Preamble
Researchers have professional and legal responsibilities to their respondents that are embodied in the procedures of a research study. Underlying these specific responsibilities are four fundamental ethical principles:
Respondents should be:
a. willing participants in survey research;
b. appropriately informed about the survey's intentions and how their personal information and survey responses will be used and protected;
c. sufficiently satisfied with their survey experience;
d. willing to participate again in survey research.
A. Confidentiality
1. Since individuals who are interviewed are the lifeblood of the Survey Research Industry, it is essential that Survey Research Organizations be responsible for protecting from disclosure to third parties--including Clients and members of the Public--the identity of individual Respondents as well as Respondent-identifiable information, unless the Respondent expressly requests or permits such disclosure.
2. This principle of confidentiality is qualified by the following exceptions:
a. A minimal amount of Respondent-identifiable information will be disclosed to the Client to permit the Client:
(1) to validate interviews and/or (2) to determine an additional fact of analytical importance to the study (including the practice of appending Client-owned database information to the Survey Research Organization's data file as an analytic aid). Where additional inquiry is indicated, Respondents must be given a sound reason for the re-inquiry; a refusal by Respondent to continue must be respected.
Before disclosing Respondent-identifiable information to a Client for purposes of interview validation or re-inquiry, the Survey Research Organization must take whatever steps are needed to ensure that the Client will conduct the validation or recontact in a fully professional manner. This includes the avoidance of multiple validation contacts or other conduct that would harass or could embarrass Respondents. It also includes avoidance of any use of the information (e.g., lead generation) for other than legitimate and ethical Survey Research purposes or to respond to Customer/Respondent complaints. Assurance that the Client will respect such limitations and maintain Respondent confidentiality should be confirmed in writing before any confidential information is disclosed.
Where Respondent-identifiable data is disclosed to clients so that the Survey Research Organization may analyze survey data in combination with other respondent-level data such as internal customer data, respondent-level data from another survey, etc., it is understood that the information will be used for model building, internal (Survey Research Organization) analysis, or the like and not for individual marketing efforts and that no action can be taken toward an individual respondent simply because of his or her participation in the survey. To assure Client compliance, the Survey Research Organization must obtain written confirmation from the Client before releasing any data. (A suggested CASRO® Client agreement clause is available.)
Further, with respect to such research uses as Database Segmentation and/or Modeling (see preceding paragraph), specific action(s) may not be taken toward an individual Respondent as a result of his/her survey information and participation beyond those actions taken toward the entire database population group the Respondent by chance has been selected to represent. In order for such specific action to be taken, the following two elements must be met:
The Respondent has first given his/her permission to do so, having been told the general purpose and limitations of such use; and
The research firm has obtained a written agreement from the Client assuring that no other use will be made of Respondent-identifiable information.
Predictive equations which integrate a segmentation scheme into a Client database may be applied so long as no action is taken toward an individual Respondent simply because of his or her participation in the survey. Respondents must be treated like all other individuals in the database according to the segment(s) to which they belong or have been assigned.
b. The identity of individual Respondents and Respondent-identifiable information may be disclosed to other Survey Research Organizations whenever such organizations are conducting different phases of a multi-stage study (e.g., a trend study). The initial Research Company should confirm in writing that Respondent confidentiality will be maintained in accordance with the Code.
c. In the case of research in which representatives of the Client or others are present, such Client representatives and others should be asked not to disclose to anyone not present the identity of individual Participants or other Participant-identifying information except as needed to respond, with the Participant's prior specific approval, to any complaint by one or more of the Participants concerning a product or service supplied by the Client.
3. The principle of Respondent confidentiality includes the following specific applications or safeguards:
a. Survey Research Organizations' staff or personnel should not use or discuss Respondent-identifiable data or information for other than legitimate internal research purposes.
b. The Survey Research Organization has the responsibility for insuring that Subcontractors (Interviewers, Interviewing Services and Validation, Coding, and Tabulation Organizations) and Consultants are aware of and agree to maintain and respect Respondent confidentiality whenever the identity of Respondents or Respondent-identifiable information is disclosed to such entities.
c. Before permitting Clients or others to have access to completed questionnaires in circumstances other than those described above, Respondent names and other Respondent-identifying information (e.g., telephone numbers) should be deleted.
d. Invisible identifiers on mail questionnaires that connect Respondent answers to particular Respondents should not be used. Visible identification numbers may be used but should be accompanied by an explanation that such identifiers are for control purposes only and that Respondent confidentiality will not be compromised.
e. Any Survey Research Organization that receives from a Client or other entity information that it knows or reasonably believes to be confidential, Respondent-identifiable information should only use such information in accordance with the principles and procedures described in this Code.
f. The use of survey results in a legal proceeding does not relieve the Survey Research Organization of its ethical obligation to maintain in confidence all Respondent-identifiable information or lessen the importance of Respondent anonymity. Consequently, Survey Research firms confronted with a subpoena or other legal process requesting the disclosure of Respondent-identifiable information should take all reasonable steps to oppose such requests, including informing the court or other decision-maker involved of the factors justifying confidentiality and Respondent anonymity and interposing all appropriate defenses to the request for disclosure.
B. Privacy and the Avoidance of Harassment
1. Survey Research Organizations have a responsibility to strike a proper balance between the needs for research in contemporary American life and the privacy of individuals who become the Respondents in the research. To achieve this balance:
a. Respondents will be protected from unnecessary and unwanted intrusions and/or any form of personal harassment.
b. The voluntary character of the Interviewer-Respondent contact should be stated explicitly where the Respondent might have reason to believe that cooperation is not voluntary.
2. This principle of privacy includes the following specific applications:
a. The Research Organization, Subcontractors and Interviewers shall make every reasonable effort to ensure that the Respondent understands the purpose of the Interviewer/Respondent contact.
(1) The Interviewer/Research Company representative must provide prompt and honest identification of his/her research firm affiliation.
(2) Respondent questions should be answered in a forthright and non-deceptive manner.
b. Deceptive practices and misrepresentation, such as using research as a guise for sales or solicitation purposes, are expressly prohibited.
c. Survey Research Organizations must respect the right of individuals to refuse to be interviewed or to terminate an interview in progress. Techniques that infringe on these rights should not be employed, but Survey Research Organizations may make reasonable efforts to obtain an interview including: (1) explaining the purpose of the research project; (2) providing a gift or monetary incentive adequate to elicit cooperation; and (3) re-contacting an individual at a different time if the individual is unwilling or unable to participate during the initial contact.
d. Research Organizations are responsible for arranging interviewing times that are convenient for respondents.
e. Lengthy interviews can be a burden. Research Organizations are responsible for weighing the research need against the length of the interview and Respondents must not be enticed into an interview by a misrepresentation of the length of the interview.
f. Research Organizations are responsible for developing techniques to minimize the discomfort or apprehension of Respondents and Interviewers when dealing with sensitive subject matter.
g. Electronic equipment (taping, recording, photographing) and one-way viewing rooms may be used only with the full knowledge of Respondents.
3. Internet Research
The unique characteristics of Internet research require specific notice that the principle of respondent privacy applies to this new technology and data collection methodology. The general principle of this section of the Code is that survey Research Organizations will not use unsolicited emails to recruit survey respondents or engage in surreptitious data collection methods. This section is organized into three parts: (A) email solicitations, (B) active agent technologies, and (C) panel/sample source considerations.
a. Email Solicitation
(1) Research Organizations are required to verify that individuals contacted for research by email have a reasonable expectation that they will receive email contact for research. Such agreement can be assumed when ALL of the following conditions exist:
a. A substantive pre-existing relationship exists between the individuals contacted and the Research Organization, the Client supplying email addresses, or the Internet Sample Providers supplying the email addresses (the latter being so identified in the email invitation);
b. Survey email invitees have a reasonable expectation, based on the pre-existing relationship where survey email invitees have specifically opted in for Internet research with the research company or Sample Provider, or in the case of Client-supplied lists that they may be contacted for research and invitees have not opted out of email communications;
c. Survey email invitations clearly communicate the name of the sample provider, the relationship of the individual to that provider, and clearly offer the choice to be removed from future email contact.
d. The email sample list excludes all individuals who have previously requested removal from future email contact in an appropriate and timely manner.
e. Participants in the email sample were not recruited via unsolicited email invitations.
(2) Research Organizations are prohibited from using any subterfuge in obtaining email addresses of potential respondents, such as collecting email addresses from public domains, using technologies or techniques to collect email addresses without individuals' awareness, and collecting email addresses under the guise of some other activity.
(3) Research Organizations are prohibited from using false or misleading return email addresses or any other false and misleading information when recruiting respondents. As stated later in this Code, Research Organizations must comply with all federal regulations that govern survey research activities. In addition, Research Organizations should use their best efforts to comply with other federal regulations that govern unsolicited email contacts, even though they do not apply to survey research.
(4) When receiving email lists from Clients or Sample Providers, Research Organizations are required to have the Client or Sample Provider verify that individuals listed have a reasonable expectation that they will receive email contact, as defined, in (1) above.
(5) The practice of "blind studies" (for sample sources where the sponsor of the study is not cited in the email solicitation) is permitted if disclosure is offered to the respondent during or after the interview. The respondent must also be offered the opportunity to "opt-out" for future research use of the sample source that was used for the email solicitation.
(6) Information about the CASRO Code of Standards and Ethics for Survey Research should be made available to respondents.
b. Active Agent Technology
(1) Active agent technology is defined as any software or hardware device that captures the behavioral data about data subjects in a background mode, typically running concurrently with other activities. This category includes tracking software that allows Research Organizations to capture a wide array of information about data subjects as they browse the Internet. Such technology needs to be carefully managed by the research industry via the application of research best practices.
Active agent technology also includes direct to desktop software downloaded to a user's computer that is used solely for the purpose of alerting potential survey respondents, downloading survey content or asking survey questions. A direct to desktop tool does not track data subjects as they browse the Internet and all data collected is provided directly from user input.
Data collection typically requires an application to download onto the subjects' desktop, laptop or PDA (including personal wireless devices). Once downloaded, tracking software has the capability of capturing the data subject's actual experiences when using the Internet such as Web page hits, web pages visited, online transactions completed, online forms completed, advertising click-through rates or impressions, and online purchases.
Beyond the collection of information about a user's Internet experience, the software has the ability to capture information from the data subject's email and other documents stored on a computer device such as a hard disk. Some of this technology has been labeled "spyware," especially because the download or installation occurs without the data subject's full knowledge and specific consent. The use of spyware by a member of CASRO is strictly prohibited.
A cookie (defined as a small amount of data that is sent to a computer's browser from a web server and stored on the computer's hard drive) is not an active agent. The use of cookies is permitted if a description of the data collected and its use is fully disclosed in a Research Organization's privacy policy.
(2) Following is a list of unacceptable practices that Research Organizations should strictly forbid or prevent. A Research Organization is considered to be using spyware when it fails to adopt all of the practices set forth in Section 3 below or engages in any of the following practices:
a. Downloading software without obtaining the data subject's informed consent.
b. Downloading software without providing full notice and disclosure about the types of information that will be collected about the data subject, and how this information may be used. This notice needs to be conspicuous and clearly written.
c. Collecting information that identifies the data subject without obtaining affirmed consent.
d. Using keystroke loggers without obtaining the data subject's affirmed consent.
e. Installing software that modifies the data subject's computer settings beyond that which is necessary to conduct research providing that the software doesn't make other installed software behave erratically or in unexpected ways.
f. Installing software that turns off anti-spyware, anti-virus, or anti-spam software.
g. Installing software that seizes control or hijacks the data subject's computer.
h. Failing to make commercially reasonable efforts to ensure that the software does not cause any conflicts with major operating systems and does not cause other installed software to behave erratically or in unexpected ways.
i. Installing software that is hidden within other software that may be downloaded.
j. Installing software that is difficult to uninstall.
k. Installing software that delivers advertising content, with the exception of software for the purpose of ad testing.
l. Installing upgrades to software without notifying users.
m. Changing the nature of the active agent program without notifying the user.
n. Failing to notify the user of privacy practice changes relating to upgrades to the software.
(3) Following are practices Research Organizations that deploy active agent technologies should adopt. Research Organizations that adopt these practices and do not engage in any of the practices set forth in Section 2 above will not be considered users of spyware.
a. Transparency to the data subject is critical. Research companies must disclose information about active agents and other software in a timely and open manner with each data subject. This communication must provide details on how the Research Organization uses and shares the data subject's information.
i. Only after receiving an affirmed consent or permission from the data subject or parent's permission for children under the age of 18, should any research software be downloaded onto the individual's computer or PDA.
ii. Clearly communicate to the data subject the types of data, if any, that are being collected and stored by an active agent technology.
iii. Disclosure is also needed to allow the data subject to easily uninstall research software without prejudice or harm to them or their computer systems.
iv. Personal information about the subject should not be used for secondary purposes or shared with third parties without the data subject's consent.
v. Research Organizations are obligated to ensure that participation is a conscious and voluntary activity. Accordingly, incentives must never be used to hide or obfuscate the acceptance of active agent technologies.
vi. Research Organizations that deploy active agent technologies should have a method to receive queries from end-users who have questions or concerns. A redress process is essential for companies if they want to gauge audience reaction to participation on the network.
vii. On a routine and ongoing basis, consistent with the stated policies of the Research Organization, data subjects who participate in the research network should receive clear periodic notification that they are actively recorded as participants, so as to insure that their participation is voluntary. This notice should provide a clearly defined method to uninstall the Research Organization's tracking software without causing harm to the data subject.
b. Stewardship of the data subject is critical. Research companies must take steps to protect information collected from data subjects.
i. Personal or sensitive data (as described in the Personal Data Classification Appendix) should not be collected. If collection is unavoidable, the data should be destroyed immediately. If destruction is not immediately possible, it: (a) should receive the highest level of data security and (b) should not be accessed or used for any purpose.
ii. Research Organizations have an obligation to establish safeguards that minimize the risk of data security and privacy threats to the data subject.
iii. It is important for Research Organizations to understand the impact of their technology on end-users, especially when their software downloads in a bundle with other comparable software products.
iv. Stewardship also requires the Research Organization to make commercially reasonable efforts to ensure that these "free" products are also safe, secure and do not cause undue privacy or data security risks.
v. Stewardship also requires a Research Organization that deploys active agent technologies to be proactive in managing its distribution of the software. Accordingly, companies must vigorously monitor their distribution channel and look for signs that suggest unusual events such as high churn rates.
vi. If unethical practices are revealed, responsible research companies should strictly terminate all future dealings with this distribution partner.
c. Panel/Sample Source Considerations
The following applies to all Research Organizations that utilize the Internet and related technologies to conduct research.
(1) The Research Organization must:
a. Disclose to panel members that they are part of a panel.
b. Obtain the panelist's permission to collect and store information about the panelist.
c. Collect and keep appropriate records of panel member recruitment, including the source through which the panel member was recruited.
d. Collect and maintain records of panel member activity.
(2) Upon Client request, the Research Organization must disclose:
a. Panel composition information (including panel size, populations covered, and the definition of an active panelist).
b. Panel recruitment practice information.
c. Panel member activity.
d. Panel incentive plans.
e. Panel validation practices.
f. Panel quality practices.
g. Aggregate panel and study sample information (this information could include response rate information, panelist participation in other research by type and timeframe, see Responsibilities in Reporting to Clients and the Public).
h. Study related information such as email invitation(s), screener wording, dates of email invitations and reminders, and dates of fieldwork.
(3) Stewardship of the data collected from panelists is critical:
a. Panels must be managed in accordance with applicable data protection laws and regulations.
b. Personal or sensitive data should be collected and treated as specified in the Personal Data Classification Appendix.
c. Upon panelist request, the panelist must be informed about all personal data (relating to the panelist that is provided by the panelist, collected by an active agent, or otherwise obtained by an acceptable method specified in a Research Organization's privacy policy) maintained by the Research Organization. Any personal data that is indicated by the panel member as not correct or obsolete must be corrected or deleted as soon as practicable.
(4) Panel members must be given a straightforward method for being removed from the panel if they choose. A request for removal must be completed as soon as practicable and the panelist must not be selected for future research studies.
(5) A privacy policy relating to use of data collected from or relating to the panel member must be in place and posted online. The privacy policy must be easy to find and use and must be regularly communicated to panelists. Any changes to the privacy policy must be communicated to panelists as soon as possible.
(6) Research Organizations should take steps to limit the number of survey invitations sent to targeted respondents by email solicitations or other methods over the Internet so as to avoid harassment and response bias caused by the repeated recruitment and participation by a given pool (or panel) of data subjects.
(7) Research Organizations should carefully select sample sources that appropriately fit research objectives and Client requirements. All sample sources must satisfy the requirement that survey participants have either opted-in for research or have a reasonable expectation that they will be contacted for research.
(8) Research Organizations should manage panels to achieve the highest possible research quality. This includes managing panel churn and promptly removing inactive panelists.
(9) Research Organizations must maintain survey identities and email domains that are used exclusively for research activities.
(10) If a Research Organization uses a sample source (including a panel owned by the Research Organization or a subcontractor) that is used for both survey research and direct marketing activities, the Research Organization has an obligation to disclose the nature of the marketing campaigns conducted with that sample source to Clients so that they can assess the potential for bias.
(11) All data collected on behalf of a Client must be kept confidential and not shared or used on behalf of another Client (see also Responsibilities to Clients).
4. Privacy Laws and Regulations
a. Research Organizations must comply with existing state, federal, and international statutes and regulations governing privacy, data security, and the disclosure, receipt and use of personally-identifiable information (collectively "Privacy Laws"). Some of the Privacy Laws affecting Survey Research are limited to specific industries (e.g., financial and health care industries), respondent source (e.g., children), and/or international venues.
b. In instances in which privacy laws apply to Survey Research operations for specific industries or respondent source, Research Organizations will:
(1) Always enter into a confidentiality or "chain of trust" agreement when receiving and using legally-protected, personally-identifiable information from a source other than the data subject, insuring that the Research Organization will protect the information and only use it for the purposes specified in the agreement;
(2) Always require subcontractors and other third parties to whom they disclose personally-identifiable information to enter into confidentiality or "chain of trust" agreements that require such party(ies) to provide the same level of security and limitations of use and disclosure as the Research Organization;
(3) Always store or maintain personally-identifiable information in a verifiably secure location;
(4) Always control and limit accessibility to personally-identifiable information;
(5) Always use reasonable efforts to destroy personally-identifiable information once the survey is complete and validation has been conducted, unless the personally-identifiable information relates to Respondents in panels, to ongoing studies, or for some other critical research reason, or the research Client is legally or contractually obligated to require its service providers to maintain such information for a certain period of time and contractually imposes this requirement on the Research Organization;
(6) Never knowingly receive, use or disclose personally-identifiable information in a way that will cause the Research Organization or another party to violate any Privacy Law or agreement.
c. In order to conduct international research that requires either transmitting or receiving personally-identifiable information of Respondents, Research Organizations must comply in all material respects with international privacy laws and regulations, by, in the case of data transfers with a person or entity in the European Union, either (i) certifying their compliance with the privacy provisions described in the United States Safe Harbor Principles of the European Union Directive on Data Protection or (ii) satisfying an alternative method of complying in all material respects with the Directive. The EU Safe Harbor privacy principles are contained in the CASRO Model Privacy Policy and are as follows:
(1) Notice: A description of what information is collected, how it is collected, its purpose, and its disclosure to third parties.
(2) Choice: A statement of and procedures for allowing individuals to choose not to participate in the research and/or to have their personal information used or disclosed to a third party.
(3) Onward Transfer: A statement that personal information will be transferred only to third parties who are also in compliance with the Safe Harbor Principles.
(4) Access: Procedures to provide individuals with access to their personal information in order to correct, amend, or delete that information where it is inaccurate.
(5) Security: A description of the reasonable precautions taken to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
(6) Data Integrity: A statement that information will be used consistent with the purpose for which it was collected.
(7) Enforcement: A description of internal and external mechanisms for assuring compliance, and addressing and resolving disputes and complaints.
d. Research Organizations will, to the extent required by law or as necessary to fully and completely comply with the principles set forth in the section of this Code entitled Responsibilities to Respondents, adopt effective and comprehensive legal and operational policies, such as those set forth in CASRO's Privacy Protection Program, which will be updated as necessary to conform with additions to and changes in Privacy Laws.