ever referenced. Yet, I cannot believe it is that simple, and I am starting to second guess myself. Anyone have any tips on this? How have you handled training evaluation? With or without person-identifying information? Many thanks in advance.

4 Responses

  1. Great question first of all
    Great question first of all but I am a little confused. Level 3 and 4 are behaviour and results and should be answered by the organisation based on actual improvements in performance or achieving results so you would normally be collecting personal data, for example, improvements in performance and increased customer satisfaction but I don’t know what the equivalent would be in your situation. I can’t see how you can collate level 3 and 4 evaluation without linking it to an individual.
    Are you sure you aren’t talking about level 1 and 2 which is reaction and learning?

  2. Maybe I should explain –
    Maybe I should explain – behaviour at level 3 could be in 2 parts – self-reported and observed by others (often managers). We collect data anonymously as self-reported, bypassing the time, expense (and works council complications) of observing

    Our Level 3 Is self-reported change in behaviour (anonymous questionnaire) months after training for most topics. Plus, in case of train the trainer, self-reported improvements in trainer’s own class feedback forms. Anonymous. Voluntary.

    Level 3-4 component is aggregated number of trouble tickets raised on topic xyz after training etc… From that we get to person hours, anonymous data quality samples etc…

    1. right, don’t think I fully
      right, don’t think I fully get the context but no matter. If the q’s are anonymous but they e-mail them back to you, can’t you identify who sent them that way? In addition, what do you actually do with the information they supply and do you share it with any other agencies or third parties.? Also, what do you do with the e-mails, how long do you hold onto the forms, how long do you store them?
      You may still have to let these people know specifically what you use them for, if you can identify who they are by their e-mail addresses you need to address that too.

  3. sorry mis-read your post, I
    sorry mis-read your post, I know you don’t e-mail them out but presumably if you e-mail out the link, someone could still identify the IP address of responders, if they wanted to. You may need to seek some further advice, try these ……..
    Hope that helps.

No Image Available

Get the latest from TrainingZone.

Elevate your L&D expertise by subscribing to TrainingZone’s newsletter! Get curated insights, premium reports, and event updates from industry leaders.


Thank you!