Data Protection and Information Security Policy
Freelance Research Consultant: Gus Allen trading as Beyond Insights
Email: gus@beyondinsights.co.uk
1. Introduction
As a freelance research consultant conducting qualitative and quantitative research, I am
committed to protecting the privacy and personal data of research participants, clients, and
collaborators. This policy outlines how I collect, use, store, and dispose of personal data in
compliance with the UK General Data Protection Regulation (UK GDPR) and the Data
Protection Act 2018.
2. Principles
I adhere to the core principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
3. Data Collection and Purpose
I only collect personal data when strictly necessary for the execution of research projects.
This may include:
- Contact details for participants or clients (e.g. names, email addresses)
- Anonymous survey responses or interview transcripts (with identifiers removed)
I do not collect or process sensitive personal data (e.g. health, ethnicity, political views).
4. Legal Basis for Processing
Personal data is processed under one or more of the following legal bases:
- Consent – where individuals explicitly agree to participate in research
- Legitimate interests – where data is necessary to deliver contracted research services to
clients, in a manner that respects individuals' privacy
5. Information Classification
A proportionate information classification policy is in place to ensure data is handled
according to its sensitivity and risk.
The following categories guide how data is treated:
Confidential data: Includes personally identifiable information (PII), participant recordings,
and any material that could directly or indirectly identify individuals or sensitive project details. This data is encrypted, access-restricted, and never shared externally without proper anonymisation.
Internal-use data: Includes working documents such as research plans, note-taking
templates, or coding frameworks that do not include PII. These are protected but not
subject to formal encryption.
Client-facing data: Final deliverables that are anonymised and appropriate for sharing.
These documents are prepared with the expectation that they may be distributed within the
client's organisation.
6. Data Storage and Security
All data is:
- Stored securely on a password-protected laptop
- Kept confidential and accessible only by myself
- Not shared with third parties unless contractually agreed with the client and anonymised
where possible
7. Retention and Disposal
Personal data is retained only for as long as necessary to fulfil the purpose of the research.
After this:
- Data is securely deleted from all devices
- Any physical notes are shredded
8. Data Retention Timeframes
All data is deleted as soon as it is no longer required for the purposes of the research.
Typical timeframes are as follows:
- Interview recordings are deleted within 7–14 days after transcription is completed and
quality-checked.
- Transcripts and anonymised data are retained only for the agreed duration of the project
or up to 6 months, unless otherwise specified by the client.
- Client deliverables (e.g. reports) may be stored securely for reference, but raw data is not
retained beyond its intended use.
This approach is aligned with UK GDPR’s principle of storage limitation to ensure personal
data is not kept longer than necessary.
9. Data Backup and Recovery
Backups are performed on a regular basis for systems storing data. The MacBook used for
research is backed up using Apple’s Time Machine, which provides automatic, versioned
backups whenever the external drive is connected.
10. Data Subject Rights
Individuals have the right to:
- Access the data I hold about them
- Request correction or deletion
- Withdraw consent at any time (where consent is the legal basis)
All such requests will be responded to within the legal time frame of one calendar month.
11. Access Control Policy
Access to research data is restricted to myself as the freelance research manager. Where
third parties are involved, they are only given anonymised data and are required to sign
confidentiality agreements.
Client access is limited to final, anonymised outputs unless otherwise agreed. Access
permissions are reviewed at the end of each project, and access is revoked when no longer
required.
12. User Access and Identification
All systems and devices used for research are accessed using individual user accounts. As a
sole operator, a unique user ID is used and secured with strong authentication measures. No
accounts or passwords are shared. Where third-party tools are used, access is restricted to
personal accounts under my control, ensuring accountability and traceability.
13. Password Policy
A password policy is in place to ensure all systems and services used in the research
process are securely protected. Strong, unique passwords, including a mix of letters,
numbers, and symbols, are used for all accounts.
Passwords are never reused across platforms, and two-factor authentication is enabled
wherever possible. In the event of suspected compromise, affected passwords are changed
immediately.
14. Physical Security
Physical security measures are in place to ensure that devices used for research are
protected from theft, loss, or unauthorised access. The primary work device (MacBook) is
kept in a secure home office environment and is not accessible to any unauthorised
individuals.
The device is password-protected, encrypted using FileVault, and locked when not in use.
When working outside the home, the device remains in the user's possession or is stored
securely. No sensitive data is stored on external drives or printed materials. Care is taken to
ensure that screens are not visible to others in public or shared environments.
15. Network and Firewall Security
Appropriate firewall protections are in place to secure both the device and the network
environment. The MacBook used for research is protected by the built-in macOS firewall,
which is configured to block unauthorised incoming connections.
External network protection is provided by a firewall-enabled home router. No internal
network is used for storing or processing research data, so internal segmentation is not
required. All cloud services accessed are secured through HTTPS and strong authentication.
16. Intrusion Detection and Prevention
While dedicated IDS/IPS tools are not in use, cloud platforms such as Google Drive and
Zoom incorporate enterprise-grade intrusion detection and prevention systems. The
MacBook used for research is protected with built-in macOS security features, and the home
network includes a firewall-enabled router to help detect and mitigate unauthorised access
attempts.
17. Patch Management
Patch management is in place to ensure all systems are kept up to date. The MacBook is
configured to install macOS and security updates automatically. Key software applications
are regularly reviewed and updated. Cloud-based platforms used for research apply their
own updates automatically, ensuring timely protection against known vulnerabilities.
18. Vulnerability Management
Vulnerability management is integrated into broader security practices. All systems and
software are kept up to date through automatic updates and regular manual checks. macOS
is configured to apply security patches automatically, with manual checks performed at
least weekly to ensure critical updates are not missed.
19. Project Risk Assessment
A risk assessment is conducted prior to the start of each research project to evaluate any
potential data protection or information security risks. This assessment includes a review
of:
- The types and sensitivity of data being collected
- The platforms and tools used for data collection, storage, and sharing
- Who has access to the data and under what conditions
- Legal and ethical considerations under UK GDPR
20. Change Management
A proportionate change management process is in place to assess and approve high-risk
changes that may impact data protection or information security. Examples of high-risk
changes include introducing new software tools, subcontracting work involving personal
data, or altering data handling procedures.
Such changes are reviewed for risk prior to implementation, with documentation retained
to ensure transparency and ongoing compliance with UK GDPR.
21. Incident Management
An incident management policy is in place to guide the response to any actual or suspected
data protection or information security incidents. This includes steps to identify, assess, and
contain the incident, and to notify affected parties where appropriate.
Incidents involving personal data are assessed against UK GDPR reporting requirements. If
a breach is likely to result in a risk to the rights and freedoms of individuals, the Information
Commissioner’s Office (ICO) will be notified within 72 hours. All incidents are logged and
reviewed to improve future prevention and response efforts.
22. Data Breach Procedure
If a data breach occurs (e.g. loss, theft, or unauthorised access), I will:
- Assess the risk to individuals
- Notify affected parties and, where necessary, the ICO (Information Commissioner’s Office)
within 72 hours
23. Contact
If you have any questions about this policy or your personal data, you can contact me at:
Email: gus@beyondinsights.co.uk