Data Governance and Protection Policy

1. Purpose and Objectives

Inference Research LLP is dedicated to protecting the confidentiality and privacy of information entrusted to us.

This policy establishes the framework by which Inference governs, manages, and protects data across the organisation. It ensures that all data is managed ethically, securely, and in full compliance with existing regulations. This includes the UK Data Protection Act 2018 and its applied GDPR provisions (DPA 2018).

2. Scope

This policy applies to:

  • All employees and associates of Inference Research LLP.

  • All systems, devices, and platforms used to collect, process, store, analyse, or transmit data.

  • All data types, including:

    • Client data

    • Research participant data (including personal and sensitive data)

    • Operational data

    • Publicly sourced data

    • Third-party datasets

 

3. Data Governance Framework

Roles and responsibilities:

  • Data Protection Officer (DPO): Llorenc O’Prey (llorenc@inference.org)

    • Oversees compliance with data protection laws.

    • Conducts data protection impact assessments (DPIAs).

    • Serves as the contact for data subjects and regulators.

  • Data Governance Committee: SMT

    • Develops and enforces data management standards.

    • Reviews data lifecycle and access controls quarterly.

  • Data Owners: All staff and associates

    • Responsible for data quality, access, and retention within their domain.

  • Data Users: All staff and associates

    • Must follow this policy, complete data protection training, and handle data responsibly.

Policy oversight:

  • The DPO reports quarterly to the Data Governance Committee on risk register, compliance status, and continuous improvements.

  • This policy is reviewed annually or upon significant legal or operational changes.

 

5. Data Classification

In the course of a research project, we handle many different types of data. All data must be classified into one of the following four categories. Data handling procedures (access, storage, transmission, disclosure and disposal) must align with the data’s classification level, as set out below:

Public

Information intended for public release, such as published reports, blogs, or publicly available datasets. Handling procedures:

  • Access: Open access for all staff and the general public.

  • Storage: Can be stored on public-facing platforms (e.g., website, open data or publication repositories).

  • Transmission: Requires Quality Assurance checks for rigour and ethics prior to transmission; no encryption required.

  • Disclosure: Only with the client’s consent or, for non-project-related data, that of the SMT.

  • Disposal: Standard deletion or archival methods.

Internal

Non-sensitive information and data required to undertake our research, such as research designs, tools, privacy notices, informed consent forms etc. Handling procedures:

  • Access: Those involved with the research project, including participants and staff both within Inference and the organisations we work with.

  • Storage: Secure servers with access controls.

  • Transmission: Requires Quality Assurance checks for rigour and ethics prior to transmission. Can be shared through internal (e.g. email) or external (e.g. website) communication channels or approved collaboration platforms.

  • Disclosure: Only with the client’s consent or, for non-project-related data, that of the SMT.

  • Disposal: Secure deletion after retention period.

Confidential

Sensitive information related to research projects, clients or partners. This includes strategic or operationally sensitive information, both for our partners and internally. Handling procedures:

  • Access: Project staff only, multi-factor authentication required.

  • Storage: Encrypted storage (AES-256) on Inference’s secure servers.

  • Transmission: Encrypted channels only (secure file sharing platform, or TLS-enabled email).

  • Disclosure: Only with project lead consent or where legally required.

  • Disposal: Permanent deletion using secure wipe procedures.

Restricted

Highly sensitive information containing personally identifiable information, health and well-being data, or any other data protected by law or contract. Handling procedures:

  • Access: Limited to staff who require restricted data to implement research; multi-factor authentication required.

  • Storage: Encrypted at rest and in transit; stored only on Inference’s secure servers.

  • Transmission: End-to-end encryption mandatory; sharing externally (outside Inference) requires data sharing agreements.

  • Disclosure: Only when absolutely necessary, and only with participants’ express informed consent or client agreement (through data sharing agreements).

  • Disposal: Certified data destruction methods; maintain audit records of deletion.

 

6. Data Lifecycle Management

Inference operates the following principles across the data lifecycle:

Data Collection

  • Collect only the minimum data necessary to complete the research, especially identifiable or sensitive data.

  • Obtain informed consent for research data collection.

  • Document lawful bases for processing (e.g., consent, contract, legitimate public interest).

Data Storage

  • Store data securely using encrypted systems and access controls.

  • Use Inference’s secure cloud storage, which is ISO 27001 and SOC 2 Type II compliant.

Data Processing

  • Access to personal or confidential data must be role-based (least privilege principle).

  • Sensitive data must be anonymised or pseudonymised where possible.

Data Sharing

  • Share data only with authorised recipients under Data Sharing Agreements.

  • Cross-border transfers must comply with adequacy decisions or standard contractual clauses.

  • Public release of research data requires de-identification and approval by the DPO.

Data Retention and Disposal

  • Retain data only as long as necessary for research or contractual purposes.

  • Securely delete or anonymise expired data using certified data destruction methods.

 

7. Data Security Controls

Technical Controls

  • Encryption: All sensitive data encrypted in transit (TLS 1.2+) and at rest (AES-256).

  • Access Control: Multi-factor authentication (MFA) for all critical systems.

  • Logging & Monitoring: System logs monitored for unauthorised access attempts.

  • Endpoint Security: All devices must have antivirus, disk encryption, and auto-lock policies.

Organisational Controls

  • Annual data protection and cybersecurity training for all staff.

  • Vendor security due diligence before engagement.

  • Incident response and breach management procedures established and tested annually.

Data Breach Management

  • All suspected breaches must be reported immediately to the DPO at llorenc@inference.org.

  • The DPO will assess the severity, document findings, and notify the relevant authority (ICO) within 48 hours, if required.

  • Impacted clients or data subjects will be informed.

9. Research Ethics and Data Protection

  • All research involving human subjects must undergo ethical review.

  • Data collection instruments (surveys, interviews) must include clear privacy notices.

  • Data anonymisation or pseudonymisation is mandatory before analysis or sharing.

  • Researchers must avoid re-identification attempts or use of data beyond the scope of the research questions under examination.

 

10. Compliance and Monitoring

  • Regular internal audits to assess adherence to this policy.

  • Data protection impact assessments (DPIAs) are mandatory for high-risk research projects.

  • It is everyone’s responsibility to maintain the highest standards of data handling and management.

 

11. Continuous Improvement

Inference is committed to continuous improvement of data governance and protection through:

  • Regular policy updates

  • Staff feedback mechanisms

  • Technological upgrades

  • Lessons learned from audits or incidents

 

12. Approval and Review

Policy Owner: Data Protection Officer
Next Review Date: September 2026