© COPYRIGHT 2017 Analysis Group, Inc., ALL RIGHTS RESERVED.
Last Updated on December 7th, 2017
About this document
Analysis Group Ltd. (a UK registered company, registered in England with company number 10629120) is the data controller of your personal data and is subject to the Data Protection Act 1998 ("DPA") (and, once in force, the General Data Protection Regulation (the "GDPR")).
How we collect your information
We may collect your personal data in a number of ways, for example:
- from the information you provide to us when you interact with us before becoming a client, for example when you express your interest in our services;
- when you instruct us to provide services to you, sign an engagement letter or provide information about you and your organisation to us in connection with those instructions;
- when you communicate with us by telephone, email or via our website, for example in order to make enquiries or raise concerns;
in various other ways as you interact with us during your time as a client of Analysis Group, for the various purposes set out below;
from third parties, for example in order to carry out required due diligence checks on you or your organisation before we accept your instructions.
The types of information we collect
We may collect the following types of personal data about you (and anyone at your organisation who we need to carry out due diligence checks on, for example):
- your name, and contact information such as address, email address and telephone number;
- your date of birth, national insurance number (or other tax identification number) and due diligence information;
- billing and financial information (including bank routing number and bank account numbers – used for receipt of funds).
We may also collect sensitive personal data, including information concerning your health and medical conditions, particularly where our services are provided to health care sector clients (for example, where we advise on health care research).
How we use information about our clients
The purposes for which we may use personal data (including sensitive personal data) we collect during a client's association with us include:
- the provision of our core services to clients, including research services, litigation support services, strategic advice, and all other advisory and consulting services (and, in each case, for the offer and provision of services to our clients);
- other administrative purposes, including administering finance, administering IT and HR systems, carrying out research and statistical analysis (for our own or a third party's purposes), carrying out audits (for example, to ensure compliance with our regulatory and legal obligations);
- sharing our knowledge and promoting our services (for example, providing you with briefings and other publications, details of events, or information about our other services which may be of interest to you). If you do not wish to receive such information, please let us know now or at any time in the future by contacting us as set forth below, and your details will be removed from our mailing list(s);
- dealing with complaints and enquiries.
The basis for processing your information and how we use it
We may process your personal data because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract. In this respect, we use your personal data for the following:
- to interact with you before you become a client, for example when you express your interest in our services (for example, to send you promotional material or answer enquiries about our services);
- once you have engaged us and become a client, to provide you with the services as set out in our engagement letter;
- to deal with any concerns or feedback you may have;
- for any other purpose for which you provide us with your personal data.
We may also process your personal data because it is necessary for our or a third party's legitimate interests. Our "legitimate interests" include our commercial interests in operating our business (and the business of Analysis Group more generally) in a client focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements.
In this respect, we may use your personal data for the following:
- to monitor and evaluate the performance and effectiveness of our services, including by training our staff or monitoring their performance;
- outsourcing selected 'back office' functions to third parties (for example, vendors of hosted software solutions or cloud storage providers) for the purposes of efficient, fast and secure access to information across the Analysis Group member companies;
- to seek advice on our rights and obligations, such as where we require our own legal advice;
- to keep you informed (by letter, telephone, email and other electronic means) of services from us and other Analysis Group member companies which may be of interest to you. If you do not wish to receive such information, please let us know now or at any time in the future by contacting us as set forth below, and your details will be removed from our mailing list(s).
We may also process your personal data for our compliance with our legal obligations. In this respect, we may use your personal data for the following:
- to meet our compliance and regulatory obligations, such as tax reporting requirements;
- in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities.
We may also process your personal data where:
- it is necessary to protect your or another person’s vital interests;
- it is necessary for the establishment, exercise or defence of legal claims (for example, to protect and defend our rights or property, and/or the rights or property of our clients, or of third parties);
- it is necessary for medical purposes (for example, where we are engaged to advise on health care research matters, or the management of health or social care systems and services);
- is necessary for reasons of public interest in the area of public health;
- we have your specific or, where necessary, explicit consent to do so.
Sharing information with others
- our employees, agents and contractors where there is a legitimate reason for their receiving the information, including:
- those of our staff and consultants providing services to you (including those who work for Analysis Group member companies);
- third party consultants and experts providing services to us or directly engaged by you;
- law firms and other service providers who are advising you;
- providers of outsourced services to us (for example, IT vendors and cloud storage providers);
- internal and external auditors;
- with a third party in a business transaction, in the event that all or part of Analysis Group is sold, merged, dissolved, acquired, or involved in a similar transaction which involves the transfer of client files.
International data transfers
In the course of providing services to you, we may transfer your personal data to Analysis Group sprl in Belgium; in that case, your information will remain within the European Economic Area ("EEA").
In addition, some of the personal data we process about you may be transferred to, and stored at, a destination outside of the EEA, for example where it is processed by staff operating outside the EEA who work for us, or where personal data is processed by one of our suppliers or vendors who is based outside the EEA or who uses storage facilities outside the EEA.
In these circumstances, your personal data will only be transferred on one of the following bases:
- where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (for example, standard data protection clauses adopted by the European Commission). In particular, we have model clauses in place between us and Analysis Group, Inc. in the United States;
- a European Commission decision provides that the country or territory to which the transfer is made ensures an adequate level of protection. In particular, data transfers from us to Groupe d'Analyse Ltée in Canada are covered by the European Commission's adequacy finding on the Canadian Personal Information Protection and Electronic Documents Act; or
- there exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent).
How long your information is kept
Subject to our legal and regulatory obligations as well as any other notices that we may provide to you, we may retain your personal data for a period of seven years after your association with us has come to an end. However, some information may be retained for longer than this, for example where we need to retain it for the purposes of litigation.
Under the DPA you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us not to send you marketing communications.
Once the GDPR comes into force in May 2018, you will also have the following additional rights:
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
If you have given your consent and you wish to withdraw it, please contact our Director of Compliance using the contact details set out below. Please note that where our processing of your personal data relies on your consent and where you then withdraw that consent, we may not be able to provide all or some aspects of our services to you and/or it may affect the provision of those services.
If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under data protection legislation from the Information Commissioner's Office website available at: www.ico.org.uk.
- by email: firstname.lastname@example.org;
- by telephone: (00 1) 617 425 8000;
- or by post: Director of Compliance, Analysis Group Ltd., 1 Angel Court, London EC2R 7HJ.