Publication date: December 2020

This APP code was in force from 28 November 2014 to 21 March 2021.

Preliminary

1.  Name of APP code

This APP code is the Privacy (Market and Social Research) Code 2014.

2. Commencement

This APP code comes into force under the Privacy Act 1988 when it is included on the Codes Register kept under s 26U(1) of that Act and will remain in force until it is repealed.

3.  Authority

This APP code is a 'registered APP code' under s 26B(1) of the Privacy Act, and a legislative instrument, once it is included on the Codes Register kept under subsection 26U(1) of that Act and is in force.

4.  Entities bound by this APP code

All full and associate members of the Association of Market and Social Research Organisations (ABN: 20 107 667 398) who are an organisation covered by the Privacy Act (including because they have opted-in under s 6EA of that Act) are bound by this APP Code. If an organisation covered by the Privacy Act ceases to be a member of AMSRO they will still be liable under this APP code for acts and practices that breach this APP code and that occurred while they were an AMSRO member.

A. Preamble

  1. The Association of Market and Social Research Organisations (AMSRO) is the national industry body of market and social research organisations. AMSRO's primary objective is to protect and promote the market and social research industry so that it can continue its important contribution to Australia's economic, social and political wellbeing. In AMSRO's view, the long-term success of market and social research depends upon the willing cooperation of the public and business community, which is based upon confidence that research is carried out honestly, objectively and without unwelcome intrusion or disadvantage to participants.

  2. AMSRO decided on its own initiative to develop this APP Code under Part IIIB of the Privacy Act. http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act

    This Code replaces the Market and Social Research Privacy Code under the previous Part IIIAA (the superseded Code), which has operated continuously since 2003 (that Code was amended in 2007).

  3. Unlike the superseded Code, this Code does not substitute a set of Market and Social Research Privacy Principles (MSRPP) for the default statutory principles. Instead, the main section of this Code (Part E) sets out how the Australian Privacy Principles (APPs) in the Privacy Act are to be applied and complied with by AMSRO members in relation to the collection, retention, use and disclosure of personal information about the subjects of and participants in market and social research (this is defined as 'identifiable research information). The subjects/participants are any individual about or from whom any information is sought, collected, retained, used and/or disclosed by a research organisation for the purposes of research (research subjects). The provisions of this Code seek to give effect to the APPs in a manner that is tailored to the research context, while providing the public and business community with the assurances needed to encourage informed and willing participation in market and social research activities. This Code acknowledges and draws on relevant Guidelines published by the Office of the Australian Information Commissioner.[1]

  4. This Code imposes some additional requirements, which were also in the superseded Code. These obligations reflect the fact that participation by research subjects in market and social research as carried out by AMSRO members is always voluntary; that market and social researchers are generally not interested in making use of the identity of research participants and that they use and disclose the information collected only for research purposes. In some cases, the additional obligations reflect the AMSRS[2] Code of Professional Behaviour (COPB) which is stricter than the APPs in some respects.

  5. In some cases, the editing of the APPs in Part E simply deletes wording that is not applicable; such as where it applies only to 'agencies', or where it governs practices, such as direct marketing, which are incompatible with market and social research as carried out by AMSRO and AMSRS members.

  6. It is not intended that this APP Code will cover acts and practices that are otherwise exempt under section 7B of the Privacy Act.

  7. This Code includes (under APP 1.2 in Part E and in Part H) obligations relating to the internal handling of complaints and referral to the Commissioner. It includes standardised provisions for the reporting of complaints to the Code Administrator and to the Commissioner. These are additional to the 'default' complaint handling provisions of the Privacy Act (Part V), which apply to any complaints about breaches of this Code.

  8. This Code is administered by the AMSRO Secretariat, under direction of the AMSRO Board[3]. It will remain in force whilst registered, but is subject to periodic independent review by an Independent Code Reviewer, appointed afresh for each review (see Part G).

  9. Significant penalties apply for breaches of the APPs. In the case of organisations found to have committed serious or repeated breaches, penalties can be up to $1.7 million as at the date of commencement of this Code (which comes into force under the Privacy Act when it is included on the Codes Register kept under 26U(1) of that Act.)

B. Objectives

  1. The aims of this Code include:

    1. To set out how the Australian Privacy Principles (APPs) in the Privacy Act are to be applied and complied with by AMSRO members in the conduct of market and social research;

    2. To facilitate the protection of identifiable research information provided by, or held in relation to, the participants or subjects of market and social research; and

    3. To enable quality research to be carried out, so as to provide accurate information to government, commercial and not for profit organisations to support their decision-making processes.

C. Eligibility and coverage [S26C(3)]

  1. Subscription to this Code is a requirement of AMSRO full and associate membership, regardless of a research organisation's size or annual turnover. A current list of AMSRO members, and therefore of APP entities bound by this Code, is maintained at http://www.amsro.com.au

  2. Non-members of AMSRO are not eligible to subscribe to this Code.

  3. Eligibility for AMSRO membership is open to research organisations provided that the research organisation meets and complies with AMSRO's Articles of Association.

  4. AMSRO membership, and thus subscription to this Code, is voluntary.  However, this Code is binding on those research organisations that are AMSRO Members.

  5. Any personal information handled by AMSRO members outside the context of market and social research (such as marketing lists and contact details for clients and service providers, and staff recruitment records) remains subject to the statutory APPs and not to this Code.

D. Terminology

Many terms used in this Code have their meaning defined in the Privacy Act.  Further explanation of some of those terms in the ‘Market and Social Research’ context is required, and the meaning of other key terms is also set out in this section:

‘Breach of this Code’ means a breach of any obligation on Research Organisations under Parts E and H of this Code (also taking account of the terminology in Part D).

‘Client’ means an organisation, agency etc. that requests, commissions or subscribes to a given ‘Market and Social Research’ project; i.e. the ultimate beneficiary of the research findings.

‘This Code’ means this Market and Social Research Privacy Code (an APP Code under the Privacy Act).

‘The Code Administrator’ is AMSRO (see F (a)).

‘Collection of identifiable research information’ means gathering, acquiring or obtaining ‘identifiable research information’ from any source, by any means, for inclusion in a record.

‘Commissioner’ means the person who has functions and powers under the Privacy Act 1988.

‘Contact details’ means a record of identifying information such as names, companies, position titles, addresses and phone numbers, collected and retained in order to contact individuals in a research sample.

‘De-identification’ means a process of ensuring that identifiable research information is rendered permanently non-identifiable, i.e. without retaining a means by which the information could be reasonably re-identified.

‘Disclosure of identifiable research information’ means allowing ‘identifiable research information’ to become known outside an organisation, whether or not it is physically or electronically released or transferred (e.g. including by telling, showing or displaying to another person).

‘Genuine research concerns’ means where the ‘Research Organisation’ has valid reasons to expect that the purpose of the ‘Market and Social Research’ exercise would otherwise be defeated.

‘Identifiable research information’ means personal information about survey participants, respondents or subjects to which this Code applies. It includes ‘contact details, research status and research data’. It does not include any unsolicited information.

‘Market and Social Research’ means consensual investigation of the behaviour, needs, attitudes, opinions, motivations or other characteristics of a whole population or a particular part of a population, in order to provide accurate and timely information to clients (government, commercial and not-for-profit organisations) about issues relevant to their activities, to support their decision-making processes.

‘Research data’ means a record of the responses provided by individuals participating in Market and Social Research at the time of collection in order to obtain a representation of a population's or sub-population's behaviour, needs, attitudes, opinions and motivations at a given point in time.

’Research information privacy policy‘ means the APP policy that a Research Organisation develops, maintains and publishes to comply with APP 1 in relation to identifiable research information.

‘Research Organisation’ means an organisation (or that part of an organisation) that is a member of AMSRO and that carries out, or acts as a consultant or subcontractor in relation to, Market and Social Research, or offers their services or the services of others to do so.

‘Research Purpose’ means the handling of information in order to carry out any function considered essential to the conduct of a Market and Social Research project or communication of the results of a Market and Social Research project.

‘Research status’ means information in relation to whether or not an individual has been contacted or has participated in a ‘Market and Social Research’ exercise, but does not include research data.

’Research subject’ means an individual about whom identifiable research information is collected in the course of ‘Market and Social Research’.  Research subjects may be referred to as participants or respondents and may include another individual about whom a subject is providing information.

‘Unsolicited information’ means identifiable research information that a research organisation has taken no active steps to collect.

E. How the Australian Privacy Principles apply to market and social research

Transparency of management

Australian Privacy Principle 1: Open and transparent management of personal information (as customised for the purposes of this Code)

1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.

Compliance with the Australian Privacy Principles

1.2 When handling identifiable research information, Research Organisations must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the Research Organisation's functions or activities to ensure that:

  1. the Research Organisation complies with the Australian Privacy Principles and this Code; and
  2. will enable the Research Organisation to deal with inquiries or complaints from individuals about the  Research Organisation's compliance with this Code.
APP Privacy policy

1.3 A Research Organisation must have a clearly expressed and up to date research information privacy policy about the management of identifiable research information by the Organisation.

1.4 Without limiting subclause 1.3, the research information privacy policy must contain the following information:

  1. the kinds of identifiable research information that the organisation collects and holds;

  2. how the organisation collects and holds identifiable research information;

  3. the research purposes for which the organisation collects, holds, uses and discloses identifiable research information;

  4. how an individual may access identifiable research information about the individual that is held by the organisation and seek the correction of such information;

  5. how an individual may complain about a breach of this Code, and how the organisation will deal with such a complaint;

  6. whether the organisation is likely to disclose identifiable research information to overseas recipients;

  7. if the organisation is likely to disclose identifiable research information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Availability of privacy policy

1.5 A Research Organisation must take such steps as are reasonable in the circumstances to make its research information privacy policy available:

  1. free of charge; and
  2. in such form as is appropriate.

1.6 If a person or body requests a copy of the research information privacy policy of a Research Organisation in a particular form, the organisation must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

Australian Privacy Principle 2: Anonymity and pseudonymity (as customised for the purposes of this Code)

2.1Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with a Research Organisation in the context of Market and Social Research.

2.2 Subclause 2.1 does not apply if, in relation to that matter:

  1. the Research Organisation is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or

  2. it is impracticable for the Research Organisation to deal with individuals who have not identified themselves or who have used a pseudonym.

Collection of personal information

Australian Privacy Principle 3: Collection of solicited personal information (as customised for the purposes of this Code)

Personal information other than sensitive information

3.1 Not applicable (agencies only)

3.2In the conduct of Market and Social Research, a Research Organisation must not collect identifiable research information (other than sensitive information) unless the information is reasonably necessary for that research.

Sensitive information

3.3A Research Organisation may only collect sensitive information (whether from an individual or from a third party) where the individual has consented, and the information is reasonably necessary for a research purpose, or if the collection is required by Australian law or a court/tribunal order.

Means of collection

3.5In the conduct of Market and Social Research, a Research Organisation must collect identifiable research information only by lawful and fair means.

3.6In the conduct of Market and Social Research, a Research Organisation must collect identifiable research information about an individual only from the individual unless it is unreasonable or impracticable to do so.

Solicited personal information

3.7This principle applies to the collection of identifiable research information that is solicited by a Research Organisation.

Australian Privacy Principle 4: Dealing with unsolicited personal information (as customised for the purposes of this Code)

4.1 If:

  1. a Research Organisation receives identifiable research information; and
  2. the Research Organisation did not solicit the information;

the Research Organisation must, within a reasonable period after receiving the information, determine whether or not the Research Organisation could have collected the information under APP 3 if the Research Organisation had solicited the information.

4.2 The Research Organisation may use or disclose the identifiable research information for the purposes of making the determination under subclause 4.1.

4.3 If the Research Organisation determines that it could not have collected the identifiable research information, it must, as soon as practicable, but only if it is lawful and reasonable to do so, destroy the information or ensure that it is de-identified.

4.4 If subclause 4.3 does not apply in relation to the identifiable research information, APPs 5-13 apply in relation to the information as if the Research Organisation had collected the information under APP 3.

Australian Privacy Principle 5—notification of the collection of personal information (as customised for the purposes of this Code)

5.1At or before the time or, if that is not practicable, as soon as practicable after, a Research Organisation collects identifiable research information about an individual, the organisation must take such steps (if any) as are reasonable in the circumstances:

  1. to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or
  2. to otherwise ensure that the individual is aware of any such matters.

5.2 The matters for the purposes of subclause 5.1 are as follows:

  1. the identity and contact details of the Research Organisation;

  2. if:

    1. the Research Organisation collects the identifiable research information from someone other than the individual; or

    2. the individual may not be aware that the Research Organisation has collected the identifiable research information;

    the fact that the Research Organisation so collects, or has collected, the identifiable research information and the circumstances of that collection;

  3. not applicable;

  4. the purposes for which the Research Organisation collects the identifiable research information;

  5. the main consequences (if any) for the individual if all or some of the identifiable research information is not collected by the Research Organisation;

  6. any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the Research Organisation usually discloses identifiable research information of the kind collected by the Research Organisation;

  7. that the research information privacy policy of the Research Organisation contains information about how the individual may access the identifiable research information about the individual that is held by the entity and seek the correction of such information;

  8. that the research information privacy policy of the Research Organisation contains information about how the individual may complain about a breach of this Code, and how the entity will deal with such a complaint;

  9. whether the Research Organisation is likely to disclose the identifiable research information to overseas recipients;

  10. if the Research Organisation is likely to disclose the identifiable research information to overseas recipients - the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

Additional requirement: matters of which respondents should be made aware — sources of information and identity of client

5.3 Research Organisations must disclose the source of the research sample (e.g. customer information, information collected by researchers, publicly available lists such as a telephone directory or electoral roll, random digit dialling, door knocking), no later than the end of the collection of information, except where the Research Organisation and client have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action).

5.4Research Organisations must disclose the identity of the client, unprompted, no later than the end of the collection of information, except where the Research Organisation and client have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action).

Dealing with personal information

Australian Privacy Principle 6: Use or disclosure of personal information (as customised for the purposes of this Code)

Use or disclosure

6.1If a Research Organisation holds identifiable research information about an individual that was collected for a particular purpose (the primary purpose), the Organisation must not use or disclose the information for another purpose (the secondary purpose) unless:

  1. the individual has consented, or

  2. the use or disclosure of the information is required or authorised by or under an Australian law or court/tribunal order;

  3. it is unreasonable or impracticable to obtain the individual's consent to the use or disclosure; and the Research Organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

  4. the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the Organisation's functions or activities has been, is being or may be engaged in; and the Organisation reasonably believes that the collection, use or disclosure is necessary in order for the Organisation to take appropriate action in relation to the matter.

  5. the Research Organisation reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf, of an enforcement body

Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.

6.2 Not applicable other than the exceptions now in 6.1(b)–(e)

Additional requirement: research use and disclosure

Re-use of identifiable research information for subsequent research

6.2AResearch Organisation may use identifiable research information for a research purpose provided that:

  1. if re-contact of an individual who initially declined to participate is involved, the Research Organisation and client have genuine research concerns that warrant such re-contact; and

  2. if re-contact of an individual who has participated in a research exercise is involved:

    1. the individual was informed of this likelihood at the time the information was collected, except where the research and client organisations have reasonable grounds to decide that there are genuine research concerns that justify not so notifying; or

    2. any individual who, at the time of collection, indicated a wish not to be re-contacted for research purposes is excluded unless the research and client organisations have reasonable grounds to decide that there are genuine research concerns that warrant the individual's inclusion.

Disclosure of personal information for research

6.2B A Research Organisation may disclose identifiable research information provided that:

  1. the disclosure is necessary for a research purpose; and

  2. only that part of the information considered necessary for this research purpose is disclosed; and

  3. if this research purpose could be achieved using de-identified information, the information is de-identified before being disclosed [APP 6.4]; and

  4. where the recipient is the client, the consent of all individuals who could be identifiable has been obtained, except where the personal information being disclosed to the client concerns individuals' research status.  In this case:

    1. the Research Organisation should take reasonable steps to ensure that the information concerning individuals' research status cannot be linked to individuals' research data about those individuals; and

    2. the Research Organisation should obtain the client's agreement to restrict use of the information concerning individuals' research status only for the specific purpose of regulating the frequency of contacts of individuals in the client's subsequent research.

6.3 (agencies only)

6.4If subsection 16B(2) applies in relation to the collection of the identifiable research information by the Research Organisation, it must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the Organisation discloses it in accordance with subclause 6.1 or 6.2:

Written note of use or disclosure

6.5 If a Research Organisation uses or discloses identifiable research information in accordance with paragraph 6.1(e), the Organisation must make a written note of the use or disclosure.

Related bodies corporate

6.6If a Research Organisation is a body corporate; and it collects identifiable research information from a related body corporate; this principle applies as if the Research Organisation's primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

Exceptions

6.7This principle does not apply to the use or disclosure by a Research Organisation of:

  1. identifiable research information for the purpose of direct marketing; or
  2. government related identifiers.

Australian Privacy Principle 7: Direct marketing (as customised for the purposes of this Code)

7.1If a Research Organisations holds identifiable research information about an individual, the Research Organisations must not use or disclose the information for the purpose of direct marketing.

7.2–7.8 Not applicable.

Australian Privacy Principle 8—cross border disclosure of personal information (as customised for the purposes of this Code)

8.1 Before a Research Organisation discloses identifiable research information about an individual to a person (the ‘overseas recipient’):

  1. who is not in Australia or an external Territory, and
  2. who is not the Research Organisation itself or the individual,

the Research Organisation must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.

8.2 Subclause 8.1 does not apply to the disclosure of identifiable research information about an individual by a Research Organisation to the overseas recipient if:

  1. the Research Organisation reasonably believes that:

    1. the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

    2. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or

  2. both of the following apply:

    1. the Research Organisation expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;

    2. after being so informed, the individual consents to the disclosure; or

  3. the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

  4. a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the Research Organisation.

Exceptions (e) and (f) are not applicable (agencies only)

Note: For ‘permitted general situation’, see section 16A.

Australian Privacy Principle 9: Adoption, use or disclosure of government related identifiers (as customised for the purposes of this Code)

Adoption of government related identifiers

9.1 A Research Organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:

  1. the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or
  2. subclause 9.3 applies in relation to the adoption.

Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Use or disclosure of government related identifiers

9.2A Research Organisation must not use or disclose a government related identifier of an individual unless:

  1. the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation's activities or functions; or

  2. the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or

  3. the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or

  4. a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or

  5. the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

  6. subclause 9.3 applies in relation to the use or disclosure.

Note 1: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Note 2: For ‘permitted general situation’, see section 16A.

Regulations about adoption, use or disclosure

9.3This subclause applies in relation to the adoption, use or disclosure by a Research organisation of a government related identifier of an individual if:

  1. the identifier is prescribed by the regulations; and

  2. the Research Organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and

  3. the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.

Note: There are prerequisites that must be satisfied before the matters mentioned in this subclause are prescribed, see subsections 100(2) and (3).

Integrity of personal information

Australian Privacy Principle 10: Quality of personal information (as customised for the purposes of this Code)

10.1A Research Organisation must take such steps (if any) as are reasonable in the circumstances to ensure that the identifiable research information that the Research Organisation collects is accurate, up to date and complete.

10.2A Research Organisation must take such steps (if any) as are reasonable in the circumstances to ensure that the identifiable research information that the Research Organisation uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

Australian Privacy Principle 11: Security of personal information (as customised for the purposes of this Code)

11.1If a Research Organisation holds identifiable research information, the Research Organisation must take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

11.2 If:

  1. a Research Organisation holds identifiable research information about an individual; and

  2. the Research Organisation no longer needs the information for any purpose for which the information may be used or disclosed by the Research Organisation under this Code; and

  3. the information is not contained in a Commonwealth record; and

  4. the Research Organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the Research Organisation must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

Additional Requirement: retention and disposal

11.3A Research Organisation must retain identifiable research information only while the details of the identity of the individual whom the information is about continue to be necessary for research purposes. The information must be destroyed or de-identified once these purposes have been achieved. Where identifiable research information has been returned to a third party (in accordance with APP6) any copies, including archived copies, must be destroyed or de-identified.

11.4If a Research Organisation wishes to de-identify identifiable research information that exists in a physical form that makes de-identification impracticable (e.g. on paper), the information must be moved to another medium, de-identified, and the physical records then destroyed.

11.5Where it is necessary to retain identifiable research information, identifying (contact) details must, if practicable, be stored separately from other information (research status and research data), with measures in place (e.g. by the use of an encrypted intervening variable) to ensure the identity of the individuals cannot be readily revealed from the other information.

11.6A Research Organisation must take reasonable steps to ensure that any identifiable research information that it discloses:

  1. will only be retained, used or disclosed by the recipient of the information in a manner that is consistent with this Code;

  2. will be protected by the recipient from misuse, interference and loss and from unauthorised access, modification, use and disclosure; and

  3. will only be used or disclosed by the recipient for a specified limited purpose and will be destroyed or de-identified once this purpose has been achieved. Where identifiable research information has been returned by the recipient to a third party (in accordance with APP6) any copies, including archived copies, must by destroyed or de-identified.

11.7 Research Organisation may disclose de-identified information freely, provided that there is no reasonable likelihood that the disclosed information could be used to identify one or more of the individuals who participated in the research, such as where the pattern of answers could reveal their identity.

Access to, and correction of, personal information

Australian Privacy Principle 12: Access to personal information (as customised for the purposes of this Code)

Access

12.1If a Research Organisation holds identifiable research information about an individual, the Research Organisation must, on request by the individual, give the individual access to the information.

12.2Not applicable (agencies only)

Exception to access

12.3Despite subclause 12.1, entity Research Organisation is not required to give the individual access to the identifiable research information to the extent that:

  1. the Research Organisation reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

  2. giving access would have an unreasonable impact on the privacy of other individuals; or

  3. the request for access is frivolous or vexatious; or

  4. the information relates to existing or anticipated legal proceedings between the Research Organisation and the individual, and would not be accessible by the process of discovery in those proceedings; or

  5. giving access would reveal the intentions of the Research Organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

  6. giving access would be unlawful; or

  7. denying access is required or authorised by or under an Australian law or a court/tribunal order; or

  8. both of the following apply:

    1. the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the Research Organisation's functions or activities has been, is being or may be engaged in;

    2. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

  9. giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

  10. giving access would reveal evaluative information generated within the Research Organisation in connection with a commercially sensitive decision-making process.

Dealing with requests for access

12.4The Research Organisation must:

  1. respond to the request for access to the identifiable research information within a reasonable period after the request is made; and

  2. give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

Other means of access

12.5If the Research Organisation refuses:

  1. to give access to the personal information because of subclause 12.3; or
  2. to give access in the manner requested by the individual;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the Research Organisation and the individual.

12.6Without limiting subclause 12.5, access may be given through the use of a mutually agreed intermediary.

Access charges

12.7Not applicable (agencies only).

12.8If the Research Organisation charges the individual for giving access to the identifiable research information the charge must not be excessive and must not apply to the making of the request.

Refusal to give access

12.9If the Research Organisation refuses to give access to the identifiable research information because of subclause 12.3, or to give access in the manner requested by the individual, the Research Organisation must give the individual a written notice that sets out:

  1. the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and

  2. the mechanisms available to complain about the refusal; and

  3. any other matter prescribed by the regulations.

12.10If the Research Organisation refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.

Australian Privacy Principle 13—correction of personal information (as customised for the purposes of this Code)

Correction

13.1If:

  1. a Research Organisation holds identifiable research information about an individual; and
  2. either:

    1. the Research Organisation is satisfiedthat, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or

    2. the individual requests the entity to correct the information;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

Notification of correction to third parties

13.2If:

  1. the Research Organisation corrects personal information about an individual that the Research Organisation previously disclosed to another APP entity; and

  2. the individual requests the Research Organisation to notify the other APP entity of the correction;

the Research Organisation must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Refusal to correct information

13.3If the Research Organisation refuses to correct the identifiable research information as requested by the individual, the Research Organisation must give the individual a written notice that sets out:

  1. the reasons for the refusal except to the extent that it would be unreasonable to do so; and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by the regulations.
Request to associate a statement

13.4If:

  1. the Research Organisation refuses to correct the identifiable research information as requested by the individual; and

  2. the individual requests the Research Organisation to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;

the Research Organisation must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

Dealing with requests

13.5If a request is made under subclause 13.1 or 13.4, the Research Organisation:

  1. must respond to the request within a reasonable period after the request is made; and

  2. must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

Additional requirement: destruction or de-identification on request

13.6A Research Organisation must accept and act on requests for identifiable research information to be destroyed or de-identified, except in the following circumstances:

  1. the request is frivolous or vexatious; or

  2. destruction, deletion or de-identification would have an unreasonable impact upon the privacy of other individuals; or

  3. the organisation reasonably believes that destroying, deleting or de-identifying the information would pose a serious threat to the life, health or safety of any individual or to public health or public safety; or

  4. destroying, deleting or de-identifying the information would reveal the intentions of the research organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

  5. destroying, deleting or de-identifying the information would be unlawful; or

  6. retaining the identifiable information is required or authorised by or under an Australian law or a court/tribunal order; or

  7. the Research Organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation's functions or activities has been, is being or may be engaged in; and destroying, deleting or de-identifying the information would be likely to prejudice the taking of appropriate action in relation to the matter; or

  8. destroying, deleting or de-identifying the information, would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body; or

  9. where the Research Organisation is contractually obliged to retain the identifiable research information.

F. Governance

Code Administrator

  1. The Code Administrator for this Code is AMSRO. In practice, this Code is administered by the AMSRO Secretariat, under direction of the AMSRO Board.

  2. AMSRO will fund the administration of this Code in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of those tasks described in subclause F c.

Tasks of the Code Administrator

  1. In administering this Code, the AMSRO Secretariat will perform the following tasks:

    1. maintain an accurate and up to date online list of AMSRO members, which doubles as a public register of research organisations which are bound by this Code.

    2. commission periodic reviews of this Code in accordance with Part G.

    3. produce a written response to a report resulting from an  independent code review;

    4. consider the need for any variation of this Code, and make any consequent applications;

    5. monitor and report on compliance with this Code (see Part H),

    6. Make available on the AMSRO website the following:

      1. information about this Code;
      2. a copy of the most current version of this Code;
      3. contact details for the Code Administrator;
      4. information about making complaints in relation to matters contained in this Code;
      5. the annual report on the operation of this Code required under Part H
      6. a link to the website of the Commissioner;
      7. any other information that the Code Administrator considers relevant to the efficient functioning of this Code.

    7. perform such other tasks as the AMSRO Board considers necessary or desirable for the effective operation of this Code, including but not limited to the establishment and management of a formal complaints handling process relating to alleged breaches of this Code.

    8. In relation to tasks a.ii-v, the Administrator will be assisted and advised by AMSRO's Privacy Compliance Committee

  2. AMSRO has established a Privacy Compliance Committee, comprising an independent chair, at least two industry representatives and one consumer representative, which meets at least twice a year.

  3. The Privacy Compliance Committee terms of reference include the following functions relevant to this Code:

    "To make recommendations on matters including, but not limited to:
    1) The Code Reviewer's recommendations concerning streamlining industry Guidelines to clarify how they work in conjunction with the Code;
    2) The Code Reviewer's recommendations concerning implementing an explicit privacy component into industry quality audits;

    5) Industry awareness/education regarding privacy issues, including information sheets, FAQs and best practice;

    7) Systemic issues arising from privacy complaints."

  4. The Privacy Compliance Committee will advise the Code Administrator about the timing and conduct of the periodic independent review of this Code under Part G.

  5. The Privacy Compliance Committee may be required by the Code Administrator to participate in any formal complaints handling process that might be established by the Code Administrator relating to addressing alleged breaches of this Code.

G. Review

Independent Code Review

  1. This Code is subject to periodic independent review by a reviewer to be appointed by the AMSRO Board for each review.

  2. The purpose of Code reviews is to ensure that this Code is meeting its objectives and remains effective and relevant.

  3. There will be a review of this Code at least every five years, but the Code Administrator may commission a review at any time, for example if regular monitoring indicates a lack of compliance with this code or if the Code Administrator becomes aware of systemic issues that would justify a review.

  4. The terms of reference for each review will be drawn up by the Code Administrator in consultation with the Privacy Compliance Committee.

  5. Each review will be funded by AMSRO in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of the review.

  6. Reports of the independent code review will include recommendations for any amendments to this Code that are considered necessary or desirable for the effective operation of this Code.

Consultation

  1. In conducting an independent review, the Code Administrator will notify the Commissioner of the review; and the Independent Code Reviewer will seek the views of the Commissioner, government agencies, industry representatives (including the Australian Market and Social Research Society (AMSRS)), consumer representatives, the general public and other persons or bodies as appropriate in Australia and internationally; regarding the operation of this Code and in relation to suitable revisions and amendments.

Reporting following an Independent Code Review

  1. The report of the Independent Code Reviewer shall be made publicly available online and shall outline the issues raised by the review and the findings of the review.

  2. The report shall be accompanied by a response from the Code Administrator, outlining the actions taken, or that will be taken, by the Code Administrator and/or the research organisations bound by this Code to address issues identified by the review.

Variation of the Code

  1. Following a recommendation of an Independent Code Review, or for any other reason, the Code Administrator may apply to the Commissioner for variation of the Code.

  2. Any such application would follow the process set out in the Act and guidance issued by the Commissioner.

H. Monitoring and reporting

  1. Research Organisations must report annually, by 31 August, to the Code Administrator, on the number, nature and outcomes of any complaints received about Breaches of this Code.

  2. Research Organisations must report systemic issues or serious and repeated breaches of this Code to the Commissioner as soon as they become aware of them.

  3. The Code Administrator will monitor compliance by research organisations with this Code and will investigate serious and repeated breaches and systemic issues about code compliance.

  4. The Code Administrator will publish an Annual Report on the operation of this Code and make it available both to the Commissioner and publicly, including online. The Annual Report will include a summary of complaints handled by Research Organisations and reported to the Code Administrator under clause H (a).

  5. The Code Administrator will report systemic issues or serious and repeated breaches of this Code to the Commissioner as soon as it becomes aware of them.

Improper conduct

  1. If a Research Organisation subject to this Code acts in a manner that, in the AMSRO Board's opinion, constitutes seriously improper conduct in relation to this Code, (and the research practices defined herein that breach the Articles of Association), then the AMSRO Board shall direct the Code Administrator to notify the research organisation of the conduct.

  2. Within 7 business days of receipt of notification by the Code Administrator of an opinion by the AMSRO Board concerning seriously improper conduct by the Research Organisation the Research Organisation must:

    1. take all reasonable steps to rectify the seriously improper conduct; and
    2. notify the Code Administrator of the steps taken to rectify the seriously improper conduct.

  3. If the Research Organisation fails to adequately comply with clause g. above then the AMSRO Board will issue a final notice requiring the Research Organisation to rectify the seriously improper conduct within 7 business days.

  4. Where the AMSRO Board is satisfied that seriously improper conduct has occurred in relation to this Code, AMSRO may take such remedial action against the Research Organisation as is permitted under its Rules of Association and/or terms of membership, as varied from time to time, including suspension or expulsion.

  5. These misconduct provisions operate independently of the complaint provisions of the Privacy Act and the enforcement role of the Commissioner.

Footnotes

[1] In particular, Guidelines for developing codes, and Australian Privacy Principles (APP) Guidelines

[2] Australian Market and Social Research Society – all AMSRS members work under the COPB

[3] AMSRO is the entity that is the Code Administrator – see Part F [CDGL3.3-3.4]

Related pages

Privacy (Market and Social Research) Code 2021

Current version of the CR code

Arrow

Privacy codes register

Lists current and any previous versions of our privacy codes

Arrow
OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia