The MRS launched a fully revised Code of Conduct on 1 October 2019, and it comes into force from 1 January 2020. The new Code has been consulted on with members, research professionals and employers.
This article sets out how the changes to the Code might affect you.
What are the main changes to the MRS Code of Conduct?
Alignment with the Data Protection Act 2018 and the EU GDPR
The new Code of Conduct has several clauses that ensure alignment with the DPA/ GDPR, particularly around consent, transparency and lawful purposes. These are further discussed below.
The MRS has expanded the scope of the Code to cover all professional activities by its members and company partners – not just activities that would traditionally be recognised as market research. This is in recognition of the fact that MRS members now do so much more, both in term of how data are collected and how they are analysed.
Article 3 states that “Members must ensure that all of their professional activities, whatever the purpose, are conducted in a transparent manner and that their activities promote compliance with privacy ethics and data protection rules.”
There is particular mention of direct marketing activities, which includes offering client goods or services as incentives.
The Code goes on to explain that sugging, frugging, plugging and mugging are forbidden.
Rather curiously, in expanding the scope of the Code it has completely abolished one category: mystery shopping. Mystery shopping has only a passing mention in the new Code; for non-binding guidelines you will have to look at the MRS website under MRS Guidance (Research in Practice).
Consent and transparency
Another curious thing is that the first principle from the 2014 version has disappeared:
MRS Members shall … ensure that participation in their activities is based on voluntary informed consent.
Given the emphasis on consent in the Data Protection Act 2018 and the GDPR in particular, this seems odd.
There are, however, many references to consent and transparency in the body of the Code.
Alignment with the DPA includes a tightening up of the rules around the information to be provided to participants. Article 31 of the Code states that “If consent is the legal basis for the data collection, Members must ensure that participants are provided with appropriate information to allow informed consent to be given, at the point that they agree to participate.”
This includes the source of the sample if it was the client. But this contradicts Article 15 which states that the source of personal data must be revealed at an appropriate point in the data collection. In the 2014 version, this was further qualified by adding “if requested by participants” – now it is mandatory at all times.
The same applies to the likely length of the interview, which must now be revealed without first being requested.
Additional items to be provided “at the point that they agree to participate” are: the type of data to be collected (including sensitive data); the use of automated decision making (this applies mainly to situations where a decision to approve an application is based on profiling or other data rather than a human intervention. Remember – the Code now covers all activities, not just market research); transfer of data abroad; retention periods; and the right to complain.
It will be extremely difficult to convey all this in the intro of a CATI survey, say, or an SMS survey invite! Although it is not mentioned in the Code, we have confirmed with Codeline that it is permissible to convey this information by reference to a Privacy Statement on the company’s website.
The Code has explicit clauses for handling data for secondary purposes and ensuring that there is a lawful basis for this.
And an easy-to-overlook change regarding panel ownership: Article 53 states that “Data controllers may change data processors without the consent of data subjects, e.g. the owner of a panel may change platform providers without seeking the agreement of panel members, although the panel members must be notified.” [changed wording is in bold]
Data Protection Impact Assessments
The Code now stipulates that “Members must carry out [a] Data Protection Impact Assessment (DPIA) for specified types of processing prescribed by data and privacy legislation and for any other processing that is likely to result in a high risk to participants.”
The ICO has a full guide to DPIAs, including a template. Although it may seem like an onerous requirement, it can be a useful exercise to make you think about how much data is being sent by a client, how it is being used, and how it is conveyed back to the client.
Children and vulnerable people
The new Code has clear information about how to approach and include children and vulnerable people.
The new MRS Code of Conduct reflects the reality that the industry as a whole is about much more than just market research interviews – so the Code is much more relaxed than it used to be about companies doing other stuff.
But with this comes more responsibility for transparency. The only way primary data collection can survive is to ensure that (potential) participants trust that we will handle their data ethically and safely. The Code seeks to ensure that this is the case.