Explanation of Key Principles
C. Data Protection and Privacy
Definition of Personal Data3.15
National and international data protection and privacy requirements MUST be adhered to.
Personal data or personally identifiable information (PII) as it is sometimes known includes postal codes, cell phone numbers and email addresses as well as full names and postal addresses. Personal data may be a single piece of information or a series of pieces of information including other information or data sets available to the holder, which together would allow identification of an individual or infer their identity.
An IP address might constitute personal data in combination with other identifiable data but there is no international consensus about the status of IP addresses (which can generally identify a unique computer, but may or may not identify a unique user). If national law/regulations classifies IP addresses as personal data and it is not possible to differentiate between those IP addresses which are linked to an individual and those that are not, all the information collected should be treated as if it were personal data. In Germany an IP address is considered by law to be personally identifiable information. In the Netherlands this is the case if an IP address can be traced back to a unique user.
In the United States the definition of personal data may depend upon the nature and/or subject matter of the information, the way it is collected, other information that may be collected and combined with it, and the use and disclosure of the information by the collector.
Personal data covered by the EU Data Protection Directive includes data "be it alphabetical, numerical, graphical, photographical or acoustic. It includes information kept on paper, as well as information stored in a computer memory by means of binary code, or on a videotape, for instance. In particular, sound and image data qualify as personal data from this point of view, insofar as they may represent information on an individual." (Article 29 DP working party opinion on the concept of personal data of 20 June 2007) Personal data includes video-streams (relayed live or delayed and non-anoymised recordings. Whether an audio recording is considered personal data may depend on whether the surnames of the individuals are recorded or whether the voice alone could lead to the identification of the individual.
Once all identifiers linking data to a MR subject have been removed then it is no longer personal data (it has been anonymised) and is not covered by the EU Data Protection Directive. Researchers may use a unique identifier (e.g. a serial number) to identify a MR subject (a process referred to a pseudonymisation) but the file linking personal data to the unique identifier MUST be stored entirely separately from the anonymised MR subject data.
Defintion of Processing Personal Data3.18
The processing of "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life" is forbidden unless one or more of the exceptions specified in the Directive have been met. The most important of these exceptions, in the case of market research is where the MR subject has given his/her explicit consent to the processing of such data. Explicit consent refers to a MR subject’s specific and unambiguous agreement based upon adequate information (see Section 8, Informed Consent).
The ‘processing’ of personal data includes the collection, recording, organisation, storage, alteration, retrieval, use, disclosure, dissemination, alignment or combination, blocking, erasure or destruction, of personal data.
Researchers must limit the collection and/or processing of personal data to the minimum required to meet the needs of the market research.
Researchers are responsible for the safe handling, processing, storage and disposal of market research and personal contact data.
Adequate precautions MUST be taken to protect personal data, any sensitive data and confidential information against unauthorised access. This would include using the appropriate technologies to protect data stored on web sites or servers when the data is transferred e.g. reliable encryption systems, firewall and users identification and password access.
In addition to the EU Data Protection and US HIPAA (Health Insurance Portability and Accountability Act) requirements that personal data be appropriately protected, in the USA certain states have legislation requiring specific security safeguards (e.g. Massachusetts) for any organisation in the state or holding data of a state resident, and various regulators (including the Federal Trade Commission and, recently, the Federal Communications Commission), impose broad overall security safeguards subject to enforcement within their jurisdiction.
Storing Agreements about Access to Personal Data3.23
It is good practice for researchers to keep copies of e-mails and other documents received from MR subjects agreeing to, or restricting, the use of or access to their personal information. This is a legal requirement in some countries, amongst others, all European Union member states.
Protection of Personal Data when Transferred3.24
Personal data is protected by the provisions of the Data Protection Directive even when taken out of the country where the MR subject lives.
If personal data is to be transferred from one country to another, the data protection requirements of both countries MUST be met. The transfer of personal data to non-EEA countries is forbidden unless there is adequate privacy protection and specific data protection contractual arrangements in place.
In Japan (in accordance to Articles 16 and 23 of The Act on the Protection of Personal Information), personal data cannot be processed or passed to a third party unless the individual has given prior consent. Consent must be given for specific purposes and processing or transfer must be for these purposes alone.
In Mexico the data protection authority differentiates between transmission and transfer of personal data. Transmission is defined as the passing on of personal data for a restricted range of uses and the transmitting party continues to be responsible for the personal data. Transfers of personal data allow a broad range of processing/uses. In both cases, the individuals consent is required.
In Russia (in accordance with Federal Law of the Russian Federation #266-FZ on personal data, article 12, Trans-border transfer of personal data), the MR subject must be made aware if their personal data is to be transferred to a foreign customer and give a written consent to this.
MR Subjects's Rights to their Personal Data3.27
MR subjects MUST be provided with a privacy notice which tells them clearly what their rights are. It must include information such as what personal data is collected, how it is used, how it will be managed and the conditions under which it will be shared, as well as how to get more information or make a compliant. The privacy notice must be made available by the individual/organisation collecting the personal data and must be honoured by all parties that process the personal data (whether or not they are the originator of the privacy notice).
Data Localisation Law in Russia3.30
Data operators processing data of Russian citizens, whether collected online or offline, are obliged to record, systematize, accumulate, store, update, change and retrieve such data in databases located within the territory of the Russian Federation.
Privacy Rule in the USA - HIPAA3.31
In the USA, that part of HIPAA known as the HIPAA Privacy Rule, is a federal regulation which gives the individual rights over their health information (i.e. name, address, health status and other information that can be linked to an individual) and sets limits upon how this information can be used or disclosed by "covered entities” (primarily health care providers and health insurers). This regulation also now applies directly to "business associates,” which are service providers to these covered entities. Unless a use or disclosure is permitted by the HIPAA Privacy Rule, it can only be made subject to an individual’s authorization. There is no restriction upon the use or disclosure of this "protected health information” if it has been de-identified in accordance with the standards set by the Privacy Rule (see 19.3). The US Marketing Research Association’s Best Practice Guidelines on HIPAA state that "As a general matter, survey research entities are NOT covered entities under HIPAA, but may be business associates. The HIPAA Privacy Rule applies when a business associate collects, uses or maintains personal health information for a covered entity.”