Privacy Policy

Website cookies

There’s no cookie banner because this website doesn’t use cookies or tracking. The website has been checked for these but if you find anything running, please let me know.

Transparency Information

Sarah Wickham Consulting provides a range of services to organisations. As you’d expect from my services, I’m serious about protecting your privacy and maintaining the security of information. Personal data and other information is kept confidential and used to support activities as required, including the delivery of client projects. I’m committed to processing personal data lawfully, fairly and transparently; collecting minimum data, retaining it only as long as necessary, and protecting it from unauthorised use. As well as complying with data protection law, I’m also committed to providing clear and accessible information which is relevant and linked to the activities I carry out, and to following equitable and ethical practices.

This Transparency Information (sometimes known as a Privacy Notice) explains in more detail how I use (‘process’) personal data, and what your rights are. It applies to people who enquire about or commission any of my services, to people who take part in research or evaluation, and people who subscribe to my newsletter.

In my work capacity for Sarah Wickham Consulting, I am a registered ‘data controller’ of personal data. The UK General Data Protection Regulation (UK GDPR) and, in the UK context, the Data Protection Act 2018 allow me to process personal data without consent for:

  • Legitimate business interests of providing consultancy services to organisations, for profit.
  • Legal reasons – usually performing a contract, or keeping data for tax purposes.

Often I process personal data only with your informed consent, as in the following examples:

  • Surveys: participation is always optional and voluntary. Surveys will never require you to enter personal details, although you may choose to give these (e.g. if you are happy to be contacted for follow-up or if you would like to enter a prize draw advertised in a survey where this is available).
  • Interviews and focus groups: participation is always optional and voluntary. If you participate you can choose what information to provide, refuse to answer questions or leave at any time.
  • Newsletter: If you consent by subscribing, your email address will be used to send you emails. There are no trackers on the emails.
  • Reports: When reporting the results of research or evaluation through surveys, interviews and focus groups, personal information is usually anonymised and cannot be traced back to individuals.

You may restrict data processing or withdraw your consent later by contacting me.

Clients may share personal data with me, e.g. to recommend I contact someone to request they take part in a survey or an interview/focus group, because we genuinely believe that person could strongly contribute to the project. Taking part is always optional and voluntary: please ask me to delete your personal data if it has been shared with me in this way.

Sometimes I work with associates to conduct research and consultancy projects. When this happens, access to the information I collect may be granted to them for the duration of the project. This will be regulated by a contract, and the associates will be considered “data processors”. This means they are obliged to comply with the relevant legislation and to follow my standards of security and confidentiality. Associates’ access to project data ends once the project ends.

I do not share personal information with any third-party organisation, unless obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or unless I have your consent.

Most of my personal data processing is within the UK or transferred to countries/territories which are covered by the ‘adequacy regulations’ in UK data protection law, as follows:

  • Email/calendar appointments – privacy-first Proton (servers in Switzerland).
  • Documents (e.g. reports, notes) – Microsoft OneDrive (servers in the European Union).
  • Survey and questionnaire responses – SmartSurvey (servers in the UK).
  • Bookings – Calendly (servers in the US). Personal data limited to email address.
  • Newsletter subscriptions – Buttondown (servers in the US). Personal data limited to email address.
  • Videoconferencing – Zoom (US and Australia). Personal data only processed during the call – calls and chats are not recorded.
  • Payments by credit card – Stripe (Europe and the US).

The above are ‘data processors’ and comply with data protection law. Their ‘privacy policies’ or equivalent provide further detailed information.

I handle and manage personal data in compliance with the UK’s data protection legislation and following strict security processes. These include protecting all information by secure accounts with strong passwords and multi-factor authentication. I have an information security policy.

I keep personal data for six years after work is completed and any invoices are paid.

Buttondown holds the email addresses of current subscribers to my newsletter. If you unsubscribe, your email address will be retained in Buttondown to suppress your details and ensure you no longer receive the newsletter. (If you unsubscribe and then change your mind, email me direct to work it out.)

UK GDPR gives you rights over personal data that relates to you held by or on behalf of Sarah Wickham Consulting. You can:

  • request personal data
  • correct any personal data if you can show it is incorrect
  • ask me to erase any personal data that there is no longer a legitimate purpose for processing
  • get a machine-readable copy of personal data that you provided with your consent or under a contract
  • stop me from processing any personal data that there is no legal or contractual obligation to process. You can opt out of newsletters I send you whenever you like.

To exercise any of these rights, please contact me. If you think I am using personal data about you in any way that is unfair or prejudicial to you, I will fix it if I can.

You may need to prove your identity before getting access to data that relates to you or exercising other rights. This may be by showing me a proof of ID or by providing contextual information that proves that you are who you say you are.

If you have any concerns about my handling of personal data that relates to you, you can raise these with me directly. You have a right to make a complaint to the Information Commissioner.