Understanding Society and the GDPR

Find out how the Understanding Society team is conforming to the General Data Protection Regulation (GDPR), which came into force on 25th May 2018.

What is the GDPR?

The GDPR is the General Data Protection Regulation. It was approved by the European Parliament on 14th April 2016 and came into force on 25th May 2018. The GDPR is enshrined in British law through the Data Protection Act 2018.

How does Understanding Society currently keep data safe?

We are already governed by the current Data Protection Act and all of our procedures have data protection at the centre. In addition to the Data Protection Act, the Institute for Social and Economic Research, which hosts Understanding Society, has ISO-27001 certification. This is the international standard that describes best practice for an Information Security Management System. This requires the study to have a wide set of rules and regulations about how we manage data.

As well as having our information security management procedures documented, we are also independently audited annually and have to undergo re-certification every three years to make sure that we are following the requirements of the standard. Our fieldwork partners – Kantar Public and NatCen Social Research – have also achieved ISO-27001 certification. These procedures ensure that all efforts are taken to maintain the security of your data.

How will the GDPR affect Understanding Society?

The GDPR is slightly different – it is focused more on the rules under which we process and use your personal details. It sets out the duties and responsibilities we have to you, and your rights regarding the data that we hold and process.

The Institute for Social and Economic Research at the University of Essex is the data controller for the study. The fieldwork for the study is contracted to Kantar Public and NatCen Social Research, who act as the data processors.

Since the Understanding Society study is funded by the Economic and Social Research Council (ESRC) and both the ESRC and the University of Essex are Public Bodies, we use Public Task as the lawful basis for processing this data. Data are not transferred outside the European Economic Area (EEA), to ensure that they are protected by the strong EEA data protection laws. Our compliance with all the relevant legislation, and our externally certified accreditation to the international ISO-27001 standard, provide you with assurance that your data is secured and protected in the strongest possible manner.

What happens to my personal data?

Your personal details (name, address, telephone numbers, email addresses) are only used so that we can contact you during the year to send you information on how the survey is being used by researchers, and so that we can send an interviewer to you each year. These details are never made available to researchers or to any other companies who might use them for marketing purposes.

The answers you give us to the survey are securely transferred from Kantar Public to ISER, using an encrypted online portal. To preserve your anonymity, personal details (your name, date of birth, address) are removed from the survey data and held securely in an encrypted database to which only a small number of people have access. Your survey answers are put together with the answers from thousands of other participants and, in an anonymised format, are deposited with the UK Data Service. There is no information on the data which can identify you.

Any analysis is done on the whole sample, and results are often quoted in terms of specific percentages of people, and are not reported as individual answers. The collected survey responses are made available, through the UK Data Service, to academic researchers who must register with the Data Service.

Why do you need to know about “Stable contacts”?

We do also ask you to give us the contact details of someone outside the household so that if you move house during the year and we’re not able to contact you, we can send a letter to that person and ask them to contact you to let you know we would like to interview you. We only hold the contact details of this other person for that purpose – this is the only reason we would contact them. You should let them know that you have given their details to us.

What happens if I withdraw from the Study?

You are under no statutory or contractual obligation to provide us with your personal data. You have the right at any time to withdraw from the Study. If you do this, you will no longer be contacted by us. Any survey responses you have given us in the past, and which have already been made available from the UK Data Service, will remain, but no additional information about you will be deposited. Your contact details will no longer be used, but will be kept archived to ensure that we do not contact you again in the event that an additional sample is added to the study, or we start a new study.

Any questions?

If you have any questions about the security of your personal details, you may contact our Information Technology and Security Manager – Ray Ware – by email at r.ware@essex.ac.uk.