Data Protection and Security Policy
Updated February 2019
The General Data Protection Regulation (GDPR) is a Europe-wide law on data protection and privacy for all individuals residing within the European Economic Area and the European Union. It requires companies and individuals working with the ‘processing’ (meaning the obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data to meet certain requirements regarding the collection, processing, security and destruction of personal information, whether the information is processed in manual or electronic form.
GDPR also provides rules for addressing the export of personal data outside of the EEA. Its main purpose is to give individuals control over what happens with their personal data, and to unify regulations within the EU so that all companies are on the same page.
Individuals providing their personal data are called Data Subjects under GDPR, and the rules apply regardless of the citizenship of the Data Subject.
As QualiProjects (a VAT-registered Sole Trader often working with a network of other research professionals) undertakes research that may collect and/or evaluate personal information about a living person who can sometimes be identified from the information they have provided, we aim to ensure that individuals feel in control of their personal data at all times, and to provide transparency about how data will be used and when and how it will be transferred, destroyed or otherwise processed.
Purpose of Privacy Notice
This policy sets out how QualiProjects and its Network (Recruiters, Agencies, Clients, Freelancers) will seek to ensure compliance with the new GDPR legislation.
Full name of legal entity: Jennifer Whittaker trading as QualiProjects
Email address: Jennifer at QualiProjects dot com
Postal address: Chapel Road, Galway, ROI, H54 KN77
Data Protection Officer
QualiProjects does not at this time meet the requirements for a dedicated Data Protection Officer, but this is kept under review as the type of work and range of clients/respondents changes. We are committed to meeting the requirements of the General Data Protection Regulation and, if our business requires a DPO, we will seek to appoint one.
GDPR in Practice: Our Commitment
This policy applies to the dealings of QualiProjects with research respondents online and offline, with clients and with third parties that may be involved in processing personal information for research and business purposes. It covers the way personal information will be obtained, used, shared, physically stored and eventually destroyed.
QualiProjects (Sole Trader) fully supports the key principles of GDPR for businesses, which are that:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual. Individuals will be fully informed about how we intend to use any information we collect, for what purposes and how we will share it.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes – further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Personal data shall be adequate, relevant and limited to what is necessary.
- We will only collect the information we need to provide the services required – this data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will not hold information for longer than is necessary.
- Personal data shall be processed in a manner that ensures appropriate security of the data. We will make sure that the personal information we hold is held securely, to ensure that it does not become inadvertently available to other organisations or individuals.
Rights of Individuals
The General Data Protection Regulation creates specific rights of individuals. These include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling, as well as handling personal information lawfully, fairly and transparently
The first and second principles require QualiProjects to acquire and process personal information lawfully, fairly and in a transparent way. QualiProjects is therefore clear at the outset about the purpose for which information is obtained and processed.
QualiProjects aims to ensure that respondents and potential respondents are aware of the purpose or purposes for which the information is to be used and that they have a choice as to whether to provide the information – we work with experienced and trustworthy recruiters to ensure this is the case, and have agreements in place with recruiters and recruiting bodies to abide by the rules of GDPR.
Where QualiProjects is the key agency, we inform all respondents that they have the right to ask for confirmation of the source of their personal information as well as the manner in which it will be used and for how long. We do this through easy to read and understand statements and contracts. Personal information is not used in ways that would have adverse effects on individuals.
We do not directly market services to respondents for client projects nor provide clients with respondent lists that give identifying personal data. Where clients provide lists for recruitment, we ensure that they or we have the rights (permission) under GDPR to contact these respondents for interview.
Any marketing undertaken by us for the furthering of our own business will be undertaken in a manner that complies with the General Data Protection Regulation.
Where QualiProjects is the agency dealing with clients, recruiters or respondents, appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.
Consent from Individuals
Consent will be required for certain types of information usage – for example videos, ‘day in the life’ biographies and imagery.
When consent is required, it must be freely given, specific, informed and unambiguous. Requests for consent will be separate from other terms, and be in clear and plain language. The consent will be “explicit” where it relates to sensitive data. QualiProjects is required to be able to demonstrate that consent was given. We therefore maintain records of client and respondent consent to meet the accountability requirements for both the profession and the requirements of the General Data Protection Regulation.
We are required, under the guidelines of Fair Treatment, to be transparent and open with individuals about why information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
Given the above, QualiProjects commits to ensuring that in all cases Consent and Privacy Statements will be clear and transparent, provide a place to direct any remaining questions that individuals may have, explain any consequences of providing the required information and give the duration for which the information will be kept. QualiProjects will also explain if the information is to be anonymised at any point and if so how and when, and if the information will be transferred overseas at any point – including who it will be shared with and how they will use it. If individuals are to be contacted, we will state exactly how and the rights of individuals to obtain copies of personal information as well as to decline to answer questions (if questions are voluntary). We will provide contact details for QualiProjects on all forms so that individuals can opt-out or ask for more information about how their data is held or used or to inform of a complaint to the Information Commissioner’s Office.
In all communications, we make the following clear to respondents:
- Our business identity;
- The purpose(s) for which we intend to process the respondent’s personal information, and whether the information is to be shared with or disclosed to other organisations;
- The process for anonymising the information prior to it being shared with the commissioning organisation; and
- How respondents can access the information held about them (as this may help them to spot inaccuracies or omissions in their records).
It is important to ensure that all information held by QualiProjects, whether for the duration of a singular project or longer term for other business purposes such as contacting recruiters overseas, is accurate and up to date. Accuracy is not only important for the individuals concerned, but also for clients and for sampling purposes to ensure accuracy of project results. We will therefore:
- take reasonable steps to ensure the accuracy of any data held;
- ensure that the source of any personal information is clear (including requesting evidence of this, for example when recruiting participants online who need to meet a certain sample specification);
- establish whether the individual has challenged the accuracy of the information;
- evaluate and record any challenges carefully; and
- consider whether it is necessary to update the information.
Consent for Marketing and Prospecting Purposes
Under the Privacy and Electronic Communication Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the customer or via a third party. An unsolicited communication is one that the customer has not invited but they have indicated that they do not, for the time being, object to receiving it. If challenged, businesses would need to demonstrate that an individual has positively opted in to receiving further information from us following an initial contact from us.
QualiProjects understands that it is unlawful to contact customers or organisations that have already informed us that they do not wish to receive unsolicited marketing material. Therefore, QualiProjects is aware of and complies with the following:
- Telesales – QualiProjects does not currently directly market its services through telephone calls. If it chose to do so in the future, we would ensure that the parties targeted are not registered with the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) respectively, and have not requested that QualiProjects and its affiliates do not call.
- Emails and texts – QualiProjects will not contact respondents by email or text message without obtaining prior consent, unless the messages relate to a project currently underway. Potential clients are never contacted by text, but where emails or LinkedIn messages are sent, individuals will be given the opportunity to opt out of receiving further marketing emails or texts each time that such contact is made.
- Post – QualiProjects does not market itself by traditional post. Unsolicited marketing material will not be sent by post to individuals that have informed QualiProjects they do not wish to receive such information or they have registered with the MPS.
- Logs – QualiProjects will maintain internal logs of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information and conduct checks against the TPS, CTPS, FPS, eMPS and MPS databases as appropriate.
- Prospecting from Third Parties – When data is purchased from third parties for prospecting purposes, QualiProjects ensures that the data has been acquired by the third party through fair and lawful means, that the data can be used for the purposes of unsolicited marketing activities and that the data has been cross-checked by the third party against the appropriate preference service databases.
- Memberships – QualiProjects is a member of the ICG https://theicg.co.uk/ and as such may from time to time recommend other researchers, recruiters and agencies in our private members only Email Group. These recommendations will be withdrawn and not repeated if and when this is requested by the individuals and agencies concerned.
Computer Equipment, Security and Updates
We have security measures in place to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. We will notify you and any applicable regulator of a personal data breach if we are legally required to do so.
We only allow access to your personal data to those people in our network who have a business need to know such data. They will only process your personal data on our instructions and they must keep it confidential.
We make sure that the correct physical and technical security is in place, backed up by robust processes and procedures. QualiProjects recognises that information security breaches may cause real harm and distress to the individuals if their personal information is lost or abused (this is sometimes linked to identity fraud).
We are aware of the vulnerability of laptops, phones and removable media, and the business owner takes steps to ensure the security of these devices.
We ensure that all equipment used as part of our business processes is appropriately protected and secured. The equipment we use has up-to-date anti-malware and anti-virus software. When updates are notified because of a software patch, these are applied as they become available.
The PC and laptop that are used for business purposes are encrypted and password protected to ensure that any personal information contained within is appropriately secured.
Respondent details are not stored on business phones and, when calls are required, numbers are deleted as soon as the project has ended.
Any removable media used such as an external hard drive or USB pen drive are encrypted.
A “cookie” is a piece of information that is stored on your computer’s hard drive and which records how you move your way around a website so that, when you revisit, it can present tailored options based on the information already stored. Cookies can also be used to analyse traffic and for advertising and marketing purposes, such as working with Google Analytics. Cookies are used by nearly all websites and do not harm your system. Session cookies are never written on the hard drive and they do not collect any information from the user’s computer. Session cookies expire at the end of the user’s browser session.
If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. You can block cookies at any time, by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, some cookies are essential for accessing full websites.
QualiProjects is responsible for ensuring that the company website and any client websites comply with the PECR and that, where necessary, appropriate information is disclosed to website users.
Minimum amount of personal data
Under the principles of GDPR, QualiProjects identifies the minimum amount of personal data we need to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more. QualiProjects does not hold personal data on the off-chance that it might be useful in the future.
Subject Access Requests
An individual has the right to see the information that QualiProjects holds about them and can make a request to access this information. Requests must be responded to within 30 days of receipt. Those requesting access have the right to attach a read receipt to any emails or to request an acknowledgement.
In line with the GDPR, QualiProjects will request certain information before responding to a request:
- Enough information to judge whether the person making the request is the individual to whom the personal information relates, to avoid personal information about one individual being sent to another, accidentally or as a result of deception.
- Sufficient information that would reasonably be required to find the personal information amongst the records held by the company and covered by the request.
In the event of an individual making a subject access request via a third party, QualiProjects will request written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
An individual who makes a request is entitled to be:
- told whether any personal information is held and being used;
- given a description of the personal information, the reasons it is being processed, and whether it will be shared with any other organisations or individuals;
- given a copy of the information; and
- given details of the source of the information (where this is available).
Requests for information from law enforcement agencies
The General Data Protection Regulation includes exemptions which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. QualiProjects will release personal information to law enforcement agencies if required to do so.
QualiProjects has procedures in place if we use third parties to process information, such as Recruiters and Online Platform Providers, to ensure that we:
- Only choose a data processor that provides sufficient guarantees about its security measures to protect the information and the processing it will carry out;
- Take reasonable steps to check that those security measures are working effectively in practice;
- Put in place a written contract setting out what the data processor is allowed to do with the personal information or business information; and
- Notify any data controllers with whom we are working who the proposed data processor will be.
QualiProjects requires third parties that it works with to ensure that there are adequate security measures in place to secure the information that is being held.
Data Transfer Overseas
The European Commission has published data transfer methods that offer sufficient safeguards on data protection for personal data to be transferred from the EEA to third countries. The clauses contain contractual obligations on the EEA data exporter and the data importer, and rights for the individuals whose personal data is transferred. Importantly, individuals can directly enforce those rights. Since 2010, EEA-based controllers wishing to rely on Standard Contractual Clauses to legitimise international data transfers to processors outside the EEA have had to use the updated clauses for new processing operations.
If data is made anonymous so that it is never possible to identify individuals (even when combined with other information which is available to the receiver), this is not classified as personal data. This means that the restrictions do not apply and companies are free to transfer the anonymised data outside the EEA and the EU. Anonymous information is information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The Regulation does not therefore concern the processing of such anonymous information.
In order to be truly anonymised under the GDPR, personal data must be stripped of sufficient elements that the individual can no longer be identified. However, if the receiving company or individual could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will merely have been pseudonymised, meaning that the data is still personal.
QualiProjects is subject to the provisions of the General Data Protection Regulation that protect personal data. Where we transfer data to third parties outside of the EEA, we will ensure that certain safeguards are in place to ensure a similar degree of security for your personal data. As such:
- We may transfer personal data to countries that the European Commission has approved as providing an adequate level of protection for personal data; or
- If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place; or
- Where we use certain service providers who are established outside of the EEA, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe.
- If none of the above safeguards is available, we may request explicit consent to the specific transfer. Individuals will have the right to withdraw this consent at any time.
There are no restrictions on moving personal information within EEA countries. We are open and transparent with our clients and potential clients about where their information is processed and accessed.
QualiProjects considers the following factors when deciding whether or not to transfer information overseas:
- the nature of the personal information being transferred;
- how the information will be used and for how long; and
- the laws and practices of the country where information is being transferred to, and whether there is a way to make sure the standards are achieved in practice.
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard QualiProjects considers the following:
- Risk Assessment – assess any risks and adverse consequences associated with the breach, as these are likely to affect how the breach needs to be contained.
- Notification of breaches – informing the Information Commissioner’s Office or other relevant Supervisory Authority as necessary (within 72 hours), law enforcement agencies, data controllers on whose behalf we are working and individuals (whose personal information is affected) about the security breach.
- Evaluation – it is important to investigate the causes of the breach.
- Revising Procedures – implementation of new controls to prevent recurrence in the future.
Retention periods for different categories of personal information are based on individual business needs and contractual obligations. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Any personal information that is no longer required will either be archived or deleted in a secure manner.
QualiProjects understands the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this reduces its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, such as an Online Platform, QualiProjects will also delete the record from any back-up of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.
When deciding how long to keep data, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and legal requirements.
For tax and accountancy purposes, the law requires us to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they stop being clients.
In some circumstances we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
All electronic files are destroyed by deletion and then the use of an electronic file shredder. This ensures that all electronic information is deleted permanently and cannot be recovered. All physical files are destroyed by use of a physical shredder.
This policy will be reviewed every 6 months, considering changing business priorities and practices and to consider any changes in legislation.
Third Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
You can see more about your rights under this Notice at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights. You will not have to pay a fee to access your personal data (or to exercise any of the other rights described in this document). However, we may charge a fee if your request is clearly unfounded, repetitive or excessive, and we may seek outside/outsourced help in dealing with the request if this is found to be the case.
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Data Protection Commission (DPC), the Irish supervisory authority for data protection issues: https://www.dataprotection.ie/. We would be grateful if you would contact us first if you do have a complaint, so that we can try to resolve it for you without this step being necessary.