Data Protection Policy


1. Data protection principles

GABS is committed to processing data in accordance with its general responsibilities under the data protection regulations, which include to:

  1. protect the privacy of the individual and personal data by regulating the processing of personal information, and
  2. provide the process to obtain, hold, use or disclose personal information.

2. General provisions

This policy applies to all personal data processed by GABS. This policy shall be reviewed at least annually or when the need arises for it to be reviewed.

3. Lawful, fair and transparent processing

To ensure its processing of data is lawful, fair and transparent, GABS Research shall securely keep all consent forms obtained from survey participants for a minimum of 2 years or as required by the client.

4. Lawful purposes

All data processing by GABS Research must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data collected. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the organisation's processes. Survey participants have the right to opt out of a survey and all information collected from them would be discarded.

5. Data minimization

The company shall ensure that personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

6. Archiving / removal

To ensure that personal data is kept for no longer than necessary, the consult shall put in place an archiving policy for each area in which personal data is processed and this process shall be reviewed annually or when necessary. The archiving policy shall consider what data should be retained, for how long, and why.

7. Security

The company shall ensure that personal data is stored securely using modern software that is kept up to date. Access to personal data shall be limited to personnel (including stakeholders) who need access, and appropriate security should be in place to avoid unauthorized sharing of information. When personal data is deleted, this should be done safely such that the data is irrecoverable. Appropriate back-up and disaster recovery solutions shall be in place.

8. Data storage

The questionnaires, tablets and computers used for data collection should be stored securely in a locked cabinet accessible only to authorized persons of the company, who generally include the data manager, research coordinator and research officers on the project. Consent forms should be stored separately from other forms.

The digital file describing sample units which might include ID (metadata), as needed, will be encrypted, password-protected and accessible to the local core research team only. All other electronic data files will be encrypted, password-protected and only accessible to the research coordinator and the data manager. Relevant files will be destroyed immediately after conclusion of the fieldwork and anonymous data files securely shared with the client. The data manager and research coordinator are responsible for the safe storing and encryption of the data and forms.

9. Data Ownership

The client is the owner of the data collected or processed and only authorized individuals from the client's organisation shall have access to the data.

10. Data Sharing and transfer

Only anonymous data will be transferred out of the country. Data will be transferred via an approved secured cloud storage and transfer system. All raw electronic data files will be encrypted and password-protected, with decryption codes / passwords accessible only to authorized individuals from the client's organisation. Data files will be destroyed immediately after conclusion of any cross-checking needed to ensure data quality by the client.

11. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, the company shall promptly assess the risk to people's rights and freedoms and if appropriate report this breach to the regulator.