FEATURE 23 August 2019

Do I need to name the client?



Dr Michelle Goddard responds to a question commonly asked by researchers: is it necessary to name my client in studies to comply with GDPR?


In this, my last Impact column on legal developments, I decided to focus on the single most-asked GDPR question by researchers: do I need to name my client? The short answer to this question is ‘it depends’. And so it does – on the relationship between parties; the type of research study; the tolerable level of organisational risk; and, most importantly, the understanding of the data subjects and the sensitivity of data being captured.

Although, in most studies, naming the commissioning client is not problematic, sometimes it can have significant consequences and adverse impacts, such as in spontaneous awareness research, commercially sensitive product development tests or longitudinal studies. In these cases, disclosing the client identity can reduce methodological rigour by introducing bias to the responses, compromising commercial confidentiality and market sensitivity, or impacting on trend data where attitudes on behaviour, for instance, are measured over time, and the results are no longer comparable.

So, in the following paragraphs, I’ll try to elaborate on that initial short answer.

Is the client the source of personal data?

Where a client supplies personal data, such as a sample list from their customer database, they will need to be named.

This is legally required and allows you to be sufficiently transparent in meeting the data subject information requirements. The information will need to be given at an appropriate point in the data-capture activity, generally at the start of data collection.

Is the client receiving personal data?

Recipients of personal data must also be named; if a client is receiving personal data rather than aggregated and anonymised data, they must be named as a recipient of personal data. As above, this information will need to be given at an appropriate point in the data capture activity, generally at the start of data collection.

Is the client a data controller?

The hardest issue in deciding whether the client needs to be named is when the roles of the client and researcher as controllers, processors or third parties are uncertain.

In many research studies, a commissioning client will be a controller and the full-service agency, plus any subcontractors used by the agency, will be processor(s). However, in some cases, research suppliers may also be joint controllers (with the client). What’s critical is whether the client and research supplier are jointly ‘determining the purposes and means’ of processing the personal data. Deciding on controller/processor must be based on the facts of the situation and reflected in a contract between the parties.

Under the GDPR/DPA 2018, controller(s) must be named at the time that any personal data is obtained. If the commissioning client is a controller then they must be named, but views differ as to whether this requires the client to be named at the beginning of the data-collection exercise or if there is some discretion for naming them at the end.

MRS has published guidance, interpreting the requirements in the GDPR on naming the data controller as giving some leeway on when the controller must be named. However, remember that the more broadly this requirement is interpreted the less likely it is that the processing will be sufficiently transparent.

Risk-based decision on layered disclosure

If, as a researcher, you think naming the client at the outset will adversely impact the rigour and robustness of the research then consider whether it is appropriate to name them at the end. This approach is more likely to be appropriate if the research agency is a controller (with the client) or the client is a third party not providing or receiving any personal data from the research study.

If naming the client is deferred, then it is important to put in place safeguards. For example:

  • Name the controller agency at the start of the study
  • Make clear to data subjects that the client joint controller will be named at the end of the data-collection exercise
  • Give assurances that any personal data collected will be deleted if, at the point that the controller is revealed, data subjects object, wish to withdraw their consent, and/or no longer wish to participate
  • Data Protection Impact Assessments (DPIAs) are useful tools for examining and documenting decisions made on this – and should be prepared and shared between client and researcher.

Privacy and ethical research

MRS has continued to liaise with the Information Commissioner’s Office (ICO) and issues on controllers and processors are being considered by the ICO and other EU regulators. Additional guidance should be published before the end of 2019. In the interim, researchers and commissioning clients need to make a risk-based (but privacy-centric) decision on the best approach to take.

Privacy always needs to be understood as a fundamental right of individuals. Risk-based decisions under GDPR must keep sight of the importance of the social contract with research participants and the need to promote transparency and understanding of their rights. Maintaining and building consumer trust in the protection of personal data must be reflected in all decisions on research approaches.

This article was first published in the July 2019 issue of Impact.
