The Financial Inclusion Centre (‘the Centre’, ‘we’, ‘our’ or ‘us’) is a not-for-profit organisation and as such is committed to being transparent about how it collects and uses personal data, and to meeting its data protection obligations.
This policy sets out: the principles the Centre follows with regard to data protection; and how personal data will be processed by The Financial Inclusion Centre as a Data Controller as part of our research work. Specifically, it sets out what data we may collect, how we use it, how long we keep it, and where we transfer and store it.
Data Protection Principles
We use the following data protection principles when handling personal data:
• Personal data is collected only for specified, explicit and legitimate research purposes.
• Personal data is processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
• The Centre processes personal data lawfully, fairly and transparently.
• The Centre keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
• Personal data is retained only for the period necessary for processing.
• The Centre adopts appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
• The Centre informs individuals of the reasons for processing their personal data, how it uses such data, and the legal basis for processing in its privacy notices. It will not process personal data for other reasons.
• Where the Centre relies on its legitimate research interests as the basis for processing data, it will carry out an assessment to ensure that those interests are compliant with the rights and freedoms of those individuals whose data we are processing.
• Privacy notices will be maintained and updated to accommodate changes in policy and best practice.
• The Centre maintains a record of its processing activities in compliance with the requirements of the General Data Protection Regulation (GDPR).
The data we collect, how we use and store it
As a research-based organisation the Centre may, from time to time, need to collect personal data as part of its projects. There are two main situations where we may need to collect personal data:
• To conduct large-scale, email-based, quantitative surveys
• To undertake smaller-scale, in-depth qualitative research including structured interviews
To conduct large-scale quantitative surveys we need to use external email service providers to communicate with survey participants and to collect and store survey responses. The Centre uses SurveyMonkey for this purpose. We comply with the GDPR when doing so.
The eighth data protection principle states that personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. SurveyMonkey’s servers are in the United States, which is outside the EEA.
The European Commission formally decided that the EU-US Privacy Shield provided an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This means that personal data can be transferred to an organisation in the United States without the organisation transferring the data being in breach of the eighth principle if the organisation receiving the data is certified under the EU-US Privacy Shield.
SurveyMonkey Inc. is certified under the Shield. The use of SurveyMonkey is therefore not a breach of the eighth principle.
The UK has now left the EU. There is a transition arrangement in place which means that, for now, nothing will change. For more details see the Information Commissioner’s Office (ICO):
Details of SurveyMonkey’s policies on privacy and GDPR can be found here:
Depending on the nature of the project, as part of its research methodology, the Centre from time to time also monitors financial behaviours of consumers. For example, we would monitor whether credit union members are saving more, borrowing more and so on. Our policy in this case is to issue a unique identifier code which we provide to the credit union we are working with. Both the credit union and the Centre would hold this unique identifier code. But only the credit union would be in possession of sensitive or personal data (such as names and addresses) that would allow individuals to be identified or their personal circumstances to be inadvertently revealed. Any contact and ongoing communication with members would be done by the participating credit unions.
The only exception in this case is that we would include a message asking survey participants if they would be willing to be contacted by the Centre to take part in structured interviews.
We would have to hold email addresses to contact willing participants. No names or addresses would be recorded (we use identifier codes). Email addresses are destroyed once the interviews have been completed.
Any personal information which allows identification will be destroyed once the interviews have been completed, although we will retain anonymous data (such as ‘female, age XX, works for ABC’) to contextualise write-ups of interviews for reports.