Privacy Notice
Data Controller
Reason Why is the data controller and SocialOptic the data processor acting under our instruction.
What personal data we collect
The surveys, consultations or forms may collect some or all of the following personal data: name, email address, mobile number, telephone number, postcode.
How we use your data (purposes)
The user’s personal data will be received by Reason Why and may use the personal data to contact the user. Your data is not shared with any other 3rd parties. Your email address may be used to send you an invitation to the survey, and reminder emails. Responses will be anonymised before reporting, and minimum response thresholds are applied to further protect your anonymity.
Legal basis for processing personal data
Article 6 of the General Data Processing Regulations:
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Data Processors and other recipients of personal data
SocialOptic is the data processor and will only share data with Reason Why. The data will be received by Reason Why and provided to 3rd parties when indicated by the user.
International data transfers and storage location(s)
As standard we do not transfer your personal data outside the United Kingdom. SocialOptic uses UK-based servers, and all data processing takes place within the UK.
Retention and disposal policy
Personal data will be stored during the field period of the survey, consultation or form and for the subsequent analysis. Following this, all data gathered (including personal data) will be retained for 7 years. Once this time has elapsed the data will be deleted.
How we keep your data secure
SocialOptic is certified under industry standard cyber security credentials (Cyber Essentials and IASME information assurance standards) as well as audits by financial services and government organisations. SocialOptic has a data security policy, data governance policy, business continuity plan and incident management process which are regularly reviewed. These policies cover patch management, testing, audit and the full data life cycle.
Each customer instance of SurveyOptic operates in its own separate, virtualised environment, ensuring the highest levels of data confidentiality. All data is held within UK-based data centres, with a primary data centre and mirroring to a secondary UK data centre, with a tertiary stand-by data centre for reliance, availability, and disaster recovery. All data centres are ISO 27001 certified, with independently verified security accreditations covering physical access control and logical security. All data is encrypted during transfer and storage and is automatically backed up in real time. Survey responses are journaled with a periodic roll up to minimise the chance of data loss, as well as periodic full snapshot backups providing an additional level of protection and recovery.
Your rights as a data subject
By law, data subjects have a number of rights and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies. These rights are:
1. The right to get copies of information – individuals have the right to ask for a copy of any information about them that is used.
2. The right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
3. The right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used.
4. The right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.
5. The right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.
Comments or complaints
Anyone unhappy or wishing to complain about how personal data is used as part of this programme, should contact sam@reasonwhy.uk in the first instance.
Anyone who is still not satisfied can complain to the Information Commissioners Office. Their website address is www.ico.org.uk and their postal address is:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Changes to this policy
This privacy notice is kept under regular review, and new versions will be available on our privacy notice page on our website. This privacy notice was last updated on 15 June 2022.