Date updated: 23.7.20
Prepared by: Catherine Doran
Data privacy and security is of the utmost importance to Ruth Melville Research. We use it as part of our client- commissioned projects, often in collaboration with other parties, and we use it for our own marketing and communications. We respect the wishes of the people who provide us with personal data, and we wish to be open and transparent about how and why we process personal data. We therefore have policies which share information on how data which comes to us is processed and protected.
2. What personal data do we collect and why?
Personal information we collect may include:
- your name, title;
- date of birth;
- postal address, email address and phone number;
- current interests and activities;
- details of correspondence sent to you, or received from you;
- employment information and professional activities (in some cases)
- any other information provided by yourself at the request of Ruth Melville Research;
- gender and sexual orientation (where you choose to provide this, as survey information)
- racial or ethnic origin (where you choose to provide this, as survey information)
- health-related information (where you choose to provide this, as survey information).
Why do we collect this information?
As a research consulting company which specialises in evaluation and research development, we provide strategic insight and insight into research design and analysis to our clients within the cultural, regeneration, environment, and social inclusion sectors. We use many ways to generate this insight.
Some projects call for secondary research including, for instance, evidence and literature reviews, statistical analysis of both existing datasets and publicly available data. However, many of our projects involve primary research with businesses, visitors, audiences, practitioners, participants, and policymakers (amongst others). We capture this personal data in ways which can be in-person or online and can include:
- consultations and public meetings
- focus groups
- interviews and discussions
- online and paper surveys
In addition, we hold personal data on third party organisations and individuals and on client organisations with whom we carry out projects and communicate in the line of our work.
Lastly, we like to keep in touch with our clients and we may store some limited personal data in order to send updates via email.
Some of the data we may collect, hold and process includes certain types of ‘special category’ information. More information on how we process this can be found below.
3. Who is the Controller of your personal data?
This depends on who you are and the context in which you have provided personal data to us.
For personal data captured in relation to our own marketing and communications, RMR is the Controller of your data. This is also true if you are someone who has taken part in a public consultation with us and chosen to share personal data as a result. In addition, this would be true if you are a third party freelance worker providing research or administration support, for example, or a third party organisation with whom we work to carry out projects (for example, a University or a research consultancy).
If you are a client , or a research participant in a client-commissioned project, then when we conduct research on your behalf RMR acts instead as a Data Processor on behalf of you, our client, and you would be the Data Controller.
4. How and where is personal data stored, protected and used?
There are a number of general principles and processes that we use across all the activities for which we collect and hold personal data. In particular, these cover what we will (and will not) use your data for, how your data is protected, and how you can contact us regarding the data that we may hold on you.
Clear purposes: If we collect the personal data that you volunteer while using our services, we will specify the purposes for which your personal data will be used at the point at which it is collected. We will not collect or use your personal data for any purpose other than those indicated at the time of collection.
Protection: RMR is committed to keeping personal data safe and secure. We will maintain all necessary physical, electronic and procedural security measures to help safeguard client data and personal information.
The digital personal data that we collect is stored on a secure server in the UK. Our security measures include firewall and password protection of the server itself, using IT companies and platforms that protect our IT infrastructure from external attack and unauthorised access. The computers used to access and process personal data will be password protected and disc encrypted, protected by firewalls, and operated by RMR associates only.
Any paper-based data we collect, such as survey forms, is stored in locked filing cabinets.
Data handling protocols: We have additional internal policies setting out our data protection approach. Personal data will also be held files which require passwords within the server and on disc encrypted computers. Data will not be transferred outside the RMR team which comprises Ruth Melville and a small number of Associate researchers, and will only be available to a limited number of appropriate staff who will undertake initial processing to endure that subsequent data files do not allow any individual to be identified.
Anyone who handles personal data on behalf of RMR will have committed to an Acceptable Use policy requiring them to use security measures to ourselves with respect to personal data. This policy is available on request to CathRMResearch@gmail.com. In addition, their computers will be protected as described above.
Third party programs: Where necessary, we may also make use of third-party programs which enable data collection and for administrative organisation, for example survey platforms, email programs or event booking websites.
Where data is collected or stored by third party companies, they may have servers located in the UK, Ireland or the EU or they may use servers located in the U.S. We will use companies with servers located in the UK, Ireland or the EU where at all possible.
Any such transfer of your personal data for storage will be carried out in compliance with applicable laws. For transfers outside the EEA, RMR may use third party programs which use Standard Contractual Clauses and Privacy Shield (e.g. the EU-US Privacy Shield Program) as safeguards for countries without an ‘adequacy decision’ from the European Commission. These websites privacy policies and terms of service are also available on their own websites.
We may also sometimes take part in projects which require us to manage an email newsletter on behalf of a project we are participating as part of. In future, it is possible that we will operate our own email newsletters. We currently do this through a password protected Mailchimp account which only RMR can access. The email newsletters are only available to people who proactively opt-in and give their explicit consent to receive it. By consenting to being added to an email list here, you consent to your data being shared with relevant members of the RMR team.
We do not lease, sell or give this personal information to any further third parties. We will contact any such email newsletter subscribers regularly to check-in with them and re-establish their consent for us to contact them, and will give them the option to opt-out at the bottom of every communication we send to them.
Data maintenance: RMR will take reasonable steps to ensure personal data is accurate, complete, current and relevant, and being used only to fulfil the pre-stated obligations to our clients. Upon request, we are very happy to provide people with access to the personal information that we have collected about them. We will routinely check and correct any information that is inaccurate or incomplete, change their consent status, or delete their personal information all upon request. If you would like to request this, please contact us using the details at the end of the policy.
From time to time, we may need to update this Privacy Notice. The latest version of the Privacy Notice will always be available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data or your rights.
Legal basis for processing data.
We process ‘special category’ personal information under the legal basis of
a. Public task (when deemed appropriate by other organisations as their data processor). The processing is necessary for you to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
The legal basis on other occasions would be:
b. Under our own legitimate interest. This means the data processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which would overrides those legitimate interests. We only do this if there is no overriding prejudice to you by using your personal information this way. We will describe all situations where we may use this basis for processing.
c. Explicit consent: For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation.
Our surveys are legally understood to be providing ‘implicit consent’ for personal data to be used in relation to a specific project covered by a contract between RMR and a client.
5. ‘Special category’ personal data
Where we act as data controllers on behalf of a third party data controller, for example when we collect and process data in order to conduct an evaluation on behalf of an arts organisation, we may on occasion collect personal data in surveys which includes ‘special category’ personal information. This may include ethnicity, sexual orientation, trade union and political affiliations, and health information.
We collect this data to determine whether and to what extent the projects of our clients support all demographics amongst audiences, participants and artists in these projects, and to report this information back to our clients.
We will do this in a fair, transparent, and lawful manner. We will collect such data in a manner proportionate to the project needs, and will minimise the amount of data we do collect wherever we can. We will not override the fundamental rights and freedoms of data providers when collecting survey data. The way we handle data, how we intend to process it and the individual’s data rights will be made clear in a Data Statement on paper and electronic surveys and on our website. This statement will include why we ask for data, how it will be used, how it will be stored, how long it will be stored for and how to contact us about it. Individual responses provided by participants in our research work are held in strict confidence. By default, they will not be shared directly with our clients, nor published for public consumption.
All survey data will be pseudo-anonymised before further processing. We will not retain respondents’ details and/or use them for follow-up activity not connected to the initial research work (for example, to register interest in follow-up research opportunities, to register to receive a copy of the subsequent research report, or to receive future information from either the relevant client on whose behalf we are conducting the research, or directly from RMR) except on where ‘explicit consent’ has been sought from all research participants for any and each additional use of data that is sought.
Children and surveys: We do not collect, hold or process the data from children under the age of 18 without consent from a parent, guardian, or organisation working with children who are also responsible for their safekeeping while in their care (e.g. a school, youth club, arts organisation) and who have complied with relevant statutory safeguards.
6. RMR website cookies
7. The documents below detail how we comply with GDPR.
- Acceptable use policy
Your rights to your personal information
You have a right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected. Please contact us at CathRMResearch@gmail.com if you would like to exercise this right.