Information is our business – we look after it.
Firefish Ltd (Firefish, The Numbers Lab and The Pineapple Lounge) is known for excellence and quality and strives to be a trusted business partner. Integral to this is meeting our data protection responsibilities.
When we are acting as a Data Controller and Joint Data Controller we have some key privacy related responsibilities. For you as a research participant this means:
- Contacting you in connection with the research and administering your consent
- Securely storing your personal data
- Analysing the information that you provide during your market research activity
- Securely sharing recordings and footage with carefully selected partners who assist us with the research
- Responding to your privacy related requests
- Deleting your personal data when it is time to
Each of these processing activities is described further below.
What personal data do we process?
The type of personal data we process will vary with each research project. Along with attitudes and opinions this will typically include:
- Name and contact details (phone and email) to confirm attendance or for re-contact such as:
- To discuss activity related to a project
- To discuss input / answers
- To discuss the further processing of personal data
- Age, gender and location to ensure we speak to a demographically representative group of people
- Address, if any research is to be conducted in a home
- Bank details for incentives paid via BACS
- Audio recordings and video footage
- for the purposes of transcription, research analysis and reporting
- to demonstrate and bring to life research findings for internal business uses
- to update people connected to the research
- All personal data is collected with your consent, this may include special category data.
How do we collect and use personal data?
There are several ways we may collect or have access to personal data.
- Directly from research participants
- From a client, or other third party, database we have access to
- From a panel provided by a client or other third party
We, like other organisations, have to process personal data lawfully. The way we do this is to ensure we meet at least one of the following:
- We have consent for research purposes, including parental consent for under 16s. Details of the personal data we will collect and how it will be used are explained before the research
- We have established legitimate interests for the collection and use of personal data. This would include our internal quality control purposes, consent audits or any activities where it is not practical or possible to get consent
- We are required by law or public interest to collect or disclose your personal data
How long do we keep your personal data?
We will only hold your personal data for as long as there is a legitimate business need or legal requirement to retain it.
- Personal data we collect and use for research purposes will be held by us for 6 months after the project has finished, unless has been otherwise specified
- Personal data that is included in the final research output will be held by us for a period of 7 years for our internal record keeping and archiving processes
- Personal data files may exist for up to 6 months in our IT back-up system before being naturally overwritten
- Name and attendance are recorded for a 2-year window for our internal quality control purposes. This is held by our research partner, Ayda, (https://www.helloayda.com/). This excludes personal data that has originated from a client/third party database
- Where we have paid the research incentive, we will hold a record of transaction or signature for 7 years, for tax audit purposes
How do we look after your personal data?
It is important to us that you know your personal data is safe and we have a number of security policies and procedures to ensure that we protect your information at all times. We employ a specialist IT provider to ensure our systems are regularly monitored and maintained with up to date security software to protect against threats.
- Only authorised people have access to your personal data and on a needs-only basis
- Your personal data is stored on secure servers hosted by us or third parties providing hosting services to us
- We take steps to encrypt your personal data when it is stored and to prevent unauthorised access or loss
- Secure transfer methods are used so your personal data is safe whenever it is shared
- Secure destruction methods are used when we dispose of your personal data
Who do we share your personal data with?
As well as with the commissioning client, we will need to share your personal data with partners, suppliers, agents and subcontractors as these third parties are essential to helping make a research project happen. We work with trusted third parties and ensure these relationships are managed using agreements that set out clear terms and handling instructions.
These third parties will include:
- Recruiters who find participants for research
- Partner research agencies
- Research viewing facilities
- Web-streaming providers
- Online platform partners
- Filming providers
- Expert and specialist advisors
Where else does your personal data go?
In the course of conducting our research activities, it may sometimes be necessary for us to transfer your personal data outside of the U.K. and EU to carefully selected partner and providers. Some countries have different standards of data protection and may not be as strict as those in the U.K. or in the EU. We ensure that these organisations meet the necessary compliance with data protection and have appropriate and adequate safeguards in place. These transfers will be governed such as; by data processing agreements; standard contractual clause contracts; adequacy measures or other legal mechanisms. In addition, our clients receiving personal data from research outputs may share this data with other parties connected with the research, for research purposes only.
What we won’t do with your personal data
Your personal data will not be broadcast, put in the public domain, used for direct marketing purposes, automated profiling, sold to third parties or used for other purposes unless we have your explicit consent.
Know your rights – we respect them
If you are an EU/UK citizen, you have a number of rights over your personal data and our aim is to fulfil these as best we can. Please contact us using the details below if you;
- Want to withdraw your consent
- Want to request that we delete, correct or restrict the use of your personal data
- Want to know about or see the personal data we hold that belongs to you
- Want to port your personal data
- Have any concerns or questions about the ongoing processing of your personal data
Write to the Data Protection Officer, Firefish Ltd, 170-172 Tower Bridge Road, London, SE1 3LS or email firstname.lastname@example.org
If you don’t think we’ve done enough or you want to lodge a complaint then you can contact our data protection supervisory authority. In the U.K., this is the Information Commissioner’s Office (“ICO”). Contact details can be found at https://ico.org.uk/
In the U.K., our industry regulatory body is the Market Research Society (MRS) and we are bound by the MRS Code of Conduct and associated guidelines. Details can be found at www.mrs.org.uk
Firefish Ltd is an independent market research agency incorporated in England and Wales with a company registration of 03854900 and located at 170-172 Tower Bridge Road, London, SE1 3LS, U.K.
Policy effective date: 25th May, 2018
Policy version: V8_2022