Privacy Policy & SoA - Tebbutt Research

Privacy Policy

Tebbutt Research Confidentiality
Confidentiality at Tebbutt Research is considered in the context of data, products, and other information collected and used for the purposes of research.

Privacy at Tebbutt Research is considered in the context of personally identifiable information (PII) that could potentially identify a specific individual.

Tebbutt Research understands the needs and expectations of our research clients, participants, and anyone else who provides information in the form of documents or products, regardless of format or media, and undertakes to treat this information confidentially and secure from misuse.

Where information provided is of a personally identifiable nature, additional processes shall be initiated in accordance with legal and industry standards.

Legal and Industry considerations

The Research Society Code of Professional Behaviour

The Research Society fact sheet – MSR and the Privacy Act 1988 and Australian Privacy Principles

ISO 20252: 2019 Clause 4.3 Information Security

The ESOMAR Code of Conduct

General Data Protection Regulation (GDPR) policy

General confidentiality and privacy controls

Assets including buildings and infrastructure, hardware and software, fixed and mobile devices are subject to protective protocols due to the risks associated with data storage.

Unattended electronic assets whether fixed or mobile are secured by the user and monitored centrally by a designated IT officer. Access controls of devices and software platforms are restricted to designated personnel as administrators. Individual users do not have access to modify critical system settings.

Secure areas in the building where sensitive documents, products or data are stored are subject to lockable restraints.

Operations security protection protocols are in place to:

ensure hardware and software is protected from cyber-attack, malware, and unrestricted use,

restrict access to equipment on a user-need basis,

ensure cyber security protocols are maintained,

operational data is protected via backup from loss of data, and

operational data is monitored via logs and audits or other monitoring to track technical integrity and risk.

Information handling and transfer
Information transfer responsibilities, authorisations and protocols are assigned to a senior project manager taking into account client specific requests, legal requirements and local issues related to security of project information on transfer. This applies to all external parties including clients, participants, and outsourced providers/vendors.

Your Personal Information
In general, the type of personal and sensitive information Tebbutt Research collects and holds includes (but is not limited to): contact details, e.g., name, month, year of birth, location, telephone number, email address, occupation and other details provided by you relating to your family composition, product or service usage as well as a record of your participation in market research activities organised by us. Other details relating to individuals’ profiles may include behaviours, attitudes, and opinions.

How we use your personal information
Tebbutt Research uses and discloses your personal information for the primary purpose for which it is collected, for reasonably expected secondary purposes which are related to the primary purpose and in other circumstances authorised by the Privacy Act, the GDPR and legislation relevant to your country of residence.

In general, we may use and disclose your personal information for the following purposes:

to extend invitations to participate in market research;

for quality control or validation of research participants;

to provide our research clients with profiling information about participants recruited to their study;

to monitor participation rates;

to contact past participants to conduct further, follow-up research;

to comply with our legal obligations; and

to help us manage and enhance our services.

Apart from the above circumstances, your personal information will not be disclosed without your consent unless legally obliged to do so.

Personal information about research respondents will only be used in compliance with the Privacy Act, the GDPR, and legislation relevant to your country of residence.

When we disclose your personal information
With your permission, we may disclose your personal information to:

other companies or individuals who assist us in providing services or who perform functions on our behalf and organisations that carry out activities essential to our research activities, including for quality control activities, data entry, data processing, conduct of interviewing, contacting people to ask them to participate in research exercises, or

anyone else to whom you authorise us to disclose it, usually our client.

Unless required or authorised by law, the identity of research respondents will not be disclosed to anyone not directly involved with the research project or to (end) clients requesting the research or used for any non-research purpose without the individual’s consent.

Sending information overseas
Data including your personal information is typically collected in your country of residence and may be transferred to our data processing centre in Australia, and our operations centres in Fiji, Papua New Guinea, and Solomon Islands.

All personal information crossing international borders is done so in compliance with the GDPR, including the requirement for data to be encrypted in transit.

Sensitive information
Some personal information which we collect is classified as sensitive information. Sensitive information includes information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences and criminal record, that is also personal information, and health information about an individual.

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or where certain other limited circumstances apply, for example, where required by law.

Management of personal information
The APPs and GDPR require us to take reasonable steps to protect the security of personal information. Tebbutt Research staff are required to respect the confidentiality of personal information and the privacy of individuals.

Tebbutt Research takes a range of technical, administrative, and physical security steps to protect personal information held from misuse, loss and from unauthorized access, modification, or disclosure, for example by use of physical security and restricted access to electronic records.

Where we no longer require your personal information for a permitted purpose, we will take reasonable steps to de-identify or destroy it.

How we keep personal information accurate and up to date
Tebbutt Research takes reasonable steps to make sure that the personal information it holds is accurate, complete and up to date. Our contact details are set out below.

The Tebbutt Research website
When visiting our website, the site server makes a record of the visit and logs the following information for statistical and administrative purposes:

the user’s server address – to consider the users who use the site regularly and tailor the site to their interests and requirements;

the date and time of the visit to the site – this is important for identifying the website’s busy times and ensuring maintenance on the site is conducted outside these periods;

pages accessed and documents downloaded – this indicates to Tebbutt Research which pages or documents are most important to users and also helps identify important information that may be difficult to find;

duration of the visit – this indicates to us how interesting and informative Tebbutt Research site is to visitors;

the type of browser used – this is important for browser specific coding.

A cookie is a piece of information that an Internet web site sends to your browser when you access information at that site. Cookies are either stored in memory (session cookies) or placed on your hard disk (persistent cookies). The Tebbutt Research website does not use persistent cookies. Upon closing your browser, the session cookie set by this web site is destroyed and no Personal Information is maintained which might identify you should you visit our web site at a later date.

Retention and destruction of Personal Information
Tebbutt Research will destroy or de-identify your personal information as soon as practicable once it is longer needed for the purpose for which it was collected. However, we may be required by law to retain your Personal Information after your relationship with us has expired. In this case your Personal Information will continue to be protected in accordance with this Policy. If we destroy Personal Information, we will do so by taking reasonable steps and using up-to-date techniques and processes.

Questions, issues, and complaints
Where we hold information that you are entitled to access, we will endeavour to provide you with a suitable range of choices as to how access is provided (e.g., through direct login to your profile or by emailing it to you).

If you have any questions about this Privacy Policy or believe that we have at any time failed to keep one of our commitments to you to handle your personal information in the manner required by the Privacy Act, then we ask that you contact us immediately using the following contact details:

Email our data privacy officer: dpo@tebbuttresearch.com

Telephone our head office in Australia: +61 7 55532 4666

We will respond and advise whether we agree with your complaint or not. If we do not agree, we will provide reasons. If we do agree, we will advise what action we consider is appropriate to take in response. If you are still not satisfied after having contacted us and given us a reasonable time to respond, then we suggest that you contact the Office of the Australian Information Commissioner on Email: enquiries@oaic.gov.au

Statement of Applicability SoA

Tebbutt Research Pty Ltd is a market, opinion and social research organisation that provides qualitative and quantitative research services throughout the south Pacific. The Tebbutt Research ISO 20252: 2019 Market, opinion and social research system delivers the provision of research services to telecommunications, finance, media, FMCG, government, tourism, social and public companies and organisations throughout the south Pacific, including Fiji, PNG, Solomon Islands, New Caledonia, Vanuatu, Tonga, Samoa, Kiribati, Niue, French Polynesia, Cook Islands, Guam, Palau, Marshall Island, FSM, Tuvalu, American Samoa, Australia and New Zealand.

Tebbutt Research includes the following scope of services certified to ISO 20252: 2019 in accordance the summary Annex Table below, and in accordance with the detailed Statement of Applicability found: ISO 20252 Tebbutt Research Statement of Applicability Detailed, including a description of the core framework, which is mandatorily attested to.

Tebbutt Research Statement of Applicability (Summary)

ANNEX	ATTESTED	EXCLUDED	REASONS FOR EXCLUSION
Annex A Sampling methodologies including panel management We offer sampling and recruitment services including: – Probability sampling – Non-probability samples – Panel services (not currently active)	YES
Annex B Fieldwork methodologies Our core business is fieldwork methodologies. We offer fieldwork services including: – Qualitative research, such as focus group discussions, depth interviews and ethnographic interview – Quantitative research conducted via CATI, CAPI or online, such as customer satisfaction surveys, employee satisfaction surveys, program and policy evaluation, opinion polling, advertising development and evaluation, brand development, concept and product testing, sensory evaluation, segmentation studies, usage and attitudinal studies, shopper studies, and television, radio and media ratings We offer a range of services associated with fieldwork including: – Project management – Fieldwork management – Questionnaire/research material development – Scripting – Translation – Transcription – Field reporting	YES
Annex C Physical observation methodologies We offer some limited physical observation methodologies such as: – Observational research, such as mystery shopping and audits and counts		YES	Although we do occasionally conduct physical observation methods, it is a rare fieldwork activity and thus not attested to in this statement of applicability.
Annex D Digital observation methodologies N/A		YES	We currently do not offer digital methodologies collected passively as part of our research services suite, and thus, this is not attested to in this statement of applicability
Annex E Self complete methodologies We offer self-complete methodologies including: – Online surveys (employee surveys, B2B surveys) – Interviewer assisted CAPI self-complete	YES
Annex F Data management and processing We offer a range of data management and processing services including: – Data analysis, including tables, weighting – Data delivery – File conversion – Reporting – Presentations, both electronic and in person	YES

Authorised by: Caz Tebbutt OAM, Managing Director – 2024-03-21