Best Practices for Transferring Participant Data Securely
The title of this blog is slightly misleading, the word ‘transferring’ implies that data security is an action or process which is brought out at a discrete phase during a client-agency relationship, applied and then put away again. The truth is data security is more than this. For it to be effective, security should be treated as a constant which is addressed continually and reviewed regularly both within your own organisation and specifically in terms of your relationships with others.
When choosing an agency to work with, their ability to secure your participant data should be a key assessment criteria before committing to a relationship and always before sharing any information assets. We will get to how you do that in a moment but first let’s consider why data security is so important.
Data is a Commodity
In our digital economy, data has value like never before. For legitimate organisations, data is big business — a strategic asset that allows companies to stay one step ahead of their nearest competitors. Then there’s the murkier side — data is big business here to! The media is littered with reports of organisations large and small experiencing breaches in their security and personal data being lost. Whether it be for identity theft, credit card fraud or simply causing reputational damage to an organisation — there is clearly considerable interest among hackers and the like for obtaining personal data.
Consumers are increasingly aware of these facts too. A recent survey of data protection attitudes in the UK by the Information Commissioners Office (ICO) showed that people are concerned about their personal data want to protect it.
Trust in businesses is low with only 1 in 4 adults stating that they trust businesses with their personal data. In this same study only 21% of those surveyed agreed that online businesses collect and keep personal data in a secure way. 75% also expressed concern about personal information being stolen by criminals when businesses collect and use personal data. (ICO Annual Track April 2016).
The Implications for Market Research
Against this backdrop, applying strong data security practices are essential — after all, market research thrives on data. More than this, market research is built on the concepts of anonymity and informed consent. As researchers we pride ourselves on protecting participants’ well-being. Data security is therefore a natural part of our role.
If we are to keep the good name of market research in tact we must do our upmost to ensure that the data that comes into our possession as part of the research process (be that personal data or otherwise ) remains protected so it does not fall into the wrong hands. Not doing so would be falling short of our participants’ expectations and our professional obligations, not to mention breaking Principle 7 of the Data Protection Act!
5 Best Practices
The ICO states on their website “Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur.” So as a research buyer, how do you go about ensuring your agency is able to keep your data protected? There are many ways that this could be done, but here are a few of the most important.
1. You can only protect what you know you have. The Data Protection Act does not stipulate exactly how data must be protected. Principle 7 of the act states that:“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage, personal data.”
A fundamental starting point is to look inward at your own organisation and determine the types of data you hold; its value and impact should it be lost, destroyed or altered. Compiling an ‘inventory’ of the types of assets you have and their location really brings home to you the volume and variety of information that matters to your organisation. Only by doing this are you able to determine the appropriate level of protection and what you require of those you share it with.
2. Due diligence. Security should never be assumed. Before sharing data, ask questions of your agency to understand the measures they have at their disposal to secure your data. This should cover the formats in which data is held, where these are stored, the access controls both physical and logical to restrict access to authorised persons, and the mechanisms in place to alert unauthorised access.
Access control is at its strongest when it is based on the principles of ‘need to know’ and ‘forbidden unless expressly authorised’ — crucially it must be documented, authorised and reviewed regularly.
Remember, the due diligence process should also extend to the agency’s supply chain. Be sure to find out if they outsource any services and if this results in your data being accessed by 3rd parties. Also use this process to communicate your expectations or needs for security.
3. Less is more. You’ve heard the phrase ‘less is more’ — this is true of many things, including data. When working with an agency it is wise to only share that data (in terms of type and volume) which is necessary for the task at hand. Avoid providing data just for the sake of it, or just in case it’s useful. Should the worst happen exercising data control in this way can significantly limit the scale of the problem. For the same reason, as part of the due diligence process you should be clear how long your agency will retain data you share with them and their standard for secure destruction.
4. Encryption (rest and transit). Encryption is an effective method of achieving data security. Many agencies are already adopting encryption to protect data stored (at rest) on servers and mobile storage devices. When choosing an agency, research buyers should also consider if and how the agency secures personal data in transit.
Sending personal data by standard email is not appropriate — email is like a postcard, the email body and any attachments are accessible to any unintended recipient or person who intercepts it. There are many different options for encrypting data in transit the most common being via a secure encrypted email service. An agency who recognises the importance of securing data at rest and in transit is demonstrating a good awareness of security.
5. Training, Awareness and Accountability. Information security is a dynamic subject — new threats and attacks are constantly being created, similarly the responses to protect against these are constantly changing. It is important that all involved in the processing or handling of personal data are aware of this. An agency should engage in a regular program of data protection and info sec awareness training, for new and existing staff to avoid complacency.
Responsibility for information security should be assigned to a specific individual within the company — they don’t have to be an information security industry expert — but it is important to have someone responsible for overseeing day-to-day security matters as this creates accountability — without which an organisations security can easily become out-dated and ineffective.
What best practices for transferring, storing and using participant data do you adhere to? And how important is it that your research agency partners take data security seriously? Join the conversation in the comments below.