Expanded and updated privacy and confidentiality policy

Beaton Research + Consulting (‘Beaton’) is striving to be good citizens in how for ourselves we interpret and comply with the letter and spirit of privacy laws, including the General Data Protection Regulation (‘GDPR’). Accordingly, we are making the following statement of our position. We trust our example is helpful to you. This statement does not constitute advice or guidance.

The lawful basis upon which Beaton collects information on our clients (e.g. name, email address, organisation) is our legitimate interest [Regulation (EU) 2016/679, Article 6(1)f] in collecting and using this information given there is “a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller” [Recital 47] and processing this information helps us deliver better service to our (i.e. Beaton’s) clients. We believe that using that personal data (i.e. email addresses) to collect client feedback constitutes processing for the same purpose, i.e. helping us deliver better service to our clients. Even if our use of the data was determined to be for a different purpose, we believe asking for feedback from our clients satisfies GDPR’s criteria for using collected personal data for a further compatible purpose [Article 6(4)], namely:

• There is a clear link between using these contact details to deliver service and using these contact details to ask for feedback on that service,
• The context of asking for evaluation of a service after having delivered it,
• That the personal data (i.e. name, email addresses, organisation) is not considered a special category,
• The only consequences would be potential minor annoyance at receiving a request-for-feedback email (to which clients can opt-out), and
• That we ensure appropriate safeguards are in place to protect that data (e.g. pseudonymisation, kept for no longer than is necessary).

To that end, we do not believe that we need consent to provide client data to a third party in order to get that feedback. It is in our legitimate interests to do so, provided we ensured the third party had all the relevant protections in place. Our Privacy Policy has been expanded and updated to make clear that we use third parties that meet the standards of GDPR [Article 46] and the Australian Privacy Principles. In the interests of transparency and accountability we may include in our Privacy Policy direct reference to some of the third party providers we may use to process personal data, even though we do not believe that is necessary under GDPR.

We will include explicit reference in our Privacy Policy [Articles 12, 13, 14] that we believe using personal data we have on our clients for research purposes is considered a legitimate interest in helping us deliver better service to our clients. We believe it not necessary to state this explicitly, because it is for the same purpose for which it was collected in the first place, but do so to be comprehensive.

We believe that making a comprehensive and easy-to-read Privacy Policy outlining all of the above available to all clients, and ensuring there are relevant safeguards in place with our third party providers, give us the right to provide personal data to third parties without the need for consent from our clients or making specific provisions in our terms of engagement with our clients.