Data security is a top priority for many businesses, but in particular market research firms. The data we collect is valuable to our clients, but even more valuable to our participants. We have a responsibility to our participants to keep their data safe and secure – ensuring it only stays within trusted hands. But with horror stories about lost customer data rife in the media, how can research participants be sure their information will remain secure and confidential?
Data security is about being aware of and prepared for the unpredictable; whether it is a natural disaster, data breach or worse. So what precautions can we as researchers take to ensure that the data we collect is safe, secure and confidential? This guide breaks down five of the most important measures and precautions that we take to ensure our participant’s data is as safe as possible.
1. Understanding the Law
The law surrounding data security and privacy is a complex issue. In short, the Data Protection Act is designed to ensure data is processed in a way which minimises risk to privacy. A full copy of the guidelines is available for download from the Information Commissioners Office. The guidelines centre on seven core principles that are key to information security:
- Fair and lawful processing of data
- Processing purpose – ensures data must only be used for the stated & intended purpose
- Adequacy of collection – only data that is accurate & relevant can be collected, and so long as it is not excessive for the intended purpose
- Accuracy of information – personal data must be accurate and up-to-date
- Retention of data – personal information cannot be kept longer than is necessary to achieve its intended purpose
- Rights of individuals – participants have the right to request access to their personal data at any time, it must not be used in a way which causes distress and must avoid direct marketing
- Security measures – sufficient and detailed security measures must be in place
- Data tranfer - data cannot be transferred outside the European Economic Area without adequate protection
2. Anonymising Content
The first step to ensuring data is secure is to anonymise the content. In face-to-face research this can involve redacting the names of participants in transcripts and replacing them with non-personally identifiable descriptors. For example codes for demographic, age or behavioural patterns. In online research the process is much easier, and can be achieved by replacing participants’ names with chosen screen names in research transcripts, reports and presentations.
The reason for anonymising content is twofold. The first is to ensure that clients & managers cannot associate responses with particular customers. In turn, this helps to prevent sugging (selling under the guise of research) and prevents organisations from treating customers differently dependant on their responses. The second reason for anonymising data is in case the worst should happen. If a security breach were to occur & data was stolen or released, then even though the perpetrators may have access to the research, they will still be unable to attach it to the individuals involved in the project.
3. Controlling Access
A secondary precaution that we, as researchers, take to guard our research participants & data is by controlling exactly who has access to it and when. For this reason, we ensure that the minimum number of people possible have access to the full data. More than this, controlling access to data means access is only be given to those who actually need to use it. Where data is disseminated throughout the organisation and to end clients, it has already been through an anonymising process. Only the front line researchers are able to access the research and participant data at any one time.
4. Encrypting Files
Encryption is one of the most common, but also most effective methods of achieving data security. It is the mathematical science of codes and ciphers. In essence, it is the process of scrambling data into an unreadable, incomprehensive format. This protects information and files as they are transferred across networks and devices. Without access to the ‘encryption key’ the data cannot be understood. However, if both the sender and receiver have the same cipher, the data can be processed through the cipher back into its original form.
A very simple form of encryption is to shift all letters in the alphabet one step to the right. In this example the word ‘alphabet’ would become ‘bmqibcfu’. To the naked eye, the output is nonsensical. But knowing the cipher (letter +1) allows the output to be decoded. Of course, modern encryption is far more sophisticated than this crude example. However the basic principle works the same – only the sender & receiver can access the participant data, keeping it away prying eyes.
5. Backups & Copies
Central to any data security policy is ensuring that any backups and copies of participant data are controlled and secure. To this end, all backup copies of market research data are stored on a dedicated server with a separate power supply. In addition to this, the process of making copies is tightly controlled. Our policy dictates that all customer data must be stored on-site. Staff are not able to take research data off-site and, most importantly, all paper copies must be shredded at the end of the working day. These policies ensure that only the minimal amount of copies are held at any one time, and their location is tightly controlled.
Finally, it is always worth remembering that the simplest way to protect data is to make sure you are not keeping anything that you do not need. While it can be tempting to hold on to data just in case it is needed, if the worst happens then having more data than necessary will only increase the scale of the problem. It is for this reason that we have retention policies in place and are conscious about deleting or anonymising data once its usefulness has passed.
These are just a taste of the ways in which we (and many other market researchers) keep participant data safe and secure. Of course we take the topic very seriously and are always looking to improve our methods. For that reason we adhere to the Market Research Society (MRS) code of conduct and guidelines for data protection. But we want to hear your views too – do you think market researchers do enough to protect personal information? What would you change if you could? Let us know in the comments below and join the discussion.
