Amended Sept 7, 2020
The Insight Business Ltd (The Insight Business/TIB) is a Company Partner of the Market Research Society (MRS) and abides by Codes of Conduct of the MRS and ESOMAR (the worldwide association of research professionals).
The Insight Business is registered with the Information Commissioner’s Office (ICO) for the processing of personal data: registration Z7235165.
The Insight Business is fully committed to safeguarding the privacy/personal data of our clients, prospective clients, suppliers and research participants in line with General Data Protection Regulation (GDPR).
Personal data is defined as anything that may identify an individual e.g. full name (if in addition to any of the following….), address, telephone number, email, national insurance number, ID/membership numbers of any kind, ISP addresses etc. The Insight Business also includes photos/recordings in their definition of personal data (but only when combined with identifiable information).
1. CLIENT, PROSPECTIVE CLIENT, SUPPLIER PERSONAL DATA
It you have commissioned a project or made an enquiry with The Insight Business, we will retain your details for future communications. If you have sent details of your services to The Insight Business, we may also retain your details.
If you do not wish for us to retain your details, simply reply to any received communication (or email firstname.lastname@example.org) with the title ‘DELETE ME’.
2. RESEARCH PARTICIPANT PERSONAL DATA – CONSENT
It is the responsibility of our clients/suppliers to ensure that where they supply research participant personal data, they have complied with the requirements of GDPR – specifically, informed consent (also concerning recordings) – before sharing any personal data with us.
Where we supply research materials to clients/suppliers who are collecting personal data/obtaining consent on our behalf – or where we collect personal data ourselves – we will have designed these research materials with GDPR/consent in mind e.g. recruitment screener, questionnaire, online surveys, profile sheets etc.
Consent must include the name of the company(s) collecting data, the subject and purpose of the research, the type of organisation on whose behalf we are working, how we will use the data, the time commitment involved, any tasks required/costs incurred by the participant, any recordings being made, how long we will retain any personal data, reference to the MRS or ESOMAR Codes of Conduct and the right to withdraw at any time.
We will only use the personal data for the purpose for which consent has been obtained.
Anyone collecting personal data on our behalf will have signed contracts with us, agreeing that they (their employees and any individuals acting on their behalf) will strictly adhere to the GDPR/consent elements of research materials supplied.
3. RETENTION OF RESEARCH PARTICIPANT PERSONAL DATA
We will retain participant personal data until the related project invoice has been paid by our client (completion) plus six months. After this time, we will use a physical or digital file shredder service to destroy the personal data held. This six-month period enables quality control to be completed and any project queries to be answered.
Anyone collecting personal data on our behalf will have signed contracts with us, agreeing that they will also securely destroy any personal data after this same six-month period.
Should the research materials include a ‘permission to recontact’ question, any follow-up will only relate to the project/client concerned, and we will specify the time-period concerned at the consent stage i.e. at the point of collecting personal data (in most cases, this will not be longer than the six-month time-period to which consent already applies).
For qualitative methodologies e.g. focus groups, depth interviews, bulletin boards etc., research materials may include consent to extend TIB’s retention of personal data for up to 24 months. This allows us to monitor repeat participation / maintain quality research recruitment.
Photos/recordings – only when containing no identifying information – may be kept indefinitely, as they could for example, be included in research reports used/retained by our clients for internal use.
Any exception to the above retention procedures will have been agreed at the consent stage.
If at any point a participant wishes to withdraw from research they have agreed to participate in, they are advised to immediately contact their recruiter or The Insight Business directly (details included in their ‘invitation’ / introduction email).
If a participant would like to revoke their consent and wishes for us not to retain their personal data, they can simply reply to any received communication (or email email@example.com) with the title ‘DELETE ME’, or write to: Data Protection, The Insight Business Ltd., 14 Woodfield Road, London W5 1SJ
4. TRANSFER OF PERSONAL DATA
In most cases personal data is not shared outside of The Insight Business and our employees/sub contractors, where personal data is not needed to complete the task required, then it must be removed prior to sharing the data.
In the case that personal data is shared with a third party, participant consent must be obtained. Even where such consent exists, it will only relate to the project concerned, and The Insight Business will have GDPR compliant contracts in place with, for example, viewing facilities, transcribers etc.
Such contracts also require that any third party must have systems in place to securely protect personal data, that the data must be used only for the purpose agreed and not shared with additional parties, and that personal data must be securely destroyed once The Insight Business has all necessary feedback at conclusion of the project concerned e.g. attendance records, recordings of groups etc.
If password protected personal data is shared, this must be done using an encrypted email/transfer service (password provided separately).
Personal data may be stored or transferred to servers outside of the EU or US, but only where the organisation complies with GDPR and/or the EU-US Privacy Shield Framework. If personal data is to be stored or transferred to servers falling outside of the EU-US Privacy Shield Framework, then explicit consent must be obtained.
5. STORAGE OF PERSONAL DATA
Any physical records – photos/recordings/files – that contain personal data, must be stored in a secure/locked location.
Any digital records – photos/recordings/files – that contain personal data, must be stored password protected on a secure server/secure cloud server and NEVER on personal hard drives (unless the device is kept in locked storage when not in use). All devices that can be used to access personal data are password protected and have an automatic screen lock activated.
Our own servers run up-to-date IT security software and virus/malicious scanning software.
Our own servers run a securely encrypted daily cloud-based back-up. This cloud server is operated by iDrive based in the US who comply with the EU-US Privacy Shield Framework.
6. LEGAL DEMANDS
Only where we are obliged by law or an order of the court will otherwise confidential information be released.
We may update this policy … the associated procedures are monitored and reviewed on a regular basis and altered in line with technological advances and updated guidelines.
We encourage you to periodically review this page for the latest information on our procedures – including what we require of you – to ensure you continue to comply.