Introduction
This privacy policy applies to Progress Scotland and is based on principles of the EU’s General Data Protection Regulation (“GDPR”) as the standard to which Progress Scotland, its employees and suppliers adhere.
This policy describes the minimum standards of how Personal Data is processed, collected, handled and stored by Progress Scotland demonstrating how it adheres to the GDPR standards.
In addition to this Policy, for its market research business Progress Scotland adheres to the requirements of the ICC/Esomar International Code on Market, Opinion and Social Research and Data Analytics.
Principles for Processing Personal Data
All Personal Data must be dealt with properly, irrespective of how it is collected, recorded and processed – whether on paper, in a computer file, database, or recorded on other material.
Progress Scotland regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals as a vital component of its business operations.
Progress Scotland respects the following principles, which are explained in more detail later, concerning Personal Data and that they are:
- Processed fairly and lawfully.
- Processed for limited purposes and in an appropriate way.
- Adequate, relevant and not excessive for the purpose.
- Accurate.
- Not kept longer than necessary for the purpose.
- Processed in line with participants’ rights.
- Secure.
- Not transferred to third parties without adequate protection.
2.1. Lawfulness, Fairness and Transparency
Personal data must be processed and collected lawfully, fairly and in a transparent manner. Furthermore, the participant must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. Typically, we have a specific data privacy policy relating to individual research projects that specifies how we have obtained contact details of the participant, the purposes of the research, how we will handle and process personal data, reassurances that data is reported in the form of aggregated statistics or thematically in qualitative research, and details of data retention and destruction.
2.2. Data Minimisation
Personal data must be adequate, relevant and limited to the purpose for which it is processed. It must be determined whether and to what extent the processing of Personal Data is necessary to achieve the purpose for which the processing is undertaken.
2.3. Accuracy
Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal data is accurate, having regard for the purpose for which it is processed and is erased or rectified without delay.
2.4. Storage Limitation
Personal Data must not be retained in a form which permits identification of participants for longer than is necessary for the purpose for which the Personal Data is processed. Progress Scotland will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. Progress Scotland will take all reasonable steps to destroy, or erase from its systems, all Personal Data which is no longer required. This will involve pseudonymsing personal data.
2.5. Integrity and Confidentiality
Personal Data must be processed in a manner that ensures appropriate security of the personal data from being revealed, disseminated, accessed or manipulated. Our information security processes avoid personal data being accessed by those who do not have a legal right to /process the data.
Legal Grounds for Data Processing
3.1.1. Consent to Data Processing
Personal data can be processed following consent by the research participant. Before giving consent, the participant must be informed about the full purposes of the research and how the data will be managed. Consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone surveys, consent can be given verbally. In all cases, the granting of consent must be documented.Any consent will only be valid if it constitutes a freely given, specific, informed and unambiguous indication of the participants wishes.
3.1.2. User Data and Internet
If personal data is collected, processed and used on websites or in apps, the participant will be informed of this in a privacy statement including, if applicable, information about cookies or similar technical measures. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible, easily understandable and consistently available.
3.1.3. Personal Data Provided by Clients
Transfer of personal data to Progress Scotland by its clients to provide us with sample or to enhance existing sample can be enabled if a Data Processor Agreement is in place. This agreement will stipulate that Progress Scotland will be the data processor and may only process the Personal Data in accordance with the instructions agreed with or received from the client. The client is the data controller under this contract.
Irrespective of any client requirements, any personal data provided by a client may only be:a) Processed for the purpose they were provided for;b) Not be kept for longer than is required for the purpose;c) Subject to the same security requirements applicable to Progress Scotland’s own personnel.
3.1. Marketing Contacts
Generally marketing contacts are no different than respondents in respect of the privacy protections accorded to them. Their contact details constitute Personal Data, even if they are business related. Only if the contact details are truly generic like “contact@acme.com”, will they not fall under this Policy.
Any subsequent communication with marketing contacts will include the option to refuse marketing content, and if they don’t opt out at this point, they are given a simple way to do so in all future messages.
Outsourced/Third Party Data Processing
In many cases Progress Scotland is using external providers to process personal data. In these cases, an agreement on data processing on behalf of Progress Scotland must be concluded with such provider. This can be done either by way of including appropriate provisions in the agreement governing the overall relationship with the provider or in a separate and specific document.
Rights of the participant
Every participant has the following rights:Right of access: The participant may request information on which Personal Data relating to him/her have been stored, how the data was collected and for what purpose. If Personal Data is transmitted to 3rd parties, information must be given about the identity of the recipient or the categories of recipients.
Right to rectification: If Personal Data is incorrect or incomplete, the participant can demand that they are corrected or supplemented.
Right to withdraw consent: Where the Personal Data is processed on the basis of Consent the participant can object to the processing at any time. These Personal Data must be blocked from the processing that has been objected to.
Right to erasure. The participant may request his or her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
Right to object: The participants generally has a right to object to his/her data being processed and this must be taken into account if the protection of his/her interest takes precedence over the interests of the data controller.
Right to data portability. The participant has the right to request for the Personal Data provided by him/her to be made available to such participant in an easily readable format, like a Word or Excel document.
Confidentiality of Processing
Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as in limitation, of roles and responsibilities. A data flow is produced on each project to determine who will have access to personal data throughout the lifetime of a project.Employees are forbidden to use Personal Data for their own private or commercial purposes, to disclose them to unauthorised persons, or to make them available in any other way.
Privacy by Design and Default
Progress Scotland will use a Privacy by Design and Default approach in all its work. Our IT processes are compliant with the information security standards ISO27001 and all our documents containing personal identifiable data are encrypted.
Data Protection Audit
Compliance with this Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of the externally hired auditors. On request, the results of data protection audits will be made available to the responsible data protection authorities.
9. Privacy specifically in relation to www.progressscotland.org
9.1 What personal data we collect and why we collect it
Feedback
When visitors leave comments on the site we collect the data shown in the Feedback form, and also the visitor’s IP address and browser user agent string to help spam detection.
Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
Embedded content from other websitesArticles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.
9.2 How long we retain your data
If you leave Feedback, the details and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
9.3 What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
If you have any questions at all or would like to request information about your data please email us at : mail@progressscotland.org
This privacy policy was last updated on 1 February 2019 and will be reviewed annually.