The objective of FMR is to carry out Market Research involving Health Care Professionals, patients or consumers.
Context
The General Data Protection Regulation issued by the European Union (“GDPR”) and effective 25 May, 2018, refers to the protection of the privacy rights of individuals (for example, tighter restrictions around consent, the right to be forgotten, the type and amount of personal data that can be utilized, data access and security, etc.) beyond those protections that have already been in place for some time in the European Union and in many other countries around the world.
As such, the protection of personal data is a top priority.
FMR GLOBAL HEALTH is compliant with the guidance and requirements of the professional code of conduct applicable to all registered market research companies (ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics) and all current existing local regulations, especially as far as the protection of respondents’ data is concerned.
In addition, FMR has adopted the Cyber security code of conduct with IT Security and Information Management policies to ensure the safeguarding and protection of the personal data of its customers, respondents and employees.
Its mandate is:
- To ensure that personal data are appropriately treated and protected.
- Anonymised data and access security – For respondents, anonymisation techniques are used to protect respondents’ personal data during data collection operations, and access is restricted to the fieldwork teams in FMR’s operations units, solely on a need-to-know basis.*
- The same policy applies for customer provided samples, online panellists and off-line respondents.
*ICC/Esomar International Code on Market, Opinion and Social Research and Data Analytics (https://www.esomar.org/what-we-do/code-guidelines)
For our employees, access to employees’ personal data is strictly limited to the relevant staff in charge of human resources management.
FMR GLOBAL HEALTH has implemented various encryption solutions, notably on all employees’ laptops as well as on databases containing special (sensitive) categories of personal data such as data concerning health, political opinions, etc.
For Partners or Suppliers, FMR GLOBAL HEALTH enforces procedures for selecting Partners that process personal data based on their capacity to comply with data protection requirements. This means that all Partners must sign an agreement including data protection clauses and that no supplier can transfer any personal data unless they agree to appropriate safeguards and obtain customer consent. Additionally, our Partners cannot subcontract part of the personal data processing services to sub-processors without prior approval.
Data transfers
Contractual measures were put in place for cross border data transfers. When a data transfer is required in a country recognized as not having an adequate level of data protection, FMR ensures that EU Standard Contractual Clauses are in place, implementing appropriate technical and organisational measures for the protection of the personal data.
Depending on the services required the following actions will be undertaken:
- Health Care Professionals, patients, caregivers and consumers recruitment
- Interviews, carried out face-to-face, in studio, online (web-assisted), over the phone or in the field
- Simultaneous translation or voice-over
- Compensation of the respondents
- Transcription or delivery of the information collected during the interviews, such as filled-in questionnaires
- Translation of materials
- Consolidated data analysis
FMR will ensure that the data delivered are fully anonymised and that the process abides by the laws and rules applying to data protection as laid out by the General Data Protection Regulation (GDPR) as of May 25th 2018.
Data Protection Principles
The GDPR imposes significant requirements for organisational compliance measures and safeguards, such as enshrining privacy by design and by default, the use of data protection impact assessments (DPIAs), keeping comprehensive data processing records and mandatory reporting of data breaches. Most important is accountability, which requires that data controllers are responsible for, and are able to demonstrate compliance with, the following six general privacy principles:
- Lawfulness, fairness and transparency – Personal data is processed lawfully, fairly and in a transparent manner.
- Purpose limitation – Personal data is obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing is allowed for archiving, scientific, statistical and historical research purposes.
- Data minimisation – Personal data processed is adequate, relevant and limited to what is necessary.
- Accuracy – Personal data is accurate and, where necessary, kept up to date.
- Storage limitation – Personal data is not kept longer than is necessary (but data processed for archiving, scientific, statistical and historical research purposes can be kept longer subject to safeguards).
- Integrity and confidentiality – Appropriate technical and organisational measures are put in place to guard against unauthorised or unlawful processing, loss, damage or destruction.
Personal Data
GDPR covers personal data, i.e. information relating to an identified or identifiable natural person, who can be identified directly or indirectly by that data on its own or together with other data.
A subset of personal data is categorised as special data; this is essentially sensitive personal data covering religious or philosophical beliefs, health, racial or ethnic origin, trade union membership, political beliefs, sex life or sexual orientation, genetic data and biometric data (including photos when used for the purpose of uniquely identifying a natural person) of individuals. The collection and use of special data are subject to greater restrictions than other types of personal data.
In the research context it is important to recognise that there is a difference between data that identifies a participant in a market, opinion and social research project and data obtained from participants during fieldwork, such as responses provided, opinions expressed, etc. The first category consists of identifiable demographic details (personal data), but the responses of participants will only be considered personal data when they can be linked to the demographic details (or if the responses themselves contain identifiable details). Sound and video recordings and still images should always be considered personal data in light of the ease of linking these to a person.
The ease with which technology can do this means that there is a higher risk of re-identification for this type of material. Transcripts of recordings are used in order to anonymise them properly. Researchers separate these different categories of information and anonymise personal data where possible, since when working with anonymised data (i.e. participant responses which cannot identify an individual) the requirements of the data protection rules no longer apply. Data can also be “pseudonymised”. Pseudonymised data is personal data that has been processed so that it can no longer be attributed to a specific data subject without the use of additional information, such as a unique identifier which can make the data identifiable. An original string of data, even without the identifier, can still be personal data (in the hands of an organisation that holds both the dataset and the identifier), since it can be matched again with the original database to make the data in the string identifiable. In order to become pseudonymised data, the additional information must be kept separately and held subject to adequate technical and organisational measures. The data can then be considered pseudonymised even where the identifier is kept within the same organisation.[6] Pseudonymised data is still personal data, but pseudonymisation is a security technique that provides a mechanism for reducing the level of exposure under the GDPR. The transition from personal data sets held by researchers through to pseudonymised and anonymised datasets is set out in Figure 1.
[4] Article 4 (1) GDPR.
[5] Information about criminal convictions and offences is treated separately and is subject to tighter controls.
Conducting Research under the GDPR: Legal Bases, June 2017, v.1.4
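As an added illustration of the split between identifying demographic details and fieldwork responses described above (example code written for this page, not FMR’s own process or tooling): the identifying fields are replaced by a keyed token, the responses go into one dataset, and the token-to-identity key table is held separately, so re-identification is only possible for whoever holds that table. The participant records, field names and secret key are all constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample fieldwork records (not from any real study): identifying
# demographic details stored alongside the interview responses.
PARTICIPANTS = [
    {"name": "Dr A. Example", "email": "a.example@hospital.test",
     "specialty": "cardiology", "country": "FR",
     "responses": {"q1": 4, "q2": "prefers generic"}},
    {"name": "Dr B. Sample", "email": "b.sample@clinic.test",
     "specialty": "oncology", "country": "DE",
     "responses": {"q1": 2, "q2": "brand loyal"}},
]
IDENTIFYING_FIELDS = ("name", "email")   # direct identifiers
QUASI_IDENTIFIERS = ("specialty", "country")  # kept in the pseudonymised set, coarsened later


def make_pseudonym(key: bytes, record: dict) -> str:
    """Keyed hash of the identifying fields. Without `key` the token cannot be
    recomputed from a guessed name or e-mail, unlike a plain SHA-256 of the e-mail."""
    ident = "|".join(record[f].strip().lower() for f in IDENTIFYING_FIELDS)
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (response dataset, key table). The key table is the 'additional
    information' that must be stored separately under its own safeguards."""
    dataset, key_table = [], {}
    for r in records:
        pid = make_pseudonym(key, r)
        row = {"pid": pid, **{q: r[q] for q in QUASI_IDENTIFIERS}, **r["responses"]}
        dataset.append(row)
        key_table[pid] = {f: r[f] for f in IDENTIFYING_FIELDS}
    return dataset, key_table


def reidentify(row: dict, key_table: dict):
    """Only the holder of the key table can link a response row back to a person."""
    return key_table.get(row["pid"])


def anonymise(dataset):
    """Drop the link token and the finer quasi-identifier (country); the key table
    can no longer undo this. Free-text answers still need checking for identifiers."""
    return [{"specialty": r["specialty"], "q1": r["q1"], "q2": r["q2"]} for r in dataset]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored apart from the dataset
    data, links = pseudonymise(PARTICIPANTS, key)
    print(data)                            # no names or e-mails in the response dataset
    print(reidentify(data[0], links))      # works only because we hold the key table
    print(anonymise(data))
```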