Research Consulting (also referred to as “we” or “us”) is serious about protecting your privacy and maintaining the security of any personal information collected or received from you. When you submit information to us, this is kept confidential and used to support our activities as required (including but not limited to the delivery of client projects, recruitment of staff and associates, business development and marketing, and human resource management). The General Data Protection Regulation (GDPR) and, in the UK context, the Data Protection Act (DPA) 2018 allow us to process your data (i) when it is necessary for the performance of a contract to which you are party; (ii) in order to take steps at your request prior to entering into a contract; (iii) to carry out research after you have signed a consent form; (iv) to carry out any activity at your explicit request (e.g. you may email us to ask to be kept up to date with the outcomes of a project). The GDPR applies directly to EU member states, while the UK DPA 2018 deals with the application of the GDPR to the UK context and its transposition into UK law. For the purposes of our policy and considering the types of processing carried out by Research Consulting, the GDPR and the UK DPA 2018 have the same implications. It should be noted that the UK DPA 2018 covers the role of the Information Commissioner’s Office (ICO) with respect to the collection, management and processing of personal data, including its duties, functions, powers and enforcement provisions. When we process personal data, the conditions outlined below apply.
This Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Research Consulting. We are committed to processing data lawfully, fairly and transparently, to retaining data only for as long as it is necessary, and to protecting it from unauthorised use.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
“Personal Data”: Any information related to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Controller”: The natural or legal person, public authority, agency or any other body which alone, or jointly with others, determines the purposes and means for the processing of Personal Data; where the purposes and means of processing are determined by EU or national laws, the Controller (or the criteria for nominating the Controller) may be designated by those laws.
“Data Processor”: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1. With respect to projects, Research Consulting only collects personal data necessary to provide consulting services to clients, stores personal data only in so far as required to provide its services to clients, and seeks to obtain informed consent from the data subjects prior to collecting personal information.
2. With respect to our other activities, such as recruitment, business development, marketing and human resource management, we collect personal data necessary to conduct and grow our business and to fulfil our legal obligations. All personal information we gather for activities other than projects is held only after seeking consent (verbal or written, based on the situation) from the data owner. Note that we do not need consent to process data when we are fulfilling a legal obligation.
3. Research Consulting is committed to honesty and transparency: we will endeavour to communicate what personal information we collect and how this will be used in a simple manner.
4. When Research Consulting projects involve interviews or surveys, they adhere to the MRS Code of Conduct. For the purposes of the GDPR, Research Consulting is a data controller and processor. We are registered as a data controller with the Information Commissioner’s Office (ICO): our registration number is ZA000054 and you can check our entry details on the ICO’s website: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/.
5. Research Consulting may collect personal data when undertaking a number of activities related to the provision of its services.
8. Client feedback:
9. Before asking you to share personally identifiable information, we will seek to obtain your consent.
10. In the case of interviews, consent will be sought verbally, and this will be logged in our notes. In surveys, consent will be sought via the questionnaire, and the survey itself will clearly detail why we seek to obtain personally identifiable information, what information we collect and what we will do with the data.
11. You may withdraw your consent or restrict data processing at a later stage by visiting this page.
12. We might get in touch with you to ask for participation in a survey. When we do so, we genuinely believe that you could strongly contribute to our research and we would normally contact you following a recommendation from a client.
13. Participation in our surveys is always optional and voluntary. Should you wish to opt out of the research, you are welcome to do so by getting in touch with the contact person named in the first screen of the survey or by following the instructions in the invitation email.
14. When we conduct research, this is always for the benefit of our clients, either directly, or by informing the development of a new product or service. Normally, the information we collect is used to improve services, develop strategies, or produce reports and/or infographics.
15. When you participate in our research projects, we will ask for opinions and occasionally personal information. Research participants can refuse to answer any questions or discontinue involvement in a study at any time.
16. Should we wish to quote you verbatim, we will inform you and seek your consent.
17. We may collect and process the following information about respondents:
18. Our website does not track you in any way, nor do our email messages (i.e. we do not track whether you click links). We occasionally use GlobiMail, which attaches emails we exchange with you to our Podio project management system. Such emails, however, are simple copies of what you sent us and are used for internal project communications only.
19. If you follow a shortened link (‘shortlink’) in the form ‘links.research-consulting.com/SampleTitle’ we will track the click for statistical purposes, but no other information associated with you (i.e., we will not collect data on who clicked the link, just the fact that the link was followed).
20. Our website uses web analytics (Google Analytics); however, it only collects anonymised statistical data that does not allow the identification of any individual.
21. In the course of our research, we often collate large amounts of qualitative findings (e.g., notes from interviews) and analyse these as part of our research. This is required to develop insights, and, at this stage, qualitative information may be traceable back to the individual(s) who provided it. However, when reporting to our clients, information is anonymised and cannot be traced back to single respondents.
22. Our work also involves the use of quantitative information. When reporting based on quantitative information, we do not identify or single out specific respondents or participants.
23. The findings of our research are typically reported to a third-party organisation (the Client) that commissioned the study. Our Client would normally receive anonymised information, so your privacy is preserved. In the rare cases where we have to share personal information with a Client, note that you have the right to withdraw your consent to data sharing and processing.
24. In some cases, the findings of our research are released publicly. When such findings contain personally identifiable information, we will explicitly seek consent from you before publishing the findings. You have the right to withdraw your consent at any point prior to the findings being made public.
25. We will not share personal information with any third-party organisation, except as outlined in paragraph 26, unless we are obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or we have your consent.
26. Research Consulting often works with associates to conduct research and consultancy projects. When this happens, access to the information we collect may be granted to them for the duration of the project. Should this be the case, our interactions with associates will be regulated by a contract, and they will be considered data processors, who are therefore obliged to comply with the relevant obligations outlined in the GDPR. Associates’ access to project data will be terminated once the project ends.
27. When conducting research on behalf of a client, we will be clear about who has commissioned the research and how we plan to share information with them.
29. All information is handled and managed in compliance with the GDPR.
30. Any information we hold is protected through our secure systems and processes.
31. Information we collect through surveys is generally stored on cloud servers managed by our survey software provider SurveyGizmo. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. Our survey software provider is responsible for preventing data breaches by maintaining and updating the security of their IT system.
32. Personally identifiable information collected in the course of work may also be stored on cloud servers managed by our project management software Podio. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. Our project management software provider is responsible for preventing data breaches by maintaining and updating the security of their IT systems.
33. All information you provide to us is stored on Microsoft OneDrive cloud servers, which are a part of the Microsoft Office 365 package. Such servers are located in the territory of the European Union and subject to the GDPR. Access to such data is password-protected. Our project management software provider is responsible for preventing data breaches by maintaining and updating the security of their IT systems.
34. We limit access to the information we collect by our own employees and, whenever relevant, project associates and clients. We request that they follow similar standards of security and confidentiality in their role as data processors (where appropriate).
35. We may retain some information indefinitely for research purposes. However, this information will be fully anonymised so as to prevent identification of the data subjects. For more information on anonymised data see: Regulation (EU) 2016/679, Preamble, paragraph (26).
36. Research Consulting will not keep personal data longer than necessary to fulfil its legal or contractual obligations. This means that, unless otherwise indicated when seeking consent from project participants, we will delete personal data no later than 24 months after the conclusion of a project. Should we wish to prepare an academic article including information used in a project, we would hold the information collected until the article’s publication date. This is permitted by the GDPR, which allows organisations that process personal data under a lawful basis to process it for a secondary research purpose, too, if appropriate safeguards are implemented.
37. Where the lawful basis to process personal information is contractual rather than by consent, we will delete the personal information once the objective(s) stated in the contract have been achieved.
38. This policy does not apply to data about legal entities, which does not constitute personally identifiable information.
39. In all cases where we collect and/or process data arising from more than one country (‘Cross-border processing of personal data’), the lead supervisory authority for the purposes of the GDPR shall be the United Kingdom’s Information Commissioner’s Office.
40. Cross-border processing of personal data will be agreed in all relevant contracts and when seeking consent from project participants.
41. Research Consulting does not read, share or keep a copy of unsolicited Curriculum Vitae. Please refrain from sending these to us as they will be promptly deleted.
42. When you apply for an open position at Research Consulting, we will process your information (e.g. CV, cover letter) and use your personal data in ways that would be reasonably expected. All CVs and cover letters will be deleted within 90 days from your application.
43. Should we wish to keep your CV and cover letter for future job opportunities, we shall seek consent via email or post (as appropriate). In the case of no response, we will delete the CV and cover letter within two weeks from the date we sought consent.
44. As a prospective employee, please note that failure to provide data necessary to prepare a contract will result in our job offer being withdrawn.
45. Whether you are an employee or job applicant, you have the following rights with respect to your personal data: access, rectification, erasure, withdrawal of consent, objection to processing and lodging of complaints to supervisory authority.
46. Employee data will be kept for a period of six years after cessation of employment, unless otherwise requested by the employee. Ex-employee data will be periodically reviewed and deleted when appropriate.
49. Research Consulting does not have a data protection officer. Article 37 of the GDPR details the cases where one is needed and Research Consulting does not fit within any of the cases mentioned: we do not carry out systematic monitoring of data subjects nor do we process special categories of personal data.
50. When you participate in our research, you have a legal right under the GDPR to request access to any information that we hold that can be identified as yours (right to information and access). This request should be put in writing to the details below:
Research Consulting Limited
The Ingenuity Centre
University of Nottingham Innovation Park
Triumph Road, Nottingham
We will respond within no more than 30 days of receiving your message. The GDPR details a number of exemptions from disclosure and, should we be unable to fulfil your request, we will provide a full explanation in writing.
51. You have a right to data portability. Therefore, when providing data to you, we will do so in a commonly-used and machine-readable format (e.g. a csv spreadsheet).
52. You have the right to ask us not to process your personal data for marketing purposes. Should we wish to do so, or should we wish to disclose your information to third parties for such purposes, we shall inform you before collecting your data. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
53. The GDPR also gives you the right to erase your data and/or restrict its processing. Please get in touch at email@example.com should you wish to exercise these rights.
54. Research Consulting recognises that, at times, ‘things go wrong’ and breaches of security may occur. In most cases, the digital systems we use (e.g. Office 365, Podio, SurveyGizmo) are responsible for ensuring suitable security measures are in place and for notifying the ICO; however, Research Consulting recognises its responsibilities to:
55. The individual responsible for the implementation of the procedure detailed below is Rob Johnson (Director), but the procedure applies to all team members, including consultants, researchers and administrative staff.
56. Incidents are defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. We therefore consider the following three scenarios:
57. Whenever an incident is identified, Rob Johnson (Director) is notified, and the issue is dealt with as a priority. Our incident flowchart is as follows:
58. Based on the level of risk, Research Consulting will decide how to address the incident. Risk is assessed considering a number of factors, including:
59. The following risk levels are considered when addressing incidents:
60. Please note that this Policy is subject to change from time to time – it was last updated in December 2019. Any changes to this Policy made in the future will be reflected on the Research Consulting website and, where appropriate, notified to you by email.