The protection and security of your information is very important to us.

The following explains how we do this.

‘We’ and ‘us’ refer to Healthcare Fieldwork.

Our Information Commissioner’s Office (ICO) registration number is ZA204538.

The data that we collect from you is necessary for establishing your eligibility for market research studies and how we treat the data is described below.

Data Protection Policy

Healthcare Fieldwork complies with the EU General Data Protection Regulation 2018 (GDPR) and UK Data Protection Act 2018 (DPA2018) in ensuring the confidentiality of data. It also ensures that all personal data about research study participants, employees and individuals working on its behalf will be stored securely and will only be passed on to other companies, market research agencies, medical consultancies or pharmaceutical organisations, known to Healthcare Fieldwork, for the purposes of the market research, as agreed with the participant.

Our lawful basis for collecting data is direct consent from the individual.

Healthcare Fieldwork needs to collect personal information about its study participants, employees and individuals who work on its behalf to be able to carry out its business and provide its services. The personal information may include name, address, email address, telephone number, date of birth, private and confidential information and sensitive information including (in the case of study participants), medical history. This information may be collected, recorded and used (e.g. on a computer or on paper) and must be dealt with properly to ensure compliance with the GDPR/DPA 2018.

The lawful and proper treatment of personal information by Healthcare Fieldwork is extremely important to the success of its business and to maintain the confidence of study participants, employees and individuals who work on its behalf.  Healthcare Fieldwork aims to treat all personal information lawfully and correctly.

Data Protection Principles

The GDPR and DPA 2018 set out rules and controls on the collection and processing of personal data. Personal data is any information that can directly or indirectly identify a natural person. It applies to paper records as well as those held in electronic form or another format. The GDPR gives individuals certain rights. It also imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

1.     Personal data shall be processed fairly and lawfully and in a transparent manner.

  • There must be a good reason for collecting the data.

  • The use of data must not upset the individual in any way.

2.     Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

  • We are clear about the exact data we have collected, why we are holding it and how it will be used and will not deviate from this.

3.     Personal data shall be adequate, relevant and limited to the purpose or purposes for which they are collected.

  • We make sure we have enough data but not an excessive amount. If we cannot explain why we have the data, then we shouldn’t have it.

4.     Personal data shall be accurate and, where necessary, kept up to date.

  • Data should be accurate as it is coming directly from the individual.

  • Each year we check that data is still relevant and correct.

  • Data that is no longer accurate or relevant is deleted.

5.     Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  • Records will be deleted when an individual asks to be removed from our database or if the individual has died.

  • We will check annually that the participants wish to remain on our database.

  • Any paper records held will be destroyed by shredding after the completion of a study.

6.     Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • We have appropriate security to prevent the personal data we hold being accidentally or deliberately compromised.

7.     Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  • The EEA is all countries in the EU plus Norway, Iceland and Liechtenstein.

Rights of Individuals

Under the GDPR/DPA 2018 an individual has the following rights:

  • the right to access the personal information that an organisation holds about them. Accessing personal data in this way is known as making a Subject Access Request

  • the right to correct inaccurate personal data

  • the right in certain cases to have personal data erased

  • the right to object to or restrict the way their data is processed

  • the right to move their personal data from one provider to another (data portability)

  • the right not to be subject to automated profiling.

Responsibilities of Data Controllers and Processors under GDPR/DPA 2018

The GDPR imposes certain responsibilities on all those who control and process personal data at Healthcare Fieldwork.  These obligations include:

  • holding and using data in a secure manner

  • ensuring that data is handled in line with what individuals have been told and consented to and that this consent is explicit

  • having appropriate arrangements in place for the access to (and sharing of) data and making sure that individuals' data is accurate and retained for a suitable period.

Most importantly, if a data breach occurs (e.g. personal data held by Healthcare Fieldwork is lost, stolen, inadvertently disclosed to an external party, or accidentally published), this will be dealt with in an appropriate way.

Roles and Responsibilities of Healthcare Fieldwork

Healthcare Fieldwork will:

  • ensure there is a designated person with overall responsibility for data protection. Currently this person is the Data Protection Officer (DPO)

  • provide training for all staff members who handle personal information

  • ensure the staff understand cyber security threats

  • ensure that software is up to date

  • ensure that security software is in place and up to date

  • perform regular checks to monitor and assess new processing of personal data

  • develop, maintain and enforce GDPR policies and procedures.

Roles and Responsibilities of Healthcare Fieldwork Employees

All Healthcare Fieldwork employees and individuals working on behalf of Healthcare Fieldwork will, through appropriate training and responsible management:

  • observe all forms of guidance, codes of practice and procedures about the collection and use of personal information

  • understand fully the purposes for which Healthcare Fieldwork uses personal information

  • collect and process appropriate information, and only in accordance with the purposes for which it is to be used by Healthcare Fieldwork to meet its service needs or legal requirements

  • ensure the information is correctly recorded

  • ensure the information is destroyed (in accordance with the provisions of GDPR) when it is no longer required or at such point as a participant requests that their data be removed (if this is sooner)

  • understand that breaches of this Policy may result in disciplinary action, including dismissal.


If you have any questions regarding our Data Protection Policy, please contact our Data Protection Officer Sarah Weir.