Many member queries focus on the early stages of a market or social research project. The AMSRS Code of Professional Behaviour (the Code) covers the life of a project and several rules deal with data storage and destruction.
Researchers must ensure the security of all information relating to a research project at all stages of the project (Rule 35). Much information is stored electronically these days, and researchers must keep their electronic networks and storage systems secure.
Research project information
How long should researchers store project related information? The Code recommends having an organisation data retention policy that can be adjusted for each project according to client or project needs. It suggests a default period of one year for primary field records and two years for research data.
Participants’ personal identified information
Participants’ personal identified information must be kept securely, with reasonable steps taken to protect it from misuse or loss and from unauthorised access, modification or disclosure. (Rule 36)
This responsibility remains when you transfer information – if you have passed on participants’ personal identified information to anyone outside the organisation, you must take reasonable steps to make sure that it is handled securely by that person. (Rule 40)
It can be easy to overlook this
Are you sure all your suppliers securely store any personal identified information you provide, and destroy it as soon as the project is over? Good practice is to detail storage and destruction requirements in the contracts you have with suppliers.
This responsibility disappears once participants’ personal information is completely de-identified. So wherever possible, de-identify it as early as you can. Personal identified information must – in any case – be destroyed or de-identified as soon as the project is complete. Make sure all copies are destroyed – including emails with attached lists or files.
The APPs require that individuals may access and correct personal identified information held on them. This is unlikely to occur in a research context, but if requested, researchers must allow participants access, with two exceptions:
- it will disclose the identity of other participants (eg a video-recording of a group discussion) or
- a point in time record will be affected by a change.
Good practice is to have organisation policies on data storage, security, destruction and verification of external suppliers’ adherence to the policy.
Jane Gregory, AMSRS professional standards officer