Research Consulting (also referred to as “we” or “us”) is serious about protecting your privacy and maintaining the security of any personal information collected or received from you. When you submit information to us, this is kept confidential and used to support our activities as required (including but not limited to the delivery of client projects, recruitment of staff and associates, business development and marketing, and human resource management). The General Data Protection Regulation (GDPR) and, in the UK context, the Data Protection Act (DPA) 2018 allow us to process your data (i) when it is necessary for the performance of a contract to which you are party; (ii) in order to take steps at your request prior to entering into a contract; (iii) to carry out research after you have signed a consent form; (iv) to carry out any activity at your explicit request (e.g. you may email us to ask to be kept up to date with the outcomes of a project). The GDPR applies directly to EU member states, while the UK DPA 2018 deals with the application of the GDPR to the UK context and its transposition into UK law. For the purposes of our policy and considering the types of processing carried out by Research Consulting, the GDPR and the UK DPA 2018 have the same implications. It should be noted that the UK DPA 2018 covers the role of the Information Commissioner’s Office (ICO) with respect to the collection, management and processing of personal data, including its duties, functions, powers and enforcement provisions. When we process personal data, the conditions outlined below apply.
This Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Research Consulting. We are committed to processing data lawfully, fairly and transparently, to retaining data only for as long as it is necessary, and to protecting it from unauthorised use.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
1. With respect to projects, Research Consulting only collects personal data necessary to provide consulting services to clients, stores personal data only in so far as required to provide its services to clients, and seeks to obtain informed consent from the data subjects prior to collecting personal information.
2. With respect to our other activities, such as recruitment, business development, marketing and human resource management, we collect personal data necessary to conduct and grow our business and to fulfil our legal obligations. All personal information we gather for activities other than projects is held only after seeking consent (verbal or written, based on the situation) from the data owner. Note that we do not need consent to process data when we are fulfilling a legal obligation.
3. Research Consulting is committed to honesty and transparency: we will endeavour to communicate what personal information we collect and how this will be used in a simple manner.
4. When Research Consulting projects involve interviews or surveys, they adhere to the MRS Code of Conduct. For the purposes of the GDPR, Research Consulting is a data controller and processor. We are registered as a data controller with the Information Commissioner’s Office (ICO): our registration number is ZA000054 and you can check our entry details on the ICO’s website: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/.
Business activities where we collect personal data
5. Research Consulting may collect personal data when undertaking a number of activities related to the provision of its services.
- All surveys created and/or managed by Research Consulting (either for internal use or on behalf of our clients) will be identifiable by our company name and contact details in the survey’s first page.
- Our surveys will clearly explain the purpose of the research and how the information will be used (e.g., for the preparation of a report, infographics, etc.).
- Surveys created and/or managed by Research Consulting never require you to enter your personal details (e.g. your name or email address). You may have the option to enter these voluntarily in some cases, e.g. if you are happy for us to contact you with follow-up questions or research or if you would like to enter a prize draw advertised in the survey (where available). In all cases where you do not voluntarily provide your personal data, we will only have access to the IP address of the computer you used to complete the survey.
- Research Consulting carries out interviews in person and by telephone, email, or videoconferencing software (e.g., GoToMeeting, Skype). In all such cases, we ask interview participants to identify themselves, state the purpose of the interaction, and give any pertinent details of how the interview will be conducted (i.e., whether it will be recorded and/or notes will be taken). Interviewees have the option of remaining anonymous in the interview. In such cases, any personal data in the transcript will be removed before interview data is shared with our client, and recordings will not be shared.
- Prior to undertaking interviews, we are committed to sending information on the research being conducted, a list of questions (and/or an agenda, whenever relevant), and the specific terms and conditions for the interaction.
- Where interviews are recorded, we will delete any recordings within 24 months of the end of the project they relate to. In some cases, interview recordings might be shared with our clients (if you have provided consent for us to do so). Should this happen, please be aware that we cannot be held liable for the way(s) third parties manage and protect your personal information.
8. Client feedback:
- All client feedback provided will be treated in confidence. Client feedback will only be shared externally in aggregated and anonymised form, except where testimonials are voluntarily provided for marketing purposes.
- All client feedback is securely stored on our project management system (for more information on the software’s security standards, please see this page).
9. Before asking you to share personally identifiable information, we will seek to obtain your consent.
10. In the case of interviews, consent will be sought verbally, and this will be logged in our notes. In surveys, consent will be sought via the questionnaire, and the survey itself will clearly detail why we seek to obtain personally identifiable information, what information we collect and what we will do with the data.
11. You may withdraw your consent or restrict data processing at a later stage by visiting this page.
Unsolicited emails and opt-out
12. We might get in touch with you to ask for participation in a survey. When we do so, we genuinely believe that you could strongly contribute to our research and we would normally contact you following a recommendation from a client.
13. Participation in our surveys is always optional and voluntary. Should you wish to opt out of the research, you are welcome to do so by getting in touch with the contact person named in the first screen of the survey or by following the instructions in the invitation email.
The information we collect
14. When we conduct research, this is always for the benefit of our clients, either directly, or by informing the development of a new product or service. Normally, the information we collect is used to improve services, develop strategies, or produce reports and/or infographics.
15. When participating in our research projects, we will ask for opinions and occasionally personal information. Research participants can refuse to answer any questions or discontinue involvement in a study at any time.
16. Should we wish to quote you verbatim, we will inform you and seek your consent.
17. We may collect and process the following information about respondents:
- Contact details (normally, these include name, email address, telephone number, affiliation, and job title) and information on any services used where relevant.
- The data submitted when expressing opinions, attitudes, experiences, and usage of products or services.
18. Our website does not track you in any way, nor do our email messages (i.e. we do not track whether you click links). We occasionally use GlobiMail, which attaches emails we exchange with you to our Podio project management system. Such emails, however, are simple copies of what you sent us and are used for internal project communications only.
19. If you follow a shortened link (‘shortlink’) in the form ‘links.research-consulting.com/SampleTitle’ we will track the click for statistical purposes, but no other information associated with you (i.e., we will not collect data on who clicked the link, just the fact that the link was followed).
20. Our website uses web analytics (Google Analytics); however, it only collects anonymised statistical data that does not allow the identification of any individual.
How we use the information
21. In the course of our research, we often collate large amounts of qualitative findings (e.g., notes from interviews) and analyse these as part of our research. This is required to develop insights, and, at this stage, qualitative information may be traceable back to the individual(s) who provided it. However, when reporting to our clients, information is anonymised and cannot be traced back to single respondents.
22. Our work also involves the use of quantitative information. When reporting based on quantitative information, we do not identify or single out specific respondents or participants.
23. The findings of our research are typically reported to a third-party organisation (the Client) that commissioned the study. Our Client would normally receive anonymised information, so your privacy is preserved. In the rare cases where we have to share personal information with a Client, note that you have the right to withdraw your consent to data sharing and processing.
24. In some cases, the findings of our research are released publicly. When such findings contain personally identifiable information, we will explicitly seek consent from you before publishing the findings. You have the right to withdraw your consent at any point prior to the findings being made public.
25. We will not share personal information with any third-party organisation, except as outlined in paragraph 26, unless we are obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or we have your consent.
26. Research Consulting often works with associates to conduct research and consultancy projects. When this happens, access to the information we collect may be granted to them for the duration of the project. Should this be the case, our interactions with associates will be regulated by a contract, and they will be considered data processors, who are therefore obliged to comply with the relevant obligations outlined in the GDPR. Associates’ access to project data will be terminated once the project ends.
27. When conducting research on behalf of a client, we will be clear about who has commissioned the research and how we plan to share information with them.
Security of information and data storage
29. All information is handled and managed in compliance with the GDPR.
30. Any information we hold is protected through our secure systems and processes.
31. Information we collect through surveys is generally stored on cloud servers managed by our survey software provider, SurveyGizmo. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. Our survey software provider is responsible for preventing data breaches by maintaining and updating the security of its IT systems.
32. Personally identifiable information collected in the course of our work may also be stored on cloud servers managed by our project management software provider, Podio. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. Our project management software provider is responsible for preventing data breaches by maintaining and updating the security of its IT systems.
33. All information you provide to us is stored on Microsoft OneDrive cloud servers, which are part of the Microsoft Office 365 package. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. The cloud storage provider is responsible for preventing data breaches by maintaining and updating the security of its IT systems.
34. We limit access to the information we collect to our own employees and, whenever relevant, project associates and clients. We request that they follow similar standards of security and confidentiality in their role as data processors (where appropriate).
35. We may retain some information indefinitely for research purposes. However, this information will be fully anonymised so as to prevent identification of the data subjects. For more information on anonymised data see: Regulation (EU) 2016/679, Preamble, paragraph (26).
36. Research Consulting will not keep personal data longer than necessary to fulfil its legal or contractual obligations. This means that, unless otherwise indicated when seeking consent from project participants, we will delete personal data no later than 24 months after the conclusion of a project. Should we wish to prepare an academic article including information used in a project, we would hold the information collected until the article’s publication date. This is permitted by the GDPR, which allows organisations that process personal data under a lawful basis to process it for a secondary research purpose, too, if appropriate safeguards are implemented.
37. Where the lawful basis to process personal information is contractual rather than by consent, we will delete the personal information once the objective(s) stated in the contract have been achieved.
38. This policy does not apply to data about legal entities, which does not constitute personally identifiable information.
39. In all cases where we collect and/or process data arising from more than one country (‘Cross-border processing of personal data’), the lead supervisory authority for the purposes of the GDPR shall be the United Kingdom’s Information Commissioner’s Office.
40. Cross-border processing of personal data will be agreed in all relevant contracts and when seeking consent from project participants.
Employees and job applicants
41. Research Consulting does not read, share or keep a copy of unsolicited Curriculum Vitae. Please refrain from sending these to us as they will be promptly deleted.
42. When you apply for an open position at Research Consulting, we will process your application and use the personal data contained therein in the way that would reasonably be expected. All CVs will be deleted within 30 days from the end of the hiring period.
43. Should we wish to keep your CV for future job opportunities, we shall seek consent via email or post (as appropriate). In the case of no response, we will delete the CV within two weeks from the date we sought consent.
44. As a prospective employee, please note that failure to provide data necessary to prepare a contract will result in our job offer being withdrawn.
45. Whether you are an employee or a job applicant, you have the following rights with respect to your personal data: access, rectification, erasure, withdrawal of consent, objection to processing and lodging of complaints with the supervisory authority.
46. Employee data will be kept for a period of six years after cessation of employment, unless otherwise requested by the employee. Ex-employee data will be periodically reviewed and deleted when appropriate.
Data Protection Officer
49. Research Consulting does not have a data protection officer. Article 37 of the GDPR details the cases where one is needed and Research Consulting does not fit within any of the cases mentioned: we do not carry out systematic monitoring of data subjects nor do we process special categories of personal data.
Your legal rights
50. When you participate in our research, you have a legal right under the GDPR to request access to any information that we hold that can be identified as yours (right to information and access). This request should be put in writing to the address below:
Research Consulting Limited
The Ingenuity Centre
University of Nottingham Innovation Park
Triumph Road, Nottingham
NG7 2TU, United Kingdom
We will respond within no more than 30 days of receiving your message. The GDPR details a number of exemptions from disclosure and, should we be unable to fulfil your request, we will provide a full explanation in writing.
51. You have a right to data portability. Therefore, when providing data to you, we will do so in a commonly used and machine-readable format (e.g. a CSV spreadsheet).
52. You have the right to ask us not to process your personal data for marketing purposes. Should we wish to do so, or should we wish to disclose your information to third parties for such purposes, we shall inform you before collecting your data. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
53. The GDPR also gives you the right to erase your data and/or restrict its processing. Please get in touch at email@example.com should you wish to exercise these rights.
Data breaches and information security incident procedure
54. Research Consulting recognises that, at times, ‘things go wrong’ and breaches of security may occur. In most cases, the digital systems we use (e.g. Office 365, Podio, SurveyGizmo) are responsible for ensuring suitable security measures are in place and for notifying the ICO; however, Research Consulting recognises its responsibilities to:
- provide advice to employees and associates to contain breaches and manage the risks related to these;
- determine whether any control actions are needed;
- consider whether Research Consulting has a responsibility to notify the ICO and the individual(s) affected by the breach or incident; and
- evaluate any lessons learnt and areas for improvement.
55. The individual responsible for the implementation of the procedure detailed below is Rob Johnson (Director), but the procedure applies to all team members, including consultants, researchers and administrative staff.
56. Incidents are defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. We therefore consider the following three scenarios:
- Breach of confidentiality, where there is an unauthorised or accidental disclosure of, or access to, personal data;
- Breach of availability, where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
- Breach of integrity, where there is an unauthorised or accidental alteration of personal data.
57. Whenever an incident is identified, Rob Johnson (Director) is notified, and the issue is dealt with as a priority. Our incident flowchart is as follows:
58. Based on the level of risk, Research Consulting will decide how to address the incident. Risk is assessed considering a number of factors, including:
- the type of breach, as per clause 56 above;
- the nature, sensitivity and volume of personal data;
- ease of identification of individuals;
- severity of consequences for individuals;
- special characteristics of people that may be affected;
- the number of affected individuals;
- nature of the breach (e.g. error, mistake, or intentional and malicious action); and
- financial or legal implications.
59. The following risk levels are considered when addressing incidents:
- Low risk – Breach of personal or business data but low risk and impact to individuals: in this case, the incident is addressed directly by Research Consulting’s Director Rob Johnson (with support from other staff if appropriate), and any systems or processes/procedures are updated based on lessons learned.
- Medium risk – Breach of sensitive personal, confidential personal or confidential business data with medium risk and impact to individuals: in this case, the incident is addressed internally, under the assumption that it is unlikely to result in a risk to the rights and freedoms of natural persons. The entire company is made aware of the incident or breach, and any systems or processes/procedures are updated based on lessons learned.
- High risk – Breach of sensitive personal, confidential personal or business data with high risk and impact to individuals: in this case, the personal data breach is likely to result in a risk to the rights and freedoms of natural persons. The same considerations as in the ‘Medium risk’ scenario apply; however, a decision is made on whether the incident must be reported to the data subjects, the ICO or both, as appropriate.
60. Please note that this Policy is subject to change from time to time – it was last updated in December 2019. Any changes to this Policy made in the future will be reflected on the Research Consulting website and, where appropriate, notified to you by email.