Privacy & Data Security Policy
Version 2: 7th Sept 2018
Plus Four Market Research Limited (Plus Four) is a Company Partner of the Market Research Society (MRS) and abides by Codes of Conduct of the MRS and ESOMAR (the worldwide association of research professionals).
Plus Four is registered with the Information Commissioner’s Office (ICO) for the processing of personal data: registration Z83888920.
Plus Four is fully committed to safeguarding the privacy and personal data of our clients, prospective clients, suppliers and research participants in line with the General Data Protection Regulation (GDPR).
Personal data is defined as anything that may identify an individual, e.g. full name (when held in addition to any of the following), address, telephone number, email, national insurance number, ID/membership numbers of any kind, IP addresses etc. Plus Four also includes photos/recordings in its definition of personal data (but only when combined with identifiable information).
1. CLIENT, PROSPECTIVE CLIENT, SUPPLIER PERSONAL DATA
If you have commissioned a project or made an enquiry with Plus Four, we will retain your details for future communications. If you have sent details of your services to Plus Four, we may also retain your details.
If you do not wish for us to retain your details, simply reply to any received communication (or email firstname.lastname@example.org) with the title ‘DELETE ME’.
2. RESEARCH PARTICIPANT PERSONAL DATA - CONSENT
It is the responsibility of our clients/suppliers to ensure that where they supply research participant personal data, they have complied with the requirements of GDPR – specifically, informed consent (also concerning recordings) - before sharing any personal data with us.
Where we supply research materials to clients/suppliers who are collecting personal data/obtaining consent on our behalf, or where we collect personal data ourselves, we will have designed these research materials (e.g. recruitment screener, questionnaire, online surveys, profile sheets etc.) with GDPR/consent in mind.
Consent must include the name of the company or companies collecting data, the subject and purpose of the research, the type of organisation on whose behalf we are working, how we will use the data, the time commitment involved, any tasks required/costs incurred by the participant, any recordings being made, how long we will retain any personal data, reference to the MRS or ESOMAR Codes of Conduct and the right to withdraw at any time.
We will only use the personal data for the purpose for which consent has been obtained.
Anyone collecting personal data on our behalf will have signed contracts with us, agreeing that they (their employees and any individuals acting on their behalf) will strictly adhere to the GDPR/consent elements of research materials supplied.
3. RETENTION OF RESEARCH PARTICIPANT PERSONAL DATA
We will retain participant personal data until the related project invoice has been paid by our client (completion) plus six months. After this time, we will use a physical or digital file shredder service to destroy the personal data held. This six-month period enables quality control to be completed and any project queries to be answered.
Anyone collecting personal data on our behalf will have signed contracts with us, agreeing that they will also securely destroy any personal data after this same six-month period.
Should the research materials include a ‘permission to recontact’ question, any follow-up will only relate to the project/client concerned, and we will specify the time-period concerned at the consent stage i.e. at the point of collecting personal data (in most cases, this will not be longer than the six-month time-period to which consent already applies).
For qualitative methodologies e.g. focus groups, depth interviews, bulletin boards etc., research materials may include consent to extend Plus Four’s retention of personal data for up to 24 months. This allows us to monitor repeat participation / maintain quality research recruitment.
Photos/recordings, only when containing no identifying information, may be kept indefinitely, as they could, for example, be included in research reports used/retained by our clients for internal use.
Any exception to the above retention procedures will have been agreed at the consent stage; this includes the Plus Four Panel, for which retention of personal data is indefinite (unless deleted as an ‘inactive’ panellist).
If at any point a participant wishes to withdraw from research they have agreed to participate in, they are advised to immediately contact their recruiter or Plus Four directly (details included in their ‘invitation’ / introduction email).
If a participant or panellist would like to revoke their consent and wishes for us not to retain their personal data, they can simply reply to any received communication (or email email@example.com) with the title ‘DELETE ME’, or write to: Plus Four Market Research Ltd, Brook House, 35a South Park Rd, Wimbledon, London SW19 8RR.
4. TRANSFER OF PERSONAL DATA
In most cases personal data is not shared outside of Plus Four/Plus Four employees … where personal data is not needed to complete the task required, then it must be removed prior to sharing the data.
In the case that personal data is shared with a third party, participant consent must be obtained. Even where such consent exists, it will only relate to the project concerned, and Plus Four will have GDPR compliant contracts in place with, for example, viewing facilities, online qualitative software providers etc.
Such contracts also require that any third party must have systems in place to securely protect personal data, that the data must be used only for the purpose agreed and not shared with additional parties, and that personal data must be securely destroyed once Plus Four has all necessary feedback at conclusion of the project concerned e.g. attendance records, recordings of groups etc.
If password protected personal data is shared, this must be done using an encrypted email/transfer service (password provided separately).
Personal data may be stored or transferred to servers outside of the EU or US, but only where the organisation complies with GDPR and/or the EU-US Privacy Shield Framework. If personal data is to be stored or transferred to servers falling outside of the EU-US Privacy Shield Framework, then explicit consent must be obtained.
5. STORAGE OF PERSONAL DATA
Any physical records - photos/recordings/files - that contain personal data, must be stored in a secure/locked location. We operate a clear-desk policy for personal data.
Any digital records - photos/recordings/files - that contain personal data, must be stored password protected on a secure server/secure cloud server and NEVER on personal hard drives (unless the device is kept in locked storage when not in use). All devices that can be used to access personal data must be password protected, with an automatic screen lock after a maximum of 5 minutes of inactivity.
Our own servers run up-to-date IT security software and continual virus/malicious scanning software.
Our own servers run a securely encrypted continual cloud-based back-up. This cloud server is operated by iDrive, based in the US, who comply with the EU-US Privacy Shield Framework.
6. LEGAL DEMANDS
Only where we are obliged by law or an order of the court will otherwise confidential information be released.
We may update this policy … the associated procedures are monitored and reviewed on a regular basis and altered in line with technological advances and updated guidelines.
We encourage you to periodically review this page for the latest information on our procedures, including what we require of you, to ensure you continue to comply.