If you’ve read my blog or website (or business cards or LinkedIn page) you’ll know that Neil Sharman Ltd is a business that deals with market research data and, sometimes, other forms of data such as digital analytics.
Data security is a hot topic these days (not least because of the arrival of GDPR) so this blog piece is my public statement about my use of data – and my privacy information notice.
Please read on if you’re someone who is considering taking part in research for Neil Sharman Ltd or if you have a general interest in what I do. Anyone considering taking part will need to freely and specifically give his or her consent – and feel informed (this blog piece should help with the latter).
Firstly I should say that, as a research consultant, I work on very varied projects so I’ve based this statement on projects I’ve done in the five years that I’ve been working for myself.
When a company employ my services they typically hire me to do one or a few of several things.
They might employ me to do desk research (pulling together information in the public sphere e.g. in articles and books) or to interrogate research or data they already own.
They might employ me to generate new primary market research data, which I do by employing a research agency to conduct research with the general public or amongst business audiences.
One client company employs me to do employee research, which I do through an external research agency.
Finally, a client company might ask me to conduct qualitative research, which means I conduct depth interviews with individuals or focus groups with a handful of people in a room.
In the majority of cases I am the recipient of anonymous data. I get figures to analyse and individuals cannot be identified from the data. For example, I might see a figure that tells me, “15% of people surveyed read a certain publication in the last year” but I’ve no way of knowing who they actually are as individuals.
However, because I am involved in commissioning the production of some of the anonymous data I receive I do have responsibilities relating to the rights of the people whose data has helped build the output that I see. For these reasons I ensure all the suppliers I work with (and any companies they might outsource to) have a sensible approach to GDPR, identifying, mitigating and addressing data risk.
As research companies collecting the data they have access to identifiable data and pseudonymous data, which means they can identify individuals either directly or by using additional information (e.g. a list of respondent names and ID numbers).
They, like me, take on the role of Data Processors in the projects we work on. My client, who I am ultimately commissioning the project for, has the role of Data Controller as they determine the parameters of a project and pay me to deliver the data as specified.
Both roles (Data Processor and Data Controller) carry legal obligations and both have legal liability for any breaches. For example, Data Processors will report any breach to the Data Controller and they will report it to the ICO within 72 hours of the breach if they determine it to be a significant breach. Any individuals concerned will also be informed, where appropriate.
As a Data Processor I’m obligated to ensure the tools I use (cloud based tools, for example) are compliant with data law.
The research agencies I work with, as the holders of identifiable data and pseudonymous data, will typically undertake a privacy risk impact assessment, which may involve my clients and I if necessary, in order to determine the type and level of risks and how such risks might be mitigated and addressed. They are also well placed to write the log of what is processed, do any necessary audit relating to the project and be the point of contact if a respondent has queries.
Earlier in this blog I say that individuals cannot be identified from the information I receive. However, I should add that sometimes I receive ‘open ended responses’. This means that a respondent might have typed a response to a question into a questionnaire, rather than ticking a box.
From a researcher’s point of view it is interesting to read people describe something in their own words and open-ended responses often tell us what we didn’t know we didn’t know. When I read these open ended responses I can’t usually tell who wrote what but sometimes a respondent might give away information within their reply that might identify them.
For example, someone might write, “I’m the last remaining male in St Cuthbert’s church choir”; information from which a keen sleuth might find them.
For this reason, and for reasons of general security, I password protect all the data I receive in spreadsheet form and I keep all hard copies in a locked cupboard. I use encryption software and Secure Transfer Protocol sites too. I also delete or otherwise destroy data (e.g. by shredding) a year after collection.
Similarly, when I conduct qualitative research (like depth interviews and focus groups) I collect a lot of ‘open ended’ responses from respondents. Qualitative research is effectively a structured conversation with people and I can’t predict what they will tell me within the conversation. Again, what they say can identify them.
Also, when I conduct qualitative research I’m in possession of names and contact details of the people recruited for the research (typically by a qualitative research recruitment agency). I know their names and, of course, refer to them by name during the focus groups and interviews. I keep these details password protected and delete them once the work is done. Hard copies are destroyed.
I do record the conversations (and recorded voices can be even more easily identified than written quotes) and transcribe them later. I password protect the transcriptions (keeping hard copies and recordings in a locked cupboard) and destroy the transcriptions within a year. Recordings are deleted in less time; they are destroyed soon after transcription.
For such qualitative projects, where Neil Sharman Ltd is the main body collecting the data (i.e. there is no research firm employed to collect the data), I write the risk assessment, identifying the level of risk and how I might mitigate and address it. In these instances I am, again, the Data Processor and my client is the Data Controller.
When I’m hired to work on employee research a list of employees with an ID number allocated to each employee as well as an email address is typically sent to the research company and they send out the questionnaires to the email addresses. I shouldn’t receive this data (I’ve no need to see it) and, if I am copied in, I delete it.
However, when I receive the responses to the questionnaires I see the ‘big picture’ data and don’t see the responses at an individual level. In fact, I can’t see responses to any question where fewer than five people have responded, so that it is unlikely that an individual can be identified from the quantitative part of the results.
Therefore the main risk of someone being identified is from open-ended responses. Being employees, they might be identified by either a piece of information that can pinpoint them (“I’m the only member of marketing with a window seat”) or a turn of phrase or opinion familiar to people who know them (“as I often say to my boss, our strategy is like the 1998 FA Cup Final game”).
Consequently I apply the same processes of passwording, locking and deleting. It is noted in the risk assessment that the familiarity that bosses have with employees means there is a slightly higher risk of open-ended responses leading to identification of individuals. To mitigate and address this risk, employees are also reminded of this risk by the research agency when they are approached to take part in the research before they commit to participating.
So, there we are. I hope this explains clearly what I do and how I work with data. I hope it also demonstrates that privacy by design is my default culture. If you are a potential respondent thinking of taking part in research for Neil Sharman Ltd then agreeing to take part will be agreeing to me dealing with your data in the manner described.
If you’re interested in finding out more you request my Data Protection Policy. Also, here are the Market Research Society’s Code of Conduct and GDPR research guidance. Additionally you can contact me at firstname.lastname@example.org