Knowledge Partnership - Our Approach
Privacy & GDPR
Privacy Notice
Established in 2004, Knowledge Partnership is a UK market research company. Our offices are at Pure Offices, Anderson Place, Edinburgh, EH6 5NP . As a provider of market research services, we process personal data, and as such, are required to abide by the terms and conditions set out in the General Data Protection Act (GDPR). The GDPR, which came into effect on 25th May 2018, sets out the principles and practices which we must adopt when handling any personal data associated with research participants.
This document is Knowledge Partnership’s Privacy Information Notice and it explains how we comply with GDPR in terms of using the information that we collect from research participants, and who we share this information with. It also explains the rights of research participants in relation to our processing of their personal data.
GDPR Principles
When processing the personal data of research participants, we will apply the following principles:
- - Personal data will be processed lawfully, fairly and in a transparent manner
- - Personal data will only be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- - Personal data that is processed will be adequate, relevant and limited to what is necessary
- - Personal data will be accurate and, where necessary, kept up to date
- - Personal data will not be kept longer than is necessary
- - Appropriate technical and organisational measures will be put in place to guard against unauthorised or unlawful processing, loss, damage or destruction.
Protecting your personal information
As a supplier of market research services, we have a responsibility to all individuals who participate in our research. This responsibility extends to how we process personal data and ensure participant privacy.
- - We are members of the UK Market Research Society
- - We are registered with the UK Information Commissioner
- - We comply with the General Data Protection Regulations 2018
- - We utilise in-house IT procedures to safeguard individual’s personal data
- - We have appointed an in-house Data Protection Officer who is responsible for ensuring strict adherence to GDPR across the organisation
- - We ensure that all staff are trained in the details of data protection and the GDPR.
Information we collect
As a market research agency, we are commissioned by public bodies and private companies to collect participant information. Most of the information we collect is opinion and attitude, but some of it is also personal and identifiable such as name, address, ID number, age, gender, telephone number etc.
We use different methods to collect this information from participants such as face to face surveys, telephone surveys, online surveys and postal questionnaires. We also obtain information from group research such as workshops and focus groups.
All of the information we obtain from research participants is treated in the strictest confidence and when reporting this information, participant data is pseudonymised, (or anonymised) and aggregated so that no individual can be linked or associated with the research.
In complying with the GDPR, we only ask research participants for the minimum amount of personal data that is required to achieve the research output. For surveys and focus groups, the personal information we ask for may comprise demographic details such as age and household composition. Asking for this data allows us to gain a fuller understanding of how our client’s services are perceived by different ‘customer’ segments. We may also ask participants for identifying personal information e.g. name and phone number to allow us to carry out quality control checks on the data that has been collected. As members of the UK Market Research Society we must carry out random quality control checks to comply with the Society’s Code of Conduct for Market Research. Some of our research will include participant prize draws and for these situations, we require information such as participant name, address and telephone number to alert individuals to the fact that they have won a prize. During research projects, potential participants may also contact us with queries e.g. to be asked to be removed from sample lists, and to allow us to facilitate this and other types of request, we will record the respondent’s name and address details.
Consent and using participant information
It is important to note that we do not obtain any information from research participants without their prior consent; this consent may be asked for verbally or given in writing at the start of or during any stage of the survey activity. As part of the process of giving consent, we will clearly explain who has commissioned our research, its purpose, the type of information being asked for, who will have access to the data, how long the data will be held for, and give an assurance that the data is being collected in accordance with the UK Market Research Society Code of Conduct. Any participant can withdraw their consent at any stage of the data collection activity e.g. interview. Where we need to collect special category information e.g. health or sexual orientation from participants, we will request an additional consent at this stage of the survey. We will not obtain information from any person aged under 16 years of age without first obtaining consent from a parent or responsible adult.
Any information collected from participants is only used for research purposes. We will never sell, rent or share participant’s personal information with any party. We will supply the information we obtain from participants to our clients e.g. a public body or business, but only in aggregated form e.g. statistics. All personally identifiable information is removed from any data we supply to our customers. The only exception to this is where a participant has consented (specifically requested) that their personal information is supplied to the customer e.g. for the purpose of re-contact.
We will provide participants with a unique consent statement for each project that we carry out as the nature of consent may vary from project to project.
Legal basis for processing
Under the terms of the GDPR, we require a basis for processing the personal information supplied to us by research participants. In relation to the work we do, there are two basis for processing participant’s information. The first is consent which as discussed above, is the process of respondents agreeing to take part in research once they are fully informed of the terms of this participation. The second legal basis for our processing is the ‘legitimate interest’ of our customer where the data being collected is being used in a way that individuals would reasonably expect, and where processing is unlikely to have significant impact on their privacy. Legitimate interest would for example allow your supplier to provide us with their customer database for the purpose of carrying out a survey. On a project to project basis, we will make available on request to participants, a summary of the legitimate interest basis of our data processing.
Transferring data outside of the European Economic Area
There are no circumstances under which we will transfer any participant data outside of the EEA
Securing participant data
We take appropriate measures to guard against unlawful processing or loss of any personal data supplied to us. We use the following methods for this purpose:
- - Encryption of all research data files e.g. customer sample lists that are held on local PCs, servers, or mobile data such as USBs
- - Limiting access to personal data to those staff whose role it is to process data
- - Password protecting systems access and files access
- - Physical safeguarding of the locations where data sets are held by means of alarms, and locked premises/files
- - Where contractors have access to data, having contracts in place that require personal information to be kept confidential
- - Anonymisation or pseudonymisation of data so that cross matching with identifiable information (personal data) becomes impossible or requires access to special, password protected codes.
In addition, we train and update our employees on our privacy rules and emphasise the important of complying with these rules at all times. Employees of the company must also sign a Confidentially Agreement which compels them to keep all project data and personal data confidential.
Retention of personal data
We only retain personal information for as long as necessary which is typically 2 months after the completion of our research report. The duration of this period will be communicated to participants as part of the research consent.
The rights of research participants
Research participants have specific rights in relation to any personal information they provide to us by way of surveys, focus groups etc. These rights are as follows:
- - The right to know about any personal information that we hold about them, together with information on how we have processed that information
- - The right to request that any personal information we hold about them is correct and up to date
- - The right to request that any personal data we hold about them be deleted
- - The right to request that we no longer process personal information about them
- - The right to request that any personal data we hold be provided in a machine-readable format
- - The right, at any time, to withdraw consent to process their personal information.