The purpose of this policy is to:
- Set out ORB International’s position on privacy and data protection; and
- Set out our responsibilities, and the responsibilities of those working for us, in maintaining and upholding this position.
We value the privacy of all those who participate in our work and we are committed to protecting personal data. This policy explains how we look after personal data in general and covers a broad range of stakeholders including:
- Individuals who provide information in response to our research, for example as a participant in a survey or a focus group;
- Individuals who visit our website (regardless of where they visit it from);
- Individuals who contact us to request further information or to apply for a position with ORB either as an employee or as a consultant on one of our projects.
Personal data, or personal information, means any information about a person from which that person can be identified. It does not include data from which a person’s identity has been removed (anonymous data).
Legitimate interest means our interest in conducting and managing our business in such a way that we are able to provide the best service/product and the best, most secure experience. We make sure that we consider and balance any potential impact on external stakeholders (both positive and negative) and their rights before we process their personal data for our legitimate interests. We do not use their personal data for activities where our interests are eclipsed by the potential impact that processing this data may have on them (unless we have their consent or are otherwise required or permitted to do so by law).
Performance of contract means processing people’s data where it is necessary for the performance of a contract to which they are a party.
Compliance with a legal or regulatory obligation means processing personal data in those instances where it is necessary for us to comply with a legal or regulatory obligation that we are subject to.
Data we may collect
We may collect, use, store and transfer the following kinds of personal data:
Identity Data including first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data including address, email address and telephone numbers.
Financial Data including bank account details.
Transaction Data including details about payments to and from the individual concerned and other details of products and services that they may have purchased from us.
Technical Data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access a webpage.
Profile Data including any information provided by survey respondents on their interests and preferences.
Usage Data including information about how individuals use our website, products and services.
Special Categories of Personal Data: We may collect certain Special Categories of Personal Data about research respondents (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health and genetic and biometric data). We may also collect information about criminal convictions and offences, or carry out psychometric testing as part of a recruitment process.
Legal requirements and provision of personal data
Where we need to collect personal data by law, or under the terms of a contract we have with individuals and those individuals fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with them (for example, to provide them with goods or services). In this case, we may have to cancel the service that we are offering to these individuals but will provide timely notice of cancellation, if this course of action is pursued.
How we collect data
We use different methods to collect personal data, or personal information about an individual. These include:
Individuals may give us their Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone or email. This information includes personal data that they may provide when:
- Applying to work with us as an employee or as a consultant on one of our projects;
- Applying for our services;
- Requesting marketing material;
- Taking part in a survey; or
- Giving us feedback.
Automated technologies or interactions
When users interact with our website, we may automatically collect Technical Data about their device, browsing actions and patterns. We collect this personal data by using cookies and similar technologies.
Third parties or publicly available sources
We may receive personal data about individuals from various third parties and public sources, including Technical Data from the following parties:
- Analytics and search providers such as Google (based outside the EU); and
- Recruitment agencies and online job messaging boards.
How we use personal data
We will only use personal data when the law permits under the 2018 Data Protection Act, the UK’s implementation of the General Data Protection Regulation (GDPR). Most commonly, we will use personal data in the following circumstances:
- Where we need to perform the contract that we are about to enter into or have entered into with certain individuals.
- Where it is necessary for our legitimate interests (or those of a third party) and where the interests and fundamental rights of the individuals concerned do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Purposes for which we will use personal data
The table below sets out the various purposes for which we may use personal data as well as the legal bases for doing so. We have also identified what our legitimate interests are, where appropriate.
|Purpose/activity|Type of data|Legal basis for processing data including basis for legitimate interest|
|---|---|---|
|To register individuals as a new customer or supplier|(a) Identity|Performance of a contract with the individual concerned|
|To process and deliver an order including: (a) Managing payments, fees and charges (b) Collecting and recovering money owed to us|(e) Marketing & Communications|(a) Performance of a contract with the individual concerned (b) Necessary for our legitimate interests (to recover debts due to us)|
|To manage our relationship with individuals which will include:| |(a) Performance of a contract with the individual concerned (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)|
|To use data analytics to improve our website, products/services, marketing, customer relationships and experiences|(a) Technical|Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform the public of our marketing strategy)|
|To make suggestions and recommendations to individuals about goods or services that may be of interest to them|(a) Identity|Necessary for our legitimate interests (to develop our products/services and grow our business)|
Change of purpose
We will only use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We encourage individuals wishing to know how processing the data for the new purpose is compatible with the original purpose to contact us.
If we need to use personal data for an unrelated purpose, we notify the individuals concerned and explain the legal basis which allows us to do so. We may process personal data without the knowledge or consent of the subject, in compliance with the above rules, where this is required or permitted by law.
We may have to share personal data with the following parties for the purposes set out in the table presented above:
External third parties, including:
- Service providers acting as processors based in the UK and overseas which provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK, USA and all countries in which we operate who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom and overseas territories who require processing activities to be reported in certain circumstances.
We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with our instructions.
We have put appropriate security measures in place to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. ORB has Cyber Essentials Plus accreditation. Cyber Essentials is a UK Government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber attacks and provides a clear statement of the basic controls organisations should have in place to protect themselves.
Cyber Essentials Plus accreditation is the highest level of certification offered under the Cyber Essentials scheme. Cyber Essentials Plus requires a more rigorous test of an organisation’s cyber security systems, in which cyber security experts carry out vulnerability tests to make sure that the organisation is protected against basic hacking and phishing attacks.
Much of our work involves collecting data from the field using tablets. Our approach to data protection during this process is set out in our Data and Tablet Security Statement:
Tablet & Data Security Statement
Purpose of this Document
This statement provides an overview of our approach to ensuring the security of the data we collect during fieldwork. This includes the security aspects of the software we use to collect data, how the data is securely stored and deleted after use, back-ups and interviewer training.
Sending and Receiving Data
Our tablets for data collection are programmed with SurveyToGo Software. SurveyToGo enables our interviewers in the field to collect data and send it remotely to the SurveyToGo Data Centre. This involves two-way communications over the internet to both send survey data to the tablet and receive collected data from the tablet. Network security measures are in place to ensure network communication both to and from the Data Centre is secure along with communications between servers in the Data Centre. SurveyToGo uses SSL encryption to encrypt the tablet/server communications and management app/server communications. The Data Centre uses certified SSL Certificates to ensure tablets can validate and authenticate the server they are communicating with to prevent ‘man in the middle’ attacks along with eavesdropping risks. Any incoming communication to the Data Centre passes through a dedicated Check Point Firewall product to prevent network attacks.
Uploading Data and Data Storage
The SurveyToGo Data Centre servers are hosted by Amazon AWS. All servers include mandatory antivirus protection and are configured to receive any OS security update as required. Our general approach to the security of the collected data is to upload the data to the servers and remove it from the device as quickly as possible. Shorter time on the device means lower data security risks. The tablet application stores all data in a special storage segment provided by the Operating System. This segment is secured from access by other applications. Even accessing the device through the USB mass-storage interface will not allow the operator access to this storage area. Through this enhanced security mechanism, the data is saved in a local database on this secured storage segment. Whenever a network is detected, all data is uploaded from the tablet application to the server and deleted from the device. The last user who used the app is cached locally to allow for quick access and to continue collecting data even in offline scenarios; however, the password is encrypted. Communication to and from the server is secured by SSL Encryption.
Data stored in the SurveyToGo system is redundantly stored in multiple physical locations as part of normal operation of those services. Data removed from the system by ORB are physically deleted from the servers and backups.
All access to the SurveyToGo system is done with a user and a password. Each project member who will use the software is assigned a role which controls their access to the system. The role contains the permissions to the data contained within the different project components. For each component, the user’s access is configured as either none / read / write or full access.
All interviewers and supervisors are assigned a tablet, assigned a username and password and provided with training on using the software to collect and upload the data. Interviewers are instructed not to use the tablets for any other purposes, to only use the device they have been assigned and not to let anyone else use their tablet.
Lost / Stolen Tablets
In the event that a device is lost or stolen, interviewers are instructed to inform their supervisor immediately, who will inform the fieldwork manager and ORB. The tablet is then disabled, which prevents any access from the device to the account and any tampering with the data.
We will only retain personal data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of this data, the purposes for which we process the data and whether we can achieve these same purposes through other means, and the applicable legal requirements.
By law and for tax purposes, we have to keep basic information about our customers and suppliers (including Contact, Identity, Financial and Transaction Data) for at least six years after they cease being customers or suppliers. In some circumstances, customers and suppliers can ask us to delete their data: see ‘Request erasure’ below for further information.
In some circumstances we may anonymise personal data (so that it can no longer be associated with the individuals concerned) for research or statistical purposes in which case we may use this information indefinitely without further notice to the data subjects.
Under certain circumstances, individuals have rights under data protection laws in relation to their personal data. These include the right to:
Request access to personal data (commonly known as a “data subject access request”). This enables individuals to receive a copy of the personal data we hold about them and to check that we are lawfully processing it.
Request correction of the personal data that we hold. This enables petitioners to have any incomplete or inaccurate data corrected, although we may need to verify the accuracy of the new data provided.
Request erasure of personal data. This enables individuals to ask us to delete or remove personal data where there is no good reason for us to continue processing it. Data subjects also have the right to ask us to delete or remove their personal data in cases where:
- They have successfully exercised their right to object to processing (see below);
- We may have processed their information unlawfully;
- We are required to erase their personal data in order to comply with local law.
We may not always be able to comply with a request for erasure for specific legal reasons which will be communicated to the individuals concerned, if applicable, at the time of their request.
Object to processing personal data where we are relying on a legitimate interest (or those of a third party) and there is something about a person’s particular situation which makes them want to object to processing on this ground since they feel that it impacts on their fundamental rights and freedoms. Individuals also have the right to object when we are processing personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process this information which override these rights and freedoms.
Request the processing of personal data to be restricted. This enables individuals to ask us to suspend the processing of their personal data in the following scenarios:
a) They want us to establish the accuracy of the data;
b) Our use of the data is unlawful but they do not want us to erase it;
c) They need us to hold the data even if we no longer require it as they need it to establish, exercise or defend a legal claim; or
d) They have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of personal data to the individual concerned or to a third party. We will provide individuals, or designated third parties, with personal data in a structured, commonly used, machine-readable format. This right applies only to automated information which the data subjects initially gave us consent to use or where we used the information to perform a contract with the individuals concerned.
Withdraw consent at any time where we are relying on consent to process personal data. However, this does not affect the lawfulness of any processing carried out before consent is withdrawn.
Individuals who wish to exercise any of the rights set out above are encouraged to contact us at firstname.lastname@example.org
Petitioners will not usually be asked to pay a fee to access their personal data (or to exercise any of their other rights). However, we may charge a reasonable fee if a request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with a request in these circumstances.
We may need to request specific information from individuals in order to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who does not have the right to receive it. We may also contact individuals to ask for further information about their request in order to expedite our response.
We try to respond to all legitimate requests within one month. This timeframe may be exceeded if a request is particularly complex or if an individual has made a number of requests. In these cases, we will notify the individuals concerned and keep them updated.
ORB’s Managing Director and senior managers take responsibility for implementing this policy statement and its objectives and for providing adequate resources (training, etc.) to ensure that ORB complies with the policy.