Privacy Notice

This privacy notice tells you what to expect when ORS collects your personal information. The information below will apply, unless we have advised you of anything different. Where this standard information does not apply, we would tell you during an interview or on a letter or questionnaire. In those cases, the specific information that you are given would apply instead.

Introducing ORS

Opinion Research Services Ltd (ORS) is a limited company. We are registered in England and Wales to undertake Market Research and Public Opinion Polling and our registered company number is 02904006.

ORS is an independent social research practice that works across the UK. We work for the public, voluntary and private sector consulting on a wide range of social issues. These include community safety, housing, health and other local issues. Working with our clients, our aim is to understand your views, needs and priorities.

ORS is accredited as a Market Research Society Company Partner and we comply with their Code of Conduct. This validates that we operate to the highest professional standards. ORS is also a member of the Interviewer Quality Control Scheme. We always meet and will often exceed the IQCS requirements which provide the industry benchmark quality standard for data collection.

Our approach to privacy and data protection

ORS takes information security seriously and all of the data that we process is always safe and secure.

ORS fully adheres to the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). We also comply with regulations and guidelines from all other relevant regulatory bodies including the Information Commissioner’s Office and Ofcom.

We have an Information Security Management System which is accredited to ISO 27001. This covers the security of our IT systems, the physical security of our premises and the operational measures that are in place through policies, procedures and working practices. Our IT systems are also accredited under Cyber Essentials that is overseen by the National Cyber Security Centre. Any new systems or software that we develop are designed with privacy in mind.

If you have been asked to take part in a project and have any questions about privacy or data protection, you can contact the Project Manager. Their details should already have been made available to you. Otherwise, you can get in touch with our Data Protection Officer (DPO):

How we manage your data

How did you get my contact details?

Depending on the project, ORS will get contact details in a number of ways. This should be explained in the information with the questionnaire or by one of our interviewers.

ORS sometimes gets contact details from its clients, usually where you have had some contact with them and they are seeking feedback on their services. We also get contact details from commercial providers, who are bound by data protection legislation. They must make sure that they have a valid legal basis for passing your information to us for research purposes. They must also ensure that appropriate privacy information has been made available to you about this.

ORS also has an obligation to make sure that the data provided to us can be used for these purposes. If you think that we should not have been given your details, please tell us. We can then raise your concern with the organisation that gave us the details:

When your details have been provided by one of our clients, you will normally have agreed to this. That will often have been when you first gave your details to our client.

Otherwise, they should have informed you that your information would be passed to ORS or a research organisation. In that case, information would typically be provided under our client’s legitimate interests to conduct the research. Where our client is a public authority, information may be shared in order to conduct a task in the public interest.

Our clients will sometimes give us some information about you, as well as your contact details. This will only be information needed to conduct or report the research.

ORS will not normally pass back any information which could identify you. During the research, we will either tell about any information that could identify you or ask for your permission.

Why are you contacting me when I am on the TPS or MPS register?

The Telephone Preference Service (TPS) and Mailing Preference Service (MPS) are services that exist for individuals to prevent their details from being used for direct marketing. As ORS conducts research and does not market goods or services, the obligation to use these suppression lists does not apply.

ORS keeps its own ‘no further contact’ lists to screen samples for projects. If you never want us to contact you, then please send us your details. Make sure that you include any telephone numbers, email addresses and postal addresses that you do not want us to use:

We will always remove your details as quickly as possible. It could take up to a week for telephone numbers and email addresses to be removed from any current projects. It could take up to a month for any postal addresses to be removed, due to the longer lead times on those projects.

Will I be identified?

ORS applies ‘Privacy by Default’. This means that you will not normally be identified to anyone outside of the ORS project team.

Only internal working files will have information which could identify you from those files alone. This information will be removed at the earliest opportunity if not required later (this is termed pseudonymisation).

We are very careful when reporting information and typically published reports contain only aggregate or combined data. Where certain subgroups of respondents are small and are likely to allow identification, the result will not be presented.

During the research, we will either tell about any information that could identify you or ask for your permission. Only then could you be identified in any data sent to our client(s) and/or any published results. If you are identified, that will only be to the people, or organisations, that you have been informed about and never to anyone else.

Who else might my data be shared with?

ORS will only give personal information collected for research to the third parties identified here, unless we have asked you. That would normally be at the point of data collection, when we would explain the purpose and ask for your permission.

The only exception is where ORS has significant concern for someone’s wellbeing or an unreported crime has been committed. We may then report our concerns to the appropriate authorities, as permitted by data protection legislation.

Where will my data be stored?

ORS’s IT systems are all in-house and our offices and Contact Centre are based in the UK.

Almost all of our clients are based in the UK, so ORS does not normally transfer data outside the UK. If we are working for a client that is based outside of the UK, we will have informed you of this. We would also inform you about the safeguards put in place for the transfer of your data.

ORS does not use third party or cloud storage services for any personal data.

How long will my data be kept?

ORS will typically retain information (apart from telephone recordings) that would identify you for one year beyond completion of the project. This is in case ORS needs to go back to it for some reason (e.g. to validate results or undertake further analysis for a client).

One year is the default retention period recommended by ISO 20252:2019 which is the international standard for Market, Opinion and Social Research. If the research that you’ve participated in has a different retention period, then you will have been informed of this in the questionnaire or during the research.

Whilst we are working on a project, we will usually remove any information that could directly identify you from the datasets. However, you could still be identifiable to ORS from the original raw data. After the specified retention period, we remove your personal details completely, and it should then be impossible to identify you by any reasonable means. Your anonymous responses will then be kept for research purposes only.

The surveys, consultations and other research that ORS conducts on behalf of our clients allow you to give your feedback on services or to have your say on public policy. You do not have to take part. If you refuse to participate or choose to not answer any questions, there are no negative consequences. However, if you do not provide any feedback then your views will not inform our findings.

Will my data be kept securely?

All of the data that we process is kept secure at all times.

ORS has an Information Security Management System which is accredited to ISO 27001. This covers the security of our IT systems, the physical security of our premises and the operational measures that are in place through policies, procedures and working practices. Any new systems or software that we develop are designed with privacy in mind.

Our IT systems are also accredited under the Cyber Essentials scheme that is overseen by the National Cyber Security Centre.

It is very rare that personal data leaves our premises. However, any data held on portable devices (e.g. mobile phones, tablets, laptops, USB sticks, etc.) is encrypted. This means that it is stored in an unreadable form and password protected. It can also be deleted remotely where technology allows.

Will my data be disposed of securely?

All information on paper/hard copy (e.g. paper questionnaires, written notes from focus groups, etc.) is destroyed at ORS premises by a professional shredding and recycling company. They are also ISO 27001 accredited and controlled by contractWe supervise their work and they provide us with certificates of secure disposal as part of their service

Hardware and devices which have had personal data stored on them are also destroyed using an appropriate and secure method.

Taking part in a research project

As part of our service delivery, we may contact you and ask you to take part in a survey or complete a questionnaire. This is usually to gather information for one of our customers and the information will be used to improve the services provided directly, or indirectly, to you.

Face-to-face interviews

The data from face-to-face interviews are stored on the tablets the interviewers carry before being sent back to ORS’s servers. Once a batch of interviewing has been completed and the transfer to the server is confirmed, the data on the tablet is securely deleted.

The tablets themselves and the connection for transferring the data to the server are encrypted (stored in an unreadable form and password protected) to ensure the security of your data.

Telephone interviews

Telephone interviews are recorded for training and quality purposes and sometimes a more senior member of staff may monitor calls in order to give interviewers feedback on their performance.

It is in ORS’s legitimate interests to make these recordings. They are used to maintain high standards of quality, and check that the information we collect is as accurate as possible. It is also to the advantage of those completing interviews if for whatever reason they need to hear what was said during the interview.

Unless informed otherwise, these recordings are kept for a year after the end of the preceding financial year.

Depth interviews and other qualitative research

At the start of these activities you may be asked permission for an audio recording of the session being made. The recording is simply to enable ORS’s researchers to more easily and accurately report on the findings of the session. If anyone attending the session refuses then the entire session will not be recorded and only handwritten notes will be used.

These recordings are typically kept for a year after the end of the research study. There will be some times when recordings need to keep for longer, in which case you will be told the actual period during the interview or discussion group. All recordings will be securely deleted after this time.

Online questionnaires

When you respond to one of ORS’s questionnaires online, we will log your User Agent String. This is a line of text that specifies which version of which browser you are using and the operating system on your device. We use this to make sure that the questionnaire is displayed in a form that’s best for the software on your device.

This information, together with your IP address and cookie, may also be used when checking for duplicate responses to the questionnaire. This will not normally enable ORS to identify you as an individual, and would never be used for that purpose.

Questionnaires and letters sent out by post

Sometimes ORS will use a professional printing company. This will usually be to send letters to contact lists provided to us by our clients or a commercial provider. We also use the Royal Mail Postcode Address File (PAF) which is a database of every address in the country.

Where ORS passes contact details to a professional printing company, the processing of the data that they are given is strictly controlled by a contract. This Data Processing Agreement clearly sets out our information security requirements. It ensures that they only keep any data for as long as they need it to print the forms or letters. It also requires them to confirm that they have deleted the information afterwards.

Access panels

Where you have been recruited either to one of ORS’s access panels or to a panel that ORS holds on behalf of a client, your information will only be used to conduct research projects.

Your information may be shared with a commercial printer to allow bulk printing of forms or letters. We may also use a commercial change of address and death screening service to keep the panels we maintain up to date. All data shared in this way is controlled by contract. Data will be deleted by the contractor once the operation is complete and will not be used for any other purpose.

If your information is held as part of a client panel, it will only be kept by ORS for as long as we are contracted to manage that panel. After this time it may be transferred to our client or passed to another carefully selected research provider.

Your information will never be shared for sales or marketing purposes.

Reference IDs

When we send out letters and questionnaires, they will often have a unique reference on the front. This is there so that we can log and monitor failed mail, refusals and completed questionnaires or for other admin purposes like making appointments with face-to-face interviewers.

Invitations to take part in online surveys may include a short code to type in. The code is sometimes included as part of the URL in an email invitation. This allow you to access the correct record in the survey sample and helps prevent duplicate completions.

These unique references and short codes can normally be used to identify your responses. They can be used to attach information about the general area in which you live (for example, local authority or ward). They will never be used to identify you to the client without your knowledge.

Further research

Where you have agreed to take part in further research, your information will be stored securely and only used for research purposes.

Your information may be shared with a commercial printer to allow bulk printing of forms or letters. All data shared in this way is controlled by contract. Data will be deleted by the contractor once the operation is complete and will not be used for any other purpose.

Your information will never be shared for sales or marketing purposes.

Taking part in an interview for a Gypsy and Traveller Accommodation Assessment

ORS has many clients who are Local Authorities with a statutory responsibility to assess the accommodation needs of Gypsies, Travellers and Travelling Showpeople on a regular basis.

The purpose of the assessment of need is to establish an evidence base to inform local authority development plan making and decision taking. Information that is required for these assessments is collected through a combination of face‑to‑face and telephone interviews, and observations recorded at site visits.

The legal basis for processing data collected through these needs assessments is that it is a task in the public interest necessary to comply with the relevant public sector law.

Relevant legislation and associated national policies and guidance include:

  • Housing Act 1985
  • Planning and Compulsory Purchase Act 2004
  • Town and Country Planning (Local Planning)(England) Regulations 2012
  • Housing (Wales) Act 2014
  • Undertaking Gypsy and Traveller Accommodation Assessments 2015
  • Planning Policy Wales 2016
  • Housing and Planning Act 2016

The legal basis for collecting special categories of personal data (e.g. ethnic group, health/disability, etc.) is substantial public interest. This is based on the Equalities Act 2010, to ensure provision of services to all groups and to avoid discrimination.

Although these legal bases do not legally give you the right to withdraw, we would still try to honour any requests. Therefore, let us know if you want your information to be removed. However, we will normally only be able to remove your information whilst we are still completing interviews for the assessment.

Due to the time periods needed to prepare development plans the data will be retained for an initial period of six years from the date the assessment is published. There is an option to extend this period should it be required by the development plan examination and adoption process, and any subsequent intervention by the Secretary of State. After this period has elapsed, data will be retained in an anonymised format should any further legal challenges be made to the development plan.

Submitting a response to a statutory consultation

Where ORS’s client has a statutory obligation to conduct a consultation before making decisions about services provided on a statutory basis, the legal basis for processing data collected through the open consultation questionnaire is that it is a task in the public interest necessary to comply with the relevant public sector law.

Relevant legislation includes:

  • National Health Service Act 2006
  • Fire and Rescue Services Act 2004
  • Cities and Local Government Devolution Act 2016
  • Housing Act 1985
  • Housing Act 2004

The legal basis for collecting special categories of personal data (e.g. ethnic group, health/disability, etc.) is substantial public interest. This is based on the Equalities Act 2010, to ensure provision of services to all groups and to avoid discrimination.

Although these legal bases do not legally give you the right to withdraw, we would still try to honour any requests. Therefore, let us know if you want your information to be removed. We will only be able to remove your information if we can identify your response in the data. Also, we will normally only be able to remove your information during the consultation period. We are not able to remove responses after the information has been reported unless there is a legal justification.

Applying for a job

From time to time we need to recruit staff and therefore we will invite people to send us applications or CVs directly. These will only be used for the purpose of recruitment and ORS remains the sole data controller of this information.

We may also advertise through recruitment websites or other agencies. They and us are both controllers for any information you submit to us through their platform. You may therefore also wish to view the privacy information provided by whichever service you have used, or are considering using, in order to apply.

Our legal basis for collecting the information which you provide when applying is that it is in our legitimate interests to collect your data in order to fill a job vacancy. It is also obviously in your interest to apply for the job.

Your data will not be shared by ORS with any third party and you will only be contacted by us for purposes related to your application.

ORS holds all personal data within the UK and your data will not be transferred outside of the UK.

If an offer is not made to you or not accepted by you, we will erase/destroy your application after two months of the vacancy being filled.

The right of access, right to be informed, right to rectification, right to object, right to restrict processing and right to make a complaint described below all apply to your application. The right to be forgotten also applies but only in the circumstance that we have kept your data for longer than was needed.

Failure to provide some information or providing incorrect, or misleading information, may affect the success of your application.

Please note that if you are appointed to a position, ORS’s Staff Privacy Notice and retention schedule will then apply. This will be made available to you at the time that you are offered the position.

Getting in touch

If you need to get in touch with us, any information that you provide will only be used to respond to your query or complaint.

Telephone calls

Telephone calls to numbers made available to the public on this website or through communications related to research that we are conducting may be recorded to help us improve our service, handle complaints, and protect staff. Recordings are made in our legitimate interests (GDPR Article 6.1(f)) and will usually be kept for one month.

Complaints

Recordings of telephone calls may also be used when handling complaints and in defence of legal claims. In such cases, they may need to be retained until the complaint or claim is resolved.

Abusive and offensive communications

ORS will not tolerate abusive or offensive communication towards any of its employees at any time, and any abusive or offensive telephone calls may be terminated immediately and the associated telephone numbers may be blocked.

Under the Malicious Communications Act 1988, it is a criminal offence to send any communication (including telephone calls, letters, email correspondence, and text messages) that has the intent to cause distress or anxiety. ORS will report any such offence to the relevant authorities whenever it is considered appropriate to do so, and any recordings of telephone calls and copies of letters, email correspondence and text messages associated with the offence may be provided as evidence.

What are my rights?

The right to withdraw consent

Where you have given consent to us processing your personal data, you have the right to withdraw your consent at any time. If you choose to withdraw your consent, please contact the project staff whose details you have been given. Alternatively, you can:

The right to be informed

You have the right to be informed about:

  • The purpose for which your personal data are being processed
  • The categories of data being processed
  • The (categories of) recipients of your data
  • The likely period that your data will be stored or the decision process for eventually deleting it, and
  • The existence and details of any automated decision making

This is normally made available to you through specific information provided as part of the research material, interview or group activity. Further information is also provided in this Privacy Notice.

The right of access, 
also known as Subject Access Requests

As well as being informed of the above, you have the right to a copy of your data which is held by ORS. In order to search for the correct information, ORS will need to ask for confirmation of your identity. ORS may also need to ask you for other information that is needed for us to make adequate searches.

Where one of our clients has received a Subject Access Request, ORS will give them every assistance in complying with any requests that they get.

To request a copy of your data which is held by ORS, you can:

The right to rectification

If you think that the information which ORS holds might be inaccurate then you have the right to have this corrected. However, it should be noted that data held for statistical purposes represent a point in time. Therefore, ORS is under no obligation to change any information that was correct at the time it was collected.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

The right to be forgotten, also known as the right to erasure

You have the right to withdraw your consent to ORS processing your data, in circumstances where consent is relied on. ORS will usually agree to such a request. However, where data is used for statistical purposes, we will usually have the right to continue processing your responses and only remove the information that makes you identifiable. The application of this will be judged on circumstances.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

ORS keeps its own ‘no further contact’ lists to screen samples for projects. If you never want us to contact you, then please send us your details. Make sure that you include any telephone numbers, email addresses and postal addresses that you do not want us to use:

We will always remove your details as quickly as possible. It could take up to a week for telephone numbers and email addresses to be removed from any current projects. It could take up to a month for any postal addresses to be removed, due to the longer lead times on those projects.

The right to object

Where processing of your data is based on the legitimate interests of ORS or its clients, you have the right to object based on your particular situation. Processing may be restricted (see below) while the balance of whose interests are overriding is decided.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

The right to restrict processing

Your right to restrict processing applies where:

  • The accuracy of personal data is in question
  • Processing is deemed to be unlawful but you do not want your data erased
  • ORS no longer needs the data but you need it kept for legal claims, or
  • You have challenged the balance of ORS’s and/or its clients legitimate interests in processing vs. your own interests (see above)

The application of this right will be considered on a case by case basis.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

The right to data portability

Where the processing of your data is based on consent and is conducted electronically, you have the right to request that a copy of your data is made available.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

Rights in relation to automated decision making and profiling

In general ORS does not conduct any activities to which this right would apply.

Where our clients are subject to this right, ORS will give them every assistance in complying with any requests that they get.

The right to make a complaint

ORS takes data protection very seriously and does its upmost to comply with legislation and best practice. If you think that we have not handled your data correctly, please contact us with your concerns:

You also have the right to lodge a complaint with a supervisory authority, which for the UK is the Information Commissioner’s Office (ICO).

Accessing our websites

The below details apply for all visits to ors.org.uk including sub-domains and redirects e.g. online questionnaires and client Members Area, and redirects to ors.org.uk from opinionresearch.co.uk

Whenever you load any webpage from ORS’s website, our server will log details of the page load, including the date and time and your Internet Protocol (IP) address. These logs are typically kept for up to five weeks. This information will not be shared with any third parties except in the case where unauthorised or malicious use has resulted in criminal investigation and/or legal proceedings.

This information does not usually enable us to identify any individuals.

Home internet connections usually use dynamic IP addresses. This means that a new IP address is normally assigned to you by your Internet Service Provider (ISP) every time you reset your connection. As a result, ORS and its clients cannot identify you from this information alone.

Organisations or premises with their own servers will often have static IP addresses. This means that the same IP address is permanently assigned. The only information that ORS could access would be the owner of the IP address. This may identify where your device was connected when you accessed the website, but ORS and its clients cannot identify you from this information alone.

ORS is the sole data controller of all information gathered through its website in this way. We are legally allowed to process this information as we have legitimate interests to monitor the use of our websites. This enables us to review and improve the information and services we provide. It also enables us to track any unauthorised or malicious use for security purposes.

As this does not usually enable us to identify any individuals, and we have no reason to do so, this activity does not contravene the interests, or fundamental rights and freedoms, of any individuals.

Cookies

Cookies are small text files stored on a user’s web browsing device (e.g. computer, mobile phone, tablet, web-enabled TV, etc.).

ORS has a number of websites, some of which use cookies. We use them for purposes such as ensuring the security of ORS’s websites, improving the reliability of our online surveys, allowing users to resume online surveys, understanding how ORS’s websites are used, and so on.

Cookies may be of two different types; session cookies or persistent cookies.

Session cookies last only as long as the browser remains open and allow ORS to recognise that requests for different web pages in one browsing session originate from the same browser. This is essential for the correct functioning of certain parts of ORS’s site for example online surveys or sections that require a user login.

Persistent cookies are stored between browsing sessions and allow ORS to recognise that a web browser has previously visited ORS’s site.

Removing or Blocking Cookies

Your web-browser should have settings which allow you to remove or block cookies. It is difficult to provide detailed instructions on how to do this due to the wide variety of web-browsers in use. We therefore recommend that you check with your browser vendor for further information. The website What Are Cookies provides instructions for most popular browsers and further background information.

Please note that in some cases, removing or blocking cookies may prevent parts of some ORS websites from working.

Details of First Party Cookies

These are cookies which originate from ORS’s own servers. Below is a list of websites maintained by ORS together with a list of cookies that each uses and a brief description of their purpose.

Websites

Cookie Name

Purpose

members.ors.org.uk
public.hub.ors.org.uk
PHPSESSID Session ID used to recognise that subsequent page requests originate from the same web browser. Essential for the correct functioning of online questionnaires and areas of the website protected by a login.
members.ors.org.uk has_js Placed by ORS’s website management software, Drupal, to remember whether your browser has JavaScript enabled.
members.ors.org.uk Drupal.toolbar.collapsed Placed by ORS’s website management software, Drupal, to remember display preferences.
online.ors.org.uk laravel_session Session ID used to recognise that subsequent page requests originate from the same web browser. Essential for the correct functioning of online questionnaires.
www.ors.org.uk
members.ors.org.uk
online.ors.org.uk
public.hub.ors.org.uk
SERVERID Place by one of our servers to identify which server your session is currently running on to enable load balancing.
online.ors.org.uk unique_respondent Used to detect and prevent abuse of online surveys.
online.ors.org.uk cookieconsent_status Used to hide cookie notice once acknowledged.
online.ors.org.uk XSRF-TOKEN Used to prevent cross-site request forgery.
public.hub.ors.org.uk scoi2
scoi3
Used to manage login information for a session.