Privacy Notice
This privacy notice tells you what to expect when Opinion Research Services Ltd (ORS) collects your personal information. The standard information below will apply, unless during the study (e.g. in an interview, or on a particular questionnaire, etc.) you have been advised of anything different that supersedes it.
- What is ORS?
- Information ORS collects when you load a webpage on ors.org.uk, (including subdomains and redirects)
- I’ve been asked to respond to a questionnaire or take part in an interview
- I want to submit a response to a statutory consultation
- I’ve been asked to take part in further research or been recruited to a panel
- I’ve been asked to take part in a qualitative interview, forum, focus group, workshop or other group activity
- For all research:
- What are my rights?
- The right to withdraw consent
- The right to be informed
- The right of access (also known as Subject Access Requests (SARs))
- The right to rectification
- The right to erasure/to be forgotten
- The right to object
- The right to restrict processing
- The right to data portability
- Rights in relation to automated decision making and profiling
- I don’t think my data is being handled correctly
What is ORS?
Opinion Research Services is an independent social research practice that works across the UK and is registered in England and Wales. We work for the public, voluntary and private sector consulting on a wide range of social issues such as community safety, housing, health and other local issues. Working with our clients, our aim is to understand your views, needs and priorities.
ORS’s registered office is Opinion Research Services, Strand, SWANSEA, SA1 1AF; telephone 01792 535 300 or Freephone (UK landline and mobile) 0800 107 7890; or email privacy@ors.org.uk. Our company number is 2904006.
Our Data Protection Officer (DPO) is Richard Harris who can be contacted at dpo@ors.org.uk. If you have been asked to complete a questionnaire, take part in a telephone interview, or other research, contact details for the Project Manager should already have been made available to you.
ORS adheres to the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulation 2016 (GDPR). We are also a Company Partner of the Market Research Society (MRS) and adhere to the MRS Code of Conduct. ORS takes information security seriously and our systems are fully accredited to ISO 27001:2013 - Information Security Management and the UK Government backed Cyber Essentials Scheme.
Information ORS collects when you load a webpage on ors.org.uk, (including subdomains and redirects)
The below details apply for all visits to ors.org.uk including sub-domains and redirects e.g. online questionnaires and client Members Area, and redirects to ors.org.uk from opinionresearch.co.uk.
Whenever you load any webpage from ORS’s website: your Internet Protocol (IP) address, the page you loaded, and the date and time of the page load will be logged on ORS’s server. This is a standard practice and as home internet connections usually use dynamic IP addresses (i.e. a new one is assigned to you by your Internet Service Provider (ISP) every time you reset your connection), ORS and its clients would not be able to identify you from this alone. Organisations or premises with their own servers will often have static IP addresses (the IP address is permanently assigned) but the only information ORS could obtain from this is the owner of the IP address (i.e. who you work for or where you were when you completed the questionnaire).
ORS is the sole data controller of all information gathered through its website in this way. We are legally allowed to process this information as we have legitimate interests to monitor the use of our websites both to enable us to review and improve the information and services we provide, as well as to enable us to track any unauthorised or malicious use for security purposes. As this does not usually enable us to identify any individuals, and we have no reason to do so, this activity does not contravene the interests, or fundamental rights and freedoms, of any individuals.
These logs are typically kept for up to five weeks and this information will not be shared with any third parties except in the case where unauthorised or malicious use has resulted in criminal investigation and/or legal proceedings.
Cookies
Cookies are small text files stored on a user’s web browsing device (e.g. computer, mobile phone, tablet, web-enabled TV, etc.) ORS’s websites use both first party and third party cookies for a variety of reasons.
ORS’s use of cookies
ORS runs a number of websites some of which use cookies. We use them for purposes such as ensuring the security of ORS’s website, improving the reliability of our online surveys, allowing users to resume online surveys, understanding how ORS’s website is used, and so on.
Cookies may be of two different types; session cookies or persistent cookies. Session cookies last only as long as the browser remains open and allow ORS to recognise that requests for different web pages in one browsing session originate from the same browser. This is essential for the correct functioning of certain parts of ORS’s site for example online surveys or sections that require a user login. Persistent cookies are stored between browsing sessions and allow ORS to recognise that a web browser has previously visited ORS’s site.
First Party Cookies
These are cookies which originate from ORS’s own servers. Below is a list of websites maintained by ORS together with a list of cookies that each uses and a brief description of their purpose.
Websites | Cookie Name | Purpose |
---|---|---|
www.ors.org.uk |
PHPSESSID |
Session ID used to recognise that subsequent page requests originate from the same web browser. Essential for the correct functioning of online questionnaires and areas of the website protected by a login. |
www.ors.org.uk |
unique |
Used to detect and prevent abuse of online surveys. |
members.ors.org.uk |
has_js |
Placed by ORS’s website management software, Drupal, to remember whether your browser has JavaScript enabled. |
members.ors.org.uk |
Drupal.toolbar.collapsed |
Placed by ORS’s website management software, Drupal, to remember display preferences. |
online.ors.org.uk |
laravel_session |
Session ID used to recognise that subsequent page requests originate from the same web browser. Essential for the correct functioning of online questionnaires. |
www.ors.org.uk |
SERVERID |
Place by one of our servers to identify which server your session is currently running on to enable load balancing |
online.ors.org.uk |
unique_respondent |
Used to detect and prevent abuse of online surveys |
Removing or Blocking Cookies
Your web-browser should have settings which allow you to remove or block cookies. In some cases doing so will prevent some parts of ORS’s website from working. It is difficult for ORS to provide detailed instructions on how to do this due to the wide variety of web-browsers in use so it is recommended that you check with your browser vendor for further information. Alternatively the website What Are Cookies provides instructions for most popular browsers and further background information.
I’ve been asked to respond to a questionnaire or take part in an interview
As part of our service delivery, we may contact you and ask you to complete a questionnaire. This is usually to gather information for one of our customers and the information will be used to improve the services provided directly, or indirectly, to you.
Online questionnaires
In addition to the details above about our websites and cookies, when you respond to one of ORS’s questionnaires online, we will also automatically log your User Agent String. This is a line of text that specifies which version of which browser you are using and the operating system on your computer. This enables the questionnaire to be displayed in a form that’s best for your computer’s software. This, along with your IP address and cookie, may also be used when checking for duplicate responses to the questionnaire. As stated previously, this will not normally enable ORS to identify you as an individual, and will never be used for this purpose.
Telephone interviews
Telephone interviews are recorded for training and quality purposes and sometimes a more senior member of staff may monitor calls in order to give interviewers feedback on their performance. It is in ORS’s legitimate interests to make these recordings and use them to maintain high standards of quality, and to be able to check that the information collected is as accurate as possible. It is also to the advantage of those completing interviews if for whatever reason they need to hear what was said during the interview. Unless informed otherwise, these recordings are kept for a year after the end of the preceding financial year.
Face-to-face interviews
The data from face-to-face interviews are stored on the tablets the interviewers carry before being sent back to ORS’s servers. The tablets themselves and the connection for transferring the data to the server are encrypted (stored in an unreadable form and password protected) to ensure the security of your data. Once a batch of interviewing is completed and transfer to the server is confirmed, the data is no longer stored on the tablet.
Questionnaires and letters sent out by post
Sometimes ORS will use a professional printing company. This will usually be the case where contact lists are drawn from the Royal Mail’s Postcode Address File (PAF) which is a database of every address in the country (with no other identifying information), although sometimes contact lists are provided to us by our clients or a commercial provider. Where ORS passes contact details to a professional printing company, the processing of the data that they are given is strictly controlled by contract (namely a Data Processing Agreement). Amongst other things, this restricts the printers to only follow our written instruction, to meet our requirements for information security and only to hold the data for as long as they need it in order to print the forms or letters. We also request confirmation from them that they have deleted the information afterwards.
Reference IDs
When we send out letters and questionnaires, they will often have a unique reference on the front. This is there so that we can log and monitor failed mail, refusals and completed questionnaires or for other admin purposes like making appointments with face-to-face interviewers. Invitations to take part in online surveys may include a short code to type in (sometimes already included in the URL in an email invitation) to allow you to access the correct record in the survey sample and to prevent multiple completions. Though we can identify you through these IDs, and they may be used to attach which general area you live in (for example, local authority or ward), they will not be used to identify you to the client without your knowledge and consent.
I want to submit a response to a statutory consultation
Where ORS’s client has a statutory obligation to conduct a consultation before making decisions about services provided on a statutory basis, the legal basis for processing data collected through the open consultation questionnaire is that it is a task in the public interest necessary to comply with the relevant public sector law (e.g. the National Health Service Act 2006, Fire and Rescue Services Act 2004, Cities and Local Government Devolution Act 2016, Housing Act 1985, Housing Act 2004) and the need to collect special categories of personal data (e.g. ethnic group, health/disability, sexual orientation, etc.) is therefore in the substantial public interest, based on the Equalities Act 2010, to ensure provision of services to all groups and to avoid discrimination. Although these legal bases do not legally give you the right to withdraw your consent, we would normally still honour any request to have your response removed from the consultation before the information is reported as long as we have a means to identify your response in the data.
Collection and processing of information collected through research tasks undertaken alongside the open consultation questionnaire will be based on consent (and explicit consent for any special categories of personal data).
I’ve been asked to take part in further research or been recruited to a panel
Where you have agreed to take part in further research or you have been recruited either to one of ORS’s access panels or to a panel that ORS holds on behalf of a client, your data will be stored securely, and in the case of a panel, only held by ORS for as long as we are contracted to manage that panel. After this time it may be transferred to our client or passed to another carefully selected research provider. Your information will only be used to conduct research projects, for example in the form of survey questionnaires, qualitative in-depth interviews or discussion groups (e.g. focus groups, workshops and forums) and will never be shared for sales or marketing purposes.
Where we have collected your address for research purposes, this may be shared with a commercial printer to allow bulk printing of forms or letters. We may also use a commercial change of address and death screening service to keep the panels we maintain up to date. All data shared in this way is controlled by contract and data will be deleted by the contractor once the operation is complete and will not be used for any other purpose.
I’ve been asked to take part in a qualitative interview, forum, focus group, workshop or other group activity
At the start of these activities you may be asked for consent to an audio recording of the session being made. The recording is simply to enable ORS’s researchers to more easily and accurately report on the findings of the session. If anyone attending the session refuses their consent then the entire session will not be recorded and only handwritten notes will be used. These recordings are typically kept for a year after the end of the research study, or longer in certain circumstances (in which case you will be advised of the actual period during the interview or discussion group), but they will be deleted after this time.
For all research:
How did ORS get my contact details?
Depending on the project, ORS will get contact details in a number of ways but this should be explained in the information with the questionnaire or by one of ORS’s interviewers. ORS sometimes gets contact details from its clients, usually where you have had some contact with them and they are seeking feedback on the service provided to you, or from a commercial provider of contact details. Such providers are bound by data protection legislation to make sure that they have a valid legal basis for passing your information to us for the purposes of research, and to ensure that appropriate privacy information has been made available to you regarding this purpose.
ORS also has an obligation to make sure that the data provided to us can be used for these purposes. If you think that your details should not have been passed to ORS, please inform us by emailing privacy@ors.org.uk so that we can raise the concern with the organisation that provided us with the contact details.
Where your contact details have been provided to us by one of our clients, you will either have agreed to this when you gave them your contact details (consent) or they should have informed you that your information would be passed to ORS or to an organisation conducting the research. In the latter case the information provided to ORS is done so either under our client’s legitimate interests to conduct the research or where they are a public authority, that it is necessary to share the information in order to conduct the research task in the public interest. ORS’s clients will sometimes give ORS additional information about you, along with your contact details, but this will only be information needed for conducting or reporting the research. ORS will not seek to pass back any information which could identify you without your explicit consent, unless you are otherwise informed during the course of the research.
I’m on the TPS/MPS so why have you contacted me?
The Telephone Preference Service (TPS) and Mailing Preference Service (MPS) are services that exist for individuals to prevent their details from being used for direct marketing. As ORS conducts research and does not market goods or services, the obligation to use these suppression lists does not apply.
ORS keeps its own ‘no further contact’ lists to screen samples for research projects against. If you would like to be included on these lists, please let us know by emailing privacy@ors.org.uk.
Will I be identified?
ORS applies ‘Privacy by Default’. This means that you will not be identified to anyone outside of the ORS project team, unless during the research ORS has asked you for, and you have granted, explicit consent to be identified in any data sent to our client(s) and/or published results. Only internal working files will have information which could identify you from those files alone, and this information will be removed at the earliest opportunity if not required later (this is termed pseudonymisation).
If you are asked for and give your consent to being identified, then you will only be identified to the people, or organisations, that you have been informed about and given your consent to, and never to anyone else. We are very careful when reporting information and typically published reports contain only aggregate/combined data. Where certain subgroups of respondents are small and are likely to allow identification, the result will not be presented.
Who else might my data be shared with?
ORS will never give personal information collected for research to any other third parties that are not mentioned either in this document or at the point of data collection without explaining the purpose and obtaining your explicit consent. The only exception to this is where ORS has significant concern for someone’s wellbeing or that an unreported crime has been committed. In these instances ORS may report its concerns to the appropriate authorities, as permitted by data protection legislation.
Where will my data be stored?
ORS’s IT systems are all in-house and our offices and call centre are based in the UK. In the main, our clients are based in the UK so in general ORS does not transfer data collected from our research to anywhere outside of the UK. However, on the rare occasions that you respond to a questionnaire for a client that is based outside of the European Union, then you will have been separately informed of this and the safeguards that exist for the transfer of your data. Importantly, ORS does not use third party or cloud storage services for any personal data.
How long will my data be kept?
ORS will typically retain information (apart from telephone recordings) that would identify you for one year beyond completion of the project (this is the default retention period recommended by ISO 20252:2012 - Market, Opinion and Social Research). This is in case ORS needs to go back to it for some reason (e.g. to validate results or undertake further analysis for a client). If the research that you’ve participated in has a different retention period, then you will have been informed of this in the questionnaire or during the research.
Whilst we are working on a project, we will usually remove any information that could directly identify you from the datasets, but you could still be identifiable to ORS from the original raw data. After the specified retention period, we remove your personal details completely, and it should then be impossible to identify you by any reasonable means; your anonymous responses will then be kept for research purposes only.
The surveys, consultations and other research that ORS conducts on behalf of ORS’s clients allow you to give your feedback on services or to have your say on public policy. There is no obligation to take part and there are no negative consequences to refusing to participate or choosing not to answer any, or all, of the questions, other than the fact that your feedback will not inform our client’s research.
Will my data be kept securely?
As mentioned above, ORS has an Information Security Management System which is accredited to ISO 27001:2013. This covers the security of our IT systems, the physical security of our premises and the operational measures that are in place through policies, procedures and working practices. ORS’s IT systems are also accredited under the UK Government-backed Cyber Essentials Scheme. It is very rare that personal data leaves our premises. However, any data held on portable devices (e.g. mobile phones, tablets, laptops, USB sticks, etc.) is encrypted (stored in an unreadable form and password protected) and can be deleted remotely where technology allows. Any new systems or software that we develop are designed with privacy in mind.
Will my data be disposed of securely?
All information on paper/hard copy (e.g. paper questionnaires, written notes from focus groups, etc.) is destroyed at ORS premises by a professional shredding and recycling company who are also ISO 27001 accredited and who are controlled by contract and supervised by a member of ORS staff whilst performing their task. They provide us with certificates of secure disposal as part of their service.
Hardware and devices which have had personal data stored on them are also destroyed using an appropriate and secure method.
What are my rights?
The right to withdraw consent
Where you have given consent to us processing your personal data, you have the right to withdraw your consent at any time. If you would like to do so, please contact either the project staff, whose details you have been given, by email to privacy@ors.org.uk or by phone or letter to the contact details at the top of this page.
The right to be informed
You have the right to be informed about the purpose for which your personal data are being processed; the categories of data being processed; the (categories of) recipients of your data; the likely period that your data will be stored or the decision process for eventually deleting it; and the existence and details of any automated decision making. This is made available to you through the information in this Privacy Notice as well as the information which has been given to you alongside or within the research material, interview or group activity.
The right of access (also known as Subject Access Requests (SARs))
As well as being informed of the above, you have the right to a copy of your data which is held by ORS. In order to search for the correct information, ORS may need to ask you for certain pieces of information in order to make adequate searches, as well as confirmation of your identity. The best way to make such a request is to send an email to privacy@ors.org.uk or write to DPO, Opinion Research Services, Strand, SWANSEA, SA1 1AF. Where one of ORS’s clients has received a SAR, we will also give them every assistance in complying with any requests that they get.
The right to rectification
If you think that the information which ORS holds might be inaccurate then you have the right to have this corrected. However, it should be noted that data held for statistical purposes represent a point in time and therefore ORS is under no obligation to change anything which was correct at the time of collection. Where ORS’s clients are subject to this right, we will give them every assistance in complying with any requests that they get.
The right to erasure/to be forgotten
You have the right to withdraw your consent to ORS processing your data, in circumstances where consent is relied on. ORS will usually agree to such a request, however, where data is used for statistical purposes, we will usually have the right to continue processing your responses and only remove the information that makes you identifiable. The application of this will be judged on circumstances. Where ORS’s clients are subject to this right, we will give them every assistance in complying with any requests that they get.
If you do not want to be contacted again, ORS keeps ‘no further contact’ lists and screens samples for research projects against these. If you would like to be included on these lists, please let us know by emailing privacy@ors.org.uk.
The right to object
Where processing of your data is based on the legitimate interests of ORS or its clients, you have the right to object based on your particular situation. Processing may be restricted (see below) while the balance of whose interests are overriding is decided. Where ORS’s clients are subject to this right, we will give them every assistance in complying with any requests that they get.
The right to restrict processing
Your right to restrict processing applies where the accuracy of personal data is in question; where processing is deemed to be unlawful but you do not want your data erased; where ORS no longer needs the data but you need it kept for legal claims; or where you have challenged the balance of ORS’s and/or its clients legitimate interests in processing vs. your own interests (see above). Obviously the application of this right must be judged on a case by case basis. Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.
The right to data portability
Where the processing of your data is based on consent and is conducted electronically, you have the right to request that a copy of your data is made available. Where ORS’s clients are subject to this right, we will give them every assistance in complying with any requests that they get.
Rights in relation to automated decision making and profiling
In general ORS does not conduct any activities to which this right would apply. Where ORS’s clients are subject to this right, we will give them every assistance in complying with any requests that they get.
I don’t think my data is being handled correctly
ORS takes data protection very seriously and does its upmost to comply with legislation and best practice. If you think that your data has been mishandled by us, please contact us with your concerns at privacy@ors.org.uk. You also have the right to lodge a complaint with a supervisory authority, which for the UK is the Information Commissioner's Office (ICO).