Navigating the Data Protection Minefield - PowerPoint PPT Presentation

Provided by: debrahh

Transcript and Presenter's Notes

Title: Navigating the Data Protection Minefield


1
Navigating the Data Protection Minefield
  • Debrah Harding
  • MRS Director, Standards Policy

2
Agenda
  • Introduction to the Act
  • How the Act affects market research
  • Data Protection Checklist
  • Questions

3
Introduction to the DPA
  • Came into force in October 2001
  • Covers all data collection and processing methods
    including audio, video, computers, CATI, CCTV
    etc.
  • Awareness required for all those processing personal
    data

4
Key Definitions
  • Personal Data: any information relating to an
    identifiable, living person
  • Processing: obtaining, recording, holding,
    transferring, altering, retrieval etc.
  • Data Subject: a living, individual, natural person about whom
    data is held

5
Key Definitions
  • Data Controller: a legal or living person that
    determines the purposes for which, and the manner
    in which, personal data will be processed
  • Notification: requirement for data controllers to
    register with the Information Commissioner about
    the classes of personal data held

6
Data Controllers
  • Data controllers have prime responsibility
  • Clients with customer databases = data controllers

7
Data Controllers
  • Market research = data controllers when:
    • acquire rights to list
    • create databases from scratch
    • merge client-supplied lists with survey results
    • retain data that is linked to an individual
    • data collected in the name of the agency

8
Key Principles
  • Must be processed fairly and lawfully
  • Can only be used for the specified and lawful
    purposes for which it was collected
  • Shall be adequate, relevant and not excessive
  • Shall be accurate and up to date

9
Key Principles
  • Must not be kept beyond fulfilling the purpose
    for which it was collected
  • Shall be processed in accordance with the rights
    of the data subject
  • Must be kept secure
  • Shall not be transferred outside the EEA unless
    adequate precautions are in place

10
Transferring data
  • Transferring includes electronic access from
    outside the UK to data held in the UK
  • EEA (EU + Norway, Iceland and Liechtenstein) is
    okay

11
Transferring data
  • Other areas must have:
    • adequate safeguards - contractually
    • respondents' consent
    • special arrangements in place (US Safe Harbor)
    • approval from the EU
      • Hungary, Switzerland, Canada and Argentina
      • Australia, Japan and Guernsey - pending

12
Informed Consent
  • Transparency: ensuring individuals have a clear
    and unambiguous understanding of the purpose for
    collecting data and how it will be used
  • Consent: individuals consent to data being
    collected and are given the opportunity to opt out of
    any subsequent uses of the data

13
Informed Consent
  • Ensuring that it is clearly spelt out to
    respondents at the beginning of the interview
    that the information collected will only be used
    for confidential survey research purposes

14
Informed Consent - Implications
  • Permission to re-interview must be gained at the
    initial interview
  • If they ask, respondents must be told at an
    appropriate point in the interview the source
    of their details and/or the name of the data
    controller
  • Web-site privacy notice
  • Prior permission (opt-in) must be gained before
    data is transferred to another agency

15
Informed Consent - Primary Data
  • Researchers must get respondent permission before
    transferring to a third party, including:
    • to whom it will be passed
    • who will see it
    • what it will be used for

16
The Benefits
  • Gives weight to the MRS Code
  • Lends authority and professionalism
  • Establishes respondent rights as paramount
  • Informed consent should improve the quality of
    the data

17
Market Research Categories

18
Category 1
  • Classic confidential survey/market research:
    feedback only to those involved in a specific
    project; all agree to be covered by the Code;
    data only used for research purposes

19
Category 2
  • Classic research with samples drawn from client
    databases/other lists: notify where individual
    has died or is no longer at this address
    (without supplying the new address)

20
Category 3
  • Classic research with client databases used for
    sampling: feedback by agency to clients of names
    of those contacted, solely for setting "do not
    select for research" markers on their customer
    database

21
Category 4
  • Classic research with feedback on
    complaints/dissatisfaction: respondent consents
    to complaint details and name being fed back
    (all other responses remain anonymous)

22
Category 5
  • Classic research with client findings at an
    individual level to only be used for research
    purposes

23
Category 6
  • Attributable data collection projects: client
    receives some or all of the data at an individual
    level; the data is used for purposes in addition
    to or instead of research

24
Category 6 conditions
  • Respondents must give informed consent and be given
    the opportunity to opt out of any follow-up
    activities
  • Client notification must include additional purpose
  • Data must be screened (TPS, FPS etc)
  • No IID or Freephone must be used

25
Data Protection Checklist

26
Notification
  • Do I need to notify? Probably!
  • Notification helpline - 01625 545 740
  • £35 a year
  • Notify: purpose, data subjects, data classes,
    recipients of the data
  • Check the notification register - www.dpr.gov.uk

27
Data Protection Checklist
  • Everyone:
    • Do I have someone responsible for data
      protection?
    • Do my contracts or terms of business cover data
      protection?
    • Does everyone else in the organisation and among
      my clients and suppliers know what they are doing?

28
Data Protection Checklist
  • Agencies:
    • Have I notified and have I notified in full?
    • How is my data security?
    • Are my invitations, introductions, consent
      wordings, re-interview questions and so on
      adequate?

29
Data Protection Checklist
  • Clients:
    • What does the DP policy say about market
      research?
    • What am I notified for?
    • Is my database clean?

30
Other Legislation
  • Human Rights Act 1998
  • EU Directive on Privacy and Electronic
    Communications
  • Employees:
    • RIPA 2000
    • Employment Practices Data Protection Code

31
MRS Data Protection Guidelines
  • The Data Protection Act 1998 and Market Research:
    Guidance for MRS Members
  • Market Research Processes and the Data Protection
    Act (DPA) 1998
  • Basic Guide to the Data Protection Act 1998

32
MRS General Guidelines
  • All updated to include data protection
    requirements:
    • Qualitative
    • Mystery shopping
    • Employee
33
Other Guidelines
  • AEB (Alliance for Electronic Business) Website
    guidelines
  • Quality standards, e.g. ISO 17799 for security

34
Useful Websites
  • MRS - www.mrs.org.uk
  • Information Commissioner - www.dataprotection.gov.uk
  • BSI/ISO - www.bsi-global.com
  • AEB guidelines - www.out-law.com

35
Questions?