High‑quality client feedback interviews often contain valuable commercial insight, views on service delivery, what worked well, and what could be improved next time. Occasionally, however, feedback may include sensitive observations about individuals. This raises an important question: how should such information be handled responsibly?
Managing feedback with discretion and confidentiality
It is essential that all client feedback is managed with discretion and confidentiality. At Acuigen and most of our clients, client interviews are normally undertaken on the basis that the client’s views are reported in an attributable manner. As a result, client comments are treated as personal data, and decisions about how feedback is handled must comply with data protection requirements, including the UK GDPR.
Informed consent is fundamental
Most importantly, the client being interviewed must be able to make an informed decision about the information they provide, knowing how it will be used before they share it. When undertaking client feedback interviews, you must therefore ensure that consent to use the feedback is properly recorded. In practice, consent is often obtained at the start of the interview and reconfirmed at the end. It is also important that the consents requested have been carefully considered by the data controller for the client feedback project. This ensures the firm is permitted to use the information as intended. For example, has the client explicitly agreed that their comments may be followed up if potential business development opportunities are mentioned?
Collecting sensitive data
On occasion, clients may refer to personal data, personal opinions, or details relating to their individual circumstances. This may move a client feedback interview into a UK GDPR “special category” of personal data. Special category data requires additional safeguards because of its sensitive nature and may necessitate a further data protection or privacy impact assessment, depending on the context and intended use. While most client feedback is routine and commercial in nature, interviewers may sometimes need to seek guidance on how particularly sensitive content should be handled or reported within a firm.
Quarantining sensitive interviews
At Acuigen, we operate a post‑interview process known as “quarantine”. Where an interview contains particularly sensitive material, or where special handling may be required, the transcript can be quarantined before it is shared with the client’s project team. This ensures that the sponsor organisation is prepared to receive and respond to the feedback appropriately.
The sponsor of a client feedback programme will normally be the data controller for the information collected. It is their responsibility to ensure that appropriate governance and controls are in place to mitigate the risks associated with sensitive personal data.
Tips for interviewers
- Conduct interviews on the basis of voluntary, informed consent
- Clearly explain the consents sought at the outset of the interview, and remind interviewees that they may withdraw if appropriate
- When preparing interview reports or transcripts, include only information that is relevant and necessary for the purpose of the feedback programme
- If in doubt, discuss potentially sensitive content with the interviewee or the data controller
- Retain interview data only for as long as necessary (for example, consider how long recordings or notes are held on personal devices)
Key checks for data controllers
- Ensure that the permissions and consents sought from clients cover both current and future intended uses of the feedback, and comply with data protection legislation
- Recognise that special category content (for example, medical or highly personal information) will usually have a shorter useful life than other feedback, and may need to be redacted or deleted earlier
- Consider introducing a quarantine process for interviews that require careful handling
- Provide guidance to interviewers on redacting unnecessary sensitive comments that are not appropriate for wider circulation
- Although UK GDPR does not apply to the deceased, all related matters should still be handled sensitively and respectfully
- Within Europe, confirm that data protection notifications to the relevant authority (in the UK, the Information Commissioner’s Office) explicitly permit the processing of special category data
- Document the special categories of personal data being processed
- Consider undertaking a privacy impact assessment to evaluate risks and ensure that both controller and processor arrangements are robust, particularly in relation to data minimisation and information security
Continue the discussion
If you would like to understand client feedback processes in more depth, or are considering initiating or scaling a client feedback programme within your firm, please get in touch. Our team would be happy to share practical experience and discuss how we can support you.
This article is provided for general information only and does not constitute legal advice. References to GDPR are based on UK law. The UK Information Commissioner’s Office (ico.org.uk) provides further guidance on data protection matters. Please seek professional legal advice where required.