IFF Research fully supports the aims of the General Data Protection Regulation (GDPR).
The work that we do inevitably involves us handling individuals’ personal data, including contact details; and sometimes involves us asking for data from individuals that is classed as sensitive.
Collecting and processing this personal (and sometimes sensitive) data is an inherent part of our core business, and we are committed to reducing the risk of such data being misused, exposing stakeholders in our research to potential detriment.
The research studies that we conduct typically involve both IFF Research and our clients acting in the capacity of both data processors and data controllers. As such, risks are shared between IFF Research and our clients and risk management is a collaborative exercise in which we need to work closely with our clients. Typically, this means that we will need our clients to:
- Establish that they have consent, or legitimate public interest, as a basis for sharing customer contact details with us for research purposes;
- Agree with us, at the start of each project, a date by which we will destroy any data files of customer contact details that we used as the starting point for conducting fieldwork;
- Agree with us, at the start of each project, a date by which we will fully anonymise any research datasets so that individuals cannot be identified;
- Be transparent about the purposes for which any permissions to re-contact research participants will be used; and agree an expiry date for these permissions;
- Cooperate with risk assessments around sensitive personal data, and with planning steps to minimise any risks identified.
The legal basis for IFF Research processing personal data varies according to the project and the data being collated, but is typically based on:
- It being used for research purposes in the public interest; and/or
- Explicit consent of the data subject.
Explicit consent of the data subject is established and documented at the start of each survey interview or qualitative discussion. This will be explicitly and separately obtained in relation to sensitive categories of personal data*, in addition to our obtaining consent to participate in general.
*Sensitive data has a very specific definition: i.e. when we have data on someone who can be identified, or guessed at, to do with their: racial or ethnic origin; political opinions; religious beliefs; membership of a trade union; physical or mental health/conditions; sexual life; or sexual orientation. Photos of someone and information on criminal convictions/offences are also treated as sensitive.
Our approach to establishing consent, and our processes for handling, collecting and processing personal (and sometimes sensitive) data, are tailored to each project, in agreement with our client. Typically, this will include:
- Asking for clear consent from research participants at the start of interviews and discussions, and before asking for any sensitive data. This will involve us saying how we will use their data, and for how long;
- Explaining research participants’ rights to see the personally-identifiable data we hold on them, to change this data, or to have it deleted;
- Agreeing with clients, at the start of each project, a date by which we will fully anonymise any research datasets so that individuals cannot be identified;
- Agreeing with clients the purposes for which any permissions to re-contact research participants will be used, and agreeing an expiry date for these permissions – so that we can be transparent about this with research participants;
- Storing personal and sensitive data on an encrypted server, with access restricted to key members of the IFF research team, on a ‘need to access’ basis – with the need for access confirmed by the Director, Associate Director or Research Manager on the study.
All of our storage, handling and processing of personal and sensitive data is conducted within the UK, and in line with ISO27001 (the international data security standard, to which IFF Research is accredited). We assess our relevant suppliers to ensure they are GDPR-compliant.