Skip to content

Getting GDPR answers (phew!) and how I’m dealing with special category data

May 7, 2018

Well I have to say I’m extremely grateful to my professional body the Market Research Society who have proved the worth of their annual fee by providing me with a whole host of industry-specific GDPR advice.  Thanks MRS. I’ve read a tonne of articles and I’ve attended a webinar and a roadshow session.  I have asked questions.

The main thing I’ve taken from these is that if you comply with the MRS Code of Conduct you are 80% there with GDPR.  The remaining 20% is documentation internally and what you tell the data subjects.  Good.  That’s pretty much what I thought.  Phew.

I was, and still am, concerned about the ‘special category data’ given that barely a working day goes by without someone telling me about their personal circumstances, both solicited and unsolicited.

I’m delighted to say that OF COURSE I don’t need to worry about special categories if my data is otherwise anonymous.  Stop being paranoid and over-literal Ruth.

But but but.  If there’s audio, or video, or a photo, or handwriting, or they say their name or job title or something else identifying… then it is NOT ANONYMOUS.  Some of that I can control.  Some of that I can’t control.  So I’m resigned to treating most data-collection circumstances as if they are identifying, in case they become identifying.

Happily, I’m told that most of the battle is in anticipating and mitigating the risk to the data subject.  And honestly, the risk seems so minimal in what I do.  I keep my files secure, and anything that goes outwith that is anonymised.

Here’s what I’ve done though.  I’ve acknowledged it is a thing and I’ve thought it through and I’ve prepared a policy on the subject.  Could be overkill, not sure, but as I’ve said before I’m trying to do these things properly.

Here it is, in case you are interested:

Ruthless Research GDPR Special category data policy, with specific reference to mental health

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation are considered special categories under GDPR and any information about special category data which can be linked to other identifying data must therefore be treated with particular care. 

Key places where special category data will be routinely collected, processed and stored are questionnaires and audio recordings.  It is noted that questionnaires may or may not be anonymous, but audio recordings are always considered identifying. 

Based on past experience, Ruthless Research feels it is likely that the subject of mental health will arise in all charity research projects – whether through direct questioning or whether the subject arises organically.  As a subject expert in mental health Ruthless Research is well placed to work with this special category of data in an appropriate and respectful way and, if anything, is likely to apply a broader than usual classification of what falls under this category (including, for example, wellbeing and non-medical definitions).

Ruthless Research takes ethics and data protection seriously, and has identified special category data and specifically mental health data as an area of particular risk outwith the standard practice of market research.  As such, Ruthless Research will take the following steps to minimise this risk:      

  • Creation of this Policy, respecting the importance of this issue.
  • Ruthless Research will abide by the Market Research Society Code of Conduct to ensure that all research is conducted ethically.
  • Ruthless Research will follow standard GDPR compliant procedures relating to data collection, storage and processing.
  • All data will be collected in a manner that is as anonymous as the project methodology allows, and/or pseudonymised at the earliest opportunity.
  • In the unusual circumstance where special category data will be identifiable and made public (e.g. case studies or through particular kinds of reporting) explicit GDPR-compliant consent will be sought from the data subject well in advance of data collection, and documented, and plans for this will be made, discussed with the client, and documented accordingly at the earliest opportunity in the project.
  • Data will be securely destroyed at the earliest appropriate opportunity (6 months after the close of the project as standard) as per the Ruthless Research Data Storage Policy.

It is however noted that the risk of any data breech and the risk to individual data subjects is extremely low.

 

 

 

 

 

a

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: