This Policy sets out the obligations of The Nest Research Ltd (“we”, “us”, “our”, “the Company”) regarding data protection and the rights of consumers, customers and business contacts (“data subjects”) in respect of their personal data under the Data Protection Act 2018.
The procedures set out in this Policy must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Data Protection Officer is responsible for ensuring implementation and compliance with the requirements of the Data Protection Act 2018 and this Policy. That role is held by Chloe Fowler (Tel: 07771 610 765, Email: chloe@thenestresearch.co.uk). Any questions or concerns about this Policy should be referred in the first instance to the Data Protection Officer.
Our commitment to data protection
The Nest Research takes the issues of data protection and information security very seriously. We are committed not only to the letter of the law, but also to the spirit of the law. We place high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals we work with.
The Nest Research is registered with the Information Commissioner’s Office as a data controller (registration reference ZA772199).
We abide by the requirements of the Data Protection Act 2018 and by professional codes of conduct established by the Market Research Society (MRS) and by the Association of Qualitative Researchers (AQR).
DEFINITIONS
Data is information which is stored electronically on a computer, telephone, voice recorder or other device, or in the cloud, or in paper-based filing systems.
Data subjects for the purposes of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal data.
Personal data is data which relates to a living individual who can be identified from that data (or from that data and other information in our possession, or which is likely to come into our possession). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal).
Special category data (or sensitive personal data) includes information about the data subject’s racial or ethnic origin; their political opinions; their religious or similar beliefs; trade union membership; their physical or mental health condition; their sexual life; their genetics; their biometrics (if used for ID purposes); the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, usually with the express consent of the data subject.
Data controllers are the people or organisations that determine the purposes for which, and the manner in which, any personal data is processed.
Data users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
The information we collect
The Nest Research is a market research agency. We conduct qualitative and quantitative research on behalf of our clients. As part of our business activities, we will collect, store and process personal information about consumers and customers of our clients. This data can be collected directly from data subjects or obtained from third parties.
Research data
We conduct qualitative research to explore consumer opinions in detail, in both face-to-face sessions (group and individual) and in online communities and forums. As part of this, we collect personal data during the screening and interviewing processes. Our quantitative survey work involves the sizing and validation of personal level data in large scale surveys, where we collect responses from the general public. This data is aggregated and anonymised, and not attributable to an individual respondent; this type of data therefore does not count as personal data.
Client supplied customer data
We are occasionally required to use client supplied customer data to identify and reach eligible research sample for both qualitative and quantitative research projects. This typically includes customer name and contact details, and occasionally previous purchase behaviours/identified relationship with the client. We use third party recruitment agencies to process this personal data for screening and recruitment. In these cases, an agreement on data processing is concluded with each agency.
Information about our clients
We collect, store and process personal information about our clients, typically in the form of name, job title, email addresses, telephone numbers.
Information about our employees
For our staff, the types of information that we may be required to handle include details of current, past and prospective employees, address and telephone number, and bank account details for payment of salary. This information, which may be held on paper or on computer, is subject to certain safeguards specified in the Data Protection Act 1998 (“the Act”). The Act imposes restrictions on how we may use that information.
Regardless of the source and type of personal data, we will:
- only use and process personal data for purposes that we have informed individuals about and obtained consent for;
- always be transparent about the personal data we collect and how we use it; and
- always store and transfer personal data securely.
Data protection principles
When processing personal data, we comply with the principles set out in the Data Protection Act 2018. According to the Data Protection Act 2018, all personal data must be:
- Processed lawfully, fairly, and in a transparent manner. Data subjects should be kept informed at all times of the purpose(s) for which their personal data will be used.
- Collected for specified, explicit, and legitimate purposes only. In limited circumstances, personal data may also be further processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- Adequate, relevant, and limited to what is necessary for the purposes for which data is processed.
- Accurate and, where necessary, up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.
- Kept only for as long as is necessary for the purpose(s) for which that personal data was originally collected, held and processed. All such retention is fully compliant with the requirements of the Data Protection Act 2018.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Your rights
The Data Protection Act 2018 sets out the following rights applicable to data subjects:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (also known as the ‘right to be forgotten’);
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights with respect to automated decision-making and profiling.
Keeping you informed
Whenever we collect personal information directly from data subjects, we inform them of its purpose at the time of collection through our Notices and Privacy Policy. Where personal data is obtained from a third party, the data subject will be informed of the purpose when communication is first made, before the data is transferred to us, or as soon as reasonably possible after the personal data is obtained (whichever is most relevant to the purpose).
This Data Protection Policy, our Privacy Policy and our Data Retention Policy provide full information about your rights and our responsibilities under the Data Protection Act 2018.
Subject access requests
Any individual whose data is held by The Nest Research may make a subject access request (“SAR”) at any time to find out more about the personal data we hold about them, what we are doing with that personal data, and why. All requests must be made in writing to the Data Protection Officer, at The Nest Research, 1 Brides Place, De Beauvoir Road, London, N1 5AW. Any member of staff who receives a written request should forward it to the Data Protection Officer immediately.
Responses to SARs will normally be made within one month of receipt; however, this may be extended if the SAR is complex and/or numerous requests are made. We will inform the data subject if we need more time to respond to the request.
We do not charge a fee for the handling of SARs. We reserve the right to charge reasonable fees for additional copies of information that have already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
Rectification of your personal data
Data subjects have the right to require us to rectify any of their personal data that is inaccurate or incomplete. In such instances, we will rectify the data in question, and inform the data subject of the rectification, within one month of the data subject informing us of the issue. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.
If any affected personal data has been disclosed to third parties, they shall be informed of any rectification that must be made.
Erasure of your personal data
Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) when:
- Personal data is no longer required for the purpose for which it was originally collected and processed;
- They withdraw their consent;
- They object to the processing of their personal data, and we have no overriding legitimate interest;
- Personal data is processed unlawfully (i.e. in breach of the Data Protection Act 2018);
- Personal data has to be erased to comply with a legal obligation.
Unless we have reasonable grounds to refuse the request, all requests for erasure will be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.
If any personal data that is requested to be erased has been disclosed to third parties, they shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Restriction of personal data processing
Data subjects may request that we cease processing the personal data we hold about them. If a data subject makes such a request, we will retain only the amount of personal data concerning that data subject that is necessary to ensure that the personal data in question is not processed further.
If any affected personal data has been disclosed to third parties, they shall be informed of the applicable restrictions (unless it is impossible or would require disproportionate effort to do so).
Objections to personal data processing
Data subjects have the right to object to us processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
If a data subject objects to our processing their personal data based on our legitimate interests, we shall cease such processing immediately, unless it can be demonstrated that our legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where a data subject objects to our processing of their personal data for direct marketing purposes, we shall cease such processing immediately.
Data retention
When personal data is no longer required (either upon the expiry of stated data retention periods, or when a data subject exercises their right to have their personal data erased), all reasonable steps will be taken to erase or otherwise dispose of it without delay.
For full details of our approach to data retention, including retention periods for specific types of personal data, please refer to our Data Retention Policy.
Data security
We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Data security — transferring and handling personal data
We ensure the following measures are taken with respect to all communications and other transfers involving personal data:
- All emails containing personal data are password protected and marked ‘confidential’;
- Personal data is transmitted over secure networks only;
- Personal data contained in the body of an email, whether sent or received, is copied from the body of the email and stored securely. The email and associated temporary files are deleted;
- Where personal data is to be transferred in hardcopy form it is passed directly to the recipient, or sent via a reputable delivery firm using a tracked and signed-for delivery service;
- All personal data is handled with care at all times. It is never left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time, whether in physical hardcopy (i.e. on paper) or viewed electronically (i.e. on a computer screen).
Data security — storage
We ensure that the following measures are taken with respect to the storage of personal data:
- All electronic copies of personal data are stored securely using password protection.
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media, are stored securely in a locked box, drawer, cabinet, or similar;
- All personal data stored electronically is backed up three times a day, with backups stored securely off-site. All backups should be encrypted [using 256-bit encryption and re-encrypted at rest];
- No personal data is stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones). When it is unavoidable, storage is strictly in accordance with all instructions and limitations above, and for no longer than is absolutely necessary; and
- No personal data is transferred to any device personally belonging to an employee. Personal data may only be transferred to devices belonging to agents, contractors, or other parties working on our behalf when the party in question is fully compliant with the letter and spirit of this Policy and of the Data Protection Act 2018 (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
Data security — IT security
We ensure that the following measures are taken with respect to IT and information security:
- All passwords used to protect personal data are changed regularly and do not use words or phrases that can be easily guessed or otherwise compromised;
- Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on our behalf.
- All software (including, but not limited to, applications and operating systems) is kept up-to-date. Any and all security-related updates are installed as soon as reasonably and practically possible after the updates are made available by the publisher or manufacturer.
Data security — disposal
- When any personal data is to be erased for any reason, it is securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to our Data Retention Policy.
Organisational measures
All employees are fully trained and supervised to ensure their compliance with the Policy (i.e. via spot checks). They are reminded to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise. Employees will only have access to, and use of, personal data when required to carry out their assigned duties.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Data Protection Act 2018 and this Policy. Where any agent, contractor or other party working on behalf of The Nest Research handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Transferring personal data to a country outside the EEA
From time to time we may transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. If we do transfer data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the Data Protection Act 2018. This could include (but is not restricted to) asking for your informed consent, or determining that the transfer is to a country (or international organisation) that the European Commission has determined ensures an adequate level of protection for personal data.
Data protection impact assessments
We will carry out data protection impact assessments for new projects or new uses of personal data that involve the use of new approaches, technologies and/or third-party suppliers, where the processing involved is likely to be high risk in terms of the rights and freedoms of data subjects under the Data Protection Act 2018. Data protection impact assessments will be overseen by the Data Protection Officer.
Data breach notification
All personal data breaches must be reported immediately to the Data Protection Officer.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described above) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Implementation of policy
This policy is in effect as of July 2020. No part of this Policy shall have a retroactive effect, and it shall thus apply only to matters occurring on or after this date.