Data Governance and Protection Policy

1. Purpose and Objectives

Inference Research LLP is dedicated to protecting the confidentiality and privacy of information entrusted to us in accordance with the UK Data Protection Act 2018 including its applied GDPR provisions (DPA 2018).

This policy establishes the framework by which Inference governs, manages, and protects data across the organisation. It ensures that all data is managed ethically, securely, and in full compliance with existing regulations.

This policy sets out to:

  • Maintain the confidentiality, integrity, and availability (CIA) of all data.

  • Promote transparency, accountability, and ethical data use in research and analysis.

  • Establish clear roles and responsibilities for data governance and protection.

  • Mitigate risks associated with data breaches, unauthorized access, or misuse.

  • Ensure compliance with data protection laws (GDPR, UK Data Protection Act 2018).

2. Scope

This policy applies to:

  • All employees and associates of Inference Research LLP.

  • All systems, devices, and platforms used to collect, process, store, analyse, or transmit data.

  • All data types, including:

    • Client data

    • Research participant data (including personal and sensitive data)

    • Operational data

    • Publicly sourced data

    • Third-party datasets

4. Data Governance Framework

Roles and Responsibilities:

  • Data Protection Officer (DPO):

    • Oversees compliance with data protection laws.

    • Conducts data protection impact assessments (DPIAs).

    • Serves as the contact for data subjects and regulators.

  • Data Governance Committee:

    • Develops and enforces data management standards.

    • Reviews data lifecycle and access controls quarterly.

  • Data Owners:

    • Responsible for data quality, access, and retention within their domain.

  • Data Users:

    • Must follow this policy, complete data protection training, and handle data responsibly.

Policy Oversight

  • The DPO reports quarterly to the Executive Board on compliance status, incidents, and improvement actions.

  • This policy is reviewed annually or upon significant legal or operational changes.

5. Data Classification

All data must be classified into one of the following categories:

 

Classification   Description                                 Example
Public           Freely available, no restrictions           Published reports, website data
Internal         Non-sensitive operational data              Meeting notes, internal project plans
Confidential     Sensitive client or project data            Research datasets, client deliverables
Restricted       Personally identifiable or sensitive data   Participant survey data, health or demographic info

 

Data handling procedures (access, storage, transmission) must align with the data's classification level.

 

6. Data Lifecycle Management

 

Data Collection

  • Collect only the minimum data necessary (“data minimization” principle).

  • Obtain informed consent for research data collection.

  • Document lawful bases for processing (e.g., consent, contract, legitimate interest).

 

Data Storage

  • Store data securely using encrypted systems and access controls.

  • Use secure cloud storage compliant with ISO 27001 or SOC 2 Type II.

  • Backups must be encrypted and stored separately.

 

Data Processing

  • Processing activities must be documented in the Record of Processing Activities (ROPA).

  • Access to personal or confidential data must be role-based (least privilege principle).

  • Sensitive data must be anonymized or pseudonymized where possible.

 

Data Sharing

  • Share data only with authorized recipients under Data Sharing Agreements (DSAs) or Non-Disclosure Agreements (NDAs).

  • Cross-border transfers must comply with adequacy decisions or standard contractual clauses (SCCs).

  • Public release of research data requires de-identification and approval by the DPO.

 

Data Retention and Disposal

  • Retain data only as long as necessary for research or legal purposes.

  • The Data Retention Schedule specifies retention periods per data type.

  • Securely delete or anonymize expired data using certified data destruction methods.

 

7. Data Security Controls

 

Technical Controls

 

  • Encryption: All sensitive data encrypted in transit (TLS 1.2+) and at rest (AES-256).

  • Access Control: Multi-factor authentication (MFA) for all critical systems.

  • Logging & Monitoring: System logs monitored for unauthorized access attempts.

  • Endpoint Security: All devices must have antivirus, disk encryption, and auto-lock policies.

 

Organizational Controls

 

  • Annual data protection and cybersecurity training for all staff.

  • Vendor security due diligence before engagement.

  • Incident response and breach management procedures established and tested annually.

 

Data Breach Management

 

  • All suspected breaches must be reported immediately to the DPO at [contact email].

  • The DPO will assess the severity, document findings, and notify the relevant authority (e.g., ICO) within 72 hours, if required.

  • Impacted clients or data subjects will be informed where required by law.

 

9. Research Ethics and Data Protection

 

  • All research involving human subjects must undergo ethical review.

  • Data collection instruments (surveys, interviews) must include clear privacy notices.

  • Data anonymization or pseudonymization is mandatory before analysis or sharing.

  • Researchers must avoid re-identification attempts or use of data beyond the consent scope.

 

10. Compliance and Monitoring

 

  • Regular internal audits assess adherence to this policy.

  • Data protection impact assessments (DPIAs) are mandatory for high-risk research projects.

  • Non-compliance may result in disciplinary action or termination of contracts.

 

11. Third-Party and Vendor Management

 

  • Third parties with access to data must sign Data Processing Agreements (DPAs).

  • Vendors must meet equivalent data protection standards.

  • Annual review of vendor compliance and security certifications.

 

12. Continuous Improvement

 

Inference is committed to continuous improvement of data governance and protection through:

 

  • Regular policy updates

  • Staff feedback mechanisms

  • Technological upgrades

  • Lessons learned from incidents and audits