1.1 Identity and contact details of the data controller
Mustard Research processes personal data on some occasions as the data controller and on other occasions as the data processor.
Mustard Research’s identity and contact details:
Name: Mustard Research Limited
Company registration number: 06706816
Address: 56 Princess Street, Manchester, M1 6HS
Telephone number: 0161 235 5270
1.2 Purpose of the data processing and the lawful basis for the processing
Mustard Research processes personal data for the purpose of conducting independent market and social research.
This is most often on behalf of another/other organisation(s), when they have a need for their research to be conducted independently. However, on occasion Mustard Research also conducts its own research. Conducting research independently reduces the risk of the results of the research being affected by a bias that does not allow respondents to be honest and open.
Mustard Research may also conduct research on behalf of another organisation because we have specific research expertise or resource that the other organisation may not hold to conduct the research sufficiently.
Lawful basis for the processing:
Where personal data is collected by Mustard Research for research purposes, it is always collected and processed with informed consent as the lawful basis for processing. Informed consent is always transparent, ensuring the data subject is fully informed before they take part in the research about what, how and where their data will be used before they begin to give their data. This information is always available in the introduction to the research task before you take part. Informed consent is always collected by way of an affirmative action such as selecting ‘next’ to continue with a survey, a recorded verbal agreement when taking part in an in-depth interview, or an agreement in writing indicating that you would like to proceed with the research. Data is not processed in any way that is incompatible with the information given when the data subject gave their informed consent. Where we ask data subjects for sensitive data – defined by the GDPR as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation – Mustard Research’s condition for processing such special category data is the data subject giving explicit informed consent to the processing of this personal data for one or more specified purposes. Mustard Research collects this type of data only where necessary. Mustard Research informs data subjects why we are asking for their sensitive data and what it will be used for; data is not processed in any way that is inconsistent with the information which was given when data subjects gave their explicit informed consent. Data subjects are also given the option to tick ‘prefer not to say’ to any questions that ask for sensitive data.
Where personal data has been shared with Mustard Research by a data controller for research purposes, and Mustard Research is acting as the data processor, we process that data under the lawful basis of ‘legitimate interest’. It is within Mustard Research’s legitimate interest to receive personal data from our clients to invite data subjects to take part in independent research on behalf of our clients, as this is Mustard Research’s core business and purpose. If research is not conducted independently, results of the research could be affected by a bias that does not allow respondents to be honest and open. The data controller must identify its own lawful basis for sharing the personal data with Mustard Research and ensure a data processing agreement is in place for Mustard Research to process that data. This lawful basis is always given in the introduction to the research task that you take part in. Where a data controller shares personal data with Mustard Research, we will process only personal data that has been shared securely and lawfully according to the GDPR. If Mustard Research collects further data linked to the shared personal data, we always do so under the lawful basis of informed consent.
Categories of personal data:
Through our research, Mustard Research may collect the following types of personal data: Name, Email address, Telephone number, ID/Membership number, Postcode, Demographics.
This personal data may be linked to your responses to our research questions, which may include but are not limited to: experiences, perceptions, behaviours and attitudes. However, your responses will not be linked to your personal data when reported unless we get specific consent from you to do this. Your responses may be linked to your demographic details when reported, but we will take our best action to ensure that these demographics do not make you identifiable.
Who will personal data be shared with?
Information that you provide will not be associated with your name, identity or contact details when reported. Anonymised information and raw data may be shared with the organisation that the research is being conducted on behalf of (please see the introduction to the research task which you are completing), including demographic information if you provide it, and/or used in research reports that may or may not be available to the public. If you give open-ended responses, quotes from these responses may be used alongside broad demographic information in reports and raw data sets. Mustard Research may share your data with a GDPR-compliant third-party data processor for research purposes, though only for the purposes of this research. If Mustard Research is going to share personal data with a third-party data processor, we always ensure that a data processing agreement is signed first, which means your data cannot be used for anything outside the purposes of the project that you consented for it to be collected for, and that we have a lawful basis for transferring the data to the third party. If you disclose any information during this research that leads Mustard Research to believe that you are at risk of harm to yourself or others, we have a safeguarding obligation to report this to the appropriate authority. Third-party software providers that we may use to store your personal data include:
Qualzy is an online community platform that Mustard Research sometimes uses to host online discussions and research tasks. To find out more about Qualzy’s security and privacy, please click the following link: https://qualzy.co.uk/home/privacypolicy/
Skype / TEAMS:
Mustard Research sometimes uses Skype / TEAMS to complete online focus groups and in-depth interviews. When we use these for online focus groups we provide participants with account login details and ask them not to give any of their personally identifiable information. For in-depth interviews, participants either use their own personal accounts or we provide them with one of ours, though again we ask that they do not type any of their personally identifiable information into the account.
Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype has for some time used strong 256-bit encryption. User public keys are certified by the Skype server at login using 1536- or 2048-bit RSA certificates. To find out more about Skype’s security, please click the following link: https://support.skype.com/en/faq/FA31/does-skype-use-encryption
Teams enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest. Files are stored in SharePoint and are backed by SharePoint encryption. Notes are stored in OneNote and are backed by OneNote encryption. The OneNote data is stored in the team SharePoint site. The Wiki tab can also be used for note taking and its content is also stored within the team SharePoint site. https://learn.microsoft.com/en-us/microsoftteams/security-compliance-overview
If Mustard Research uses any software that will have access to personal data for research purposes, we will inform you of the software being used and provide a link to their GDPR/privacy/data protection/security policy. Mustard Research will always ensure that the organisations running the software comply with the GDPR.
Transfer of personal data to another country:
Mustard Research uses only software or third-party data processors that do not transfer personal data outside of the EEA, or that have the Privacy Shield to be compliant with the GDPR and ensure the security of your personal data.
Retention period or criteria used to determine the retention period:
Mustard Research does not keep personal data longer than is necessary and anonymises data where possible, securely deleting personal data associated with it at the earliest possible point. As a minimum, Mustard Research reviews whether it is necessary to keep personal data one year after data is collected and deletes any personal data which it is not necessary to keep.
1.7 The existence of each of the data subject’s rights
The right to be informed:
The processing of personal data for research purposes by Mustard Research is transparent. Where we are collecting personal data from data subjects, they are always informed of or have access to the following information in order to make sure they are provided with their individual rights and are fully informed about the data that Mustard Research is or will be processing about them. Personal data is not processed in any way which is incompatible with that which they have been informed about, without further consent.
Before taking part in research, data subjects are informed:
- Who Mustard Research is, and the contact details of a Mustard Research researcher related to the research being conducted;
- What Mustard Research is asking them to take part in and give Mustard Research their data for; who the data is being collected for; why we are collecting the data; what the data will be used for; and the lawful basis for processing their personal data;
- If Mustard Research is acting as a third-party data processor, and is contacting people whose data has been shared with Mustard Research, we inform the data subject which organisation has shared their data with Mustard Research along with their contact details. In this case, we inform them why their data has been shared and what we are using it for;
- That Mustard Research complies with the GDPR;
- That Mustard Research does not keep personal data for longer than is necessary for the purposes for which the data is being collected. As a minimum, Mustard Research reviews whether it is necessary to keep personal data one year after data is collected and deletes any personal data that it is not necessary to keep;
- If the data subject’s personal data may be shared with a third-party data processor, data subjects will be informed;
- That they have a right to lodge a complaint with the data controller (a Mustard Research researcher if Mustard Research is the data controller, or Mustard Research’s client if Mustard Research is the data processor – contact details are provided) and, if they are still not satisfied, with the Information Commissioner should they wish, using the Information Commissioner helpline: 0303 123 1113.
In situations when we are conducting research with anyone under the age of 13, we always obtain parents’ or guardians’ consent.
The information that we supply about the processing of personal data is concise, transparent, intelligible and easily accessible; it is written in clear and plain language.
The right of access:
For data of which Mustard Research is the data controller, data subjects have a right to request access to any information that Mustard Research holds about them if it is linked to their personal data in any way. If Mustard Research receives a subject access request, it is Mustard Research’s policy to record the request, respond within two weeks and provide the data to the individual within one month, to comply with the GDPR standards. However, Mustard Research strives to respond to requests and provide information as soon as possible, which tends to be sooner than the GDPR standard. The identity of the individual is confirmed before personal data is shared, by asking data subjects to confirm at least two pieces of personal information that we hold (or one if only one piece is held). If data which is held is no longer personally identifiable in any way, then subject access requests may be denied. If data subjects request access to data of which Mustard Research is the data processor, we will inform the data controller and it will deal with the subject access request. Mustard Research will share relevant personal data that we hold with the data controller to comply with the request.
The right to rectification:
For personal data of which Mustard Research is the data controller, data subjects have a right for their data to be rectified if they believe it is inaccurate or incomplete. If Mustard Research receives a request to rectify personal data from an individual who we hold data about, it is Mustard Research’s policy to record the request, respond to that request within two weeks and make the rectification within one month, to comply with the GDPR standards. However, Mustard Research strives to respond to rectification requests as soon as possible, which tends to be sooner than the GDPR standard. The identity of the individual is confirmed before personal data is rectified, by asking data subjects to confirm at least two pieces of personal information that we hold (or one if only one piece is held). If data that is held is no longer personally identifiable in any way, then rectification requests may be denied. If data subjects request rectification to data of which Mustard Research is the data processor, we will inform the data controller and it will deal with the request. Mustard Research will rectify data at the request of the data controller.
The right to erasure, the right to object and the right to restrict processing:
For personal data of which Mustard Research is the data controller, data subjects have a right to object to the processing of their personal data and/or withdraw their consent to their data being processed at any point. This can include asking Mustard Research to erase any personal data that we hold, restrict processing of that personal data, or object to a type of processing that Mustard Research is completing where the data has been collected with consent or legitimate interest as the lawful basis for processing. Data subjects are given details of how to withdraw their consent and/or request any of the above. If a request for erasure, an objection or a request to restrict processing is received by Mustard Research, it is Mustard Research’s policy to record the request, respond to that request within one week where necessary (responses will not be made to straightforward unsubscribe requests) and ensure the request is dealt with within two weeks. Mustard Research strives to respond to these requests as soon as possible. If data which is held is no longer personally identifiable in any way, then requests may be denied. If a request for erasure is made, this also involves erasing data from our suppression lists, which does mean that subjects are at risk of being contacted in the future if their data is received by Mustard Research at a later date by other means. If data subjects object or withdraw their consent to Mustard Research processing data of which we are the data processor, we will cease communication with the data subject and inform the data controller. We will then act upon the request at the instruction of the data controller.
1.8 The right to lodge a complaint with a supervisory authority
You have a right to lodge a complaint with the data controller (a Mustard Research researcher if Mustard Research is the data controller, or Mustard Research’s client if Mustard Research is the data processor – contact details are provided in the introduction to the research task that you are completing) and, if you are still not satisfied, with the Information Commissioner should you wish, using the Information Commissioner helpline: 0303 123 1113.
1.9 The source of the personal data
If Mustard Research has received your personal data from a third party (the data controller) and is acting as a data processor, the introduction to the research task which you are taking part in will always state where we have received your personal data from and the contact details for them.