top of page

Data management policy

Version 3, December 2025


Introduction
Chalkstream Limited is a reputation and market research agency specialising in the education sector. Our projects commonly involve both the analysis of client customer contact data and its use in recruitment of respondents to qualitative and quantitative studies.
 

This document sets out our responsibilities and processes under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
 

Scope
This policy applies to all staff at Chalkstream and all associates working on Chalkstream projects, who must be familiar with this policy and comply with its terms. All staff and associates confirm in writing that they have read and will comply with this policy.
 

Who is responsible for this policy?
Managing Director, Ben Verinder.


ICO registration
Organisation name: Chalkstream Ltd
Registration reference: ZA349937


Our role
Chalkstream acts only as a data processor. We process personal data supplied by clients (the data controllers) strictly in accordance with their documented instructions. Clients remain responsible for establishing a lawful basis for processing under Article 6 UK GDPR, and where special category data is provided, for establishing an appropriate condition under Article 9.


Data transfer

Unless otherwise instructed, we ask all clients to transfer any files containing personal data to us by uploading the file to a Microsoft OneDrive folder.

Folders containing personal data are shared only with the client and the Chalkstream team working on the research project. In the event that data needs to be shared with a third party, Chalkstream (in accordance with the GDPR) will always seek written notification from a client.
 

We ask clients to password protect all files containing personal data and to ensure that they do not share personal data, at any point in the project lifecycle, via email attachment.


International transfer
Staff and associates must not transfer personal data anywhere outside the UK without first consulting the Managing Director. Data transfers outside the UK will only ever take place with the specific consent of client data controllers and in accordance with the conditions of transfer set out in Chapter 5 of the UK GDPR.

Pseudonymisation and anonymisation
Many Chalkstream projects involve analysis of personal data to understand a population in detail and, typically, generate a sample frame for a study to ensure that the respondents recruited to that research adequately represent the population under study. Where a project does not require us to use a set of personal data for fieldwork purposes, we will ask the client to remove all surplus data (including first names and surnames) in order to, where possible, anonymise the data set.

Special category data
Where clients supply special category data (such as ethnicity, disability, or health information), Chalkstream processes this data only under the lawful basis and Article 9 condition confirmed by the client. Clients must confirm they have established an appropriate legal basis before providing such data.

Chalkstream may verify demographic details (such as age or gender) with respondents solely to support representative sampling. This verification activity is undertaken on behalf of and under instruction from the client controller.

Aggregated, anonymised demographic findings may be reported (e.g. "34% of respondents are female"). These aggregated statistics do not identify individuals.

Contacting respondents
Chalkstream may contact individuals directly to invite them to take part in research on behalf of clients. Participation is voluntary. At point of contact, respondents are provided with a privacy notice (see below). A copy is available on request.


Documenting processing activities
Chalkstream maintains a Record of Processing Activities (ROPA) in line with Article 30(2) UK GDPR for processors. As part of our record of processing activities we document:

 

  • Client and project dates

  • Responsible officer and controller details

  • Data delivery date and basis for processing

  • Controller evidence of compliance

  • Password protection and contract status

  • Sub-processor arrangements (where applicable)

  • Data location and any protected characteristics

  • Agreed date for data destruction and confirmation of deletion.

 

We document our processing activities in electronic format so we can add, remove and amend information easily.


Sub-processors and associates
Where associates are engaged on Chalkstream projects, they operate under equivalent confidentiality and data protection obligations. Associates use their own secure, encrypted business devices and do not store client data on personal devices. Sub-processor arrangements require prior written consent from the client controller.

Subject access requests
Any subject access request received by Chalkstream is immediately forwarded to the data controller. Chalkstream will assist the controller in responding, as required under Article 28(3)(e) UK GDPR.

Reporting breaches
Any suspected or actual data breach must be reported to the Managing Director without delay. Chalkstream will notify the data controller promptly in order to support the controller's obligation to notify the ICO within 72 hours where required.

Retention and deletion
Chalkstream deletes all personal data within two months of project completion, or earlier if instructed by the client. Deletion is confirmed to clients on request.

AI use at Chalkstream
Chalkstream uses enterprise-grade AI tools (currently including Copilot, ChatGPT Enterprise, and Claude) only to analyse anonymised or de-identified data. Identifiable personal data is never uploaded to AI systems.

AI tools are used for qualitative coding, categorising open-text responses, thematic summaries, and table formatting. AI is used only as supplementary analytic support. All AI-generated analysis is reviewed and validated by Chalkstream staff before use.

AI is used only with client agreement and under enterprise security controls. We do not upload any documents containing client-identifiable information to AI systems.

For more on AI use, please see our AI policy.


Proportionality
As a micro-business, Chalkstream applies proportional governance to data protection and AI use, ensuring compliance while maintaining reasonable administrative requirements appropriate to our scale and risk profile.

For more information on data management, please see our privacy policy.

bottom of page