MRS

Search Site Map A-Z Directory Contact Us Home


What's New Membership Company Partner Service Awards
Members' Area Professional Standards Qualifications Training
Events Networking Publications Media Info Market Research


 

Standards & Guidelines

Guidelines Complaints Products & Services Activities People




Data protection and privacy issues


Data protection: some key points

  • Treat the personal data in the manner described to the respondent.
  • Always get permission for personal data usage.
  • Always get permission to transfer personal data to a 'third party'.

Privacy and electronic communications: some key points

  • Only relevant for commercial communications ie marketing not market research.
  • No unsolicited emails or SMS can be sent without prior consent.
  • There are exemptions for existing relationships.


Find out more

A Basic Guide to the Data Protection Act 1998 (PDF 223KB, PDF Help)
(Word format, 124KB)
Updated October 2002

The Data Protection Act 1998 and Market Research: Guidance for MRS Members (PDF 302KB, PDF Help)
(Word format, 230KB)
Updated September 2003

Data Protection Act 1998 - Who's Who? (PDF 31KB, PDF Help)
(Word format, 107KB)
January 2006

Data Protection Act 1998: Guidelines for Social Research (PDF 175KB, PDF Help)
(Word format, 667KB)
Published by MRS and SRA, October 2005

Data Protection Categories (PDF 117KB, PDF Help)
(Word format, 97KB)
Updated October 2002

Freedom of Information Act 2000: Guidance (PDF 54KB, PDF Help)
(Word format, 126KB)
January 2006

Guidance on the Privacy and Electronic Communications Regulations 2003 (PDF 100KB, PDF Help)
(Word format, 93KB)
Published September 2003

Market Research Processes and the Data Protection Act 1998 (PDF 89KB, PDF Help)
(Word format, 163KB)
Published by MRS and BMRA, October 2002

Market Research Processes (Client) and the Data Protection Act (DPA) 1998 (PDF 103KB, PDF Help)
(Word format, 209KB)
Published by MRS and AURA, January 2004

This material is provided for information only. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to specific issues.

See also:


Presentation Series: The Data Protection Act 1998

This Powerpoint presentation covers issues such as whether your recruiters need to register with the Information Commissioner's Office and how the DPA 98 affects recorded interviews. The presentation costs £50+VAT for each copy. To order a copy please use the order form (PDF 20KB, PDF Help).


Freedom of Information

A series of frequently asked questions on the Freedom of Information Act.


Monitoring interviews

Some frequently asked questions on RIPA 2000 (The Regulation of Investigatory Powers Act 2000).

Frequently asked questions

Question An agency has recommended in a proposal to a client that the most appropriate sampling frame would be the client customer database. The client is concerned about the position under the Data Protection Act 1998.

Answer The client needs to ensure that their notification (registration) with the Information Commissioner concerning the use of the data covers market research purposes. If this is not the case then the notification will need to be amended. If the client's notification includes market research, then there should be no problem. The notification register can be checked on the Information Commissioner's website at www.informationcommissioner.gov.uk.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: 4.1.

Question My client has asked that at the end of respondent interviews, specific information be captured so that they can update their databases. The client is only asking for bland data such as occupation. Is this OK?

Answer Updating a customer database is an important activity for any data controller to do on a regular basis but this is not market research. In any case, the client should be updating all of their database and not just the small proportion of those sampled as research respondents. If the client wishes to continue with this approach the project must be positioned as a mixed purpose exercise ie market research and database building, making it clear to the respondents how the data is to be used.
See: MRS Code of Conduct: Rule B48 and separate regulations Using Research Techniques for Non-research Purposes

Question Agency A has been bought by Agency B. Agency B now want to combine the personal data held by Agency A for running a panel of adults with their own access panel and use these additional respondents for generating future samples for other surveys. Does this have any data protection implications?

Answer Agency B will need to contact each person on Agency A's panel and ask their permission to use their data as part of the access panel. Only those who give their consent can be used. Non-response cannot be treated as implied consent.

Question My agency has conducted a survey for a client who supplied the database from which the sample of respondents was drawn. The client now wishes to invite all respondents to a big 'thank you' event and is upset because I will not tell him which of the database contacts were respondents in order to invite them. The client says it is ridiculous that he cannot have the respondents' names from his own database, even though I have offered to thank the respondents on his behalf.

Answer The client may only wish to say thank you but whatever the purpose, the client cannot have respondent details without the respondents' consent.

Question I'm conducting a business to business survey with respondents drawn from an industry list provided by the client. In order to validate the industrial profile of the companies interviewed, the client would like the names of the companies contacted (but not the names of the respondents). Is this OK?

Answer Providing the names of companies contacted, but not respondents within the companies, is permitted for validation purposes as long as the respondent is neither directly nor indirectly identified. This will depend on the job title of the respondent, e.g. if all respondents were managing directors then the name of the company could not be identified as to do so would indirectly identify the respondent.
See: Draft Business to Business Guidelines: section 2

Question Can a loyalty card database be used for sampling purposes where cardholders have given their permission for the data to be used for marketing purposes but with no specific mention of market research.

Answer If cardholders have given this permission then there is no problem in using the details for market research purpose, as long as this is a notified use of the database. Opt out/in conditions do not have to legally include market research, so you will only need to check these if the client who runs the loyalty card scheme has decided to include market research in the conditions.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: categories section.

Question A shopping centre client has a popular website, which it wishes to use to find out more about customers and non-customers, eventually going on to build a marketing database, can my client do this?

Answer In view of the difficulty of obtaining a statistically valid sample and the eventual desire to build a database, this should be positioned from the start as a marketing rather than market research exercise - giving interesting but not necessarily representative results.
See: MRS Code of Conduct: Rule B48 and separate regulations Using Research Techniques for Non-research Purposes

Question I conduct 'business to business' research. Is data on organisations or their employees covered by the 1998 Act in the context of market research?

Answer Under the Data Protection Act 1998 the definition of 'individuals' includes sole traders and partnerships in England and Wales, and sole traders in Scotland. Therefore all the rights available to individuals will be available to business organisations of this type. In addition most business data collected during a survey will include personal opinions from the respondents and as such will be defined as personal data (irrespective of the type of organisation). A simple test is whether, if the job holder changes, the data (other than the individual's name) will change in any way. If it does the Data Protection Act 1998 is likely to apply. This would also apply to databases/sampling frames that contain details of individuals. Employee data is covered by the Data Protection Act 1998. The Information Commissioners Office has produced a specific code to cover this issue see www.informationcommissioner.gov.uk.
See: Draft Business to Business Guidelines: introduction.

Question Is it acceptable to ask additional questions for non-research purposes (ie database building) at the end of a market research survey?

Answer This would be unacceptable under the MRS Code of Conduct. The whole project would need to be undertaken as a mixed purpose project and not positioned as 'classic' market research. Respondents would also need to have consented to this additional purpose and have the opportunity to opt-out.
See: MRS Code of Conduct: Rule B48 and separate regulations Using Research Techniques for Non-research Purposes

Question A client has requested details of respondent's names and address details to use for profiling purposes. Can this request be met?

Answer If the information is passed back (eg to an in-house market research department) for use solely for research purposes, then this would be acceptable with the consent of the respondent. However, if used for non-research purposes, then this would be unacceptable if positioned as a market research project. It would be acceptable if the data were provided in a form that did not enable individuals to be identified - eg by out-bound postcode level (ie the average of fifteen households in the out bound section of the postcode, the 9RY in the following example - RG18 9RY). The data can only be used for the purposes for which it was collected and for which respondents have consented.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: categories section.
See: a detailed description of the postcode breakdown can be found in the document Postcode Format (PDF 9KB, PDF Help).

Question A client has asked an agency conducting a survey on their behalf using a client supplied database extract as a sampling frame if it will feedback updates of wrong names, addresses, telephone numbers and any other amendments. The agency is concerned about the legality of using a market research survey opportunity to help clean-up a client database.

Answer Whilst database cleaning is not compatible with 'classic' market research, the agency may provide certain amendments to the data controller for the database extract (the client) - limited to feedback on instances where the named person was either no longer living at the address given but not where they have moved to or had died. The Data Controller ie the client has an obligation under the 1998 Act to keep their database up to date. If the agency finds lots of incorrect records they should advise the client to conduct a separate data cleansing exercise.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: categories section.

Question A client has asked for feedback from a customer satisfaction survey in two ways. Firstly, they want the names and addresses of all those interviewed, or who refused to be interviewed, so they can mark the database to prevent over researching of their customers; secondly they want to be able to follow-up instances where the service was deemed by the respondent to have been unsatisfactory.

Answer The first request can be met under the rules for 'classic' research provided that the client undertakes to use the information solely for that purpose. The second request can only be met under 'classic' research rules in cases where the respondent himself has consented to the information about a service experience being passed back to the client specifically for the purpose of enabling the case to be investigated, and this feedback must be separated from the data collected in the survey.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: categories section.

Question A sample provided by a client from their customer database was found to be full of errors when contact was attempted with individuals. Can I provide the amended information back to the client?

Answer All you can do is notify to the client instances where the customer was no longer at an address or had died. The best course of action is to discuss the general issues with the client as in their capacity as data controller of the database they are probably breaching the fourth principle of the 1998 Act (keeping personal data accurate and up to date).
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: categories section.

Question I'm recruiting respondents from a client-supplied list of benefit claimants. Some of the details on the list turn out to be inaccurate or false and the client is insisting on being notified of which entries are incorrect. I'm unhappy about this. What should I do?

Answer Information about incorrect addresses and deaths can be passed back but the correct addresses can only be supplied with the express permission of the respondent. In future it may be worthwhile for social researchers to include in their contracts a clause to the effect that they will not pass back any information on individuals or the lists. Equally the 4th principle of the Data Protection Act 1998 stipulates that personal data should be accurate and up to date. Therefore if a large number of inaccuracies are found the client should conduct a data cleansing exercise.
See: The Data Protection Act 1998 and Market Research: Guidance for MRS Members: category 2.

 

Client's rights to research data

Question Can I send my client full respondent postcodes?

Answer It depends on the respondent's address. If they live in a rural area where there may be only a few homes in the area you could only give the first set of characters of the postcode. This is because these reference the area, anything more provides information on the particular sector where the home is situated and it is possible in rural areas for there to be only one home in a sector, and thus a respondent may be identified. If the home is situated in a town or city then it would be possible to provide the first set of characters plus one from the second set of characters. A detailed description of the postcode breakdown can be found in the document Postcode Format (PDF 9KB, PDF Help).

Question Can we include video-clips from consumer group discussions in agency presentations to clients and for their further use on the client's internal network?

Answer Video-clips from group discussions can be shown to clients as long as written permission for such clearly specified uses has been given by each respondent in the groups before the video recording begins. If they were to be used later on the client's internal network/intranet then permission for that would have to be sought as well, but this permission must be sought prior to or at the time of interview and not post the event unless you have permission to re-contact the respondent to gain additional consent. The agency should at the same time obtain written assurance from the client that the use of such video-clips would be limited to the uses specified to respondents.

Question An agency conducted Internet groups for a client who now wants respondent names in order to track their future website use. The client believes that seeking consent from respondents might change their web behaviour, as they would be aware that they were being monitored. Can they proceed without consent?

Answer As you would be collecting personal data without the consent of the respondent you would be in breach of the Data Protection Act 1998 as you would be using the data for purposes that the respondent is not aware of, hence in breach of the 1st data protection principle regarding fair processing. Data must only be used for the purposes stated at the time of the recruitment and research.

Question A number of group discussions on customer service were conducted by an agency in viewing facilities and the client has now requested copies of the video tapes to use for internal training purposes. Can this request be met?

Answer If the study was positioned as market research and not 'market research with a training element' then it would not be possible to fulfil the client's request. This is an example of a mixed purpose project (for more information on a mixed purpose project please see the Data Protection Guidelines). These can be carried out by researchers, however during such projects no reference can be made to the MRS IID cards or the Freephone service as to do so would confuse the respondents and lead to associating market research with other activities. Respondent's permission must be sought before any personal details are passed on to a third party and the purposes for which the data will be used must be consistent with the consent gained from the respondent.


Record retention

Question How long should tapes and questionnaires be kept for?

Answer As the Data Protection Act 1998 does not specify data retention, it should form part of a contract between the research supplier and the client. The key issue is that data is kept securely whilst in an supplier's care and only kept for a reasonable length of time. You should be aware that respondents have the right of access to any identifiable personal data held.

Question How should I destroy records, can they be put in the bin?

Answer Whether recorded data or paper based questionnaires, all personal data must be destroyed confidentially. This may mean confidential shredding for paper questionnaires and wiping tapes clear. All personal data must be kept securely before it is destroyed.

See also Frequently asked questions: Telephone Preference Service

 

Reporting of adverse medical events

Question Can adverse medical events be reported to a client where they are revealed in the course of a research project?

AnswerThe answer to this question will depend on a number of factors:

  • Is the project designed to seek out these adverse events?
  • Will the respondent have to be re-contacted for further interview on this point?
  • What detail of reporting does the client require?
  • Are the patient’s personal data required?

If one of the purposes is to identify adverse events for reporting to regulatory authorities, then this would have to be stated in the introduction to the interview. Any further interview would require the asking of a re-contact question. Under MRS rules, the respondent must be told who will be making re-contact. In the present case it would probably be the client.

Question Do the rules differ where the respondent is (a) a doctor and (b) a patient?

AnswerIf the project is with a doctor and it is known that they may refer to adverse events, researchers should :

  • ask for permission for the client to see their answers
  • ask for permission for the client to contact the doctor if they have any queries arising from their answers.

The client would then be able to discuss the adverse event directly with the doctor, though the doctor could not reveal the identity of the particular patient. If the project is with a patient, then researchers should be aware that personal data relating to a physical or mental condition is sensitive personal data. Sensitive personal data can only be only processed with the express permission of the data subject.

If the client requires information for reporting to regulatory authorities then:

  • the respondent must be told each of the purposes for which their data will be processed ( research and regulation)
  • ask for permission for the client to be passed the answers
  • ask for permission for the client to re-contact the respondent in relation to any adverse events.

 

Your query not answered? Contact Codeline
 

  GUIDELINES COMPLAINTS    PRODUCTS & SERVICES    ACTIVITIES    PEOPLE 


What's New - Membership - Company Partner Service - Members' Area - Code/Guidelines - Qualifications - Training - Awards
Events - Networking - Publications - Media Info - Market Research - Search - Site Map - A-Z Directory - Contact Us - Home

© Copyright 2008 MRS - Privacy Statement - Terms and Conditions - Legal Information