Non-traceable one way hash encryption

Im working on a project and am stumped.  My question is: 1) is my solution (below) the best way to go about this?  2) If so, how to restore the linking in the case of lost passwords (see below)?  Thanks!

The project is a secure internal (employee) survey application:  
-      The User will login, answer the questions of the survey and save.  
     o      User will not be able to submit multiple surveys per year.
-      The Manager will be able to run a report which can report:
     o      On a survey basis, showing the Q & As for an individual survey.
     o      On a group of surveys (their subordinates), showing average scores, etc.
     o      On a users surveys over a period of years to determine trends in that users answers.
-      It will not be possible for anyone (including the original app developer) at any point to determine who exactly submitted any given survey.
-      Logon ID for users will be through System Logon ID and are widely known.

The crux of issue is that the system must be able to link surveys over the years to surveys submitted by the same user (for the third report), but may not have a traceable link between a survey and a specific user.

 My first thought was to have the user provide a password.  Use a one-way hash algorithm to encrypt it and store it in the user table (for user authentication).  Then, use a different, distinct one-way hash algorithm to seperately encrypt it and store that with the survey.  Thus, surveys by the same user will have the same p/w hash value yet that value will not have a traceable link to the saved p/whash value in the user table.

The obvious problem with that solution is lost passwords.  If the user forgets their p/w and needs to reset, their new surveys will have a different p/w hash value and the link b/w the new surveys and the surveys of past years will be lost.  Since the users password isnt stored in any retrievable way, I cant figure out how that linkage could be restored.

Thanks in advance for your help!