Prepared by: Sarah Bailey
Approved by: Paul Craddy
Effective date: 10th February 2021
Next review date: 9th February 2022
An individual who works part-time or full-time for Remap Consulting under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary Employees and independent contractors.
An external organisation with which Remap Consulting conducts business and is also authorised, under the direct authority of Remap Consulting to process the Personal Data of Remap Consulting contacts
Remap Consulting’s Third Party contacts include, but are not limited to: Bruntwood Property Services, Sodexo, BioHub/BioCity, Payroll, Inland Revenue, Accountants, Expensify, Zool Digital, GoDaddy, Insightly, MailChimp
The identified or Identifiable Natural Person to which the data refers to
A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data
Example: Joe gives his employer Remap Consulting Personal Data (bank account details). Remap Consulting uses an external payroll service ‘Small Payroll’ to pay Joe. Small Payroll receives Personal Data about Joe to process and pay his wages. Remap Consulting is the controller of this data
A natural or legal person, Public Authority, Agency or other body which processes Personal Data on behalf of a Data Controller
Example: Small Payroll is a processor of the Personal Data received from Remap Consulting in order to process and pay Joe’s wages
Any activity that involves use of Personal Data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it
Processing also includes transferring Personal Data to Third Parties
The purposes for which Personal Data may be used by us:
Personnel, administrative, financial, regulatory, payroll and business development purposes
Business purposes include the following:
Information stored electronically or on paper relating to an identifiable living individual, such as job applicants, current and former Employees, Agency, Freelancers and other Employees, Clients, Third Parties and marketing contacts
Personal Data we gather may include: individuals’ contact details, date of birth, educational background, bank details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Sensitive Personal Data
Sensitive Personal Data are special categories of Personal Data that are subject to additional protections. In general, organisations require stronger grounds to process Sensitive Personal Data than they require to process “regular” Personal Data.
This can be Personal Data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), genetic, biometric (pictures, audio, video, fingerprints), physical or mental health or condition, criminal offences, or related proceedings
Sensitive Personal Data we gather may include: Biometrics for ID purposes, Ethnicity, photos for website and social media outlets, video recordings or health data for accident and sickness records
Remap Consulting holds Personal Data about its Employees, Clients, Third Parties and other individuals for a variety of business purposes.
Remap Consulting is committed to protecting the rights and freedoms of data subjects by safely and securely processing their data in accordance with our legal obligations.
It is important that this information is handled lawfully and appropriately in line with the requirements of the [Data Protection Act 2018] and the General Data Protection Regulation (collectively referred to as the ‘Data Protection Requirements’).
People who have contacted us with a request for information
If you have requested information from Remap Consulting, we will collect and process the personal data that you provide in order to respond to your request. Unless you consent to the contrary, we shall only use your personal data to provide the information you have requested.
We may collect some or all of the following personal data (this may vary according to your relationship with us):
We will process your personal data where there is a legitimate interest in us doing so, if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights).
If you apply to work at Remap Consulting, we will only use the information you supply to us to process your application. Where we want to disclose information to a third party, for example where we want to take up a reference, we will not do so without informing you beforehand unless the disclosure is required by law.
Personal data about unsuccessful candidates, including the results of any assessments, may be held for 6 months after the recruitment exercise has been completed, if we feel there maybe future suitable vacancies and we want to keep your details longer we will ask your permission. It will then be destroyed or deleted.
Once you have taken up employment with Remap Consulting, we will compile a file (in both electronic and paper formats) relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment.
We will ask you to provide us with certain personal data. We may collect additional information from third parties including former employers, credit reference agencies or other background check agencies. We will also collect additional personal data in the course of job-related activities throughout any period of you working for us.
We will process your personal data for the following purposes:
Remap Consulting may also need to process information you provide or that we fairly obtain about your criminal convictions and offences (including alleged offences), your health (including any medical condition, health and sickness records), race, ethnic origin, religious beliefs, sexual orientation, your biometric information, for example, photographs, for security purposes, political opinions and trade union memberships (‘Special Category Data’). We may process your Special Category Data in the following circumstances:
We retain your personal data including any Special Category Data while you work for Remap Consulting and, after you cease working for Remap Consulting, for as long as is necessary to fulfil our contractual obligations to you, for applicable legal, accounting, or reporting requirements and to provide you with information at your request (such as references).
We use the information we collect or receive, such as your email address, phone number, postal address, to communicate directly with you. We may ask you to give us your consent to send you emails containing newsletters or updates or contact you on other ways. If you do not want to receive such communications, you will be given the option to unsubscribe or change your preferences.
Where individuals do not have a relationship with us, for example, if we have identified them from public domain information, as we feel they may have an interest in our services, we shall be relying on ‘legitimate interests’ to engage in promotional activities including direct marketing. See the section on Your rights.
Remap Consulting uses a network of fieldwork partners and clinical sites to recruit participants to our market research and health outcomes research. Someone from the clinical site or fieldwork agency will contact you to see if you are willing to participate in the research. In some circumstances a member of Remap Consulting may contact you directly to recruit you to a research project. We process your personal data by obtaining your explicit consent. This means that before we collect any information from you we ensure that you are provided with full details about the purpose and nature of the project and what will happen to the information we collect.
All information provided will remain confidential and will only be reported to the commissioning client combined with other respondent’s data so there is no information that can identify you, unless you have given your consent to the contrary. Only members of the direct project team will have access to personal data that might identify you, however, we will only collect and use this information for the purposes of our research with your explicit consent. We collect data in our studies for market research and health outcomes research purposes only, and our use of that information will be limited to that purpose.
Research participation is voluntary and you can withdraw consent at any time.
In some cases, we may need to share personal data with third parties that provide research services in support of the research project. Any third party that receives personal data is obligated to follow all of the same privacy protection regulations as followed by Remap Consulting.
We do not rent, sell or give personal data to any third party for the purpose of directly marketing any products or services. We will not send you unsolicited mail or pass on your email addresses to others for this purpose.
In the relatively few instances where we ask you for permission to pass data on in a form which allows you to be personally identified, we will ensure that the information will be used only for the purposes stated. We process your personal data by obtaining your explicit consent.
Before we share your data we ask you if you are prepared to pass data on in a form which allows you to be personally identified. We will provide you with the following information so you can decide if you wish to consent.
Where you have given your permission for us to share the recording of your interview with the commissioning client company, we shall not disclose your name or contact details. Companies are under a strict legal obligation not to try and identify you from any video or audio recording.
If we share the video or audio recording (for example, at the request of the client) we obtain your explicit consent by providing you with information on the client company, the usage of the recording and who will view your recording. This will be stated in a consent form which we will ask you read understand and confirm your acceptance. The client company will also sign a form confirming that will only use the recording as agreed by you.
We are required by the client commissioning the research and regulatory bodies to pass on details of adverse events/product complaints for any of the client’s products, mentioned during the course of research interviews/activities. This is solely for drug safety to fulfil their obligation to the regulatory authorities. The processing may take place outside the European Economic Area (“EEA”), or the country where the interview took place. You will only be identified in these reports where you have expressly given your permission. You will be asked at the end of the interview if you give your consent to be identified so drug safety can follow up with you if required. You do not need to provide your details and we will report the adverse events/product complaints anonymously.
At the end of the project Remap Consulting will check with the client’s drug safety department to ensure that all reports have been safely received. At that point any contact details on the reporting form will be removed by Remap Consulting and we will keep the form without any personal data. Only drug safety will have your contact information.
The drug safety department of the commissioning client may require that your participation information be available for review. This will be solely for drug safety to fulfil their obligation to the regulatory authorities. In order to fulfil this obligation, we will keep the audio recording of your interview for up to 10 years for drug safety purposes only. Drug safety will need to apply to Remap Consulting in writing as to the purpose of the review, who will review and how long drug safety will keep the audio recording. Your name is not associated with the recording and Remap Consulting and drug safety will not know who you are. We will obtain your explicit consent to keep the audio recording. After 10 years the audio recording will be securely destroyed.
From time to time, we may create survey questionnaires through a 3rd party website, on behalf of our commissioning client (For example, SurveyMonkey and Microsoft Forms). These sites are created to collect information on your experiences/opinions. These sites do not have a registration process, they have no user log-in, and so all data collected is anonymous. In terms of the data captured, that obviously depends on the questions we want to ask, and we don’t usually ask for any identification information. If we do need to collect any personal data from you, we will only do so with your explicit consent and we will ensure that you are provided with full details about the purpose and nature of the project and what will happen to the information we collect.
For some 3rd party sites we ask you to register and create a unique account, with a user name and password, by providing your name, email address, and profession. We obtain your personal data with your explicit consent, when you register on the website.
These sites may, from time to time, contain links to and from other websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.
The length of time we hold your personal data varies depending upon the type of information and its use. We will hold your personal data on our systems only for as long as necessary to provide the services and/or products that you have requested, or for such other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Personal data is kept according to our data retention and deletion policy.
We keep a backup of our data in order to restore the original data after a data loss event. When we delete your personal data it will be deleted from the live storage immediately but there will be a delay before it is removed from the backup data.
Examples of our retention periods are as follows:
Written particulars of employment / Contracts of employment, including the Certificate of Qualification Changes to terms and conditions, including change of hours letters
Duration: For duration of employment and for 6 years after employment ceases
Job History – consolidated record of whole career and location details (paper or electronic)
Duration: For duration of employment and for 6 years after employment ceases
Applicant CVs – CVs for successful and unsuccessful candidates
Duration: Unsuccessful candidates – delete after 6 months. Successful candidates – CV kept on record.
Respondent names and contact details
Duration: Deleted after 2 years following the end of the project
We use selected agents to process your information on our behalf, such as software providers to host our website. These third-party providers will be authorised to see and use your information but only to fulfil their contractual obligations to us and will not be permitted to use it for any other purpose. We retain full responsibility for how your personal data may be used by such agents.
We may share your personal data so that we can comply with a legal obligation to which we are subject. For example: where we are obliged to share your personal data with regulatory bodies which govern our work and services; government departments such as law enforcement and HMRC; court orders etc.
We will process your personal data where there is a legitimate interest in us doing so if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights). Remap Consulting will not sell, trade or rent your personal data under any circumstances.
We generally store and process your information within the European Economic Area (EEA).
Where we need to transfer your information outside of the European Economic Area we only do so to countries which have been determined by the European Commission to have an adequate level of data protection. If we transfer personal data to countries that have not been determined to have an adequate level of protection we do so using a variety of legal mechanisms, including the US Privacy Shield and contracts, to help ensure your rights and protections.
In order to protect your personal data Remap Consulting employ:
Remap Consulting tries to be as open as it can be in terms of giving people access to their personal data. You have specific rights connected to provision of your personal data to Remap Consulting. These include your rights to request what personal data we may hold about you, if any, and for what purposes.
You have the right to request that Remap Consulting:
You also have the right to:
If you have a concern about the way we are collecting or using your personal data, or if we do not address your request, or fail to provide you with a valid reason why we have been unable to do so, you have the right to contact the Information Commissioner’s Office to make a complaint. They can be contacted via their website https://ico.org.uk/
How can you access the information we hold about you?
You can request to access any personal data that you have submitted to us. The easiest way is to request a copy via the contact details listed below.
Send and email to the data controller, firstname.lastname@example.org, or write to us at:
7461 6302 Zug,
+44 (0)7957 028493
Please ensure that you include your name and clear instructions on what you would like us to do.
If you require us to supply you with details of the personal data that we hold about you, then we will provide this information free of charge and we will provide this information to you within one month of your request unless the request is complex or is numerous requests. If this is the case we will inform you within one month of your request about the reason for the extension of time.