Federal Register of Legislation - Australian Government


Market and Social Research Privacy Code

Authoritative Version
Codes & Codes of Practice as amended, taking into account amendments up to Market and Social Research Privacy Code - Variation
Administered by: Attorney-General's
Registered 26 Sep 2013
Start Date 30 Jun 2007
End Date 17 Oct 2014
Date of repeal 17 Oct 2014
Repealed by Spent and Redundant Instruments Repeal Regulation 2014 (No. 2)


Market and Social Research Privacy Code

as amended

made under section 18BD of the

Privacy Act 1988

Compilation start date: 30 June 2007

Includes amendments up to: Approval to Vary the Market and Social Research Privacy Code

 

About this compilation

This compilation

This is a compilation of the Market and Social Research Privacy Code as in force on 30 June 2007. It includes any commenced amendment affecting the compilation to that date.

This compilation was prepared on 13 September 2013.

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of each amended provision.

Uncommenced amendments

The effect of uncommenced amendments is not reflected in the text of the compiled law but the text of the amendments is included in the endnotes.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Modifications

If a provision of the compiled law is affected by a modification that is in force, details are included in the endnotes.

Provisions ceasing to have effect

If a provision of the compiled law has expired or otherwise ceased to have effect in accordance with a provision of the law, details are included in the endnotes.

Contents

A. PREAMBLE

B. OBJECTIVES

C. ELIGIBILITY

D. TERMINOLOGY

E. MARKET AND SOCIAL RESEARCH PRIVACY PRINCIPLES

F. ADMINISTRATION

G. REVIEW

H. COMPLAINTS

I. REGISTRATION AND DEREGISTRATION

Endnotes

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Endnote 5—Uncommenced amendments

Endnote 6—Modifications

Endnote 7—Misdescribed amendments

Endnote 8—Miscellaneous

A. PREAMBLE

1.   The Association of Market and Social Research Organisations (AMSRO) is the national industry body of market and social research organisations.  AMSRO’s primary objective is to protect and promote the market and social research industry so that it can continue its important contribution to Australia’s economic, social and political well being.  In AMSRO’s view, the long-term success of market and social research depends upon the willing cooperation of the public and business community, which is based upon confidence that research is carried out honestly, objectively and without unwelcome intrusion or disadvantage to participants.

2.   The Market and Social Research Privacy Principles included in this Code replace the National Privacy Principles in the Privacy Act 1988 (Commonwealth) in governing the collection, retention, use, disclosure and transfer of information about the subjects of and participants in market and social research, that is, any individual about or from whom any information is sought, collected, retained, used, disclosed and/or transferred by a research organisation for the purposes of research.  These Principles seek to give effect to the National Privacy Principles in the Privacy Act 1988 (Commonwealth) in a manner that is tailored to the research context, while providing the public and business community with the assurances needed to encourage informed and willing participation in market and social research activities.  These principles reflect the fact that participation in market and social research is voluntary, that market and social researchers are generally not interested in making use of the identity of research participants and that they use, disclose and/or transfer the information collected only for research purposes.

3.   It is not intended that this Privacy Code will cover acts and practices that are otherwise exempt under sections 7B and 7C of the Privacy Act.

4.   This Code was approved by the Privacy Commissioner on 1st September 2003.  This approval indicates that the Privacy Commissioner is satisfied that the Market and Social Research Privacy Principles included in this Code are at least the overall equivalent of all of the obligations set out in the National Privacy Principles in the Privacy Act 1988 (Commonwealth).

5.   This Code is administered by the AMSRO Secretariat, under direction of the AMSRO Board, and is subject to independent review by the Independent Code Review Panel.

 

B. OBJECTIVES

1.   The aims of this Code include:

1.1     to facilitate the protection of identified information provided by, or held in relation to, the participants or subjects of market and social research;

1.2     to enable quality research to be carried out, so as to provide accurate information to government, commercial and not for profit organisations to support their decision-making processes;

1.3     to allow market and social research small business operators that are otherwise not subject to the Privacy Act 1988 (Commonwealth) to benefit from compliance with industry best practice in relation to the handling of identified information.

 

C. ELIGIBILITY

1.   Subscription to this Code is a requirement of AMSRO membership, regardless of the research organisation’s size or annual turnover.

2.   A member of AMSRO that is a Small Business Operator for the purposes of the Privacy Act 1988 (Commonwealth) must first opt in to coverage of that Act in order to be bound by this Code.  However, it is noted that any member of AMSRO that:

2.1     discloses identified information about another individual to anyone else for a benefit, service or advantage; or

2.2     provides a benefit, service or advantage to collect identified information about another individual from anyone else; or

2.3     is a contracted service provider for a Commonwealth contract (whether or not a party to the contract)

is not a Small Business Operator for the purposes of the operation of the Privacy Act 1988 (Commonwealth).

3.   Non-members of AMSRO are not eligible to subscribe to this Code.

4.   Eligibility for AMSRO membership is open to research organisations provided that:

4.1     at least one senior executive of the research organisation is a member of the Market and Social Research Society of Australia; and

4.2     a contact person, owner, director, manager or employee of a member organisation of AMSRO, to whom the research organisation is known, nominates the research organisation for membership.

5.   AMSRO membership, and thus subscription to this Code, is voluntary.  However, subject to subclause C.2, this Code is binding on those research organisations that are AMSRO Members (‘Code Subscribers’) and, in consequence, agree to be bound by it in accordance with the procedures set out in this Code.

 

D. TERMINOLOGY

1.   Other than as defined below, words used in this Code have the meaning defined in the Privacy Act 1988 (Commonwealth).

1.1     client organisation means an organisation that requests, commissions or subscribes to a given research project; the ultimate beneficiary of the research findings.

1.2     Code means this Market and Social Research Privacy Code.

1.3     Code Administrator means the body outlined in subclause F.1.

1.4     Code Subscriber means an organisation that has agreed to be bound by the Code and has been approved by the Code Administrator in accordance with clause I.

1.5     collection means gathering, acquiring or obtaining information from any source, by any means.  Collection may be directly from an individual or indirectly from another person or organisation.  In practical terms, collection in research is likely to include, but not be limited to, the recording of responses given in research (e.g. telephone surveys, central location surveys), the receipt of self-completion questionnaires (e.g. postal questionnaires, on-line questionnaires), the audio and/or video recording of group discussions or interviews, the recording of contact details of potential research participants (e.g. panels) and the receipt of customer information from client organisations.

1.6     Commonwealth identifier means a combination of letters, numbers or both, assigned by a Commonwealth agency, or an agent or contracted service provider of a Commonwealth agency, to an individual to enable him or her to be identified.  Examples of Commonwealth identifiers include Medicare numbers and social security numbers.  However, this does not include an individual’s ABN (as defined in the A New Tax System (Australian Business Number) Act 1999).

1.7     contact details means a record of identifying information such as names, companies, position titles, addresses and phone numbers, collected and retained in order to contact individuals in a research sample.

1.8     de-identification means the removal from identified information of any details that identify the individual, or from which the identity of the individual can reasonably be ascertained, without retaining a means by which the information could be re-identified.  De-identification is thus a permanent and irreversible process.

1.9     disclosure means allowing information to become known outside an organisation without physically or electronically releasing it (e.g. by telling, showing or displaying to another).

1.10   genuine research concerns means where the research organisation has valid reasons to expect that the purpose of the research exercise would otherwise be defeated, for example, where bias due to non-response (or research opt-outs) may materially affect the information obtained in the research exercise, where significant public interest lies in achieving high response rates, where the research is a genuine study of non-response or research opt-outs, where prior knowledge of the likelihood of being re-contacted may materially affect the information obtained, or where the validity of a longitudinal or ongoing research exercise may be compromised.

1.11   Guidelines means the set of Guidelines that interpret and expand upon the Market and Social Research Privacy Principles including Guidelines for Qualitative Recruitment and Research, Guidelines for Quantitative Research and Guidelines for using Customer Information for Research Sampling.

1.12   identified information means information or an opinion, whether true or not, and whether recorded in a material form or not, provided by, or held in relation to, an individual whose identity is apparent, or can reasonably be ascertained.  Research generally involves two types of identified information: contact details and research data.  In practical terms, identified information in research is likely to include, but not be limited to, interview records awaiting validation or for use in longitudinal research, audio or video recordings of research and lists of potential research participants (e.g. recruitment databases, panels, customer information).

1.13   Independent Code Review Panel means the body established under subclause G.1.

1.14   individual means any natural person.  In the context of research, the individual may be referred to as the participant, respondent or subject of the research, but also includes any person about whom a participant, respondent or subject is providing information.  This includes any case where the person’s identity can reasonably be ascertained.

1.15   market and social research means investigation of the behaviour, needs, attitudes, opinions, motivations or other characteristics of a whole population or a particular part of a population, in order to provide accurate and timely information to clients (government, commercial and not-for-profit organisations) about issues relevant to their activities, to support their decision-making processes.  The process of market and social research includes specifying the information required to achieve the specific research needs of the client, designing the method for collecting information, managing and implementing the data collection process, analysing the results, and communicating the findings and their implications to clients.  Methods of collecting information in market and social research include postal or mail surveys, e-mail surveys, internet surveys, telephone surveys, door-to-door surveys, central location (e.g. shopping centre) surveys, observational techniques, desk research, and the recruitment and conduct of group discussions, in depth interviews and series of interviews with panels.  Market and social research differs from other forms of information gathering in that the information is not used, disclosed nor transferred either to support measures or decisions with respect to the particular individual, or in a manner that results in any serious consequence (including substantial damage or distress) for the particular individual.  Any information gathering activity in which the names and contact details of the people contacted are to be used for sales, promotional or fundraising activities or other non-research purposes (e.g. debt collection, credit rating) directed at the particular individual can under no circumstances be regarded as market and social research.  In addition, any activity that attempts to impart information to individuals rather than collect information from individuals (e.g. push polling) can under no circumstances be regarded as market and social research.

1.16   organisation means an individual, body corporate, partnership, trust or any unincorporated association.

1.17   person includes an organisation and the Crown.

1.18   Privacy Commissioner means the Federal Privacy Commissioner.

1.19   Public Register means the register of Code Subscribers maintained by the Code Administrator in accordance with subclause F.3.2.

1.20   research means market and social research as defined in this Code.

1.21   research data means a record of the responses provided by participating individuals at the time of collection in order to obtain a representation of a population’s or sub-population’s behaviour, needs, attitudes, opinions and motivations at a given point in time.  Research data is identified information if it is associated with contact details of the participating individual or if the particular pattern of research data held in relation to an individual allows that individual’s identity to reasonably be ascertained.

1.22   research organisation means an organisation (or that part of an organisation) that is a member of AMSRO and that carries out, or acts as a consultant or subcontractor in relation to, market or social research, or offers their services or the services of others to do so.

1.23   research purpose means the handling of information in order to carry out any function considered essential to the conduct or communication of the results of a market or social research project.  In practical terms, research purposes include handling information in order to conduct analysis, maintain its accuracy, draw a research sample, carry out quality control, note the willingness or unwillingness of an individual to be contacted in relation to future research or assist in the resolution of a problem that has come to light during a research activity.

1.24   research status means information in relation to whether or not an individual has been contacted or has participated in a research exercise, but does not include research data.  This is likely to take the form of a list containing customers, whose contact details were originally forwarded from a client organisation to a research organisation for research sampling, that conveys or contains information regarding individuals who were contacted or who participated in research.

1.25   sensitive information means information or an opinion about an identified individual’s racial or ethnic origin, political opinion, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record; health information about an individual; or genetic information about an individual that is not otherwise health information.

1.26   transfer means the physical or electronic release of information outside an organisation.  This includes when a research organisation gives another organisation information under contract to carry out an activity.

1.27   unreasonably intrusive means any collection of information where the subject or manner is likely to cause unreasonable inconvenience, or to upset or offend an individual.  This includes, but is not limited to, a research organisation’s contacting individuals at unreasonably early or late times during the day, attempting to coerce an individual into participating in research, conducting unreasonably lengthy research interviews, collecting information where the level of detail is much greater than that required by the research objectives or collecting sensitive information, as defined in the Privacy Act 1988 (Commonwealth), or other potentially sensitive information, where it is not essential to achieve the research objectives or where the subject matter might reasonably be expected to cause offence.

1.28   business day means any day on which Australian government offices are open for business.

 

E. MARKET AND SOCIAL RESEARCH PRIVACY PRINCIPLES

1.  Collection

1.1     In the conduct of research, a research organisation must not collect identified information (including from another organisation) for any purpose other than a research purpose.

1.2     In the conduct of research, a research organisation may collect identified information (including from another organisation) provided that the details of the identity of the individual are necessary for research purposes.

1.3     A research organisation may collect sensitive information from an individual, provided that the research organisation has explained to that individual that he or she may withhold information at any time.

1.4     A research organisation must collect information only by lawful and fair means, and not in an unreasonably intrusive way.

1.5     When a research organisation collects identified information from an individual, it must take reasonable steps to ensure that the individual is aware of:

(a)     the fact that identified information is being collected; and

(b)     the reason for this, so as to provide assurance of the principle of confidentiality within research; and

(c)     the fact that the information collected will be used only for research purposes and that no other use will be made of the information, either during the research or afterward; and

(d)     the fact that information collected for research is routinely de-identified (if this applies); and

(e)     how long (if at all) the information provided is likely to remain identified; and

(f)     the fact that, having participated in a research exercise, there is a reasonable likelihood that the individual will be re-contacted for research purposes (if this applies), except where the research and client organisations have reasonable grounds to decide that there are genuine research concerns; and

(g)     how long (if at all) an individual’s name and contact details are likely to be retained to enable re-contact for research purposes; and

(h)     the fact that, while the information remains identifiable, the individual is allowed to, at his or her discretion:

(i)      access that information; and/or

(ii)     have part or all of that information destroyed, deleted or de-identified; and

(i)      the identity of the research organisation and how to contact it (e.g. via the MRSA Survey Line); and

(j)      the source of the research sample (e.g. customer information, information collected by researchers, publicly available lists such as a telephone directory or electoral roll, random digit dialing, door knocking), no later than the end of the collection of information, except where the research and client organisations have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action); and

(k)     the identity of the client organisation, no later than the end of the collection of information, except where the research and client organisations have reasonable grounds to decide that there are genuine research concerns or where there is another compelling reason not to do so (e.g. it may expose one of the parties to legal action); and

(l)      the fact that the research organisation wishes to disclose and/or transfer identified information to a client organisation (if this applies).  In these circumstances, the individual’s consent must be obtained; and

(m)    any law that requires the particular information to be collected[1]; and

(n)     the main consequences (if any) for the individual if all or part of the information is not provided.

1.6     If it is reasonable and practicable to do so, a research organisation should collect identified information directly from the individual concerned.

1.7     If a research organisation collects research data relating to an individual from a third party (such as another householder or member of the family), it must take reasonable steps to:

(a)     where practicable, and where this would pose no serious threat to the life or health of any individual, ensure that the individual is, or has been, made aware of the matters listed in subclause 1.5 (e.g. the individual may be, or have been, made aware by the third party of the particulars of his or her identified information that has been, or is going to be, collected by the research organisation, and that the individual may obtain further information in relation to this from the research organisation); and

(b)     where the research data is being collected as part of a longitudinal research study keep any identifying details (e.g. name, phone number) separately from the research data, with measures in place to ensure that the identity of the parties cannot be reasonably ascertained (e.g. by the use of an encrypted intervening variable).

1.8     If a research organisation collects identified information other than research data (such as contact details) from a third party (such as a client organisation or list provider), it must take reasonable steps to:

(a)     where practicable, and where this would pose no serious threat to the life or health of any individual, ensure that the individual is, or has been, made aware of the matters listed in subclause 1.5 (e.g. the individual may be, or have been, made aware by the third party that his or her identified information may be disclosed and/or transferred to research organisations to be used for research purposes, and that the individual may obtain further information in relation to this from the third party or, at the time of any contact, the individual may be made aware that the research organisation has collected his or her identified information from the third party for research purposes); and

(b)     ensure that at least one of the following applies:

(i)      the purpose for which the information was originally collected is related to the market or social research to be conducted and the individual would reasonably expect to be contacted to be invited to participate in such research[2]; or

(ii)     all individuals who could be identified from the information have consented to their identified information being released, either specifically for research purposes or generally for a range of purposes within which research purposes are included[3]; or

(iii)    a readily accessible means exists by which an individual who could be identified from the information can withdraw his or her consent to being included on the provided list, and this fact is made known to any person who is contacted, at the time of such contact; and

(c)     ensure that the information will only be used, disclosed and/or transferred for a specified limited purpose and will be destroyed, deleted, de-identified or returned to the third party once this purpose has been achieved.

1.9     A research organisation may only collect information that contains or conveys sensitive information from a third party provided that the consent of all individuals whose identities could reasonably be ascertained from the information has been obtained.

1.10   Despite subclause E.1.9, a research organisation may collect health information about an individual if:

(a)     the collection is necessary for any of the following purposes:

(i)      research relevant to public health or public safety; or

(ii)     the compilation or analysis of statistics relevant to public health or public safety; or

(iii)    the management, funding or monitoring of a health service; and

(b)     that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c)     it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d)     the information is collected:

(i)      as required by law, other than the Privacy Act 1988 (Commonwealth); or

(ii)     in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii)    in accordance with guidelines approved by the Commissioner under section 95A of the Privacy Act 1988 (Commonwealth) for the purposes of this subparagraph.

2.   Use, disclosure and transfer

2.1     In the conduct of research, a research organisation must not use, disclose or transfer identified information (including information received from another organisation) for any purpose other than a research purpose.

2.2     The provisions of subclause E.2.1 do not apply if:

(a)     The research organisation reasonably believes that the use, disclosure or transfer is necessary to lessen or prevent:

(i)      a serious and imminent threat to an individual’s life, health or safety; or

(ii)     a serious threat to public health or public safety; or

(b)     the research organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses, discloses or transfers the identified information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(c)     the use, disclosure or transfer is required or authorised by or under law; or

(d)     the research organisation reasonably believes that the use, disclosure or transfer is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i)      the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii)     the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii)    the protection of the public revenue; or

(iv)    the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)     the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter research organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 2.2 does not override any existing legal obligations not to disclose identified information.  Nothing in subclause 2.1 requires an organisation to disclose identified information; a research organisation is always entitled to not disclose identified information in the absence of a legal obligation to disclose it.

2.3     If an organisation uses, discloses or transfers identified information under paragraph 2.2(d), it must make a written note of the use, disclosure or transfer.

2.4     A research organisation may use identified information for a research purpose provided that:

(a)     the research is conducted in accordance with these Principles; and

(b)     if re-contact of an individual who initially declined to participate is involved, the research and client organisations have reasonable grounds to decide that there are genuine research concerns that warrant such re-contact.  In these cases, re-contact must be undertaken in a way that is not unreasonably intrusive; and

(c)     if re-contact of an individual who has participated in a research exercise is involved:

(i)      the individual was informed of this likelihood at the time the information was collected, except where the research and client organisations have reasonable grounds to decide that there are genuine research concerns; and

(ii)     any individual who, at the time of collection, indicated a wish not to be re-contacted for research purposes is excluded, unless the research and client organisations have reasonable grounds to decide that there are genuine research concerns that warrant the individual’s inclusion.  In these cases, re-contact must be undertaken in a way that is not unreasonably intrusive; and

(d)     in the absence of consent to use the information for broader research purposes, the use is restricted to research on the same (or substantially the same) topic, for the same (or substantially the same) client organisation(s) as at the time of collection by the research organisation.

2.5     A research organisation may disclose and/or transfer identified information provided that:

(a)     the disclosure and/or transfer is essential for a research purpose; and

(b)     only that part of the information considered necessary for this research purpose is disclosed and/or transferred; and

(c)     if this research purpose could be achieved using de-identified information, the information is de-identified before being disclosed and/or transferred; and

(d)     in the absence of consent to disclose and/or transfer the information for broader research purposes, the disclosure and/or transfer is restricted to research on the same (or substantially the same) topic, for the same (or substantially the same) client organisation(s) as at the time of collection by the research organisation; and

(e)     where the recipient is the client organisation, the consent of all individuals who could be identified from the information has been obtained, except where the identified information being disclosed and/or transferred to the client organisation concerns individuals’ research status.  In this case:

(i)      the research organisation must take reasonable steps to ensure that the identified information concerning individuals’ research status cannot:

I.       be linked (or potentially linkable) to individuals’ research data; and

II.      enable any de-identified research data held by, or available to, the client organisation, to be identified; and

(ii)     the research organisation must obtain the client organisation’s agreement to restrict use of the identified information concerning individuals’ research status only for the specific purpose of regulating the frequency of contacts of individuals in the client organisations’ subsequent research.

2.6     A research organisation must take reasonable steps to ensure that any identified information that it discloses and/or transfers either within Australia or an external Territory or to someone (other than within the research organisation or the individual) who is in a foreign country:

(a)     will only be retained, used, disclosed and/or transferred by the recipient of the information in a manner that is consistent with these Principles; and

(b)     will be protected from misuse and loss and from unauthorised access, modification, disclosure and transfer; and

(c)     will only be used, disclosed and/or transferred by the recipient for a specified limited purpose and will be destroyed, deleted, de-identified or returned to the research organisation once this purpose has been achieved.

2.7     A research organisation may disclose and/or transfer de-identified information freely, provided that there is no reasonable likelihood that the pattern of answers could be used to identify one or more of the individuals who participated in the research.

3.   Data quality

3.1     A research organisation must take reasonable steps to ensure that the information it collects is accurate, complete and up-to-date at the time of collection.

3.2     Once information has been de-identified, any obligation of a research organisation to update the information ceases.

3.3     If a research organisation retains identified information, when using, disclosing or transferring that information, a research organisation must:

(a)     where it concerns research data, warrant that the information is an accurate and complete record of the information supplied at the time of collection; and

(b)     where it concerns identified information other than research data (such as contact details), take reasonable steps to ensure that the information remains accurate, complete and up-to-date.

3.4     If a research organisation retains identified information, having received a request from an individual to correct his or her identified information, a research organisation must take reasonable steps to:

(a)     where it concerns research data:

(i)      where the research organisation agrees that the information is not accurate, complete or up-to-date, correct the information so that it is accurate, complete and up-to-date; or

(ii)     where the research organisation disagrees about whether the information is accurate, complete and up-to-date:

I.       explain to the individual the reason for the research organisation’s objection (e.g. that the information retained must be an accurate and complete record of the information supplied at the time of collection); and

II.      at the individual’s discretion:

A.      append the corrected information thereto; or

B.      destroy, delete or de-identify part or all of that information.

(b)     where it concerns identified information other than research data (such as contact details):

(i)      correct the information so that it is accurate, complete and up-to-date; or

(ii)     where a record of previous contact details is required for research purposes, append the corrected information thereto.

4.   Data security

4.1     A research organisation may retain identified information only while the details of the identity of the individual whom the information is about continue to be necessary for research purposes.

4.2     If a research organisation wishes to de-identify identified information that exists in a physical form that makes de-identification impracticable (e.g. on paper), the information must be moved to another medium and the physical records destroyed.

4.3     A research organisation must take reasonable steps to protect any identified information that it holds from misuse and loss and from unauthorised access, modification, disclosure and transfer.

4.4     Where it is necessary to retain identified information, identifying details must, if practicable, be stored separately from other information, with the linkage maintained by the use of an intervening variable.

5.   Openness

5.1     A research organisation must set out in a document clearly expressed policies on its management of identified information and must make this document available to anyone who requests it.

5.2     On request, a research organisation must state, generally, what sort of identified information it holds, for what purposes, and how it collects, holds, uses, discloses and/or transfers that information.

5.3     A research organisation must make a copy of these Principles and the Guidelines available to anyone who requests them.

6.   Access and destruction, deletion and de-identification

6.1     Once information has been de-identified, any obligation of a research organisation to provide access or deletion to individuals whom the information is about ceases.

6.2     If a research organisation retains identified information, it must allow the individual whom the information is about to, at his or her discretion:

(a)     access that information; and/or

(b)     have part or all of that information destroyed, deleted or de-identified, at the individual’s discretion.

6.3     The provisions of subclause E.6.2 do not apply if:

(a)     the request is frivolous or vexatious[4]; or

(b)     the provision of access or destruction, deletion or de-identification would have an unreasonable impact upon the privacy of other individuals; or

(c)     in the case of identified information other than health information, providing access, or destroying, deleting or de-identifying the information, would pose a serious and imminent threat to the life or health of any individual; or

(d)     in the case of health information, providing access, or destroying, deleting or de-identifying the information, would pose a serious threat to the life or health of any individual; or

(e)     the information relates to existing or anticipated legal proceedings between the research organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f)     providing access, destroying, deleting or de-identifying the information would reveal the intentions of the research organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g)     providing access or destroying, deleting or de-identifying the information would be unlawful; or

(h)     denying access or retaining the information is required or authorised by or under law; or

(i)      providing access or destroying, deleting or de-identifying the information, would be likely to prejudice an investigation of possible unlawful activity; or

(j)      providing access or destroying, deleting or de-identifying the information, would be likely to prejudice:

(i)        the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii)       the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii)      the protection of the public revenue; or

(iv)      the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)       the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k)     an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.4     If a research organisation is not required to provide the individual with access to identified information because of one or more of paragraphs E.6.3 (a) to (k) (inclusive), it must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.5     The provisions of subclause E.6.2 (b) do not apply if the destruction, deletion or de-identification would involve the destruction, deletion or de-identification of information relating to other individuals.

6.6     If a research organisation charges for providing access to identified information, those charges:

(a)     must not be excessive; and

(b)     must not apply to lodging a request for access.

6.7     A research organisation must provide reasons for denial of access or a refusal to destroy, delete or de-identify identified information.

7.   Commonwealth identifiers

7.1     A research organisation must not adopt as its own identifier of an individual a Commonwealth identifier.

7.2     However, subclause E.7.1 does not apply to the adoption by a prescribed research organisation of a prescribed identifier in prescribed circumstances.

7.3     A research organisation must not use, disclose or transfer a Commonwealth identifier unless:

(a)     the use, disclosure or transfer is necessary for the organisation to fulfil its obligations to the agency; or

(b)     one or more of paragraphs E.2.2 (a) to (d) (inclusive) applies; or

(c)     the use, disclosure or transfer is by a prescribed research organisation of a prescribed Commonwealth identifier in prescribed circumstances.

8.   Anonymity

8.1     Wherever practicable, individuals must have the option of not identifying themselves when dealing with a research organisation.

9.   Transborder data flow

9.1     Refer to provisions governing the disclosure and transfer of information to a foreign country in subclause E.2.5.

10. Sensitive information

10.1   Refer to provisions governing the collection of sensitive information in subclauses E.1.3 and E.1.9.

 

F.  ADMINISTRATION

Code Administrator

1.   This Code is administered by the AMSRO Secretariat (‘Code Administrator’), under direction of the AMSRO Board, which comprises:

1.1     the AMSRO Executive Director; and

1.2     such other persons as the AMSRO Board may from time to time nominate.

2.   The Code Administrator will be funded by AMSRO in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of those tasks described in subclause F.3.

Tasks of the Code Administrator

3.   In administering this Code, the Code Administrator will perform the following tasks:

3.1     manage the registration of Code Subscribers; and

3.2     maintain an accurate and up to date online Public Register of Code Subscribers; and

3.3     produce a written response to the report produced by the Independent Code Review Panel under subclause G.3, which will be submitted, along with the report, to the Privacy Commissioner within 30 business days of the report’s being finalised; and

3.4     perform such other tasks as the AMSRO Board considers necessary or desirable for the effective operation of the Code.

 

G. REVIEW

Independent Code Review Panel

1.   This Code is subject to independent review by the Independent Code Review Panel, which comprises:

1.1     an independent chairperson; and

1.2     such other persons as the AMSRO Board may from time to time nominate.

2.   The Independent Code Review Panel will be funded by AMSRO in such manner as the AMSRO Board considers appropriate, having regard to the resource requirements necessary for the effective execution of its tasks.

Tasks of Independent Code Review Panel

3.   The Independent Code Review Panel will:

3.1     within 3 years after registration of this Code, and once every three years thereafter, produce a report on the operation of the Code, which will be submitted, along with the Code Administrator’s written response to this report, to the Privacy Commissioner within 30 business days of the report’s being finalised; and

3.2     recommend amendments to the Code, at any time that it considers them necessary or desirable for the effective operation of the Code, on request or by its own initiative; and

3.3     where an amendment has been recommended, complete the steps necessary to make an amendment to the Code referred to in subclause G.6.

4.   The steps referred to in subclauses G.3.1 to 3.3 shall together provide a basis for ensuring that the Code is meeting its objectives and remains relevant and up to date.

Consultation

5.   In conducting the review under subclause G.3, the Independent Code Review Panel will:

5.1     direct the Code Administrator to notify the Office of the Federal Privacy Commissioner of the review; and

5.2     seek the views of the Privacy Commissioner, government agencies, industry representatives, consumer representatives, the general public and other persons or bodies as appropriate in Australia and internationally, regarding the operation of the Code and in relation to suitable revisions and amendments.

Amendment Procedure

6.   To amend the Code, the Independent Code Review Panel must complete the following steps:

6.1     In accordance with section 18BD (2) of the Privacy Act 1988 (Commonwealth), where the amendment is likely to be considered by the Privacy Commissioner as a major amendment:

(a)     seek the views of the Privacy Commissioner, government agencies, industry representatives, consumer representatives, the general public and other persons or bodies as appropriate in Australia and internationally, regarding the proposed amendment; and

(b)     resolve the terms of any proposed amendment; and

6.2     give notice of the terms of the proposed amendment to each Code Subscriber and the general public; and

6.3     allow 60 business days to provide comments to the Independent Code Review Panel; and

6.4     adopt or reject the proposed amendment with or without modifications (not including modifications that would make the proposed amendment substantively different to that originally proposed); and

6.5     obtain the approval of the AMSRO Board; and

6.6     obtain the approval of the Privacy Commissioner; and

6.7     give notice of the Code as amended and the date at which it becomes effective to each Code Subscriber and to the general public.

7.   Amendments to the Code will come into effect 30 business days after completion of the step described in subclause G.6.6.

 

H. COMPLAINTS

Internal Complaint Handling Procedures

1.   Code Subscribers will ensure that they have in place publicly available procedures for dealing with complaints from inception to satisfaction or determination, which are available to any individual (irrespective of nationality or place of residence) about whom identified information is held.

Time for Resolution and Referral to Privacy Commissioner

2.   If complaints cannot be resolved to the satisfaction of the complainant within 30 business days, either the complainant or the Code Subscriber may refer the complaint to the Privacy Commissioner.

 

I.   REGISTRATION AND DEREGISTRATION

Application to become a Code Subscriber

1.   Research organisations eligible to be Code Subscribers may make application to the Code Administrator in accordance with the procedures established by the Code Administrator and approved by the AMSRO Board from time to time.

2.   If an applicant intends that its registration as a Code Subscriber is to cover one or more subsidiaries, then, subject to each subsidiary’s being eligible for registration, the applicant must provide the names of each subsidiary organisation in its application.

3.   The application shall be in a form prescribed by the Code Administrator and approved by the AMSRO Board from time to time and will include a duly authorised and signed statement by the applicant that it agrees to be bound by the Code.

4.   The Code Administrator will, within a reasonable time:

4.1     assess the eligibility of the applicant for approval as a Code Subscriber; and

4.2     upon satisfying itself that an applicant is eligible for approval as a Code Subscriber, recommend to the AMSRO Board that the relevant application be approved.

5.   Where, in the course of assessing an application under subclause I.4, the Code Administrator finds an applicant to be ineligible for approval, the Code Administrator will notify the applicant, setting out the reasons for its ineligibility.

6.   An applicant who is notified of their ineligibility under subclause I.5 shall have the opportunity of rectifying their ineligibility and reapplying for approval.

7.   The AMSRO Board will periodically consider all recommendations for approval of applications by the Code Administrator and will notify the Code Administrator of its decision to ratify or otherwise reject each application.

8.   If the AMSRO Board decides not to ratify the Code Administrator’s recommendation under subclause I.4.2, it shall provide the Code Administrator with reasons, whereupon the Code Administrator will notify the applicant of its unsuccessful application, together with reasons.

9.   Neither:

9.1     refusal by the AMSRO Board to ratify an application; nor

9.2     deregistration in accordance with subclause I.19,

will prevent a research organisation from reapplying at a later stage for registration, provided that:

9.3     such application is made in good faith; and

9.4     in the case of re-registration, the applicant satisfies the AMSRO Board that:

(a)     it is willing to comply with the Code; and

(b)     it has adequate procedures in place to do so; and

(c)     it has taken all reasonable steps to ensure that it is capable of complying with the Code.

Procedure Upon Approval

10. Upon approval of an application, the Code Administrator will:

10.1   notify in writing the applicant of the approval; and

10.2   add the name of the applicant to the Public Register.

11. The steps referred to in subclause I.10 shall constitute registration of a Code Subscriber, and shall take effect from the date that the notification referred to in subclause I.10.1 is sent by the Code Administrator.

Public Information Resource

12. The Code Administrator shall cause to be published on the AMSRO website www.AMSRO.com.au an easily accessible public information resource which contains:

12.1   the Public Register of current Code Subscribers; and

12.2   information about the Code; and

12.3   a copy of the most current version of the Code; and

12.4   contact details for the Code Administrator; and

12.5   information about making complaints in relation to matters contained in the Code; and

12.6   a link to the website of the Office of the Federal Privacy Commissioner; and

12.7   any other information that the Code Administrator considers relevant to the efficient functioning of the Code.

Improper conduct

13. If a Code Subscriber acts in a manner that, in the AMSRO Board’s discretion, constitutes seriously improper conduct in relation to the Code, then the AMSRO Board shall direct the Code Administrator to notify the Code Subscriber of the breach.

14. Within 7 business days of receipt of such notification, the Code Subscriber must:

14.1   take all reasonable steps to rectify the seriously improper conduct; and

14.2   notify the Code Administrator of the steps taken to rectify the seriously improper conduct.

15. If the Code Subscriber fails to adequately comply with subclause I.14, then the AMSRO Board will issue a final notice requiring the Code Subscriber to rectify the seriously improper conduct within 7 business days.

16. The provisions in subclauses I.13 to I.15 and I.17.1 shall not have the effect of limiting in any way the discretion of the Federal Privacy Commissioner to deal as he or she sees fit with any Code Subscriber that is the subject of a complaint under this Code.

Revocation of Membership

17. The AMSRO Board shall notify the Code Administrator of its decision to revoke a Code Subscriber’s subscription where:

17.1   a Code Subscriber fails to act in accordance with the final notice under subclause I.15; or

17.2   the AMSRO Board, in its discretion, considers that a Code Subscriber has acted with seriously improper conduct in relation to the Code to an extent warranting the revocation of the Code Subscriber’s subscription; or

17.3   a Code Subscriber advises the AMSRO Board by written notice to the Code Administrator that it wishes no longer to be a Code Subscriber.

Procedure upon Revocation

18. Upon revocation of a membership, the Code Administrator will:

18.1   notify in writing the Code Subscriber of the revocation, and, except in response to an advice under subclause I.17.3, set out the reasons for the revocation; and

18.2   remove the name of the Code Subscriber from the Public Register.

19. The steps referred to in subclause I.18 shall constitute deregistration of a Code Subscriber, and shall take effect from the date that the notification referred to in subclause I.18.1 is sent by the Code Administrator.

20. On receipt by the Code Administrator of a Code Subscriber’s advice in accordance with subclause I.17.3, deregistration of that Code Subscriber will occur within 7 business days.

21. On deregistration, the Code Subscriber must make no further representation that it complies with the Code.

Appeal

22. A Code Subscriber who has been deregistered in accordance with subclause I.18, may, within 7 business days of receipt of the notice referred to in subclause I.18.2, by written notice, appeal against the decision to the Chairperson of the Independent Code Review Panel.

23. The Chairperson of the Independent Code Review Panel shall give the deregistered Code Subscriber an opportunity to be heard and shall make a final determination.


Endnotes

Endnote 1—About the endnotes

The endnotes provide details of the history of this legislation and its provisions. The following endnotes are included in each compilation:

 

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Endnote 5—Uncommenced amendments

Endnote 6—Modifications

Endnote 7—Misdescribed amendments

Endnote 8—Miscellaneous

 

If there is no information under a particular endnote, the word “none” will appear in square brackets after the endnote heading.

 

Abbreviation key—Endnote 2

The abbreviation key in this endnote sets out abbreviations that may be used in the endnotes.

 

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

 

The legislation history in endnote 3 provides information about each law that has amended the compiled law. The information includes commencement information for amending laws and details of application, saving or transitional provisions that are not included in this compilation.

 

The amendment history in endnote 4 provides information about amendments at the provision level. It also includes information about any provisions that have expired or otherwise ceased to have effect in accordance with a provision of the compiled law.

 

Uncommenced amendments—Endnote 5

The effect of uncommenced amendments is not reflected in the text of the compiled law, but the text of the amendments is included in endnote 5.

 

Modifications—Endnote 6

If the compiled law is affected by a modification that is in force, details of the modification are included in endnote 6.

 

Misdescribed amendments—Endnote 7

An amendment is a misdescribed amendment if the effect of the amendment cannot be incorporated into the text of the compilation. Any misdescribed amendment is included in endnote 7.

 

Miscellaneous—Endnote 8

Endnote 8 includes any additional information that may be helpful for a reader of the compilation.

Endnote 2—Abbreviation key

 

ad = added or inserted
am = amended
c = clause(s)
Ch = Chapter(s)
def = definition(s)
Dict = Dictionary
disallowed = disallowed by Parliament
Div = Division(s)
exp = expired or ceased to have effect
hdg = heading(s)
LI = Legislative Instrument
LIA = Legislative Instruments Act 2003
mod = modified/modification
No = Number(s)
o = order(s)
Ord = Ordinance
orig = original
par = paragraph(s)/subparagraph(s)/sub-subparagraph(s)
pres = present
prev = previous
(prev) = previously
Pt = Part(s)
r = regulation(s)/rule(s)
Reg = Regulation/Regulations
reloc = relocated
renum = renumbered
rep = repealed
rs = repealed and substituted
s = section(s)
Sch = Schedule(s)
Sdiv = Subdivision(s)
SLI = Select Legislative Instrument
SR = Statutory Rules
Sub-Ch = Sub-Chapter(s)
SubPt = Subpart(s)

 

 

Endnote 3—Legislation history

 

| Title | FRLI registration | Commencement | Application, saving and transitional provisions |
| --- | --- | --- | --- |
| Market and Social Research Privacy Code | 23 Feb 2009 (see F2009B00228) | 1 Sept 2003 | |
| Approval to Vary the Market and Social Research Privacy Code | 29 June 2007 (see F2007L02061) | 30 June 2007 | |

 

Endnote 4—Amendment history

 

| Provision affected | How affected |
| --- | --- |
| Part A | |
| Part A | rs F2007L02061 |
| c 1–4 | rs F2007L02061 |
| c 5 | ad F2007L02061 |
| Part B | |
| Part B | rs F2007L02061 |
| c 1 | rs F2007L02061 |
| Part C | |
| Part C | rs F2007L02061 |
| c 1–5 | rs F2007L02061 |
| Part D | |
| Part D | rs F2007L02061 |
| c 1 | rs F2007L02061 |
| Part E | |
| Part E | rs F2007L02061 |
| c 1–10 | rs F2007L02061 |
| Part F | |
| Part F | rs F2007L02061 |
| c 1–3 | rs F2007L02061 |
| Part G | |
| Part G | rs F2007L02061 |
| c 1–7 | rs F2007L02061 |
| Part H | |
| Part H | rs F2007L02061 |
| c 1–2 | rs F2007L02061 |
| Part I | |
| Part I | rs F2007L02061 |
| c 1–23 | rs F2007L02061 |

 

Endnote 5—Uncommenced amendments

Endnote 6—Modifications

Endnote 7—Misdescribed amendments

Endnote 8—Miscellaneous


 



[1] At the time of approval, there are no laws to compel individuals to provide information for market or social research.  However, this principle would apply if such a situation arose.

[2] Where customer information is collected and retained for the primary purpose of contacting customers of an organisation in relation to products and/or services of that organisation, the secondary purpose of contacting those customers to invite them to participate in research on those or related products and/or services is considered both related to the primary purpose and reasonably expected by individuals.  For these purposes, the term “customer” encompasses related meanings such as “client”, “passenger”, “member” and so on and also refers to individuals who have at some time been, or might reasonably be expected to become, customers.

 

[3] There is evidence to suggest that many customers who do not wish to be contacted for direct marketing purposes may be willing to be contacted for genuine confidential market research.  Therefore, it is recommended that requests for consent to be contacted for research purposes be made separate from those for direct marketing.

 

[4] This includes situations in which the organisation has reason to believe that the request is trivial and being made for amusement’s sake; or is being made as a means of pursuing some unrelated grievance against the organisation; or is a repeated request for access to the same identified information; or is being made principally for the purpose of creating inconvenience.