Date updated: 18.8.20
Prepared by: Catherine Doran
Adoption date: 18.8.20
Review date: 25.1.21
Data privacy and security is of the utmost importance to Ruth Melville Research. We use it as part of our client- commissioned projects, often in collaboration with other parties, and we use it for our
own marketing and communications. We respect the wishes of the people who provide us with personal data, and we wish to be open and transparent about how and why we process personal data. We therefore have policies which share information on how data which comes to us is processed and protected.
2. What personal data do we collect and why?
As a research consulting company which specialises in evaluation and research development, we provide strategic insight and insight into research design and analysis to our clients within the cultural, regeneration, environment, and social inclusion sectors. We use many ways to generate this insight. Some projects call for secondary research including, for instance, evidence and literature reviews, statistical analysis of both existing datasets and publicly available data. However, many of our projects involve primary research with businesses, visitors, audiences, practitioners, participants, and policymakers (among others). We capture this personal data in ways which can be in-person or online and can include consultations and public meetings, focus groups, interviews and discussions. We also prepare, organise and analyse online and paper surveys.
In addition, we hold personal data on third party organisations and individuals and on client organisations with whom we carry out projects and communicate in the line of our work. This personal data includes name, address and contact details,
Lastly, we like to keep in touch with our clients and we may store, with consent, some limited personal data in order to send updates via email.
We may collect, hold and process certain types of ‘special category’ information in the course of our work. More detailed information on how this is handled can be found in section 5 but includes ethnicity, sexual orientation, trade union and political affiliations, and health & mental health.
3. Who is the Controller of your personal data?
This depends on who you are and the context in which you have provided personal data to us.
For personal data captured in relation to our own marketing and communications, RMR is the Controller of your data. This is also true if you are someone who has taken part in a public consultation with us and chosen to share personal data as a result. In addition, this would be true if you are a third party freelance worker providing research or administration support, for example, or a third party organisation with whom we work to carry out projects (for example, a University or a research consultancy).
If you are a client , or a research participant in a client-commissioned project, then when we conduct research on your behalf RMR acts instead as a Data Processor on behalf of you, our client, and you would be the Data Controller.
4. How and where is personal data stored, protected and used?
There are a number of general principles and processes that we use across all the activities for which we collect and hold personal data (as described above in 1). In particular, these cover what we will (and will not) use your data for, how your data is protected, and how you can contact us regarding the data that we may hold on you.
Purposes: We will collect the personal data that you volunteer while using our services, and we will specify the purposes for which your personal data will be used at the point at which it is collected. We will not collect or use your personal data for any purpose other than those indicated at the time of collection. RMR is committed to keeping personal data safe and secure. We will maintain all necessary physical, electronic and procedural security measures to help safeguard client data and personal information.
Protection: The data that we collect is stored within the European Economic Area (“EEA”) on a secure server in the UK. Our security measures include using IT companies and platforms that protect our IT infrastructure from external attack and unauthorised access, as well as proactively guaranteeing to meet the requirements of the EU General Data Protection Regulation. The computers used to access, and process personal data will be password protected and disc encrypted, protected by firewalls, and operated by RMR associates only.
Data handling protocols: We have additional internal policies setting out our data protection approach. Data will not be transferred outside the RMR team which comprises Ruth Melville and a small number of researchers who work on a freelance basis as RMR associates. Anyone who handles personal data on behalf of RMR will have committed to an Acceptable Use policy requiring them to use security measures with respect to personal data. This policy is available on request to CathRMResearch@gmail.com.
Third party programs: We may also make use of third-party programs which enable data collection, for example survey platforms. Where data is collected or stored by third party companies, they may have servers located in the UK, Ireland or the EU or they may use servers located in the U.S. Any such transfer of your personal data for storage will be carried out in compliance with applicable laws. For transfers outside the EEA, RMR will use third parties which use Standard Contractual Clauses and Privacy Shield (e.g. the EU-US Privacy Shield Program) as safeguards for countries without an ‘adequacy decision’ from the European Commission.
Data maintenance: RMR will take reasonable steps to ensure personal data is accurate, complete, current and relevant, and being used only to fulfil the pre-stated obligations to our clients. Upon request, we are very happy to provide people with access to the personal information that we have collected about them. We will routinely check and correct any information that is inaccurate or incomplete, change their consent status, or delete their personal information all upon request – this can be done by contacting Catherine Doran at CathRMResearch@gmail.com.
From time to time, we may need to update this Privacy Notice. The latest version of the Privacy Notice will always be available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data or your rights.
5. ‘Special category’ personal data
Where we act as data controllers on behalf of a third party data controller, for example when we collect and process survey information in order to conduct an evaluation on behalf of an arts organisation, we may on occasion collect personal data in surveys which includes ‘special category’ personal information, such as ethnicity, sexual orientation, trade union and political affiliations, and health & mental health.
We process ‘special category’ personal information under the legal basis of a. public task (when deemed appropriate by organisations as their data processor) and b. under our own legitimate interest in all other occasions. We will collect consent for personal data to be used in relation to a specific project covered by a contract between RMR and a client for each project.
We collect this data to determine whether and to what extent the projects of our clients support all demographics amongst audiences, participants and artists in these projects, and to report this information back to our clients. We will do this in a fair, transparent, and lawful manner. We will collect such data in a manner proportionate to the project needs and will minimise the amount of data we do collect wherever we can. We will not override the fundamental rights and freedoms of data providers when collecting survey data, and the way we handle data , how we intend to process it and the individual’s data rights will be made clear in a privacy notice on paper and electronic surveys and on our website. This statement will include why we ask for data, how it will be used, how it will be stored, how long it will be stored for and how to contact us about it. Individual responses provided by participants in our research work are held in strict confidence. By default, they will not be shared directly with our clients, nor published for public consumption.
All survey data will be anonymised before further processing. We will not retain respondents’ details and/or use them for follow-up activity not connected to the initial research work (for example, to register interest in follow-up research opportunities, to register to receive a copy of the subsequent research report, or to receive future information from either the relevant client on whose behalf we are conducting the research, or directly from RMR) except where ‘explicit consent’ has been sought from all research participants for any and each additional use of data that is sought.
Children and surveys: We do not collect, hold or process the data from children under the age of 18 without consent from a parent, guardian, or organisation working with children who are also responsible for their safekeeping while in their care (e.g. a school, youth club, arts organisation) and who have complied with relevant statutory safeguards.
6. RMR website visitors
At RMR, we may sometimes take part in projects which require us to manage an email newsletter on behalf of a project we are participating as part of. In future, it is possible that we will operate our own email newsletters. We currently do this through a password protected Mailchimp account (see previous statement on third party programs), which only RMR can access. The email newsletters are only available to people who proactively opt-in and give their explicit consent to receive it.
We do not lease, sell or give this personal information to any third parties. We will contact any such email newsletter subscribers regularly to check-in with them and re-establish their consent for us to contact them. We also give our subscribers the option to opt-out at the bottom of every newsletter we send to them.
7. The documents below detail how we comply with GDPR.
RPR Privacy Notice 2020, RMR Website Terms and Conditions 2020, RMR Acceptable Use Policy 2020,
RMR Survey Data Disclosure.
Your rights to your personal information
You have a right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected. Please contact us at CathRMResearch@gmail.com if you would like to exercise this right.