Abstrakt Consultancy typically interacts with a variety of internal and external stakeholders upon the engagement of services that may include; owners, investors, employees, customers, suppliers, communities, governments, or trade associations. In addition to our engagement, confidentiality, and fee terms we operate within an agreed set of ethical guidelines with regard to all direct contact with stakeholders and adhere to the below policies.   

(i) Participant Information (PI) Document

The Participant Information (PI) Document is the document given to all potential participants with written information about the project in which we may require their involvement. Its purpose is to help potential participants decide whether they want to take part in the project being implemented and provide relevant details, including personal details. It includes the following core information:

• Title, or name of the project
• The name and contact details of the project team/research team, project manager/research manager
• The details of the ethical approval process including who granted ethical approval and the contact details for any ethical queries/comments/complaints
• An invitation to the participant inviting them to take part in the project/research and an explanation of why they have been invited
• Non-technical details explaining the project/research
• Assurance that participation is voluntary* and details of how they can withdraw from the study without penalty
• Non-technical explanation of what participation involves
• Summary of the risks and benefits to the participant
• Explanation of what will happen to the participant’s data
• Details of where the results of the project/research will be published and who will have access (all employees/department managers only/board members only etc.)
• Contact details for further queries/concerns/complaints
• The relevant Privacy Notice

*Voluntary participation; Abstrakt Consultancy would suggest that the participation of any stakeholder in organisational projects/research is voluntary. Whilst participation in such projects/research may be enforceable via contracted terms and conditions of employment. Abstrakt Consultancy suggests that a voluntary approach to project/research participation yields richer data sets, supports the morale and engagement of employees, and informs objectives more appropriately. 

(ii) Informed Consent (IC) Document

Abstrakt Consultancy takes the view that as a first principle, projects/research that involving participants should only take place with informed consent. In exceptional circumstances, consent may be given by a third party (where contractual obligations have been agreed prior between the client and employees for example). Gaining informed consent is an ethical requirement of the project/research process. It must be thought about at the planning stage of a project/research proposal and be tailored towards the specific project/research objectives.

The following principles should always underpin gaining informed consent:

• Potential participants should not be under the impression that they are required to participate (unless in exceptional circumstances as previously noted), or that there is any penalty or detriment to them if they do not take part
• Participants should be aware of their entitlement to refuse to continue to participate at any time, for whatever reason without incurring any penalty
• Potential participants should be given sufficient information (Participant Information Document) about a project, in a format they understand, to enable them to exercise their right to make an informed decision whether to participate in the project/research
• Participants should be aware of the benefits and risks to them of taking part in the project/research
• Participants should be aware of how their data will be used, including whether their anonymised data may form part of a re-usable, published dataset
• If participants form part of a vulnerable group, or could be made vulnerable as a result of their participation in the project/research particular care must be taken in relation to their consent and the conduct of the project/research to ensure their safety and wellbeing
• Participants should be given sufficient time to reflect on their consent before and after making their decision 
• Signed informed consent documents should be dated, with a copy being given to the participant, and the original kept securely. It should be explained to the participant how their information will be stored and destroyed
• Tick boxes/initial boxes are not used on Abstrakt Consultancy informed consent (IC) documents unless the project/research offers an opt in/out option for the participant on various parts of the project/research
• To comply with Data Protection legislation a privacy notice will always be included at the beginning of all online forms/surveys/questionnaires, and at the end of paper documents, when collecting personal data.

The Mental Capacity Act 2005 came into force on 1 October 2007.  It requires intrusive research to be subject to ethical scrutiny by a Research Ethics Committee established in England or Wales under the Governance Arrangements for NHS Research Ethics Committees (GAfREC, DH July 2001).  Intrusive research is defined in section 30(2) of the Act as: “[research] of a kind that would be unlawful if it was carried out on or in relation to a person who had capacity to consent to it, but without his consent”  and is not limited to medical and biomedical research, health-related research or research taking place within the NHS. 

(iii) General Data Protection Regulation (GDPR) Document

From 1 January 2021, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 became the UK law governing the processing of personal data.

The UK GDPR gives individuals more control and rights over the processing of their personal data. In addition, it introduces more accountability on data controllers. Abstrakt Consultancy ensures it is GDPR compliant at all times.

Some of the highlights in UK GDPR are as follows:

All personal data must be processed lawfully, fairly, and transparently. It must be collected for a specific and lawful purpose, limited to what is necessary to fulfill the purpose, kept accurate and for no longer in time than is necessary as well as processed in a secure way. Abstrakt Consultancy must be able to demonstrate compliance with these principles.

Data subjects (e.g. owners, investors, employees, customers, suppliers, communities, governments, or trade associations) must be provided with detailed information (usually through privacy notices) including an explanation as to the purpose and legal basis for processing.

Data subjects have increased rights in relation to the processing of their personal data. Some operate in only certain circumstances.

The rights include:

• the right to access to their personal data (eg via a subject access request, free of charge to be dealt with within one month of request)
• the right to rectification of inaccurate personal data
• the right to data portability (ie made available in a portable format in order to move it from one controller to another)
• the right to erasure (ie deletion of personal data)
• the right to object to processing
• the right to restrict processing and
• rights in relation to automated decision-making, including profiling.

Greater safeguards exist when processing special category personal data. This includes data relating to health, religion, race, sexual orientation, genetics, and biometrics.

Abstrakt Consultancy will ensure data protection by design and by default which means we will ensure there are appropriate technical and organisational controls in place to process personal data securely.

Abstrakt Consultancy will also ensure that major projects and developments are subject, where appropriate, to Data Protection Impact Assesments (DPIAs).

Safeguards will be in place if personal data is to be transferred outside of the UK or European Economic Area (EEA).

Abstrakt Consultancy will notify the regulator, the Information Commissioners Office (ICO), of any data protection breach 72 hours, at the latest, after becoming aware of it unless it does not pose a risk to the rights and freedoms of the individuals concerned.