The MRS launched a fully revised Code of Conduct on 1
October 2019, and it comes into force from 1 January 2020. The new Code has
been consulted on with members, research professionals and employers.
This article sets out how the changes to the Code might affect you.
What are the main changes to the MRS Code of Conduct?
Alignment with the Data Protection Act 2018 and the EU GDPR
The new Code of Conduct has several clauses that ensure alignment with the DPA/ GDPR, particularly around consent, transparency and lawful purposes. These are further discussed below.
Expanded scope
The MRS has expanded the scope of the Code to cover all professional activities by its members and company partners – not just activities that would traditionally be recognised as market research. This is in recognition of the fact that MRS members now do so much more, both in term of how data are collected and how they are analysed.
Article 3 states that “Members
must ensure that all of their professional activities, whatever the purpose,
are conducted in a transparent manner and that their activities promote
compliance with privacy ethics and data protection rules.”
There is particular mention of direct marketing activities,
which includes offering client goods or services as incentives.
The Code goes on to explain that sugging, frugging, plugging
and mugging are forbidden.
Mystery shopping
Rather curiously, in expanding the scope of the Code it has
completely abolished one category: mystery shopping. Mystery shopping has only
a passing mention in the new Code; for non-binding guidelines you will have to
look at the MRS website under MRS
Guidance (Research in Practice).
Consent and transparency
Another curious thing is that the first principle from the
2014 version has disappeared:
MRS Members shall … ensure that participation in their activities is based on voluntary informed consent.
Given the emphasis on consent in the Data Protection Act
2018 and the GDPR in particular, this seems odd.
There are, however, many references to consent and
transparency in the body of the Code.
Alignment with the DPA includes a tightening up of the rules
around the information to be provided to participants. Article 31 of the Code states
that “If consent is the legal basis for
the data collection, Members must ensure that participants are provided with
appropriate information to allow informed consent to be given, at the point that they agree to participate.”
[my bold]
This includes the source of the sample if it was the client.
But this contradicts Article 15 which states that the source of personal data
must be revealed at an appropriate point
in the data collection. In the 2014 version, this was further qualified by
adding “if requested by participants” – now it is mandatory at all times.
The same applies to the likely length of the interview,
which must now be revealed without first being requested.
Additional items to be provided “at the point that they
agree to participate” are: the type of data to be collected (including sensitive
data); the use of automated decision making (this applies mainly to situations
where a decision to approve an application is based on profiling or other data
rather than a human intervention. Remember – the Code now covers all
activities, not just market research); transfer of data abroad; retention periods;
and the right to complain.
It will be extremely difficult to convey all this in the
intro of a CATI survey, say, or an SMS survey invite! Although it is not
mentioned in the Code, we have confirmed with Codeline that it is permissible
to convey this information by reference to a Privacy Statement on the company’s
website.
The Code has explicit clauses for handling data for
secondary purposes and ensuring that there is a lawful basis for this.
And an easy-to-overlook change regarding panel ownership:
Article 53 states that “Data controllers
may change data processors without the consent of data subjects, e.g. the owner
of a panel may change platform providers without seeking the agreement of panel
members, although the panel members must
be notified.” [changed wording is in bold]
Data Protection Impact Assessments
The Code now stipulates that “Members must carry out [a] Data Protection Impact Assessment (DPIA) for
specified types of processing prescribed by data and privacy legislation and
for any other processing that is likely to result in a high risk to
participants.”
The ICO has a full guide
to DPIAs, including a template. Although it may seem like an onerous
requirement, it can be a useful exercise to make you think about how much data
is being sent by a client, how it is being used, and how it is conveyed back to
the client.
Children and
vulnerable people
The new Code has clear information about how to approach and
include children and vulnerable people.
In summary
The new MRS Code of Conduct reflects the reality that the
industry as a whole is about much more than just market research interviews –
so the Code is much more relaxed than it used to be about companies doing other
stuff.
But with this comes more responsibility for transparency. The only way primary data collection can survive is to ensure that (potential) participants trust that we will handle their data ethically and safely. The Code seeks to ensure that this is the case.