RM Insight processes personal data for the purpose of conducting independent social research.
This research is conducted on behalf of another/other organisation(s), when they have a need for their research to be conducted independently. RM Insight may also conduct research on behalf of another organisation because we have specific research expertise or resource that the other organisation may not hold to conduct the research sufficiently.
Lawful basis for the processing:
Where personal data is collected by RM Insight for research purposes, it is always collected and processed with informed consent as the lawful basis for holding that data. Informed consent is always transparent, ensuring the data subject is fully informed before they take part in the research about what, how and where their data will be used before they begin to give their data. This information is always available in the introduction to the research task before you take part. Informed consent is always collected by way of an affirmative action such as selecting ‘next’ to continue with a survey, a recorded verbal agreement when taking part in an in-depth interview, or an agreement in writing indicating that you would like to proceed with the research.
Data is not processed in any way that is incompatible with the information given when the data subject gave their informed consent. Where we ask data subjects for sensitive data – defined by the GDPR as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation – RM Insight’s condition for processing such special category data is the data subject giving explicit informed consent to the processing of this personal data for one or more specified purposes. RM Insight collects this type of data only where necessary. RM Insight informs data subjects why we are asking for their sensitive data and what it will be used for. Data is not processed in any way that is inconsistent with the information which was given when data subjects gave their explicit informed consent. Data subjects are also given the option to tick ‘prefer not to say’ to any questions that ask for sensitive data.
Where personal data has been shared with RM Insight by a data controller for research purposes, and RM Insight is acting as the data processor, we process that data under the lawful basis of ‘legitimate interest’. It is within RM Insight’s legitimate interest to receive personal data from our clients to invite data subjects to take part in independent research on behalf of our clients, as this is RM Insight’s core business and purpose. If research is not conducted independently, results of the research could be affected by a bias that does not allow respondents to be honest and open. The data controller must identify its own lawful basis for sharing the personal data with RM Insight and ensure a data processing agreement is in place for RM Insight to process that data. This lawful basis is always given in the introduction to the research task that you take part in. Where a data controller shares personal data with RM Insight, we will process only personal data that has been shared securely and lawfully according to the GDPR. If RM Insight collects further data linked to the shared personal data, we always do so under the lawful basis of informed consent.
Categories of personal data:
Through our research, RM Insight may collect various types of personal data including: Name, Email address, Telephone number, ID/Membership number, Postcode, Demographics etc.
This personal data may be linked to your responses to our research questions, which may include but are not limited to: experiences, perceptions, behaviours and attitudes. However, your responses will not be linked to your personal data when reported unless we get specific consent from you to do this. Your responses may be linked to your demographic details when reported, but we will take our best action to ensure that these demographics do not make you identifiable.
Who will personal data be shared with?
Information that you provide will not be associated with your name, identity or contact details when reported. Anonymised information and raw data may be shared with the organisation that the research is being conducted on behalf of (please see the introduction to the research task which you are completing), including demographic information if you provide it, and/or used in research reports that may or may not be available to the public. If you give open-ended responses, quotes from these responses may be used alongside broad demographic information in reports and raw data sets.
RM Insight may share your data with a GDPR-compliant third-party data processor for research purposes, though only for the purposes of this research. If RM Insight is going to share personal data with a third-party data processor, we always ensure that a data processing agreement is signed first, which means your data cannot be used for anything outside the purposes of the project that you consented for it to be collected for, and that we have a lawful basis for transferring the data to the third party.
If you disclose any information during this research that leads RM Insight to believe that you are at risk of harm to yourself or others, we have a safeguarding obligation to report this to the appropriate authority.
Details of third-party software providers that we may store your personal data on or using include: