Data Protection and Information Security Policy

Freelance Research Consultant: Gus Allen trading as Beyond Insights

Email: gus@beyondinsights.co.uk

1. Introduction

As a freelance research consultant conducting qualitative and quantitative research, I am

committed to protecting the privacy and personal data of research participants, clients, and

collaborators. This policy outlines how I collect, use, store, and dispose of personal data in

compliance with the UK General Data Protection Regulation (UK GDPR) and the Data

Protection Act 2018.

2. Principles

I adhere to the core principles of data protection:

- Lawfulness, fairness, and transparency

- Purpose limitation

- Data minimisation

- Accuracy

- Storage limitation

- Integrity and confidentiality

3. Data Collection and Purpose

I only collect personal data when strictly necessary for the execution of research projects.

This may include:

- Contact details for participants or clients (e.g. names, email addresses)

- Anonymous survey responses or interview transcripts (with identifiers removed)

I do not collect or process sensitive personal data (e.g. health, ethnicity, political views).

4. Legal Basis for Processing

Personal data is processed under one or more of the following legal bases:

- Consent – where individuals explicitly agree to participate in research

- Legitimate interests – where data is necessary to deliver contracted research services to

clients, in a manner that respects individuals' privacy

5. Information Classification

A proportionate information classification policy is in place to ensure data is handled

according to its sensitivity and risk.

The following categories guide how data is treated:

Confidential data: Includes personally identifiable information (PII), participant recordings,

and any material that could directly or indirectly identify individuals or sensitive project details. This data is encrypted, access-restricted, and never shared externally without proper anonymisation.

Internal-use data: Includes working documents such as research plans, note-taking

templates, or coding frameworks that do not include PII. These are protected but not

subject to formal encryption.

Client-facing data: Final deliverables that are anonymised and appropriate for sharing.

These documents are prepared with the expectation that they may be distributed within the

client's organisation.

6. Data Storage and Security

All data is:

- Stored securely on a password-protected laptop

- Kept confidential and accessible only by myself

- Not shared with third parties unless contractually agreed with the client and anonymised

where possible

7. Retention and Disposal

Personal data is retained only for as long as necessary to fulfil the purpose of the research.

After this:

- Data is securely deleted from all devices

- Any physical notes are shredded

8. Data Retention Timeframes

All data is deleted as soon as it is no longer required for the purposes of the research.

Typical timeframes are as follows:

- Interview recordings are deleted within 7–14 days after transcription is completed and

quality-checked.

- Transcripts and anonymised data are retained only for the agreed duration of the project

or up to 6 months, unless otherwise specified by the client.

- Client deliverables (e.g. reports) may be stored securely for reference, but raw data is not

retained beyond its intended use.

This approach is aligned with UK GDPR’s principle of storage limitation to ensure personal

data is not kept longer than necessary.

9. Data Backup and Recovery

Backups are performed on a regular basis for systems storing data. The MacBook used for

research is backed up using Apple’s Time Machine, which provides automatic, versioned

backups whenever the external drive is connected.

10. Data Subject Rights

Individuals have the right to:

- Access the data I hold about them- Request correction or deletion

- Withdraw consent at any time (where consent is the legal basis)

All such requests will be responded to within the legal time frame of one calendar month.

11. Access Control Policy

Access to research data is restricted to myself as the freelance research manager. Where

third parties are involved, they are only given anonymised data and are required to sign

confidentiality agreements.

Client access is limited to final, anonymised outputs unless otherwise agreed. Access

permissions are reviewed at the end of each project, and access is revoked when no longer

Required.

12. User Access and Identification

All systems and devices used for research are accessed using individual user accounts. As a

sole operator, a unique user ID is used and secured with strong authentication measures. No

accounts or passwords are shared. Where third-party tools are used, access is restricted to

personal accounts under my control, ensuring accountability and traceability.

13. Password Policy

A password policy is in place to ensure all systems and services used in the research

process are securely protected. Strong, unique passwords are used for all accounts

including a mix of letters, numbers, and symbols.

Passwords are never reused across platforms, and two-factor authentication is enabled

wherever possible. In the event of suspected compromise, affected passwords are changed

Immediately.

14. Physical Security

Physical security measures are in place to ensure that devices used for research are

protected from theft, loss, or unauthorised access. The primary work device (MacBook) is

kept in a secure home office environment and is not accessible to any unauthorised

individuals.

The device is password-protected, encrypted using FileVault, and locked when not in use.

When working outside the home, the device remains in the user's possession or is stored

securely. No sensitive data is stored on external drives or printed materials. Care is taken to

ensure that screens are not visible to others in public or shared environments.

15. Network and Firewall Security

Appropriate firewall protections are in place to secure both the device and the network

environment. The MacBook used for research is protected by the built-in macOS firewall,

which is configured to block unauthorised incoming connections.External network protection is provided by a firewall-enabled home router. No internal

network is used for storing or processing research data, so internal segmentation is not

required. All cloud services accessed are secured through HTTPS and strong authentication.

16. Intrusion Detection and Prevention

While dedicated IDS/IPS tools are not in use, cloud platforms such as Google Drive and

Zoom incorporate enterprise-grade intrusion detection and prevention systems. The

MacBook used for research is protected with built-in macOS security features, and the home

network includes a firewall-enabled router to help detect and mitigate unauthorised access

attempts.

17. Patch Management

Patch management is in place to ensure all systems are kept up to date. The MacBook is

configured to install macOS and security updates automatically. Key software applications

are regularly reviewed and updated. Cloud-based platforms used for research apply their

own updates automatically, ensuring timely protection against known vulnerabilities.

18. Vulnerability Management

Vulnerability management is integrated into broader security practices. All systems and

software are kept up to date through automatic updates and regular manual checks. macOS

is configured to apply security patches automatically, with manual checks performed at

least weekly to ensure critical updates are not missed.

19. Project Risk Assessment

A risk assessment is conducted prior to the start of each research project to evaluate any

potential data protection or information security risks. This assessment includes a review

of:

- The types and sensitivity of data being collected

- The platforms and tools used for data collection, storage, and sharing

- Who has access to the data and under what conditions

- Legal and ethical considerations under UK GDPR

20. Change Management

A proportionate change management process is in place to assess and approve high-risk

changes that may impact data protection or information security. Examples of high-risk

changes include introducing new software tools, subcontracting work involving personal

data, or altering data handling procedures.

Such changes are reviewed for risk prior to implementation, with documentation retained

to ensure transparency and ongoing compliance with UK GDPR.21. Incident Management

An incident management policy is in place to guide the response to any actual or suspected

data protection or information security incidents. This includes steps to identify, assess, and

contain the incident, and to notify affected parties where appropriate.

Incidents involving personal data are assessed against UK GDPR reporting requirements. If

a breach is likely to result in a risk to the rights and freedoms of individuals, the Information

Commissioner’s Office (ICO) will be notified within 72 hours. All incidents are logged and

reviewed to improve future prevention and response efforts.

22. Data Breach Procedure

If a data breach occurs (e.g. loss, theft, or unauthorised access), I will:

- Assess the risk to individuals

- Notify affected parties and, where necessary, the ICO (Information Commissioner’s Office)

within 72 hours

23. Contact

If you have any questions about this policy or your personal data, you can contact me at:

Email: gus@beyondinsights.co.uk