IQCS AGM November 2009: IQCS Data Protection Workshop, 12th November 2009



Agenda

David Evans, Information Commissioner’s Office

Overview of International data protection

Workshop / Answers

Information sources


International transfer

European Economic Area

EU Members

Austria

Belgium

Denmark

Finland

France

Germany

Greece

Ireland

Italy

Luxembourg

Netherlands

Portugal

Spain

Sweden

UK

Cyprus

Czech Republic

Estonia

Hungary

Lithuania

Latvia

Malta

Poland

Slovakia

Slovenia

EEA is the EU plus:

Iceland

Norway

Liechtenstein


International transfer

Other mechanisms

Argentina

Hungary

Canada

Guernsey

Isle of Man

Switzerland

US Safe Harbor

Binding Corporate Rules (BCR)

Australia / Japan - pending

Model Contracts / Binding Corporate Rules

Israel under consideration as is Andorra, followed by New Zealand and Uruguay


US Safe Harbor

http://www.export.gov/safeharbor/

Notice

Choice

Onward Transfer

Access

Security

Data Integrity

Enforcement


Binding Corporate Rules

Multinational companies transferring personal data from the EEA to their affiliates

Choose a Data Protection Authority (DPA) – the EU country where HO is based

Approval from the DPA BCR

Safeguarding personal data across the organisation

Provides a framework for a variety of inter-group transfers


Model Contract

Data Importer

Data Subjects

Purpose of transfer

Categories of data (sensitive data)

Recipients

Storage limit

Purpose limitation

Data quality and proportionality

Transparency

Security and Confidentiality

Rights of access, rectification, erasure, and blocking of data

Restrictions on onward transfers

Encryption, e.g., if sensitive personal data

Direct marketing

Automated individual decisions


Transfer – issues arising

Client contracts restricting transfer outside of the EEA

Client contracts restricting transfer outside of the UK!

Security of the actual transfer

Contractual issues – have you got one?

Security of the receiving party – have you checked?

Prove it!

Is there a transfer?


Country specific peculiarities

Germany

cannot ask for the respondent’s consent to pass details back to the client

cannot ask for the respondent’s consent to be re-contacted

ADM have a centralised “do not call for market research” list which members of the ADM are supposed to clean sample files against

Call Line ID requirements for all calls

the phone is not permitted to ring for less than 20 seconds and the contact attempt must be terminated after 40 seconds

Data losses required to be reported

It’s not just legal issues, but local industry guidelines that matter


Country specific peculiarities

Italy – companies have the same protection under data protection as individuals

Sweden – for healthcare research with medical professionals the respondents must first invite the interviewer to call them

US Maine— The Marketing Research Association is lobbying to exempt research from a law in Maine that prohibits the sale or transfer of personal data about state residents under the age of 18.

UK— Ofcom has tweaked its rules around silent calls to give businesses more time to present homeowners with a recorded information message if an operator is not available when a cold call is made.

US— Almost one third of physicians say they will be put off participating in market research studies if a law is passed requiring them to disclose all survey incentives worth more than $20 from drug or medical device companies.

What other examples do you have? Let’s share that information.


Common problems

MRS Revisions - re-contact question is too general

Re-contact question wasn’t asked

Incentives processed by a third party or a client

Updating client databases – contact details

Adverse Event reporting and doctors’ privacy

Lack of onward compliance between you and third parties

Contractual restrictions on transfer outside of UK /EU

The human element – data disclosure!

There are many other common issues that we are all facing today; I hope these are covered in the workshop session.

Please raise anything you would like to discuss.


Workshop

In the following scenarios, identify the key data protection issues that arise and list the actions that need to be taken by all concerned to ensure that data protection requirements are met.


Scenario 1

Energy UK has commissioned ABC Research to undertake a quantitative face-to-face survey

Sample – customers and lapsed customers

ABC Research has commissioned Fieldwork Unlimited to conduct the in-home interviews

Results will be shared with Mobiles Connect, a third party partner of Energy UK

Pre-screen sample file against Mobiles Connect customer database

Paper-based survey

ABC has commissioned Coding & Analysis Services in the UK and Mumbai to do the data processing


Scenario 2

Freelance qualitative research recruiter

Holding completed recruitment questionnaires at home

Holding details of respondents – notebooks, index cards, database


Scenario 3

US based international client

Commissioned Research The Globe Ltd, based in London, to do customer satisfaction with PC owners across small and large companies across Europe

Client provided sample (individuals and business, but not always clear which)

Client wants to re-interview some key respondents

Client wants dissatisfied customers identified and traced back to the European service database holding their details – specifically UK, Germany and France.

All interviewing will be conducted from the UK

Client wants to remotely monitor some of the interviews


Scenario 4

Central Bank briefed QMR and Co to undertake a programme of group discussions about internet banking

QMR want to commission another company to recruit respondents and hold groups in centralised viewing facilities.

Groups recruited from customer list. Client will attend group. Client requesting recordings. Client wants to remain anonymous.


Scenarios

Points to consider


Scenario 1 Points to consider

What does the contract from Energy UK require (have you got one?) in terms of use of data, security, transfer, etc.?

Details on destruction and return of sample should be understood

Has Energy UK notified Research as a purpose with ICO?

Does Energy UK have permission from customers to disclose personal data to Mobiles Connect?

How does the transfer take place?

Is there any agreement to prevent the personal information being used for purposes other than screening by Mobiles Connect?

What contracts are in place with the fieldwork and data processing agencies?

Results shared by Energy UK should be limited to de-personalised data unless consent has been obtained

What else…


Scenario 1 Points to consider

There needs to be a written contract with Fieldwork Unlimited and Coding & Analysis Services as data processors – including any possible processing by C&AS in Mumbai.

Data security is a key issue, plus ensuring that interviewers do not use the client’s customer details for other purposes.

If asked, interviewers must provide respondents with the source of the contact details.

Feedback on “goneaways” must not include new addresses.

Complaints can be fed back – but the client must not use this information for any purpose other than resolving complaints.

The client needs to provide a contact that will deal with these issues.

Outcome of calls can only identify numbers used, not whether they are refusals or not, unless you have consent.


Scenario 2 Points to consider

If recruiters develop lists of potential respondents, then they will become data controllers and need to adhere to all the principles of the 1998 Act (including Notification and identifying purposes).

Recruiters need to be fully trained in data privacy issues.

Each project briefing needs to include coverage of any DP related factors.

Contracts throughout the research process need to include specific references to handling client owned data – responsibilities for security (and what is necessary); not using the information for other purposes (list building, etc.); destruction or return of samples.

Interviewers need to keep personal data secure (to specified standards – the client may be responsible for any breaches) and need advice and guidance on this.


Scenario 3 Points to consider

USA based company needs to adhere to European legislation (Directive and at national levels) when dealing with EU domiciled customers.

Ensuring that the clients’ European databases are notified, and include market research as a purpose.

The legislation only covers living individuals. Interviews if solely concerned with role rather than person will not be covered (except in Italy).

The client’s identity must be disclosed at some point in the interview if a respondent asks.

If personal data drawn from the survey is to be used for other purposes, such as enhancing a database, then it will be a regulations for non-research categories must be considered.

If this does become a “mixed” project, then the sample files must be screened firstly to exclude all opt-outs for marketing on the customer file, and secondly against Preference Service files (TPS in the UK).

Can’t re-interview for the German market unless it’s carried out as a non-research activity.

What else………


Scenario 3 – Points to consider

Transfer of personal data to the USA must conform to one of the required mechanisms – this may need the respondents’ permission within the interview (and for each purpose).

If re-interviews are likely, then this needs to be built into the first interview. It would be better to ask all respondents.

Dissatisfactions could be passed back to the client, but any transfers of data outside of the EEA (e.g., to the USA) must conform to the necessary mechanisms, and may require consent. The client must only use the data for that specific purpose and no other.

The link with Phoenix for monitoring interviews needs to be for confidential survey research purposes only and these conversations should not be recorded in any way. Respondents would need to be advised first and have consented.


Scenario 4 – Points to consider

Advising respondents about any recording of the proceedings when recruiting, and about the presence of observers.

Normally, bank customers have been asked to opt-in or out of activities such as marketing under the banking code of practice. Whilst there is no requirement to screen out these customers (apart from Category 6 projects), in certain types of research it might be beneficial in terms of customer goodwill to screen out such customers.

Recruiters must be clearly briefed about returning/destroying sample data, and about not misusing the information for other purposes (list building).

The name of the client company must be disclosed at some point in the research process (recruitment or group discussion) if respondents request the source of the contact details.

What else…….


Scenario 4 – Points to consider

Agencies should produce a guideline for those observing group discussions as best practice.

If tapes are supplied then it is preferable if they are de-personalised – in any event, the client must understand that they are provided solely for market research purposes. Usage in any other way (e.g., training sessions, sales conferences, etc.) would break the law (unless Category 6 projects).

Particular care is needed in B2B qualitative research where it is more likely that respondents can be recognized (perhaps by their opinions, voice, etc.) by client people observing groups, viewing tapes or reading transcripts.


Information sources

Information Commissioner’s Office: http://www.ico.gov.uk/

MRS Frequently Asked Questions / Codeline: http://www.mrs.org.uk/standards/faqs.htm

DataGuidance, email alerts and a global data protection and privacy compliance platform: http://www.dataguidance.com/

Privacy and Data Protection (PDP) – journal and email: http://www.pdpjournals.com/privacy_data_protection/

Dechert Legal Update - email: http://www.dechert.com/practiceareas/practiceareas.jsp?pg=legal_update&pa_id=39&pn=1


IQCS Annual General Meeting

2009

Thank you for coming