IQCS AGM November 2009: IQCS Data Protection Workshop, 12th November 2009.

Presentation transcript:

1 IQCS AGM November 2009: IQCS Data Protection Workshop, 12th November 2009

2 Agenda
- David Evans, Information Commissioner’s Office
- Overview of International data protection
- Workshop / Answers
- Information sources

3 International transfer: European Economic Area
- EU Members: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, UK, Cyprus, Czech Republic, Estonia, Hungary, Lithuania, Latvia, Malta, Poland, Slovakia, Slovenia
- EEA is the EU plus: Iceland, Norway, Liechtenstein

4 International transfer: Other mechanisms
- Argentina
- Hungary
- Canada
- Guernsey
- Isle of Man
- Switzerland
- US Safe Harbor
- Binding Corporate Rules (BCR)
- Australia / Japan - pending
- Model Contracts / Binding Corporate Rules
- Israel under consideration as is Andorra, followed by New Zealand and Uruguay

5 US Safe Harbor
- Notice
- Choice
- Onward Transfer
- Access
- Security
- Data Integrity
- Enforcement

6 Binding Corporate Rules
- Multinational companies transferring personal data from the EEA to their affiliates
- Choose a Data Protection Authority (DPA) – the EU country where HO is based
- Approval from the DPA
- BCR
- Safeguarding personal data across the organisation
- Provides a framework for a variety of inter-group transfers

7 Model Contract
- Data Importer
- Data Subjects
- Purpose of transfer
- Categories of data (sensitive data)
- Recipients
- Storage limit
- Purpose limitation
- Data quality and proportionality
- Transparency
- Security and Confidentiality
- Rights of access, rectification, erasure, and blocking of data
- Restrictions on onward transfers
- Encryption, e.g., if sensitive personal data
- Direct marketing
- Automated individual decisions

8 Transfer – issues arising
- Client contracts restricting transfer outside of the EEA
- Client contracts restricting transfer outside of the UK!
- Security of the actual transfer
- Contractual issues – have you got one?
- Security of the receiving party – have you checked? Prove it!
- Is there a transfer?

9 Country specific peculiarities
Germany
- cannot ask the respondent for consent to pass details back to the client
- cannot ask the respondent for consent to be re-contacted
- ADM have a centralised “do not call for market research” list which members of the ADM are supposed to clean sample files against
- Call Line ID requirements all calls
- the phone is not permitted to ring for less than 20 seconds and the contact attempt must be terminated after 40 seconds
- Data losses required to be reported
It’s not just legal issues, but local industry guidelines that matter

10 Country specific peculiarities
- Italy – companies have the same protection under data protection as individuals
- Sweden – for healthcare research with medical professionals the respondents must first invite the interviewer to call them
- US Maine – The Marketing Research Association is lobbying to exempt research from a law in Maine that prohibits the sale or transfer of personal data about state residents under the age of 18.
- UK – Ofcom has tweaked its rules around silent calls to give businesses more time to present homeowners with a recorded information message if an operator is not available when a cold call is made.
- US – Almost one third of physicians say they will be put off participating in market research studies if a law is passed requiring them to disclose all survey incentives worth more than $20 from drug or medical device companies.
What other examples do you have? Let’s share that information.

11 Common problems
- MRS Revisions - re-contact question is too general
- Re-contact question wasn’t asked
- Incentives processed by a third party or a client
- Updating client databases – contact details
- Adverse Event reporting and doctors’ privacy
- Lack of onward compliance between you and third parties
- Contractual restrictions on transfer outside of UK/EU
- The human element – data disclosure!
There are many other common issues that we are all facing today; I hope these are covered in the workshop session. Please raise anything you would like to discuss.

12 Workshop
In the following scenarios, identify the key data protection issues that arise and list the actions that need to be taken by all concerned to ensure that data protection requirements are met.

13 Scenario 1
- Energy UK has commissioned ABC Research to undertake a quantitative face-to-face survey
- Sample – customers and lapsed customers
- ABC Research has commissioned Fieldwork Unlimited to conduct the in-home interviews
- Results will be shared with Mobiles Connect, a third party partner of Energy UK
- Pre-screen sample file against Mobiles Connect customer database
- Paper-based survey
- ABC has commissioned Coding & Analysis Services in the UK and Mumbai to do the data processing

14 Scenario 2
- Freelance qualitative research recruiter
- Holding completed requirement questionnaires at home
- Holding details of respondents – notebooks, index cards, database

15 Scenario 3
- US based international client
- Commissioned Research The Globe Ltd based in London to do customer satisfaction with PC owners across same and large companies across Europe
- Client provided sample (individuals and business, but not always clear which)
- Client wants to re-interview some key respondents
- Client wants dissatisfied customers identified and traced back to the European service database holding their details – specifically UK, Germany and France.
- All interviewing will be conducted from the UK
- Client wants to remotely monitor some of the interviews

16 Scenario 4
- Central Bank briefed QMR and Co to undertake programme of group discussions about internet banking
- QMR want to commission another company to recruit respondents and hold groups in centralised viewing facilities.
- Groups recruited from customer list.
- Client will attend group.
- Client requesting recordings.
- Client wants to remain anonymous.

17 Scenarios – Points to consider

18 Scenario 1 – Points to consider
- What does the contract from Energy UK require (have you got one?) in terms of use of data, security, transfer, etc.?
- Details on destruction and return of sample should be understood
- Has Energy UK notified Research as a purpose with ICO?
- Does Energy UK have permission from customers to disclose personal data to Mobiles Connect?
- How does the transfer take place?
- Is there any agreement to prevent the personal information being used for purposes other than screening by Mobiles Connect?
- What contracts are in place with the fieldwork and data processing agencies?
- Results shared by Energy UK should be limited to de-personalised data unless consent has been obtained
- What else…

19 Scenario 1 – Points to consider
- There needs to be a written contract with Fieldwork Unlimited and Coding & Analysis Services as data processors – including any possible processing by C&AS in Mumbai.
- Data security is a key issue, plus ensuring that interviewers do not use the client’s customer details for other purposes.
- If asked, interviewers must provide respondents with the source of the contact details.
- Feedback on “goneaways” must not include new addresses.
- Complaints can be fed back – but the client must not use this information for any purpose other than resolving complaints. The client needs to provide a contact that will deal with these issues.
- Outcome of calls can only identify numbers used, not whether they are refusals or not, unless you have consent.

20 Scenario 2 – Points to consider
- If recruiters develop lists of potential respondents, then they will become data controllers and need to adhere to all the principles of the 1998 Act (including Notification and identifying purposes).
- Recruiters need to be fully trained in data privacy issues.
- Each project briefing needs to include coverage of any DP related factors.
- Contracts throughout the research process need to include specific references to handling client owned data – responsibilities for security (and what is necessary); not using the information for other purposes (list building, etc.); destruction or return of samples.
- Interviewers need to keep personal data secure (to specified standards – the client may be responsible for any breaches) and need advice and guidance on this.

21 Scenario 3 – Points to consider
- USA based company needs to adhere to European legislation (Directive and at national levels) when dealing with EU domiciled customers.
- Ensuring that the clients’ European databases are notified, and include market research as a purpose.
- The legislation only covers living individuals. Interviews if solely concerned with role rather than person will not be covered (except in Italy).
- The client’s identity must be disclosed at some point in the interview if a respondent asks.
- If personal data drawn from the survey is to be used for other purposes, such as enhancing a database, then it will be a regulations for non-research categories must be considered.
- If this does become a “mixed” project, then the sample files must be screened firstly to exclude all opt-outs for marketing on the customer file, and secondly against Preference Service files (TPS in the UK).
- Can’t re-interview for German market unless it’s carried out as a non-research activity.
- What else…

22 Scenario 3 – Points to consider
- Transfer of personal data to the USA must conform to one of the required mechanisms – this may need the respondents’ permission within the interview (and for each purpose).
- If re-interviews are likely, then this needs to be built into the first interview. It would be better to ask all respondents.
- Dissatisfactions could be passed back to the client, but any transfers of data outside of the EEA (e.g., to the USA) must conform to the necessary mechanisms, and may require consent. The client must only use the data for that specific purpose and no other.
- The link with Phoenix for monitoring interviews needs to be for confidential survey research purposes only and these conversations should not be recorded in any way. Respondents would need to be advised first and have consented.

23 Scenario 4 – Points to consider
- Advising respondents about any recording of the proceedings when recruiting, and about the presence of observers.
- Normally, bank customers have been asked to opt-in or out of activities such as marketing under the banking code of practice. Whilst there is no requirement to screen out these customers (apart from Category 6 projects), in certain types of research it might be beneficial in terms of customer goodwill to screen out such customers.
- Recruiters must be clearly briefed about returning/destroying sample data, and about not misusing the information for other purposes (list building).
- The name of the client company must be disclosed at some point in the research process (recruitment or group discussion) if respondents request the source of the contact details.
- What else…

24 Scenario 4 – Points to consider
- Agencies should produce a guideline for those observing group discussions as best practice.
- If tapes are supplied then it is preferable if they are de-personalised – in any event, the client must understand that they are provided solely for market research purposes. Usage in any other way (e.g., training sessions, sales conferences, etc.) would break the law (unless Category 6 projects).
- Particular care is needed in B2B qualitative research where it is more likely that respondents can be recognized (perhaps by their opinions, voice, etc.) by client people observing groups, viewing tapes or reading transcripts.

25 Information sources
- Information Commissioner’s Office
- MRS Frequently Asked Questions / Codeline
- DataGuidance, alerts and a global data protection and privacy compliance platform.
- Privacy and Data Protection (PDP) – journal and
- Dechert Legal Update - ?pg=legal_update&pa_id=39&pn=1

26 IQCS Annual General Meeting 2009
Thank you for coming