You are currently not logged in. Any progress made will be lost.

Client Supplied Databases/Customer Lists

If you are working from a sample provided by a client (also called client supplied databases or client customer lists) there are other considerations that need to be taken into account.


In this situation the clients will be the data controller and the recruiter will usually be the data processor. There must be a written contract with the client that all people on the client database have consented to being contacted e.g. any individuals who have requested not to be contacted for research purposes are excluded from the list. The data controller  - the client in this instance - is responsible for ensuring that recruiters use the data in accordance with the terms under which it was collected. You may be required to sign a legal contract with the client often called a “Sub-processor Data Handling Contract”. Recruiters must also ensure that client supplied data is retained and stored securely. The data controller - clients which supply customer lists - must be registered with the ICO and within client notifications it must state that customer data will be used for research purposes. Information on registered data controllers is publicly available on the ICO website.


The Data Protection Act does not specify a length of time to keep data. The legislation requires that you do not keep personal data for longer than you need it. You also need to be able to justify how long you propose to keep personal data. The purpose (research recruitment)  itself would not justify keeping data indefinitely.  You need a policy setting a standard retention period wherever possible, to comply with the documentation requirements.  If you are collecting data on behalf of a client the data retention period should be agreed before you start collecting data on their behalf, as you will need to relay this information to participants once you start collecting data.As part of the contract between the data controller and the data processor it is advisable that a timescale for keeping any database/list is specified and adhered to. Once the list is no longer required it should be securely deleted.

Only data that is necessary for the project must be collected during recruitment. The client is not allowed to collect extra data just in case they need it at some future point. The participant should be advised that they will not be contacted for any other reason than for the purpose of that particular research project.


As you call through a list you should annotate it after each call. Clients are not allowed to use market and social research recruitment as an opportunity to update their records. In practice this means that you should record information relevant to the call but not expand upon it. For instance you should record if you find out that someone has died; if someone has moved  house you should record “no longer at this address” but you cannot provide details of the new address. It is the responsibility of data controllers to collect up-to-date customer information, using any data screening protocols which they may have in place.


Clients can request that you report details of specific complaints or dissatisfactions for investigation. Participants must first give consent for feedback to be passed to the client before the information can be given to the client.


It is advisable that you have a standard list of annotations that you can use on a list and always keep to that format e.g. not at this address, declined to be interviewed, interviewed but didn’t fit criteria, no answer, telephone number not recognised, recruited etc. Then the list can easily be sorted and the client updated with how many people have been contacted and what the results of that contact were. You cannot give clients the individual names of people who have refused to participate or didn’t fit the criteria for a project. You can only give the numbers e.g. -   10 not at this address, 9 declined to be interviewed, 8 didn’t fit the criteria etc.


You cannot retain any data for your own use e.g. adding client customer names to your own database.


Client databases can contain very sensitive information so always make sure that you identify the person you are talking to. It is advisable not to leave messages that can be picked up by others e.g. “Message for Sue. If you are interested in doing market research about your Swiss bank account please ring this number”.