GDPR, Covid-19 and face-to face interviewing

Introduction:

The Market Research Society (MRS) in the UK has recently reminded us that face-to-face interviewing remains a legal activity, provided all government restrictions appropriate to the location of the interview are adhered to. The justification is that interviewing is work and, of course, the government is anxious to maintain as much economic activity as possible, whilst maintaining the fight against the pandemic. Details of the revised guidance from the MRS can be found here.

Nevertheless the fact is that face- to-face interviews are increasingly difficult to get and that more and more such work is moving either to the telephone or online. The result is that many of the benefits of face-to-face work are being lost and the jobs of those interviewers conducting such work are disappearing. Meanwhile a significant proportion of such work is moving to video with one or other of Microsoft Teams, Google Hangouts, Zoom and others, including nVision, the special market research video platform provided by Sample Answers.

The question that arises is what are the GDPR implications for those interviewers who are moving from genuine face-to-face to video work?

Background:

The primary framework of the UK privacy law has been in operation for more than 20 years, ever since the 1998 Data Protection Act, and most of the requirements for compliance have been second nature to research companies and their employees since that time. Nevertheless the introduction of the General Data Protection Regulations (GDPR) in 2018 imposed a number of additional, specific obligations to ensure compliance by recording how personal data is collected, stored and used.

In particular, the act has imposed an obligation across the research process that makes everyone involved responsible for ensuring that they are acting in compliance with the act. So if an employee were to steal a file of sensitive private data, it is not only the employee that will be held responsible but also the company holding that data will be subject to prosecution. Likewise, in theory at least, if a company were to set up procedures that were in breach of the act then any employee following those procedures could be liable to personal prosecution. “I was only obeying orders” is not an excuse!

Key points:

The primary purpose behind GDPR is to place personal data under the control of the individual that is the subject of the data; indeed the official term for individuals, as used in the act, is data subjects. So, the objective is that the data subject’s personal, private data shall not be exploited by any third party, without their permission.

Accordingly, data subjects have their personal data fully protected against any form of use, other than if one (or more) of the following three conditions is satisfied:

1. They have given specific permission for their data to be used in the manner suggested and by the entity proposing to use it; this is termed informed consent.

2. There is a legitimate interest in the data being used as proposed by the entity planning the use – such usage is normally subject to a risk analysis. With most bona fide research projects the risk analysis is almost a formality but whenever the topic is sensitive or the sample is specific (e.g. the elderly) then it becomes an important concern.

3. There is a legal requirement for the proposed use.

In fact consideration of what is lawful is even more precisely defined for online video work, because Zoom and the others are electronic communications platforms and are therefore also covered by the Privacy and Electronic Communications Regulations (PECR). These regulations specify that use of email, cookies and other electronic means are ONLY acceptable with informed consent.

It is therefore important that any research agency providing interviewers with personal email addresses or individual telephone numbers shall have the appropriate permissions to pass them on. Also, the interviewers should always assure themselves of the origin of the sample, not only to ensure their compliance with the act but also to inform the respondent, if asked.

Finally, interviewers engaged in online video interviews must re-confirm that the respondent gives their permission for the interview and that the permission is clearly recorded in some way. Without that explicit permission the interview is in breach of GDPR.

For information on nVision and GDPR click here.