Data Protection Act Pitfalls
The Data Protection Act is now a familiar part of the market research scene, yet practitioners have yet to come to grips with many of its more obscure requirements. Sandrine Monnier-McClure highlights some aspects to watch out for
The Data Protection Act may be an integral part of market research and as such affects all of us but this doesnt necessarily mean that we understand it. The DPA is a complex and opaque document that relies very much on ones interpretation of many of its terms.
The Act, which came into effect in October 2001, covers all aspects of our industry, from organised data collection, processing methods, video/ audio recordings, computers (e.g. personnel information transfers from one country to another), to CCTV, even.
More than enough time, one would have thought, to iron out all the wrinkles. Sadly, there is still confusion as to the practical implications, while the lack of clear and implementable guidelines from the relevant bodies doesnt help matters.
The MRS has had a stab at clarifying it, yet the editing deadline keeps on being pushed back. An additional problem is that dealing with the DPA is not just complex but also legally binding. Hence my reluctance to give any actual advice with regards to how it should be dealt with. As they say, the point of this document is to inform only, it is not legal advice and should not be relied upon as such!
If the DPA were a brand, I feel that opaqueness and subjectivity would be its key values. The pivotal thought behind it is to protect people: consumers, clients, research agencies, recruiters... everyone. It basically requires personal data to be processed fairly and lawfully. Fairly? Sounds more like the topic of a philosophy A-Level. Lawfully? Thats when the jargon comes in.
Lawfully means that, for a start, qualitative researchers and recruiters need to go through the process of notification, replacing the process of registration with the OIC (Office of Information Commissioner). This is because we are likely to have electronically held personal data that are identifiable.
Identifiable? Well, this is a key term. Identifiability, for example, is a persons surname or address that should not be communicated by us to any third parties, the client being one. But thats just the tip of the iceberg. Lets take the made-up example of a business-to-business depth on wine.
The respondent introduces himself as Paul. Fine. Later in the conversation snippets come up such as as the owner of a wine shop, I feel... and later because were based on X High Street... . So what price confidentiality?
The respondent has now become identifiable to anybody in the industry, including the client. Are we in breach of the DPA? Does it mean that the tape cannot be circulated anymore? Yes, it does. And what about ethnography? What is more identifiable than ones home? Safeguarding ones anonymity is not as straightforward as it seems.
This is when homework comes in, or prevention rather than cure. The respondent should have signed off a form that allows us to use his data regardless of identification (that includes clients viewing behind the mirror). Maybe he should have signed on the dotted line of a document that highlights that he has been notified the data may be circulated and he is waving his right to withdraw data with regards to that specific interview.
The problem is actually even worse when recruiting from lists. Hands up who always checks whether the clients providing lists are registered with the OIC? And what about checking out with our recruiters? Dont we just take it for granted that they are registered and never go so far as to check it out?
The upshot of this is that a key set of points needs to be grasped at each stage of the research process. They are hygiene factors in the matter, entry points into complying fully with the DPA. They do not fully encompass all that is required (e.g. when dealing with what is considered sensitive data).
- Whoever is involved in the process should be registered as someone who handles data with the OIC (at £35 p.a., its silly not to). This covers the client if they provide us with lists for recruitment.
- Respondents have to give informed consent regarding participation
- It means they must be made aware of the purpose of the research (yes, even the clients name if they ask), that they are going to be taped (video/audio), if there are clients attending, where and when and for how long the group is going to be taking place.
- Respondents also need to be made aware that they are allowed to withdraw consent at any time or can demand access to data. One individual has the right to jeopardize a whole group by deciding to withdraw consent.
- Finally they should sign off a form that mentions that they know the client may want to circulate data, prior to walking into the group or the depth. This is a simple extra step to take for us, with the design of a standard form alongside the incentive form
- When analysis is conducted we should ensure that we remove any personal identifiers from the data collected. This is another sticky point as much of what qualitative research does is gaining data related to individuals which automatically makes it personal data
Research findings and related information
- Finally, we need to ensure that when we transfer identifiable data we should do it only within countries with equal or higher data protection standards. This, in a nutshell, allows us to transfer data within the EEA... but thats about all.
These seem to be the pillars of DPA compliance. Yet the nuts and bolts of the aforementioned fairly and lawfully requirement are a lot more complex. Maybe I should add complexity to my DPA brand values.
This article was first published in InBrief magazine, February 2003
Copyright © Association for Qualitative Research, 2003