Compliance with data protection legislation and industry codes of conduct
Citrine Research Ltd is:
• registered with the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) 2018 – registration number: ZA829307.
• certified for Cyber Essentials and GDPR in line with IASME Governance Standard. The company subscribes to the MRS Quality Commitment. The company and its Directors (who are full members of the MRS) operate in compliance with the MRS Code of Conduct and the ICC/ESOMAR International Code of Marketing and Social Research Practice for the protection of our clients, their customers and the general public. These codes require that all respondent data is used only for market research purposes and is to be treated as strictly confidential.
Respondent Data is held and used only for specific research projects in accordance with specifications agreed with the client for each project and is stored only in directories and files relating to the project as defined by the Citrine Research project number. No data may be transferred from one project file to another or to any other file or used for any purpose other than the project to which it relates.
Data relating to customers or other individuals used for a survey (but excluding additional data collected by Citrine Research from the individual in the course of the research project) will be securely erased from our systems a maximum of six months after completion of the project for which it was provided by the client, unless that client instructs us otherwise in writing. Citrine Research maintains a data asset register to ensure all client data is erased within this timeframe.
Paper records of additional data collected by Citrine Research from an individual in the course of the research project (the respondent) will be securely destroyed two years after project completion. Electronic records of such additional data will be accessed through two-factor authentication and filed appropriately in specific job files; they may be securely destroyed on receipt of instructions from the project client. Where permission has been obtained from the respondent that Citrine Research may contact him or her to participate in future research, relevant paper or electronic records may be retained for this purpose.
Where additional data is collected by Citrine Research from a respondent who has consented, such additional data will be aggregated with data from other individuals and/or anonymised in research findings presented to the project client.
Such additional data will not be provided to the project client about any respondent unless that respondent has been notified of such data transfer in writing before agreeing to participate in the research and has signified agreement to the transfer of data in writing, in accordance with the codes of conduct above.
The research studies that we conduct typically involve both Citrine Research and our clients acting in the capacity of both data processors and data controllers. As such, risks are shared between Citrine Research and our clients and risk management is a collaborative exercise in which we need to work closely with our clients. Typically, this means that we will need our clients to:
• Establish that they have consent, or legitimate public interest, as a basis for sharing customer contact details with us for research purposes.
• Provide us only with the client data that is strictly necessary for the market research project.
• Agree with us, at the start of each project, a date by which we will destroy any data files of customer contact details that we used as the starting point for conducting fieldwork.
• Agree with us, at the start of each project, a date by which we will fully anonymise any research datasets so that individuals cannot be identified.
• Be transparent about the purposes for which any permissions to re-contact research participants will be used; and agree an expiry date for these permissions.
• Cooperate with risk assessments around sensitive personal data, and with planning steps to minimise any risks identified.
The legal basis for Citrine Research processing personal data varies according to the project and the data being collated, but is typically based on:
• It being used for market research purposes in the public interest; and/or
• Explicit consent of the data subject.
Explicit consent of the data subject is established and documented at the start of each research interview or qualitative discussion. This will be explicitly and separately obtained in relation to sensitive categories of personal data*, in addition to our obtaining consent to participate in general.
*sensitive data has a very specific definition: i.e. when we have data on someone who can be identified, or guessed at, to do with their: racial or ethnic origin; political opinions; religious beliefs; membership of a trade union; physical or mental health/conditions; sexual life; or sexual orientation.
Our approach to establishing consent, and our processes for handling, collecting and processing personal (and sometimes sensitive) data, are tailored to each project, in agreement with our client. Typically, this will include:
• Asking for clear consent from research participants at the start of interviews and discussions, and before asking for any sensitive data. This will involve us saying how we will use their data, and for how long;
• Explaining research participants’ rights to see the personally-identifiable data we hold on them, to change this data, or to have it deleted;
• Agreeing with clients, at the start of each project, a date by which we will fully anonymise any research datasets so that individuals cannot be identified;
• Agreeing with clients the purposes for which any permissions to re-contact research participants will be used, and agreeing an expiry date for these permissions – so that we can be transparent about this with research participants;
• Storing personal and sensitive data on an encrypted server, with access restricted to the Citrine Directors, on a ‘need to access’ basis.
All of our storage, handling and processing of personal and sensitive data is conducted within the EU.
For more information contact Julie Irwin, Director, email firstname.lastname@example.org