This APP code was registered on 1 March 2021.

The Association of Market and Social Research Organisations (AMSRO) is now known as the Australian Data and Insights Association (ADIA). All references to AMSRO in the code should be construed as a reference to ADIA.

Part 1: Preliminary

1  Name

This APP code is the Privacy (Market and Social Research) Code 2021. This APP code may also be cited as the Market and Social Research Privacy Code.

2  Commencement

This APP code commences on 22 March 2021. The Privacy (Market and Social Research) Code 2014 will cease to operate when this APP code comes into force.

3  Authority

This APP code is a ‘registered APP code’ under s 26B(1) of the Privacy Act, and a legislative instrument, once it is included on the Code Register kept under subsection 26U(1) of that Act and is in force. This APP code has been developed under subsection 26E(1) of the Privacy Act.

Preamble

The Association of Market and Social Research Organisations (AMSRO) is the national industry body of market and social research, data and insights organisations. AMSRO’s primary objective is to protect and promote the research, data and insights sector so that this sector can continue its important contribution to Australia’s economic, social and political wellbeing. In AMSRO’s view, the long-term success of the sector depends upon the willing cooperation of the public and business community, which is based upon confidence that the work of the sector is carried out honestly, objectively and without unwelcome intrusion or disadvantage to participants.

AMSRO decided on its own initiative to develop this APP code under Part IIIB of the Privacy Act.

The provisions of this Code seek to give effect to the APPs in a manner that is tailored to the research context, while providing the public and business community with the assurances needed to encourage informed and willing participation in market and social research activities.

This Code imposes some additional requirements to the requirements of the APPs. These obligations reflect the fact that participation by research subjects in market and social research as carried out by AMSRO members is always voluntary; that market and social researchers are generally not interested in making use of the identity of research participants and that they use and disclose the information collected only for research purposes.

4  Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

5  Definitions

Note: A number of expressions used in this instrument are defined in s 6(1) of the Privacy Act, including, but not limited to, the following:

  • APP code
  • APP entity
  • consent
  • personal information
  • sensitive information

In this APP code:

‘Breach of this Code’ means a breach of any obligation on Research Organisations under Part 2 and Part 5 of this Code (also taking account of the definitions in this section).

‘Client’ means an organisation, agency etc. that requests, commissions or subscribes to a given Market and Social Research project; i.e. the ultimate beneficiary of the research findings.

The ‘Code Administrator’ is AMSRO (see subsection 22(1)).

‘Collection of identifiable research information’ means gathering, acquiring or obtaining ‘identifiable research information’ from any source, by any means, for inclusion in a record.

‘Commissioner’ means the person who has functions and powers under the Privacy Act.

‘Contact details’ means a record of identifying information such as names, companies, position titles, addresses and phone numbers, collected and retained in order to contact individuals in a research sample.

‘De-identification’ means a process of ensuring that identifiable research information is rendered permanently non-identifiable, i.e. without retaining a means by which the information could be reasonably re-identified.

‘Direct marketing’ involves the use and/or disclosure of identifiable research information to communicate directly with an individual to promote goods and services, whether through voice communications, electronic messaging, mail, email, social media channels or online or mobile advertising.

‘Disclosure of identifiable research information’ means ‘identifiable research information’ becoming known outside an organisation, whether or not it is physically or electronically released or transferred (e.g. including by telling, showing or displaying to another person). Disclosure may be deliberate, or inadvertent (such as a data breach). In assessing whether an individual is reasonably identifiable, regard is to be had to all information reasonably available to an entity, such as other data points and data sources that might be used to infer or confirm the identity of a purportedly non-identifiable person. Accordingly, although information as disclosed by an organisation may not appear to be identifying of any individual, that information may be personal information about an identifiable individual when in the hands of a recipient (even if the information was otherwise not personal information about an individual when in the hands of a discloser). In this circumstance the disclosing entity must treat the disclosure as a disclosure of personal information about an individual, even though the individual is not identified within the information disclosed.

‘Genuine research concerns’ means circumstances where the Research Organisation has valid reasons to expect that the purpose of the ‘Market and Social Research’ exercise would otherwise be defeated.

‘Identifiable research information’ means personal information about survey participants, respondents or subjects to which this Code applies. It includes ‘contact details’, ‘research status’ and ‘research data’. It does not include unsolicited information.

‘Market and Social Research’ means consent-based investigation of the behaviour, needs, attitudes, opinions, motivations or other characteristics of a whole population or a particular part of a population, in order to provide accurate and timely information to clients (government, commercial and not-for-profit organisations) about issues relevant to their activities, to support their decision-making processes.

‘Research data’ means a record of the responses provided by individuals participating in Market and Social Research at the time of collection in order to obtain a representation of a population’s or sub-population’s behaviour, needs, attitudes, opinions and motivations at a given point in time.

‘Research information privacy policy’ means the APP policy that a Research Organisation develops, maintains and publishes to comply with APP 1 in relation to identifiable research information.

‘Research Organisation’ means an organisation (or that part of an organisation) that is a member of AMSRO and that carries out, or acts as a consultant or subcontractor in relation to, Market and Social Research, or offers its services or the services of others to do so.

‘Research Purpose’ means the handling of information in order to carry out any function considered essential to the conduct of a Market and Social Research project or communication of the results of a Market and Social Research project.

‘Research status’ means information in relation to whether or not an individual has been contacted or has participated in a ‘Market and Social Research’ exercise but does not include research data.

‘Research subject’ means an individual about whom identifiable research information is collected in the course of ‘Market and Social Research’. Research subjects may be referred to as participants or respondents and may include another individual about whom a subject is providing information.

‘Unsolicited information’ means identifiable research information that a research organisation has taken no active steps to collect.

6  Objectives

The aims of this code include:

  1. to set out how the Australian Privacy Principles (APPs) in the Privacy Act are to be applied and complied with by AMSRO members in the conduct of market and social research;
  2. to facilitate the protection of research information about identifiable individuals being the participants or subjects of market and social research as provided by, or held in relation to, those participants or those subjects; and
  3. to enable quality research to be carried out, so as to provide accurate information to government, commercial and not-for-profit organisations to support their decision-making processes.

7  Entities bound by this APP code

All members of the Association of Market and Social Research Organisations ABN 20 107 667 398 that are organisations covered by the Privacy Act (including because they have opted in under s 6EA of that Act) are bound by this APP code. If an organisation covered by the Privacy Act ceases to be a member of AMSRO, it remains liable under this APP code for acts and practices that breached this APP code and that occurred while it was an AMSRO member.

8  Eligibility and coverage

1 Subscription to this Code is a requirement of AMSRO membership, regardless of a research organisation’s size or annual turnover. A current list of AMSRO members, and therefore of APP entities bound by this Code, is maintained at http://www.amsro.com.au.

2 Organisations that are not members of AMSRO are not eligible to subscribe to this Code.

3 Eligibility for AMSRO membership is open to research organisations provided that the research organisation meets and complies with AMSRO’s Articles of Association.

4 AMSRO membership, and thus subscription to this Code, is voluntary. However, this Code is binding on those research organisations that are AMSRO members.

5 Any personal information about individuals that is handled by AMSRO members outside the context of market and social research, such as marketing lists and contact details for clients and service providers, and staff recruitment records, is not subject to this Code but will be governed by the Privacy Act.

Part 2: How the Australian Privacy Principles apply to market and social research

Transparency of management

9  Australian Privacy Principle 1: Open and transparent management of personal information (as customised for the purposes of this Code)

1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.

Compliance with the Australian Privacy Principles

2 When handling identifiable research information, Research Organisations must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the Research Organisation’s functions or activities that:

  1. will ensure that the Research Organisation complies with the Australian Privacy Principles and this Code; and
  2. will enable the Research Organisation to deal with inquiries or complaints from individuals about the Research Organisation’s compliance with this Code.

APP Privacy Policy

3 A Research Organisation must have a clearly expressed and up-to-date research information privacy policy about the management of identifiable research information by the Organisation.

4 Without limiting subsection 9(3), the research information privacy policy must contain the following information:

  1. the kinds of identifiable research information that the organisation collects and holds;
  2. how the organisation collects and holds identifiable research information;
  3. the research purposes for which the organisation collects, holds, uses and discloses identifiable research information;
  4. how an individual may access identifiable research information about the individual that is held by the organisation and seek correction of such information;
  5. how an individual may complain about a breach of this Code, and how the organisation will deal with such a complaint;
  6. whether the organisation is likely to disclose identifiable research information to overseas recipients;
  7. if the organisation is likely to disclose identifiable research information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Availability of privacy policy

5 A Research Organisation must take such steps as are reasonable in the circumstances to make its research information privacy policy available:

  1. free of charge; and
  2. in such form as is appropriate.

6 If a person or body requests a copy of the research information privacy policy of a Research Organisation in a particular form, the organisation must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

10  Australian Privacy Principle 2: Anonymity and pseudonymity (as customised for the purposes of this Code)

1 Individuals must have the option of not identifying themselves or of using a pseudonym, when dealing with a Research Organisation in the context of Market and Social Research.

2 Subsection 10(1) does not apply if, in relation to that matter:

  1. the Research Organisation is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
  2. it is impracticable for the Research Organisation to deal with individuals who have not identified themselves or who have used a pseudonym.

Collection of personal information

11  Australian Privacy Principle 3: Collection of solicited personal information (as customised for the purposes of this code)

Personal information other than sensitive information

1 In the conduct of Market and Social Research, a Research Organisation must not collect identifiable research information (other than sensitive information) unless the information is reasonably necessary for that research.

Sensitive information

2 A Research Organisation may only collect sensitive information (whether from an individual or from a third party) where the individual has consented and the information is reasonably necessary for a research purpose, or if the collection is required by Australian law or a court/tribunal order.

Means of collection

3 In the conduct of Market and Social Research, a Research Organisation must collect identifiable research information only by lawful and fair means.

4 In the conduct of Market and Social Research, a Research Organisation must collect identifiable research information about an individual only from the individual unless it is unreasonable or impracticable to do so.

Solicited personal information

5 This principle applies to the collection of identifiable research information that is solicited by a Research Organisation.

12  Australian Privacy Principle 4: Dealing with unsolicited personal information (as customised for the purposes of this Code)

1 If:

  1. a Research Organisation receives identifiable research information; and
  2. the Research Organisation did not solicit the information;

the Research Organisation must, within a reasonable period after receiving the information, determine whether or not the Research Organisation could have collected the information under APP 3 if the Research Organisation had solicited the information.

2 The Research Organisation may use or disclose the identifiable research information for the purposes of making the determination under subsection 12(1).

3 If the Research Organisation determines that it could not have collected the identifiable research information, it must, as soon as practicable, but only if it is lawful and reasonable to do so, destroy the information or ensure that it is de-identified.

4 If subsection 12(3) does not apply in relation to the identifiable research information, APPs 5 to 13 apply in relation to the information as if the Research Organisation had collected the information under APP 3.

13  Australian Privacy Principle 5: Notification of the collection of personal information (as customised for the purposes of this Code)

1 At or before the time or, if that is not practicable, as soon as practicable after, a Research Organisation collects identifiable research information about an individual, the organisation must take such steps (if any) as are reasonable in the circumstances:

  1. to notify the individual of such matters referred to in subsection 13(2) as are reasonable in the circumstances; or
  2. to otherwise ensure that the individual is aware of any such matters.

2 The matters for the purposes of subsection 13(1) are as follows:

  1. the identity and contact details of the Research Organisation;
  2. if:
    • i. the Research Organisation collects the identifiable research information from someone other than the individual; or
    • ii. the individual may not be aware that the Research Organisation has collected the identifiable research information;
    the fact that the Research Organisation so collects, or has collected, the identifiable research information and the circumstances of that collection;
  3. the purposes for which the Research Organisation collects the identifiable research information;
  4. the main consequences (if any) for the individual if all or some of the identifiable research information is not collected by the Research Organisation;
  5. any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the Research Organisation usually discloses identifiable research information of the kind collected by the Research Organisation;
  6. that the research information privacy policy of the Research Organisation contains information about how the individual may access the identifiable research information about the individual that is held by the entity and seek the correction of such information;
  7. that the research information privacy policy of the Research Organisation contains information about how the individual may complain about a breach of this Code, and how the entity will deal with such a complaint;
  8. whether the Research Organisation is likely to disclose the identifiable research information to overseas recipients;
  9. if the Research Organisation is likely to disclose the identifiable research information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

13A  Additional requirement: matters of which respondents should be made aware – sources of information and identity of client

1 Research Organisations must disclose the source of the research sample (e.g. customer information, information collected by researchers, publicly available lists such as a telephone directory or electoral roll, random digit dialling, door knocking), no later than the end of the collection of information, except where the Research Organisation and client have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action).

2 Research Organisations must disclose the identity of the client, unprompted, no later than the end of the collection of information, except where the Research Organisation and client have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action).

Dealing with personal information

14  Australian Privacy Principle 6: Use or disclosure of personal information (as customised for the purposes of this Code)

Use or disclosure

1 If a Research Organisation holds identifiable research information about an individual that was collected for a particular purpose (the primary purpose), the Organisation must not use or disclose the information for another purpose (the secondary purpose) unless:

  1. the individual has consented;
  2. the use or disclosure of the information is required or authorised by or under an Australian law or court/tribunal order;
  3. it is unreasonable or impracticable to obtain the individual’s consent to the use or disclosure; and the Research Organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
  4. the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the Organisation’s functions or activities has been, is being or may be engaged in; and the Organisation reasonably believes that the collection, use or disclosure is necessary in order for the Organisation to take appropriate action in relation to the matter; or
  5. the Research Organisation reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf, of an enforcement body.

Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.

14A  Additional requirement: research use and disclosure

Re-use of identifiable research information for subsequent research

1 A Research Organisation may use identifiable research information for a research purpose provided that:

  1. if re-contact of an individual who initially declined to participate is involved, the Research Organisation and client have genuine research concerns that warrant such re-contact; and
  2. if re-contact of an individual who has participated in a research exercise is involved:
    • i. the individual was informed of this likelihood at the time the information was collected, except where the research and client organisations have reasonable grounds to decide that there are ‘genuine research concerns’ that justify not so notifying; or
    • ii. any individual who, at the time of collection, indicated a wish not to be re-contacted for research purposes is excluded unless the research and client organisations have reasonable grounds to decide that there are ‘genuine research concerns’ that warrant the individual’s inclusion.

Disclosure of personal information for research

2 A Research Organisation may disclose identifiable research information provided that:

  1. the disclosure is necessary for a research purpose; and
  2. only that part of the information considered necessary for this research purpose is disclosed; and
  3. if this research purpose could be achieved using de-identified information, the information is de-identified before being disclosed; and
  4. where the recipient is the client, the consent of all individuals who could be identifiable has been obtained, except where the personal information being disclosed to the client concerns individuals’ research status. In this case:
    • i. the Research Organisation should take reasonable steps to ensure that the information concerning individuals’ research status cannot be linked to individuals’ research data about those individuals; and
    • ii. the Research Organisation should obtain the client’s agreement to restrict use of the information concerning individuals’ research status only for the specific purpose of regulating the frequency of contacts of individuals in the client’s subsequent research.

3 If subsection 16B(2) of the Privacy Act applies in relation to the collection of the identifiable research information by the Research Organisation, it must take such steps as are reasonable in the circumstances to ensure that the information is de‑identified before the Organisation discloses it in accordance with subsection 14(1).

Written note of use or disclosure

4 If a Research Organisation uses or discloses identifiable research information in accordance with paragraph 14(1)(e) (item 5 of subsection 14(1)), the Organisation must make a written note of the use or disclosure.

Related bodies corporate

5 If a Research Organisation is a body corporate and it collects identifiable research information from a related body corporate, this principle applies as if the Research Organisation’s primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

Exceptions

6 This principle does not apply to the use or disclosure by a Research Organisation of:

  1. identifiable research information for the purpose of direct marketing; or
  2. government related identifiers.

15  Australian Privacy Principle 7: Direct marketing (as customised for the purposes of this Code)

If a Research Organisation holds identifiable research information about an individual, the Research Organisation must not use or disclose the information for the purpose of direct marketing.

16  Australian Privacy Principle 8: Cross-border disclosure of personal information (as customised for the purposes of this Code)

1 Before a Research Organisation discloses identifiable research information about an individual to a person (the ‘overseas recipient’):

  1. who is not in Australia or an external Territory, and
  2. who is not the Research Organisation itself or the individual,

the Research Organisation must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.

2 Subsection 16(1) does not apply to the disclosure of identifiable research information about an individual by a Research Organisation to the overseas recipient if:

  1. the Research Organisation reasonably believes that:
    • i. the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
    • ii. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
  2. both of the following apply:
    • i. the Research Organisation expressly informs the individual that if he or she consents to the disclosure of the information, subsection 16(1) will not apply to the disclosure;
    • ii. after being so informed, the individual consents to the disclosure; or
  3. the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  4. a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Privacy Act) exists in relation to the disclosure of the information by the Research Organisation.

Note: For ‘permitted general situations’, see section 16A of the Privacy Act.

17  Australian Privacy Principle 9: Adoption, use or disclosure of government related identifiers (as customised for the purposes of this Code)

Adoption of government related identifiers

1 A Research Organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:

  1. the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or
  2. subsection 17(3) (APP 9.3) applies in relation to the adoption.

Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A of the Privacy Act.

Use or disclosure of government related identifiers

2 A Research Organisation must not use or disclose a government related identifier of an individual unless:

  1. the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or
  2. the use or disclosure is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or
  3. the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
  4. a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Privacy Act) exists in relation to the use or disclosure of the identifier; or
  5. the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  6. subsection 17(3) (APP 9.3) applies in relation to the use or disclosure.

Note 1:  An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A of the Privacy Act.

Note 2:  For ‘permitted general situations’, see section 16A of the Privacy Act.

Regulations about adoption, use or disclosure

3 This section applies in relation to the adoption, use or disclosure by a Research Organisation of a government related identifier of an individual if:

  1. the identifier is prescribed by the regulations; and
  2. the Research Organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and
  3. the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.

Note: There are prerequisites that must be satisfied before the matters mentioned in this section are prescribed, see subsections 100(2) and (3) of the Privacy Act.

Integrity of personal information

18  Australian Privacy Principle 10: Quality of personal information (as customised for the purposes of this Code)

1 A Research Organisation must take such steps (if any) as are reasonable in the circumstances to ensure that the identifiable research information that the Research Organisation collects is accurate, up‑to‑date and complete.

2 A Research Organisation must take such steps (if any) as are reasonable in the circumstances to ensure that the identifiable research information that the Research Organisation uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant.

Security of personal information

19  Australian Privacy Principle 11: Security of personal information (as customised for the purposes of this Code)

1 If a Research Organisation holds identifiable research information, the Research Organisation must take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

2 If:

  1. a Research Organisation holds identifiable research information about an individual; and
  2. the Research Organisation no longer needs the information for any purpose for which the information may be used or disclosed by the Research Organisation under this Code; and
  3. the information is not contained in a Commonwealth record; and
  4. the Research Organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the Research Organisation must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de‑identified.

19A  Additional requirement: retention and disposal

1 A Research Organisation must retain identifiable research information only while the details of the identity of the individual whom the information is about continue to be necessary to be retained for research purposes. The information must be destroyed or de-identified once these purposes have been achieved. Where identifiable research information has been returned to a third party (in accordance with APP 6) any copies, including archived copies, must be destroyed or de-identified.

2 If a Research Organisation wishes to de-identify identifiable research information that exists in a physical form that makes de-identification impracticable (e.g. on paper), the information must be moved to another medium, de-identified, and the physical records then destroyed.

3 Where it is necessary to retain identifiable research information, identifying (contact) details must, if practicable, be stored separately from other information (research status and research data), with measures in place (e.g. by the use of an encrypted intervening variable) to ensure the identity of the individuals cannot be readily revealed from the other information.

(4) A Research Organisation must take reasonable steps to ensure that any identifiable research information that it discloses:

  (a) will only be retained, used or disclosed by the recipient of the information in a manner that is consistent with this Code; and
  (b) will be protected by the recipient from misuse, interference and loss and from unauthorised access, modification, use and disclosure; and
  (c) will only be used or disclosed by the recipient for a specified limited purpose and will be destroyed or de-identified once this purpose has been achieved. Where identifiable research information has been returned by the recipient to a third party (in accordance with APP 6) any copies, including archived copies, must be destroyed or de-identified.

(5) A Research Organisation may disclose de-identified information freely, provided that there is no reasonable likelihood that the disclosed information could be used to identify one or more of the individuals who participated in the research, such as where the pattern of answers could reveal their identity.
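Subsection 19A(3) calls for identifying (contact) details to be held apart from research data, joined only through an encrypted intervening variable. The following is an added illustration, not part of the Code and not any AMSRO/ADIA system, of one way to build that separation with the Python standard library: the link between the two stores is a keyed HMAC token, the key is held separately from both stores, and de-identification is achieved either for one participant by discarding that person's contact details (as a 21A request would require) or for a whole project by destroying the key (19A(1)); all participant ids, contact details and answers below are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ContactStore:
    """Identifying (contact) details only, keyed by an internal participant id."""
    contacts: dict = field(default_factory=dict)


@dataclass
class ResearchStore:
    """Research status and answers only, keyed by an opaque link token."""
    records: dict = field(default_factory=dict)


class LinkKey:
    """The secret behind the 'encrypted intervening variable' (hypothetical design).

    Held apart from both stores. Nobody holding only the research records can
    compute which token belongs to which person without this key.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def token(self, participant_id: str) -> str:
        if self._key is None:
            raise RuntimeError("link key destroyed; records are de-identified")
        return hmac.new(self._key, participant_id.encode(), hashlib.sha256).hexdigest()

    def destroy(self) -> None:
        """19A(1): once research purposes are achieved, sever every link at once."""
        self._key = None


def enrol(contacts, research, key, participant_id, contact, answers):
    """Record a participant so that neither store on its own identifies anyone."""
    contacts.contacts[participant_id] = contact
    research.records[key.token(participant_id)] = {"status": "complete", "answers": answers}


def re_identify(contacts, research, key, participant_id):
    """Joining a person to their answers needs all three: contacts, data and key."""
    if participant_id not in contacts.contacts:
        return None
    return research.records.get(key.token(participant_id))


def deidentify_on_request(contacts, participant_id):
    """21A: drop one person's identifying details; their answers remain but are unlinkable."""
    return contacts.contacts.pop(participant_id, None) is not None


def is_identifiable(contacts, key, token):
    """True while some retained contact entry still maps to this research token.

    This checks the link only; under 19A(5) the answers themselves may still
    reveal identity if the pattern of responses is distinctive.
    """
    try:
        return any(key.token(pid) == token for pid in contacts.contacts)
    except RuntimeError:
        return False
```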

Access to, and correction of, personal information

20  Australian Privacy Principle 12: Access to personal information (as customised for the purposes of this Code)

Access

(1) If a Research Organisation holds identifiable research information about an individual, the Research Organisation must, on request by the individual, give the individual access to the information.

Exception to access

(2) Despite subsection 12.1, a Research Organisation is not required to give the individual access to the identifiable research information to the extent that:

  (a) the Research Organisation reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
  (b) giving access would have an unreasonable impact on the privacy of other individuals; or
  (c) the request for access is frivolous or vexatious; or
  (d) the information relates to existing or anticipated legal proceedings between the Research Organisation and the individual, and would not be accessible by the process of discovery in those proceedings; or
  (e) giving access would reveal the intentions of the Research Organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  (f) giving access would be unlawful; or
  (g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
  (h) both of the following apply:
    (i) the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the Research Organisation’s functions or activities has been, is being or may be engaged in;
    (ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  (i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  (j) giving access would reveal evaluative information generated within the Research Organisation in connection with a commercially sensitive decision‑making process.

Dealing with requests for access

(3) The Research Organisation must:

  (a) respond to the request for access to the identifiable research information within a reasonable period after the request is made; and
  (b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

Other means of access

(4) If the Research Organisation refuses:

  (a) to give access to the personal information because of subsection 20(2); or
  (b) to give access in the manner requested by the individual;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the Research Organisation and the individual.

(5) Without limiting subsection 20(4), access may be given through the use of a mutually agreed intermediary.

Access charges

(6) If the Research Organisation charges the individual for giving access to the identifiable research information, the charge must not be excessive and must not apply to the making of the request.

Refusal to give access

(7) If the Research Organisation refuses to give access to the identifiable research information because of subsection 20(2), or to give access in the manner requested by the individual, the Research Organisation must give the individual a written notice that sets out:

  (a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
  (b) the mechanisms available to complain about the refusal; and
  (c) any other matter prescribed by the regulations.

(8) If the Research Organisation refuses to give access to the personal information because of paragraph 20(2)(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.

21  Australian Privacy Principle 13: Correction of personal information (as customised for the purposes of this Code)

Correction

(1) If:

  (a) a Research Organisation holds identifiable research information about an individual; and
  (b) either:
    (i) the Research Organisation is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading; or
    (ii) the individual requests the entity to correct the information;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up‑to‑date, complete, relevant and not misleading.

Notification of correction to third parties

(2) If:

  (a) the Research Organisation corrects personal information about an individual that the Research Organisation previously disclosed to another APP entity; and
  (b) the individual requests the Research Organisation to notify the other APP entity of the correction;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Refusal to correct information

(3) If the Research Organisation refuses to correct the identifiable research information as requested by the individual, the Research Organisation must give the individual a written notice that sets out:

  (a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and
  (b) the mechanisms available to complain about the refusal; and
  (c) any other matter prescribed by the regulations.

Request to associate a statement

(4) If:

  (a) the Research Organisation refuses to correct the identifiable research information as requested by the individual; and
  (b) the individual requests the Research Organisation to associate with the information a statement that the information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading;

the Research Organisation must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

Dealing with requests

(5) If a request is made under subsection 21(1) or 21(4), the Research Organisation:

  (a) must respond to the request within a reasonable period after the request is made; and
  (b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

21A  Additional requirement: destruction or de-identification on request

(1) A Research Organisation must accept and act on requests for identifiable research information to be destroyed or de-identified, except in the following circumstances:

  (a) the request is frivolous or vexatious; or
  (b) destruction, deletion or de-identification would have an unreasonable impact upon the privacy of other individuals; or
  (c) the organisation reasonably believes that destroying, deleting or de-identifying the information would pose a serious threat to the life, health or safety of any individual or to public health or public safety; or
  (d) destroying, deleting or de-identifying the information would reveal the intentions of the research organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  (e) destroying, deleting or de-identifying the information would be unlawful; or
  (f) retaining the identifiable information is required or authorised by or under an Australian law or a court/tribunal order; or
  (g) the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in, and destroying, deleting or de-identifying the information would be likely to prejudice the taking of appropriate action in relation to the matter; or
  (h) destroying, deleting or de-identifying the information would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body; or
  (i) the Research Organisation is contractually obliged to retain the identifiable research information.

Part 3: Governance

22 Code Administrator

(1) The Code Administrator for this Code is AMSRO. In practice, this Code is administered by the AMSRO Secretariat, under direction of the AMSRO Board.

(2) AMSRO will fund the administration of this Code in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of those tasks described in section 23.

23 Tasks of the Code Administrator

(1) In administering this Code, the AMSRO Secretariat will perform the following tasks:

  (a) maintain an accurate and up‑to‑date online list of AMSRO members, which doubles as a public register of research organisations which are bound by this Code;
  (b) commission periodic reviews of this Code in accordance with Part 4;
  (c) produce a written response to a report resulting from an independent code review;
  (d) consider the need for any variation of this Code, and make any consequent applications;
  (e) monitor and report on compliance with this Code (see Part 5);
  (f) make available on the AMSRO website the following:
    (i) information about this Code;
    (ii) a copy of the most current version of this Code;
    (iii) contact details for the Code Administrator;
    (iv) information about making complaints in relation to matters contained in this Code;
    (v) the annual report on the operation of this Code required under Part 5;
    (vi) a link to the website of the Commissioner;
    (vii) any other information that the Code Administrator considers relevant to the efficient functioning of this Code;
  (g) perform such other tasks as the AMSRO Board considers necessary or desirable for the effective operation of this Code, including but not limited to the establishment and management of a formal complaints handling process relating to alleged breaches of this Code;
  (h) in relation to paragraphs 23(1)(a)-(e), the Administrator will be assisted and advised by AMSRO’s Privacy Compliance Committee.

(2) AMSRO has established a Privacy Compliance Committee, comprising an independent chair, at least two industry representatives and one consumer representative, which meets at least twice a year.

(3) The Privacy Compliance Committee terms of reference include the following functions relevant to this Code:

“To make recommendations on matters including, but not limited to:

1) the Code Reviewer’s recommendations concerning streamlining industry Guidelines to clarify how they work in conjunction with the Code;

2) the Code Reviewer’s recommendations concerning implementing an explicit privacy component into industry quality audits;

3) Industry awareness/education regarding privacy issues, including information sheets, FAQs and best practice;

7) Systemic issues arising from privacy complaints.”

(4) The Privacy Compliance Committee will advise the Code Administrator about the timing and conduct of the periodic independent review of this Code under Part 4.

(5) The Privacy Compliance Committee may be required by the Code Administrator to participate in any formal complaints handling process that might be established by the Code Administrator relating to addressing alleged breaches of this Code.

Part 4: Review

24 Independent Code Review

(1) This Code is subject to periodic independent review by a reviewer to be appointed by the AMSRO Board for each review.

(2) The purpose of Code reviews is to ensure that this Code is meeting its objectives and remains effective and relevant.

(3) There will be a review of this Code at least every five years, but the Code Administrator may commission a review at any time, for example if regular monitoring indicates a lack of compliance with this Code or if the Code Administrator becomes aware of systemic issues that would justify a review.

(4) The terms of reference for each review will be drawn up by the Code Administrator in consultation with the Privacy Compliance Committee.

(5) Each review will be funded by AMSRO in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of the review.

(6) Reports of the independent code review will include recommendations for any amendments to this Code that are considered necessary or desirable for the effective operation of this Code.

25 Consultation

In conducting an independent review, the Code Administrator will notify the Commissioner of the review, and the Independent Code Reviewer will seek the views of the Commissioner, government agencies, industry representatives, consumer representatives, the general public and other persons or bodies as appropriate in Australia and internationally, regarding the operation of this Code and in relation to suitable revisions and amendments.

26 Reporting following an Independent Code Review

(1) The report of the Independent Code Reviewer shall be made publicly available online and shall outline the issues raised by the review and the findings of the review.

(2) The report shall be accompanied by a response from the Code Administrator, outlining the actions taken, or that will be taken, by the Code Administrator and/or the research organisations bound by this Code to address issues identified by the review.

27 Variation of the Code

(1) Following a recommendation of an Independent Code Review, or for any other reason, the Code Administrator may apply to the Commissioner for variation of the Code.

(2) Any such application would follow the process set out in the Act and guidance issued by the Commissioner.

Part 5: Monitoring and reporting

28 Monitoring and reporting

(1) Research Organisations must report annually, by 31 August, to the Code Administrator, on the number, nature and outcomes of any complaints received about Breaches of this Code.

(2) Research Organisations must report systemic issues in relation to their compliance with this Code, or serious and repeated Breaches of this Code, to the Commissioner as soon as they become aware of them.

(3) Research Organisations must notify eligible data breaches to the Australian Information Commissioner and otherwise comply with the eligible data breach requirements of the Privacy Act. Research Organisations should also inform the Code Administrator of any notification of an eligible data breach as provided to the Australian Information Commissioner, and of any reasonably likely or actual serious data breach (whether or not a notifiable eligible data breach) that demonstrates a significant vulnerability of other Research Organisations in the handling of identifiable research information that might reasonably be expected to be mitigated by appropriate action taken by Research Organisations generally.

(4) Research Organisations must handle enquiries and complaints received from individuals as to the handling of identifiable research information about those individuals courteously, promptly and efficiently. Research Organisations should establish reliable processes and procedures for handling enquiries and complaints received from individuals as to the handling of identifiable research information, including by taking reasonable steps to address special needs and requirements of individuals with disabilities or particular vulnerabilities. In general, responses should be provided within 30 days.

(5) The Code Administrator will monitor compliance by research organisations with this Code and will investigate serious and repeated breaches and systemic issues about code compliance.

(6) The Code Administrator will publish an Annual Report on the operation of this Code and make it available both to the Commissioner and publicly, including online. Before finalising and publishing the Annual Report, the Code Administrator will conduct an annual feedback review by making enquiries of research organisations in relation to issues or concerns that research organisations have experienced in relation to or within the scope of operation of this Code during the year in review, including complaints or other concerns of any individual raised with a research organisation in relation to or within the scope of operation of this Code during the year in review, and will consider any responses of research organisations in relation to such matters. The Annual Report will include a summary of complaints handled by Research Organisations and reported to the Code Administrator under subsection 28(1).

(7) The Code Administrator will report systemic issues or serious and repeated breaches of this Code to the Commissioner as soon as it becomes aware of them.

29 Improper conduct

(1) If a Research Organisation subject to this Code acts in a manner that, in the AMSRO Board’s opinion, constitutes seriously improper conduct in relation to this Code, the AMSRO Board shall direct the Code Administrator to notify the Research Organisation of the conduct.

(2) Within 7 business days of receipt of notification by the Code Administrator of an opinion by the AMSRO Board concerning seriously improper conduct by the Research Organisation, the Research Organisation must:

  (a) take all reasonable steps to rectify the seriously improper conduct; and
  (b) notify the Code Administrator of the steps taken to rectify the seriously improper conduct.

(3) If the Research Organisation fails to adequately comply with paragraph 29(2)(a) then the AMSRO Board will issue a final notice requiring the Research Organisation to rectify the seriously improper conduct within 7 business days.

(4) Where the AMSRO Board is satisfied that seriously improper conduct has occurred in relation to this Code, AMSRO may take such remedial action against the Research Organisation as is permitted under its Rules of Association and/or terms of membership, as varied from time to time, including suspension or expulsion.

(5) These misconduct provisions operate independently of the complaint provisions of the Privacy Act and the enforcement role of the Commissioner.

Schedule 1: Repeals

Privacy (Market and Social Research) Code 2014

1  The whole of the instrument

Repeal the instrument