FingerPost Consulting Ltd, a company registered in England and Wales under incorporation number 09715384, whose registered office is at Pure Offices, Cheadle Royal Business Park, Brooks Drive, Cheadle, SK8 3TD, takes its responsibilities and obligations regarding data protection and the personal data rights of its sub contracted freelancers and third-party engagements, including research subjects very seriously.
FingerPost Consulting is registered with the Information Commissioner’s Office in the UK as a Data Controller and complies with EU GDPR, UK GDPR and the Data Protection Act 2018.
All personal data will be collected lawfully and as minimally as possible in order to undertake the objectives of our business.
The Data Protection Officer at FingerPost Consulting is Victoria Wooldridge, firstname.lastname@example.org
What type of personal data do FingerPost collect and how do we collect it?
- Personal information such as your name, email address, telephone number and IP address should you make an enquiry or apply for a vacancy via the forms on our website
- Personal information such as your name, email address, IP address and other details you may wish to disclose should you email FingerPost Consulting or any of its employees directly
- FingerPost may collect information from content shared with us on email, via telephone/web call or face to face meetings. This may include content supplemented as an attachment, on screen or in paper copy
- FingerPost conduct Primary Market Research as part of our service offering. Should research subjects’ consent to take part in studies, data may be collected from the following sources as per our Primary Research Process:
- The information provided upon consenting to partake in research (name, email address, telephone number, job title, your disclosed notes within the communication)
- The information required to complete screening document for eligibility (job title, professional qualifications, professional experience and career history, professional interests and activities, memberships or affiliations with professional bodies or groups)
- A video recording or voice recording of in-person interviews – the use of data and confidentiality criteria will be reinforced as part of this process by the moderator. (Your voice, gender, appearance, job title, professional qualifications, professional experience and career history, interests and activities, membership or affiliations with professional bodies or groups)
- Personal information provided should you sign up to partake in online/questionnaire based research (your name, email address, IP address, job title, professional qualifications, professional experience and career history, interests and activities, membership or affiliations with professional bodies or groups)
- Details contained within an invoice provided to process honoraria payments (your name, address, banking details and details of your banking institution)
- FingerPost may collect personal data from publicly available sources
- Lawfully, we may collect data from clients if they wish us to engage you specifically, by name, for certain sub-contracting or research purposes
Why do FingerPost collect personal data?
In order to undertake our business offering and the requirements of work contracted to us by our clients, we process personal data only within the parameters of our business interests. This includes secondary research and primary market research for the purpose of advising our clients regarding the market access, pricing and reimbursement of pharmaceutical and healthcare products.
FingerPost’s legal obligations concerning data
FingerPost process personal data in line with legal obligations; these are both operational in the areas of employment and tax & accounting and industry/research specific in situations such as adverse event reporting.
FingerPost also have legal obligations in personal data processing for the detection and prevention of crime and we would be obliged to comply with the personal data processes of authorised parties (such as the police) should we be approached regarding criminal investigations.
FingerPost’s Collection of ‘Special Category Data’
Special Category Data is personal data that UK GDPR deems to be more sensitive, and therefore highlights extra protection processes are required. These categories include racial or ethnic information, political opinions, religious/philosophical beliefs, trade union memberships, genetic and biometric data and data concerning personal health status, sexual orientation or activity.
As part of the market research studies FingerPost undertakes, it is unlikely that special data categories will apply, however, should any requirement for the disclosure of special categories occur, FingerPost will make clear in advance that this will be the case as part of obtaining your express consent to participate. Subjects may decline to answer Special Data Category questions and still participate in the wider research study.
Job applicants to, and employees of FingerPost may be required to disclose Special Category Data as per the obligations of employment law, internal recruitment, and diversity/equality policies and to make any suitable contractual changes or manage HR process effectively. FingerPost store all Special Category Data in line with guidance and with extremely limited access to authorised personnel only.
Employees can access the company Data Protection Policy at any time within the Employee Handbook.
Gaining consent for personal data processing
FingerPost will gain consent for personal data requested across all business activities where we initiate the requirement to collect such information.
Data subjects agree to FingerPost managing, processing and storing their personal data in line with legal requirements and internal processes should they initiate the sharing of personal data such as submitting a CV to a job advertisement or invoicing us for work conducted.
Should you share the personal details of a third party to FingerPost in form of a recommendation or referral you must have their express consent to do so. FingerPost will not store the details of third parties until direct communication with and consent from the individual has been made/obtained.
FingerPost may store minimal third-party personal data obtained from the public domain.
Sharing personal data and information with others
FingerPost will NEVER sell, distribute or lease personal details to third party companies/ organisations.
FingerPost may share personal data:
- Within the permanent staff team as per the necessary business requirements, eg: recruitment, payment of invoices, participation in research, escalation of query, sharing of job responsibilities
- With external contractors or agencies who are partnering with us to deliver work, eg: sub contracted data processors. We will always endeavour to communicate third parties who are involved with processing of personal data on our behalf.
- As part of our research obligations to adverse event and safety reporting. In this instance you will be specifically asked for consent and FingerPost will thereafter follow the reporting process of the relevant company involved.
- With auditing firms or official inspectors upon formal request from bodies such the Police or HMRC.
In the case of research subjects who undertake audio or WebEx interviews, FingerPost generally ‘double blind’ these and do not pass recordings to client/sponsor companies. However, should a client/sponsor company request to access these materials to corroborate findings, consent shall be sought and documented, prior to the interview. These materials may be passed to third-party processors (namely sub-contracted partners) as above for transcription, translation or analysis.
FingerPosts management of personal data – storage and security
All information and data, including personal data and Special Category Data is stored on an encrypted platform on secure servers in the UK and EEA/EU.
FingerPost implement and regularly review a series of policies and processes relating to IT security/audit, data management and operational/project management procedure to ensure the information we store and process is safe and has the required access and review dates in place.
FingerPost understand that information stored and shared electronically can be at risk of compromise, so we take Anti-Virus protection, VPN activation and regular IT Security monitoring and patching seriously as reflected in our internal IT security policies.
FingerPost aim to be a completely ‘paperless’ and ‘print free’ company. Should personal details be sent to us in hard copy, they will be scanned, processed and stored as part of our electronic processes. Hard copy personal information will be disposed of via shredding as per company confidentiality policies on the management of paper materials.
Personal Information stored electronically will be subject to regular audit and disposed of as required/requested in a secure manner.
Personal data will be kept for the following periods:
|Relating to Job Applications:||12 months from the end of the recruitment process|
|All invoices submitted:||7 years in addition to the current year|
|Personal details relating to your profile data for participation in market research||Retained until you request its removal|
|Personal details stored in our directory as an industry client, third party agency contact, contractor||3 years from last contact unless removal requested. This is under regular review.|
|Personal data required for Adverse Event/Safety Reporting||Stored indefinitely in order to comply with laws around adverse event reporting.|
|Banking details for the purposes of incentive processing||Retained on our banking systems for no longer than three months after the most recent transaction, at which time disposal will be completed in a secure manner. As above, invoices containing banking details will be retained for 7 years in addition to the current financial year|
Information you can access and how you can access
All your rights concerning personal data and relevant data protection legislation, including GDPR can be found on the Information Commissioners website: www.ico.org.uk
FingerPost are always happy to inform you of the personal data we hold on file for you and to action the removal or updating of these details as requested. Please reach out to Victoria Wooldridge, Chief Operating Officer, to arrange further discussion: email@example.com
Complaints around Fingerpost’s processing of personal data
If you have enquired as to how we store and process your personal data and you are unhappy with how we manage this information, please raise a complaint in writing at the earliest opportunity to Victoria Wooldridge, Data Protection Officer, firstname.lastname@example.org for quick and direct resolution. Failing a satisfactory resolution with FingerPost, you may escalate a complaint to the Information Commissioners Office, www.ico.org.uk
Any content changes/updates to this policy will be reflected by a change of date and version number.
By agreeing to FingerPost holding your personal data, you are accepting any ongoing changes made to this policy.