260 likes | 489 Views
IQCS Data Protection Workshop 12 th November 2009. Agenda. David Evans, Information Commissioner’s Office Overview of International data protection Workshop / Answers Information sources. European Economic Area International transfer. EU Members Austria Belgium Denmark
E N D
IQCS Data Protection Workshop 12th November 2009
Agenda • David Evans, Information Commissioner’s Office • Overview of International data protection • Workshop / Answers • Information sources
European Economic Area International transfer EU Members Austria Belgium Denmark Finland France Germany Greece Ireland Italy Luxembourg Netherlands Portugal Spain Sweden UK Cyprus Czech Republic Estonia Hungary Lithuania Latvia Malta Poland Slovakia Slovenia EEA is the EU plus: Iceland Norway Liechtenstein
International transfer Other mechanisms • Argentina • Hungary • Canada • Guernsey • Isle of Man • Switzerland • US Safe Harbor • Binding Corporate Rules (BCR) • Australia / Japan - pending • Model Contracts / Binding Corporate Rules • Israel under consideration as is Andorra, followed by New Zealand and Uruguay
US Safe Harbor • http://www.export.gov/safeharbor/ • Notice • Choice • Onward Transfer • Access • Security • Data Integrity • Enforcement
Binding Corporate Rules • Multinational companies transferring personal data from the EEA to their affiliates • Choose a Data Protection Authority (DPA) – the EU country where HO is based • Approval from the DPA • BCR Safeguarding personal data across the organisation • Provides a framework for a variety inter-group transfers
Model Contract • Purpose limitation • Data quality and proportionality • Transparency • Security and Confidentiality • Rights of access, rectification, erasure, and blocking of data • Restrictions on onward transfers • Encryption, e.g., if sensitive personal data • Direct marketing • Automated individual decisions • Data Importer • Data Subjects • Purpose of transfer • Categories of data (sensitive data) • Recipients • Storage limit
Transfer – issues arising Is there a transfer? • Client contracts restricting transfer outside of the EEA • Client contracts restricting transfer outside of the UK! • Security of the actual transfer • Contractual issues – have you got one? • Security of the receiving party – have you checked? • Prove it!
Country specific peculiarities It’s not just legal issues, but local industry guidelines that matter Germany • cannot ask the respondent consent to pass details back to the client • cannot ask the respondent consent to be re-contacted • ADM have a centralised “do not call for market research” list which members of the ADM are supposed to clean sample files against • Call Line ID requirements all calls • the phone is not permitted to ring for less than 20 seconds and the contact attempt must be terminated after 40 seconds • Data losses required to be reported
Country specific peculiarities • Italy – companies have the same protection under data protection as individuals • Sweden – for healthcare research with medical professionals the respondents must first invite the interviewer to call them • US Maine— The Marketing Research Association is lobbying to exempt research from a law in Maine that prohibits the sale or transfer of personal data about state residents under the age of 18. • UK— Ofcom has tweaked its rules around silent calls to give businesses more time to present homeowners with a recorded information message if an operator is not available when a cold call is made. • US— Almost one third of physicians say they will be put off participating in market research studies if a law is passed requiring them to disclose all survey incentives worth more than $20 from drug or medical device companies . What other examples do you have? Let’s share that information.
Common problems There are many other common issues that we are all facing today, I hope these are covered in the workshop session. • MRS Revisions - re-contact questions is too general • Re-contact question wasn’t asked • Incentives processed by a third party or a client • Updating client databases – contact details • Adverse Event reporting and doctors privacy • Lack of onward compliance between you and third parties • Contractual restrictions on transfer outside of UK /EU • The human element – data disclosure! Please raise anything you would like to discuss.
Workshop In the following scenarios, identify the key data protection issues that arise and list the actions that need to be taken by all concerned to ensure that data protection requirements are met.
Scenario 1 • Energy UK has commissioned ABC Research to undertake a quantitative face-to-face survey • Sample – customers and lapsed customers • ABC Research has commissioned Fieldwork Unlimited to conduct the in-home interviews • Results will be shared with Mobiles Connect, a third party partner of Energy UK • Pre-screen sample file against Mobiles Connect customer database • Paper-based survey • ABC has commissioned Coding & Analysis Services in the UK and Mumbai to do the data processing
Scenario 2 • Freelance qualitative research recruiter • Holding completed requirement questionnaires at home • Holding details of respondents – notebooks, index cards, database
Scenario 3 • US based international client • Commissioned Research The Globe Ltd based in London to do customer satisfaction with PC owners across same and large companies across Europe • Client provided sample (individuals and business, but not always clear which) • Client wants to re-interview some key respondents • Client wants dissatisfied customer identified and traced back to the European service database holding their details – specifically UK, Germany and France. • All interviewing will be conducted from the UK • Client wants to remotely monitor some of the interviews
Scenario 4 • Central Bank briefed QMR and Co to undertake programme of group discussions about internet banking • QMR want to commission another company to recruit respondents and hold groups in centralised viewing facilities. • Groups recruited from customer list. • Client will attend group. • Client requesting recordings. • Client wants to remain anonymous.
Scenario 1 Points to consider • What does the contract from Energy UK require (have you got one?) in terms of use of data, security, transfer, etc • Details on destruction and return of sample should be understood • Has Energy UK notified Research as a purpose with ICO • Does Energy UK have permission from customers to disclose personal data to Mobiles Connect • How does the transfer take place • Is there any agreement to prevent the personal information being used for purposes other than screening by Mobiles Connect • What contracts are in place with the fieldwork and data processing agencies • Results shared by Energy UK should be limited to de-personalised data unless consent has been obtained • What else…………….
Scenario 1 Points to consider • There needs to be a written contract with Fieldwork Unlimited and Coding & Analysis Services as data processors – including any possible processing by C&AS in Mumbai. • Data security is a key issue, plus ensuring that interviewers do not use the client’s customer details for other purposes. • If asked, interviewers must provide respondents with the source of the contact details. • Feedback on “goneaways” must not include new addresses. • Complaints can be fed back – but the client must not use this information for any purpose other than resolving complaints. • The client needs to provide a contact that will deal with these issues. • Outcome of calls can only identify numbers used, not whether they are refusals or not, unless you have consent.
Scenario 2 Points to consider • If recruiters develop lists of potential respondents, then they will become data controllers and need to adhere to all the principles of the 1998 Act (including Notification and identifying purposes). • Recruiters need to be fully trained in data privacy issues. • Each project briefing needs to include coverage of any DP related factors. • Contracts throughout the research process need to include specific references to handling client owned data – responsibilities for security (and what is necessary); not using the information for other purposes (list building, etc); destruction or return of samples. • Interviewers need to keep personal data secure (to specified standards – the client may be responsible for any breaches) and need advice and guidance on this.
Scenario 3 Points to consider • USA based company needs to adhere to European legislation (Directive and at national levels) when dealing with EU domiciled customers. • Ensuring that the clients’ European databases are notified, and include market research as a purpose. • The legislation only covers living individuals. Interviews if solely concerned with role rather than person will not be covered (except in Italy). • The client’s identity must be disclosed at some point in the interview if a respondent asks. • If personal data drawn from the survey is to be used for other purposes, such as enhancing a database, then it will be a regulations for non-research categories must be considered. • If this does become a “mixed” project, then the sample files must be screened firstly to exclude all opt-outs for marketing on the customer file, and secondly against Preference Service files (TPS in the UK). • Can’t re-interview for German market unless it’s carried out as a on-research activity. • What else………
Scenario 3 – Points to consider • Transfer of personal data to the USA must conform to one of the required mechanisms – this may need the respondents’ permission within the interview (and for each purposes). • If re-interviews are likely, then this needs to be built into the first interview. It would be better to ask all respondents. • Dissatisfactions could be passed back to the client, but any transfers of data outside of the EEA (e.g., to the USA) must conform to the necessary mechanisms, and may require consent. The client must only use the data for that specific purpose and no other. • The link with Phoenix for monitoring interviews needs to be for confidential survey research purposes only and these conversations should not be recorded in any way. Respondents would need to be advised first and have consented.
Scenario 4 – Points to consider • Advising respondents about any recording of the proceedings when recruiting, and about the presence of observers. • Normally, bank customers have been asked to opt-in or out of activities such as marketing under the banking code of practice. Whilst there is no requirement to screen out these customers (apart from Category 6 projects), in certain types of research it might be beneficial in terms of customer goodwill to screen out such customers. • Recruiters must be clearly briefed about returning/destroying sample data, and about not miss-using the information for other purposes (list building). • The name of the client company must be disclosed at some point in the research process (recruitment or group discussion) if respondents request the source of the contact details. • What else…….
Scenario 4 – Points to consider • Agencies should produce a guideline for those observing group discussions as best practice. • If tapes are supplied then it is preferable if they are de-personalised – in any event, the client must understand that they are provided solely for market research purposes. Usage in any other way (e.g., training sessions, sales conferences, etc.,) would break the law (unless Category 6 projects). • Particular care is needed in B2B qualitative research where it is more likely that respondents can be recognized (perhaps by their opinions, voice, etc.,) by client people observing groups, viewing tapes or reading transcripts.
Information sources • Information Commissioner’s Office • http://www.ico.gov.uk/ • MRS Frequently Asked Questions / Codeline • http://www.mrs.org.uk/standards/faqs.htm • DataGuidance, email alerts and a global data protection and privacy compliance platform. • http://www.dataguidance.com/ • Privacy and Data Protection (PDP) – journal and email • http://www.pdpjournals.com/privacy_data_protection/ • Dechert Legal Update - email http://www.dechert.com/practiceareas/practiceareas.jsp?pg=legal_update&pa_id=39&pn=1
IQCS Annual General Meeting 2009 Thank you for coming