Report Issue

• All Individuals, including children, young people and other vulnerable individuals, who are approached to participate as data subjects in research - have the right to decline participation. This includes subjects of secondary data collection where feasible.
• Regardless of whether personal data is gathered directly or indirectly for quantitative or qualitative research, researchers must ensure that participation does not result in harm.
• Essential personal data may be disclosed to emergency services in exceptional life - threatening or abusive situations, as defined by local law.
• Researchers must remain mindful that research depends on public confidence in both its integrity and the confidential treatment of provided information. Therefore, researchers must diligently maintain a clear distinction between research and non-research activities.
• Data subjects must be informed of any non-research activity - for example promotional, commercial or customer experience follow-up - before data collection begins. Separate consent must be obtained for non-research purposes. Such applications must be clearly distinguished from the research activities.

• Consent from a parent, legal guardian or responsible adult must be obtained whenever children are involved as data subjects, and also whenever such consent is required under applicable law. Researchers must determine the data subject's age and obtain consent before collecting any additional personal data from children. The nature and extent of the information to be collected must also be presented at this time, together with clear means to provide consent.
• Researchers must exercise special care when considering the involvement of children and young people in research. The content and nature of the research must be appropriate for their age, maturity level, and varying cognitive abilities. Throughout the research process, researchers must remain attentive to any susceptibilities that a child or vulnerable individual may have or exhibit.
• Personal data must only be disclosed by researchers to third parties after obtaining consent from a parent, legal guardian or responsible adult or where disclosure is authorised by law.
• When working with vulnerable individuals, researchers must ensure they are capable of making informed decisions and are not unduly pressured to cooperate with a research request.

• When collecting personal data directly from a data subject for the purpose of research:
  • Researchers - regardless of whether representing an organisation, company or as an independent practitioner - must identify themselves promptly, and data subjects must be able to verify the identity of the researcher without difficulty. The data subject must also be able to contact the researcher or their organisation quickly and easily with any concerns or questions they may have about the research.
  • The use of a synthetic persona for data collection must be clearly notified to the data subject at the beginning of the research.
  • Researchers must ensure that participation is voluntary and based on clear and accurate information about the general purpose and nature of the research. Such information must be provided at the beginning of the research. If this is not possible due to methodology, data subjects must be informed at the earliest opportunity.
  • Researchers must inform data subjects if any activity will involve re-contact and seek the data subjects’ agreement to such re-contact. The only exceptions are re-contact for quality control purposes, the reporting of adverse events such as those encountered in medical research, or if required by law.
  • Researchers must provide a clear statement as to how long, and for what purpose, personal data will be retained.
• When collecting data indirectly/passively from a data subject:
  • Data collection must be based on the consent of the data subject and meet all the conditions (a) i-v above.
  • Where it is not possible to obtain consent, researchers must have legally permissible grounds to collect the data, and they must remove or obscure any identifying characteristics as soon as operationally possible.
• Researchers must allow data subjects to withdraw from the research at any time. Upon withdrawal, all personal data collected must be deleted - provided this is technically and operationally feasible and does not compromise the integrity of previously collected or analysed research results.
• Data subjects must have access to amend their personal data where technically and operationally feasible and where this does not comprise the integrity of the research results.

When using secondary data that includes personal data, researchers must ensure that:

• The intended use aligns with the purpose and quality for which the data was originally collected and that there are clear grounds for its re-use for any additional data collection or processing.
• The intended use was not specifically excluded at the time of original collection, nor does it violate any contractual restrictions, copyright or intellectual property rights.
• The use of the data will not result in direct harm to data subjects, and there are measures in place to prevent such harm.
• Any requests from individual data subjects that their data not be used for other purposes are upheld.

• Researchers and subcontractors must not share or transfer a data subject’s personal data to a client unless the data subject has consented to the specific purpose for which the data will be used and agreed to such transfer.
• Researchers must provide a privacy notice that is clear, not misleading and readily accessible to data subjects. If tracking tools are used, notice of this must also be given before any data is collected from the data subject.
• Researchers must take steps to ensure that personal data including a person’s inferred identity is not traceable via deductive disclosure even when advanced analytic techniques or AI are used. Such techniques may involve cross-analysis, small samples, other forms of inference or combining with additional data such as a client’s records, secondary or publicly available data sets.
• Researchers must take all reasonable precautions to ensure that personal data is held securely. It must be protected against risks such as loss, unauthorised access such as cyberattacks or hacking, destruction, misuse, manipulation, modification, disclosure or any other act that could compromise data.
• Personal data is to be held no longer than necessary and only for the initial purpose for which it was collected or used. After this, the data must be anonymised or deleted.
• Before transferring personal data to clients, subcontractors, or other third-party service providers, researchers must ensure that such recipients maintain at least equivalent security measures, and comply with all applicable data protection and data breach laws.
• Researchers must take particular care to ensure that the data protection rights of data subjects whose personal data is transferred from one jurisdiction to another are maintained. Such transfers must not be made without the consent of the data subject and meet all conditions noted in Article 4 (a) i-v. In addition, researchers must take all reasonable steps to ensure that the security measures and data protection principles of this Code are complied with by all parties.
• In the event of a data breach involving personal data, researchers have a duty of care to the data subjects involved. Those data subjects, along with any relevant authorities, must be informed of the breach as required by applicable laws.

• Researchers must design research that is fit for purpose, and meets the requirements and quality agreed with the client. If this is not considered to be the case, the client must be informed and the issues resolved.
• Researchers must carefully design research that is appropriate for the population in question and reflect the intended target group as accurately as possible. They must also be transparent about any limitations — such as potential gaps in data sources or population representation — that may affect how well the research reflects the defined target group.
• Researchers must provide clients with sufficient technical information, including method, sources of data, quality controls, analysis used and possible limitations about the research to enable them to assess the validity of the results and any insights and conclusions drawn.
• Researchers must ensure that findings, results and any interpretation of them are clearly and adequately supported by data. They must also clearly distinguish between the findings, the researchers’ interpretation of those findings, and any insights and conclusions drawn or recommendations made.
• The client must be informed when AI or other emerging technologies are to be used in the compilation of datasets, analysis, reporting or interpretation of findings. This includes the use of synthetic data and synthetic personas. In such situations, the extent of human oversight must be stated.
• Researchers must ensure that any research data, or collateral materials, whether from surveys or client-related sources, remain confidential when utilised by AI or emerging technologies. Access to such materials must be strictly limited to a secure and controlled environment.
• Upon request, researchers must allow clients to arrange for independent checks on the quality of data collection and data preparation, subject to appropriate confidentiality agreements.

• Researchers must identify and be transparent about any known, potential or suspected biases in the research that may have an impact on the collection, curation, processing, analysis or interpretation of the data and the findings.
• Researchers must comply with any intellectual property (IP) restrictions, such as copyright, or privacy requirements associated with the re-use or application of the data.
• Upon request, researchers must declare the use of subcontractors.
• All parties must work in good faith to resolve disputes, whether they involve researchers, clients, subcontractors or data subjects.
• Researchers must keep all communications with the client and all research results confidential, unless otherwise agreed with the client.

When publishing findings:

• Researchers and clients must ensure that the public has access to sufficient information, including data source, sampling, and methodology, to assess the validity of the conclusions. This must be in a form that is easily understandable by the general public.
• Upon a reasonable request, researchers must make sufficient technical information and clear documentation available in a timely manner to validate any published findings. Researchers and clients must disclose whether AI, synthetic data, or other emerging techniques and/or technologies played a significant role in sampling, deployment, analysis, or interpretation of the data, and to what extent human oversight was involved.
• Researchers must not disseminate research or conclusions, nor allow their names or that of their organisation to be associated with such dissemination, unless these are adequately supported by the data.
• Researchers must ensure that they are consulted on the form and content of any publication of the research findings by the client. Both the client and the researcher have a responsibility to ensure that published results are not misleading and that there is no undue selectivity of the findings.
• If research involves the publication of a data subject’s identity or personal data, researchers must clearly inform the data subject in advance about which data will be published and obtain their consent beforehand.

• Researchers must be honest, transparent, truthful, and objective. They must ensure that the data or information gathering, processing, and analysis are conducted in accordance with appropriate scientific research principles, methods and techniques.
• Researchers must behave ethically and not do anything that may undermine the public’s trust and confidence in research or damage its reputation.
• Researchers must be straightforward and honest in all their professional and business dealings.
• Researchers must not make false or otherwise misleading statements about their skills, experience or activities, or about those of their organisation.
• Researchers must not unjustifiably criticise other researchers.
• Researchers must conform to the generally accepted principles of fair competition.
• Researchers must declare any potential conflict of interest associated with a research engagement to the client.

• Researchers must comply with all applicable international and national laws, as well as local codes of conduct, professional standards or rules. If the ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics imposes a higher standard, researchers must adhere to that higher standard.
• Researchers and clients must check that there is no privacy, or intellectual property (IP) infringement, such as a copyright breaches including that related to the application of AI and the training data, in the published research results and findings

• Researchers must ensure that research is carried out in accordance with this Code, that clients and other parties to the research, including all sub-contractors, agree to comply with its requirements, and that the Code is applied, where appropriate, by all organisations, companies and individuals at all stages of the research commensurate with their activities, expertise and control. Where appropriate, all parties are encouraged to include a clause in their contracts confirming their compliance with, and responsibility for adhering to, the Code.
• Correction of a breach of this Code by a researcher, while desirable, does not excuse the breach.
• Researchers must co-operate with any disciplinary investigation by ESOMAR into a possible breach of this Code. Failure to do so will be considered a breach of this Code. This also applies to members of other self-regulatory bodies implementing this Code and disciplinary investigations by their responsible bodies.

• Once the Code and its underlying principles are adopted, they must be implemented at the local, national and international levels by the appropriate self-regulatory bodies. Researchers and clients must also familiarise themselves with relevant local self-regulatory documents on research and with any decisions issued by the appropriate self-regulatory body.
• Requests for interpretation of the principles contained in this Code must be submitted to the ESOMAR Professional Standards Committee or under specific circumstances the Global ICC Commission on Marketing and Advertising for possible consideration by its ICC Code interpretation panel.