Strategic Research and Insight Ltd (SRI) Data Protection and Security Policy

Introduction

Strategic Research and Insight Ltd has full confidentiality procedures which are rigorously enforced. The company is registered under the Data Protection Act (ref. Z7890875) and, in complying with the requirements laid down in the Act and other Data Protection Law, will ensure that data collected is not processed in such a way as to cause damage or distress to any data subject.

‘Data Protection Law’ includes the General Data Protection Regulation 2016/679; the UK Data Protection Act 2018 and all relevant EU and UK data protection legislation.

SRI also works to the data security codes of conduct as detailed in the Market Research Society Code of Conduct.

The Project Manager/Project Director of any given project remains responsible for ensuring that material is held in a secure and confidential manner.

SRI offices are secure. There is access control to the building limited to relevant members of staff, as recorded on the keyholder log.

Data will be kept securely in locked cupboards/drawers and locked offices. Electronic data will be kept in encrypted password protected folders with access restricted to relevant key staff.

Our IT design and support is outsourced to Certus IT, a Microsoft Certified Partner. We have remote real-time monitoring of system performance and security, with additional telephone and on-site service as required.

The server and all PCs have firewall and anti-virus software.

There is secure individual log-in on all PCs.

There is daily and weekly backup of all computer files, on and off site, as part of our overall Back-up and Disaster Recovery (BUDR) system. On-site backup tapes are kept in a fireproof safe.

We have next day server replacement for a disaster recovery situation and should a complete server failure occur, our BUDR system and plan allows us to be back up and running again (even in a remote location if needed, for example in the case of fire or flood at our offices) within 2 working days.

All data gathered during the course of a contract will normally be vested in the Client and will only be used for the purpose as required by a study and not passed on to any other party. After the end of projects, hard copy material is generally held in project specific storage for a set period (usually 5 years) after which it is passed to an approved subcontractor for secure and formal destruction. All electronic database and survey files are kept as long as is deemed necessary for completion of the project and to allow for any post-survey queries to be resolved. This will typically be for a period of one year but this can be varied according to Client requirements.

Any data provided by the Client shall only be used for the purpose required by a study: neither the data nor any information extracted from it will be passed to any other party.

We are familiar with the Code of Practice on Public Access of Information and would be pleased to support the Client in meeting their responsibilities under the Freedom of Information Act 2000.

Specific details in relation to data purchased to conduct research

As of 31/01/2020 the relevant person with responsibility for data under the GDPR within our organisation is:

Data Controller: Suzanne Pritchard, Director, suzanne@strategic-research.co.uk

What is Personal Data?

For the purposes of the GDPR Data is identified under two categories:

Personal data is a term used to describe the data relating to an individual held by Strategic Research and Insight from which they are identified or can be identified in conjunction with other information that is in, or is likely to come into, the possession of Strategic Research and Insight. Examples of personal data include forename, surname and online identifiers, e.g. email address.

Special Categories of Personal Data is a term used to describe personal data of a sensitive nature, such as data relating to a person’s racial or ethnic origin, political opinions or religious or other philosophical beliefs, physical or mental health, sexual life, criminal convictions, genetic or biometric data, the alleged commission of an offence and/or trade union membership.

What are the legal bases for processing Data?

We may collect personal data either from individuals directly or from a third party supplier.

Controlling and processing data requires one of six recognised legal bases under the GDPR. The six bases are as follows:

(1) Consent: the individual has given clear consent to process their personal data for a specific purpose.

(2) Contract: the processing is necessary for a contract we have with the individual, or because the individual has asked us to take specific steps before entering into a contract.

(3) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(4) Vital interests: the processing is necessary to protect someone’s life.

(5) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(6) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate Interest is determined by a three-part test as follows:

Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

Rights of Individuals

The GDPR provides the following rights for individuals:

More detail on these rights can be found here – https://ico.org.uk/your-data-matters/

In addition a Data Subject has the right to make a complaint to the Information Commissioner’s Office online, by phone or in writing at the following:

https://ico.org.uk/concerns/

Tel: 0303 123 1113

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

The following identifies the types of data purchased for research purposes that we collect, control and process; and the legal basis we rely upon for doing so:

Type of information collected: Data Subject’s name, address, telephone number and email address.

Purpose: Market Research

Legal basis for processing: Legitimate interest. The Data Subject may object at any time and will be informed accordingly.

Data Retention and Minimisation Policy

Strategic Research and Insight will not retain personal data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means.

Strategic Research and Insight applies a data minimisation policy in relation to personal data. This means that we will only collect and process personal data that is adequate, relevant and necessary to achieve our commitments in relation to the purposes stated above and will not process data that is not required or excessive to those purposes.

Data Security

Strategic Research and Insight will protect the data we collect in the following ways:

The Data Subject’s data will not be transferred outside the European Economic Area (EEA) without the explicit consent of the Data Subject;

We follow strict security procedures in the storage and disclosure of personal data, and to protect it against accidental loss, destruction or damage. Strategic Research and Insight protects the confidentiality and integrity of personal data by having appropriate security measures in place including cyber security, securing IT systems and maintaining a high level of confidentiality.

Any breach of data which may pose a serious risk will be notified to the Data Subject without delay.

Sharing of Personal Data

Personal data will only be provided to third parties on the strict understanding that it is to be used only for the purposes as set out above, or in accordance with law, and that the data is not to be used for any other purpose and that for the duration of their access to such personal data they shall ensure that adequate security measures are in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of personal data.

Strategic Research and Insight will not sell, pass on, or contract with third parties in respect of, the Data Subject’s data without prior written (withdrawable) consent, other than where required to by law or as otherwise provided for in the table above.

Anthony Lydall, Director, Strategic Research and Insight Ltd

January 2020