How to collect anonymous data and still comply with the GDPR

We know that HR teams, employee wellbeing officers and student support services aren’t always experts in data protection, but licensing an anonymous or named reporting system means collecting personal data and complying with the GDPR.

Fortunately at Culture Shift we have several years of experience of helping organisations deploy reporting and support systems in a way that complies with the GDPR, and our onboarding and success teams can provide advice and recommendations to get the most out of your system in a GDPR-compliant way.

Unlike other systems that pre-date the GDPR and had to be retrofitted to be compliant, the Culture Shift platform was built when GDPR was already around, and we’ve been compliant throughout the platform since day one. 

The GDPR can seem intimidating at first, but the foundations are set in 7 key principles as part of the regulations, and the Culture Shift system helps you apply these principles in your reporting and support systems.

These principles are:

  • lawfulness, fairness and transparency: you must identify a reason in law that you are allowed to use someone’s data, and you must handle this data in a fair way and be open with how you do this. In buying a license to use Culture Shift, this includes the use of our best practice questions which have been designed to remove reporting barriers, and these questions are designed to be upfront about why they’re asked, and how the data is used, in keeping with this principle.
  • purpose limitation: you must only use the data for the purpose it was originally collected, and you should be upfront about what this purpose is, which our best practice question structure includes.
  • data minimisation: data processed by the system must be adequate, relevant and limited to what is necessary. Our best practice questions are designed to remove barriers by not asking any more than is necessary, but capturing what is needed to help you support the reporter and track trends across your organisation, compliant with these principles. 
  • accuracy: our system gives you the power to correct mistakes, whilst keeping a record of who made the correction to avoid any data tampering.
  • storage limitation: data must not be kept longer than you need it. The system’s workflow gives you the tools you need to redact personal data when a case is archived and the personal data no longer needed, complying with this principle. Non-personal data will still be available for trend analysis to show changes over a number of years.
  • integrity and confidentiality: appropriate security measures must be in place for the data. The security of the Culture Shift system is best in class, with an in-house “DevSecOps” development model applying security principles continuously, certified with the NCSC Cyber Essentials certification and verified by annual security testing undertaken by an industry-leading third party.
  • accountability: you must take responsibility for what you do with the personal data. Culture Shift’s partnerships and success teams are able to support you to ensure that you have appropriate systems and measures in place to remain compliant, and can work with Data Protection Officers to demonstrate how our system is compliant.

There are 6 reasons permitted under law to process someone’s personal data to satisfy the lawfulness principle. These are known as the lawful bases. In addition, if you wish to process particularly sensitive data (“special category” data including race/ethnicity, religion/faith, disabilities and sexual orientation), you must have an additional basis to process that data beyond the 6 lawful bases. For a reporting system, there are two lawful bases that can be used:

  • the basis of consent, where a reporter must explicitly confirm their personal data will be processed as part of a report. Our best practice questions incorporate a clear consent process, and we minimise the number of required questions to those truly required, to ensure a victim/survivor only gives the information they wish to as part of a report. For special category data the requirement is stronger: explicit consent is needed. Because we make special category data optional in a report and explain the consent for it separately, this requirement is satisfied.
  • the basis of legitimate interest, where the wider interests of the organisation or society are balanced against the personal interest of the reporter. Culture Shift believes that personal data in reports aimed at reducing bullying and harassment in places of work and study are of legitimate interest. For special category data, this can also be justified under “reasons of substantial public interest” which includes “equality of treatment”, “preventing and detecting unlawful acts” and safeguarding.

Some sector specific areas such as public interest disclosures or safeguarding may also allow you to use the basis of legal obligation, if you are implementing a reporting system to help you comply with legal responsibilities.

Under law, it is your responsibility to determine which bases to use, but Culture Shift recommends these two bases as appropriate depending on the individual. 

When evaluating a reporting system under the GDPR, there are three terms you might come across:

  • the data controller is the organisation ultimately responsible for the personal data being collected in the system - this would be the company or institute deploying the reporting tool.
  • the data processor is an organisation processing the personal data on behalf of the controller - this would be the company supplying the reporting tool, Culture Shift.
  • the data subject is an individual who the personal data refers to, and they have rights given to them by the GDPR. This is usually the reporter, but if a report makes an allegation against a specific individual, that individual is also a data subject and has rights under the GDPR.

For an individual to be a data subject, they must be identifiable from the data. For most anonymous reports, the reporter is not identifiable from the data provided, but this is not always the case. For example, in small organisations, certain combinations of the equality monitoring data may identify an individual. Culture Shift therefore treats anonymous reports with the same security as named reports, and our best practice questions advise reporters that if they believe they will be identifiable from their answers and do not wish to be, those questions can be left blank. Similarly, when setting up your system, we advise that the department list is set such that very small departments are grouped together, or only a higher tier of organisation hierarchy is used as the department list.
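One way to apply this advice when preparing a department list, as an added example that is not Culture Shift's code: it groups departments below a minimum size and flags answer combinations shared by very few people. The threshold `K_MIN`, the function names and the sample organisation are assumptions made for illustration.

```python
from collections import Counter, defaultdict

K_MIN = 5  # assumed minimum group size; the page does not give a number

def department_labels(departments, k_min=K_MIN):
    """Map each department to the label offered on the report form.
    departments: {name: (parent_tier, headcount)}"""
    tiers = defaultdict(dict)
    for name, (parent, headcount) in departments.items():
        tiers[parent][name] = headcount
    labels = {}
    for parent, children in tiers.items():
        small = {n for n, h in children.items() if h < k_min}
        small_total = sum(children[n] for n in small)
        if sum(children.values()) < k_min:
            # The whole tier is tiny: fold it into a catch-all option.
            bucket, grouped = "Other", set(children)
        elif small and small_total < k_min:
            # Grouping only the small departments would leave a tiny
            # remainder next to its large siblings: list the tier only.
            bucket, grouped = parent, set(children)
        else:
            all_small = len(small) == len(children)
            bucket = parent if all_small else f"{parent} (other)"
            grouped = small
        for name in children:
            labels[name] = bucket if name in grouped else name
    return labels

def small_cells(records, fields, k_min=K_MIN):
    """Answer combinations shared by fewer than k_min people."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return {combo: n for combo, n in counts.items() if n < k_min}

# Constructed sample organisation (not real data).
DEPARTMENTS = {
    "Payroll": ("Finance", 3), "Accounts": ("Finance", 42),
    "Legal": ("Corporate", 2), "Comms": ("Corporate", 4),
    "Engineering": ("Technology", 120),
}
STAFF = (
    [{"dept": "Finance", "disability": "no"}] * 43
    + [{"dept": "Finance", "disability": "yes"}] * 2
    + [{"dept": "Engineering", "disability": "no"}] * 110
    + [{"dept": "Engineering", "disability": "yes"}] * 10
)

if __name__ == "__main__":
    print(department_labels(DEPARTMENTS))
    print(small_cells(STAFF, ["dept", "disability"]))
```

Any combination returned by `small_cells` marks answers that could single out a reporter even after departments are grouped, which is where leaving an optional question blank matters most.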

Both the victim/survivor and any people named as perpetrators in the report are considered to be data subjects, and legal bases for processing their data should be selected. Culture Shift recommends that the basis of consent is used for the reporter, and legitimate interest used for all others. Once a report has been made and their data captured, the data subjects have rights under GDPR which must be respected, and the Culture Shift system enables this.

  • To be informed. Data subjects are entitled to know who is holding their personal data, and why. Culture Shift’s reporting system is intended to be used by employees, members or students who already have a relationship with the company or institution. In these cases, Culture Shift should be incorporated into the existing privacy notice covering your relationship with them, so that they are aware that their data might be processed as part of a report, and this privacy notice should be linked to from your reporting website as a way of complying with this. This covers both reporters and people named in reports. If a person is named in a report who you do not have a relationship with, then you may be able to use the exemption where informing them impairs the purposes of the report (for example, if you are passing the report to the police for serious cases), or you may need to inform them a report has been made which names them, or instead decide to remove their personal information from the report to stop processing it.
  • Right of access. Data subjects are entitled to know what personal data is held about them. The Culture Shift system allows you to search for reports by named individuals and then allows you to create PDFs of those reports to be provided in response to a subject access request. If a person is named in their report, all that is needed is to confirm their name is held, and the report does not need to be provided to them.
  • Rectification. If a data subject asks to correct inaccurate information made in a report, the “redaction” feature within the product allows users to not only redact information but correct it too.
  • Erasure (sometimes known as “right to be forgotten”). The “redaction” feature allows all personal information to be removed from a case, whilst maintaining non-identifiable information for long-term trend analysis. Named allegations are not always subject to this right, and it cannot be used to allow an individual to get away from an investigation if one is in progress.
  • To restrict processing. The updates feed can be used to note that any cases should be put on hold in response to a request for processing to be restricted. Again, this right does not always apply and cannot be used by someone to stop an investigation being made against them; it applies instead if they have been misidentified and clarity is needed.
  • For data portability. An encrypted Excel export can be provided of reports if needed to comply with this request.
  • To object. In a typical use of the Culture Shift platform, the circumstances under which a data subject can object to their data being processed do not apply.
  • Rights in relation to automated decision making and profiling. As the Culture Shift system does not make any decisions without human involvement, this right does not apply.

Many of these rights are supplementary to procedures your company or institute will already have in place for wider GDPR compliance, and Culture Shift enhances them to ensure we enable you to comply as part of your wider procedures.

Culture Shift are a UK-based company, and as such are covered by UK law which has adopted the GDPR in its entirety. We have worked with companies across the EU and have adopted Standard Contractual Clauses so that we can continue our partnerships even in the event of a no-deal Brexit.

Culture Shift have a comprehensive approach to GDPR compliance, and our partnership packages include the knowledge and experience of our team to help you make the most of your reporting system in a compliant way. If you are interested in partnering with us and licensing our reporting system, please get in touch.
