Introduction
Purpose
Application
General Data Protection Regulation (GDPR)
Rights of Individuals
Handling personal information, lawfully, fairly and transparently
Consent for respondents
Consent for Marketing and Prospecting Purposes
Computer Equipment, Security and updates
Removable Media
PECR and cookies
Fair treatment
Minimum amount of personal data
Accurate and kept up-to-date
Subject Access Requests
Requests for information from law enforcement agencies
Data security
Outsourcing
Restrictions on transferring information to non EEA countries
Data loss
Data retention
Destruction of Electronic Records
Secure disposal of records and computer equipment
Training
Data Protection Officer
Review
The General Data Protection Regulation (GDPR) is European wide data protection legislation that requires organisations working with individuals based in the European Economic Area to meet certain requirements regarding the collection, processing, security and destruction of personal information.
As we undertake research that collects or evaluates personal information about a living person who can be identified from the information they have provided we aim to ensure compliance with the General Data Protection Regulation.
This policy sets out how Sam Neill Research seek to ensure compliance with the legislation.
This policy applies to Sam Neill Research’s dealings with respondents, clients and third parties that may be involved in processing personal information. It covers the way personal information will be obtained, used, shared, physically stored and destroyed.
The General Data Protection Regulation (GDPR) governs the processing (i.e. obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data (i.e. information relating to a living individual – the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. There are six principles that describe the legal obligations of organisations that handle personal information about individuals. These Principles are:
Sam Neill Research fully supports these principles.
The General Data Protection Regulation creates specific rights of individuals. These include:
The first and second principles require Sam Neill Research to acquire and process personal information lawfully, fairly and in a transparent way. Sam Neill Research is clear at the outset about the purpose for which information is obtained and processed. Sam Neill Research aims to ensure that:
Appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.
Consent will be required for certain types of information usage.
When consent is required, it must be freely given, specific, informed and unambiguous. Requests for consent will be separate from other terms, and be in clear and plain language. The individuals consent will be “explicit” where it relates to sensitive data. Sam Neill Research is required to be able to demonstrate that consent was given. We therefore maintain records of clients consent to meet the accountability requirements for both the profession and the requirements of the General Data Protection Regulation.
Under the Privacy and Electronic Communication Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the customer or via a third party. An unsolicited communication is one that the customer has not invited but they have indicated that they do not, for the time being, object to receiving it. If challenged, businesses would need to demonstrate that an individual has positively opted in to receiving further information from us.
Sam Neill Research understands that it is unlawful to contact customers or organisations that have informed us that they do not wish to receive unsolicited marketing material. Therefore, [Sam Neill Research are aware of and comply with the following:
Telesales – Sam Neill Research ensure that individuals and organisations they wish to contact are not registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) respectively. If they are registered or have directly notified [Insert Company Name] not to call, then unsolicited direct marketing calls will not be made to them.
Emails and text message – Sam Neill Research will not contact individuals by email or via text message without obtaining prior consent unless the individual’s details have been obtained in the course of a sale or negotiations of a sale. Individuals will be given the opportunity to opt out of receiving further marketing emails or texts each time that such contact is made.
The Mailing Preference Service (MPS) is managed by the Direct Marketing Association and supported by Royal Mail to enable individuals to register their names and addresses to limit the amount of direct mail they receive. Unsolicited marketing material will not be sent by post to individuals that have informed Sam Neill Research they do not wish to receive such information or they have registered with the MPS.
Sam Neill Research maintains internal logs of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information and conduct checks against the TPS, CTPS, FPS, eMPS and MPS databases as appropriate.
When data is purchased from third parties for prospecting purposes, Sam Neill Research ensures that the data has been acquired by the third party through fair and lawful means, the data can be used for the purposes of unsolicited marketing activities and that the data has been cross-checked by the third party against the appropriate preference service databases.
We are aware of the vulnerability of laptops, phones and removable media and the business owners takes steps to ensure the security of these devices.
We ensure that all equipment used as part of our business processes is appropriately protected and secured. The equipment we use has up to date Malware and anti-virus software. When updates are notified because of a software patch, these are applied as they become available.
The laptops that are used for business purposes are encrypted and password protected to ensure that any personal information contained within them is appropriately secured.
It is not our practice to use unsecured phones for business purposes. If a phone is used for personal information then two factor authentication is applied to the handset.
Any removable media used such as an external hard drive or USB pen drive are encrypted.
Under the PECR, as from 26 May 2011, businesses must seek consent before any cookie is set on an individual’s computer.
Cookies are small, often encrypted text files, located in browser directories. They are used by companies to help users navigate websites efficiently and perform certain functions. Cookies are also used to keep computer users logged in and their personal details private or for tracking their activity so that companies can improve the website. Cookies can be used by third parties to track information about individuals and spam them with adverts. By themselves, cookies pose no risk since they do not contain viruses.
Session cookies enable the website to track user movement from page to page so that the user does not get asked for the same information again. The most common example of this functionality is the shopping cart feature of an e-commerce website. Session cookies are never written on the hard drive and they do not collect any information from the user’s computer. Session cookies expire at the end of the user’s browser session.
Persistent cookies are stored on the user’s computer and are not deleted when the browser is closed. Such cookies can retain user identities and preferences, allowing those preferences to be used in future browsing sessions.
Sam Neill Research are responsible for ensuring that the websites comply with the PECR and that, where necessary, appropriate information is disclosed to website users and consent is obtained from users before cookies are set.
Fairness generally requires us to be transparent, i.e. clear at outset and open with individuals about why the information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
Sam Neill Research aim to ensure that, in all cases, consent and privacy statements will:
Sam Neill Research is responsible for ensuring that the following details are communicated to respondents:
Under the principles of GDPR, Sam Neill Research identifies the minimum amount of personal data we need to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more.
Sam Neill Research will:
An individual has the right to see the information that Sam Neill Research holds about them and can make a request to access this information. Requests must be responded to within 30 days of receipt.
In line with the GDPR, Sam Neill Research will request certain information before responding to a request:
In the event of an individual making a subject access request via a third party, Sam Neill Research will request written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
An individual who makes a request is entitled to be:
The General Data Protection Regulation includes exemptions, which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. Sam Neill Research will release personal information to law enforcement agencies if required to do so.
Sam Neill Research has appropriate security measures to prevent personal information held being accidentally or deliberately compromised. In particular, Sam Neill Research:
Sam Neill Research have procedures in place if we use third parties to process information to ensure that we:
Sam Neill Research requires third parties that it works with to ensure that there are adequate security measures in place to secure the information that is being held.
There are no restrictions on moving personal information within EEA countries. As Sam Neill Research uses cloud services, we know that personal information may be transferred outside the EEA. We are open and transparent with our clients and potential clients about where their information is processed and accessed.
Sam Neill Research considers the following factors when deciding whether or not to transfer information overseas:
We also consider additional factors such as:
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard Sam Neill Research consider the following:
To comply with information retention best practice, Sam Neill Research establish standard retention periods for different categories of information, keeping in mind any professional rules or regulatory requirements that apply and ensuring that those retention periods are being applied in practice. Any personal information that is no longer required will either be archived or deleted in a secure manner.
Sam Neill Research’s retention periods for different categories of personal information are based on individual business needs and contractual obligations.
Sam Neill Research understands the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, it will reduce its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, Sam Neill Research will also delete the record from any back-up of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.
All electronic files are destroyed by deletion and then the use of an electronic file shredder. This ensures that all electronic information is deleted permanently and cannot be recovered.
Once the retention period expires or, if appropriate, the customer or business information is no longer required; paper records should be disposed of in a secure manner. All paper records containing customer or business information are disposed of by shredding. This includes all archived records.
All used computers, fax machines, printers and any other electronic equipment that may contain or that will have stored customer or corporate information in electronic format must be disposed of in an appropriate manner after the information has been completely wiped off. An external provider will be used to ensure that the memory on the devices is completely clean of information before the item is disposed of.
All training is documented and reviewed regularly.
Sam Neill Research does not at this time meet the requirements for a dedicated Data Protection Officer but this is kept under review as the type of work and range of clients/respondent’s changes. We are committed to meeting the needs of the General Data Protection Regulation and if our business requires a DPO, we will seek to appoint one.
This policy will be reviewed periodically considering changing business priorities and practices and to consider any changes in legislation.