Under the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 C.M.R 17.00), the Fair Information Practice and the EU General Data Protection Regulation (GDPR), personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not. It also includes, but is not limited to, a resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
All personal information that we collect is reasonably necessary for the purposes of providing professional services to our clients or in conjunction with research into actuarial issues.
The types of personal information we collect include contact details such as name, email, phone and mailing address, and position/title. Where we provide services to a client, we may collect sensitive information in the performance of our services. In these circumstances, we rely on the client having informed relevant parties of this use and having obtained consent.
If it is reasonable and practical to do so, we will collect personal information directly from you and not through a client. This will include contact details and other information relevant to providing services to our client. This may take place in a number of ways, such as when you attend our seminars or client functions, e-mail or otherwise contact us, or subscribe to our publications.
We may also collect personal information from third parties, including but not limited to publicly available sources. In these situations, we will take reasonable steps to ensure you are made aware that we hold your personal information and of the matters listed above, unless an exemption applies under 201 C.M.R 17.00 or the EU GDPR.
In relation to our professional engagements, prior to commencing, we require clients to authorise the release, collection and retrieval of personal information to us. In addition, we require a client to provide us with confirmation that it has made, or will make, those persons to whom the personal information relates aware that we have their personal information, the reasons for its collection by us and that it may be further disclosed to governments or other bodies (where necessary) for the purposes of completing the engagement. These authorisations and statements form part of our standard terms and conditions of engagement with clients.
We will not collect personal information unless the information is reasonably necessary for or directly related to one or more of our functions or activities. If we are unable to collect personal information we reasonably require, we may not be able to do business with you or the organisation with which you are connected.
If we receive personal information about you that we did not ask for, or from someone other than you, and we determine that we could have collected this information from you had we asked for it, we will take reasonable steps to ensure that you are notified, as soon as practicable, that we have collected your personal information. If we could not have collected this personal information, we will lawfully de-identify or destroy that personal information.
In carrying out an engagement, it may be necessary for CoreData to obtain from a client personal and sensitive information about the employees of the client or other persons connected with the client’s business (such as policyholders and claimants). We will take reasonable steps to ensure that the individual’s consent has been obtained by the client before collecting the sensitive information.
All data, including personal information, is received on a confidential basis, and CoreData has appropriate internal arrangements with its systems and staff to ensure that the confidentiality of the personal information is protected.
When you visit our web site, we (or our service providers) may obtain information from your personal computer that provides your internet address, your domain name (if applicable), and the previous sites you have visited and when you visited the web site.
When you visit the web site, our server attaches a ‘cookie’ to your computer’s memory. This is done to help us store information on how visitors to our web site use it and the pages that may be of most interest. However, this information is not linked to any information you may provide and cannot be used to identify you and is therefore not personal information.
By accepting to receive incentives or enter prize draws for completion of surveys, you consent to allowing CoreData Research to process your personal information to contact you for further surveys.
CoreData maintains the highest standards of data security requiring careful management of data security and storage on protected servers. CoreData has an exemplary track record of ensuring client data security since inception over a decade ago. This is a key requirement for the business’ viability and something the firm takes very seriously.
We take reasonable steps to ensure the security of personal information held by CoreData against risks such as loss or unauthorised access, destruction, use, modification or disclosure.
CoreData conforms to current professional best practice (Fair Information Practice) relating to the keeping of records securely for an appropriate period of time after the project has ended.
This includes password protection for access to its information technology systems and securing access to physical records.
The proposed period of time for which CoreData should keep research records will vary with the nature of the information (e.g. whether it is identified or de-identified), the nature of the project (e.g. ad hoc, panel, repetitive) and the possible requirements for follow-up research or further analysis. CoreData may retain information in an identified form only while the details of the identity of the Respondent continue to be necessary for research purposes. Records should be kept in a manner that makes it possible to reconstruct all the information originally collected, with the exception of any personal identifiers.
In default of any agreement to the contrary, the normal period for which the primary field records should be retained is one year after completion of the fieldwork while the research data should be stored for possible further analysis for at least five years.
All data is stored on secure on-site servers with well-maintained firewall facilities. All data is additionally backed up daily to a secure off-site server that also has well-maintained firewall facilities. Security of our servers is managed by a dedicated IT provider who has explicitly agreed to adhere to the ESOMAR standards for data storage and security.
Staff that handle personal information have the knowledge, skills, training and commitment to protect it from unauthorized access or misuse. In the event that third parties are permitted under informed consent to access data they must commit to the aforementioned privacy principles in a written contract.
All research data, findings (except in the case of syndicated projects), research briefs and other information provided must not be disclosed to third parties without prior explicit arrangement.
If the respondent consents to having their personal information disclosed to a third party or client that CoreData works with, the consent given only applies to the specific circumstances in which the data was requested by a client/third party. Any repeated requests for said data will require another document of consent and the client/third party must delete said data or refrain from any further contact once the purpose of it has been fulfilled.
The transfer of information about Respondents is permissible between a Researcher and the Client where the intent of this is to limit research contacts by means of maintaining records about participation. This should not be done where this practice would allow personalised information to be extrapolated or where any research data gathered about an individual may be appended or inferred by the transfer.
The personal information collected by us may be used to:
We may use personal information about you for the primary purpose of providing you with our services, and other purposes you would reasonably expect us to use that information for, limited to the prior terms of engagement and the adherence to 201 C.M.R 17.00 and EU GDPR.
Unless we are required to disclose your information by law, Court or arbitration proceedings, by a regulatory authority, under regulations or to fulfil a professional duty, your information will only be used by or disclosed to persons working at or for CoreData and our contracted service providers.
It may be necessary for us to transfer personal information we hold about you to an organisation outside The United States of America or Europe. We will transfer information outside The United States of America in a manner that is consistent with the requirements of the 201 C.M.R 17.00, Fair Information Practice and EU GDPR. By providing your personal information to us directly or via one of our clients you consent to this disclosure.
When contacting us, you (or the providing body) have the option either not to identify yourself or to use a pseudonym, unless it is impracticable for us to communicate with you in that manner or unless we are required or authorised under American or European law, or a court or tribunal order, to deal with individuals who have identified themselves.
We take all reasonable steps to de-identify personal information in reports and work generally. The retention of personal information is subject to the same retention policy as other information in our possession, that is, material is generally destroyed ten years after its creation unless it is still required for legal reasons or is being retained as an historical record.
Under 201 C.M.R 17.00, the Fair Information Practice and EU GDPR you have a right to seek access to your personal information, subject to any exemptions allowed under the 201 C.M.R 17.00.
If you request access to your personal information, you will need to prove your identity. If not requested by the client, we may also need to inform our client about your request under our contractual arrangements with them.
You also have the right to ask us to correct information about you to ensure the personal information we hold is accurate, up-to-date, complete, relevant and not misleading. Our policy is to consider any requests for access or correction in a timely way.