Privacy Policy

Updated 20th November 2024

INSTINCT AND REASON takes your privacy seriously and, as a company, we are committed to protecting and respecting your privacy. This policy contains important information about the personal information it collects about you, how we will use this data, the conditions under which it may be disclosed to other parties and how it is secured. Please read it carefully. Please note that our policy may change over time, so do check this page to ensure you are aware of any policy changes.

We may be required to comply with requests for personal data from regulatory bodies and legislative authorities.

Instinct and Reason (ABN 17 101 283 845) and INSTINCT AND REASON Limited (No: 06933192) respects and upholds your rights under the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (“Privacy Act”).

INSTINCT AND REASON also adheres to the Privacy (Market and Social Research) Code 2021 (“Code”) and the Australian Privacy Principles (APPs). For more information about the Privacy Act, the APPs, and the Code visit the Australian Data and Insights Association (ADIA) website: https://dataandinsights.com.au/member-services/privacy/.

Our Privacy Policy references four key sections including:

• Who we are
• Data security
• Market research
• Marketing communications
• Data protection complaints and resolutions

WHO WE ARE:

INSTINCT AND REASON conducts market research and provides business consulting services across the globe. We are committed to conducting our business lawfully and to the highest professional industry standards. This website is operated by INSTINCT AND REASON LIMITED part of the INSTINCT AND REASON HOLDINGS Group (ABN: 63 606 766 205), whose registered (trading) offices are listed below:

• INSTINCT AND REASON Limited (Registered in England No: 06933192, Registered Office: Column House, 7 London Road, Shrewsbury, SY2 6NN)
• INSTINCT AND REASON Pty Limited (Registered in Australia No: 17 101 283 845, Office: Suite 302, 410 Elizabeth Street Surry Hills NSW 2010 AUSTRALIA)

The legal basis for using your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we have your express consent to do so.
• Where we need to perform the contract, we are about to enter into or have entered into with you or to perform other legal obligations.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

DATA SECURITY:

How we keep your personal information secure

We take great care to ensure our business information systems are protected against the potential for malicious intrusion, for both stored and transmitted data. We use professional, reputable systems and suppliers and strong data encryption. We train all our staff to our information security standards.

We employ advanced encryption protocols, multi-factor authentication, regular security audits, and strict access controls to ensure the security and integrity of personal data in line with the 2021 Code.

In addition to data protection legislation (for example, the EU General Data Protection Regulation) and for Australian citizens the Australian privacy principles contained in the Privacy Act 1988, we work to market research industry professional standards and best practice.

Sending European Union (EU) citizens’ data outside of the EU

We keep EU citizens’ data within the European Union as standard. If we have a technical or business requirement for EU citizens’ data to transfer beyond the EU, then we obtain the individuals’ permission for this or we will ensure that there is a formal written contract in place approved by the European Commission which gives personal data the same protection as it has in the European Union; in the event that any personal data is transferred to the United States, we shall ensure that the party receiving personal data has signed up to the Privacy Shield which requires them to provide similar protection to that afforded in the European Union. We ensure any data transfer and repository beyond the EU is secure to the standards of EU data protection legislation.

Protocol for data breaches

In compliance with the Notifiable Data Breaches (NDB) scheme, Instinct and Reason will notify individuals and the Office of the Australian Information Commissioner (OAIC) within 72 hours if a data breach occurs and poses a risk to your personal information. We detail how we will handle data breaches in “Compliance Framework”.

MARKET RESEARCH:

Information about our market research activities

INSTINCT AND REASON collects and processes personal information as part of our business activity of conducting market research.

INSTINCT AND REASON Group complies with data protection legislation as applicable to the rights of citizens in the geographic areas in which our research activities are conducted.

In the EU, as from 25th May 2018, this is the General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as GDPR, which replaces the 1995 Data Protection Directive (Directive 95/46/EC). This new GDPR ruling means that there is a single set of data protection rules across all EU member states for the protection of its citizens’ personal data. This includes Rights for Individuals.

GDPR – Summary of Individual Rights

1. The right to be informed – right to be informed about the collection and use of personal data
2. The right of access – right to access their personal data and supplementary information
3. The right to rectification – right for individuals to have inaccurate personal data rectified, or completed if it is incomplete
4. The right to erasure – right for individuals to have personal data erased in certain situations
5. The right to data portability – right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services
6. The right to object – right to restrict processing of their personal data in certain situations, for example the right to object to use of personal data for direct marketing purposes
7. Rights in relation to automated decision making and profiling – right to be informed about and object to automated processing of data which may  produce a potentially damaging decision
8. The right to withdraw consent at any time – this applies where we are relying on consent to process your personal data.

Why we collect and process personal data

The definition of personal data is where an individual can be identified directly or indirectly by that data on its own or together with other data.

As part of our market research activities we may collect and/or process personal data that helps us:

1. To know who to approach for participation in our research projects. This could be name, email address, telephone number, address. This may be from our clients if we are helping them assess their customers’ views of their products and services, or to conduct research amongst their own employees. It may be from a professional supplier of potential market research participants, where prior informed consent from the individuals will have been obtained by such suppliers. We may collect information from public sources on who to approach for research. In all cases we will obtain informed consent at the point of participation to proceed.
2. To control the design of the data collection.
3. For quality control purposes. For example, IP address is often used at this stage prior to anonymising the data collected from surveys.
4. To provide information for analysis.

We also collect, use and share Aggregated Data as part of the delivery of our service to our clients. Aggregated data may be derived from your personal data but is not considered personal data in law as this does not directly or indirectly reveal your identity. If we combine or connect any aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We may collect Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. This Special Category data is subject to even stricter rules than apply to standard personal data and is only collected with your permission or where we have another specific legal ground to do so.

Instinct and Reason takes a ‘Privacy by Design’ , meaning we build privacy protections into every part of developing our products and services. We carefully consider privacy at each step, especially when collecting or using any personal or sensitive information.

Collecting information from you

We collect personal information from people who take part in our market research related activities including, surveys (on-line or face to face, telephone), focus group discussions and other market research related activities. We will always explain what we require and obtain consent before it is collected.

We may collect information for market research by:

• Web/internet surveys
• Telephone surveys
• Interviews by one of our interviewers either in-home or in a specific location (e.g. in a shopping centre, on a train station, at a venue) – this could be by using equipment such as a tablet or on paper forms
• Self-completion surveys printed on paper forms – by post or in a specific location, site or event
• Focus groups
• Technology-based solutions (e.g. tracking website usage), behavioural data including eye-tracking data)
• Digital social media/interactive web platforms – in accordance with contractual terms and conditions as specified by the provider and relevant legislation
• Mobile devices in accordance with contractual terms and conditions as specified by the provider and relevant legislation

Sending personal information outside of the INSTINCT AND REASON Group

• Instinct and Reason may share your data with trusted third-party partners for research, data analysis, website hosting, infrastructure provision, IT services, e-mail delivery services, auditing services, business development and lead generation, marketing services or to comply with legal or regulatory requirements.
• When transferring data internationally, we ensure compliance with APP 8, implementing safeguards equivalent to Australian privacy standards.
• We will respond to requests for personal information in accordance with legislative and regulatory requirements.
• We may use a research solution that requires personal information in order to proceed. For example, when we run online interactive research sessions, or ask participants to undertake certain tasks using mobile apps. This would be explained at the point of participation to proceed. We undertake stringent scrutiny of such services to check data security. We use solutions that restrict data to the EU as standard. Contrary to this, we would obtain consent.
• We may ask you to attend a focus group discussion or go somewhere to test a new product, and it is possible we would need to send your contact details to our organisers for this.
• It may be beneficial to pass your answers to the client who has commissioned the research about their product or service. This would all be explained and your permission sought before we would do this.
• Your answers may be held on a database that is used by our clients to view and manipulate anonymised and aggregated research data. We will gain your consent for any personal data or personally identifiable information that is available to be viewed by our clients.
• We may use an approved research supplier to provide specialist services such as data collection, analysis, consultancy, digital production or research tools, specialist techniques such as biometric data collection and analysis.

Keeping your personal information

Under the 2021 Code individuals have enhanced rights over their personal data. You may request access, correction, restriction, or erasure of your data at any time by contacting us at enquries@instinctandreason.com

We only keep personal information for as long as required for the purposes of the research. Our data retention policy states that we will not keep personal information for longer than 2 years, except where previously agreed with our research participants.

Wherever possible, we work with data that does not have personal information in it. For example, we will detach personal information to make a data set that combines hundreds of completed surveys in order to conduct statistical analysis. From focus groups and small-scale research, we mask the identity of participants in our reporting with labels such as ‘Male, 25-34, London’.

Use of cookies as part of our market research activities

If the use of cookies is required, this will be explained at the time and we will clarify how they will be used.

Web/Internet Surveys IP Address

If you participate in a web/internet survey, our system will collect information about your computer, including where available your IP address, operating system and browser type. Whilst this is the default position of our online software, we do not retain this information in any data/database. This information is collected solely for quality control purposes, to identify and prevent duplicate or invalid entries.

Access to your personal data and processing restriction

Please contact us to request your data and/or data erasure or processing restriction. We will confirm receipt of your request within 5 working days and take the appropriate steps to consider your request in line with GDPR legislation. Please note, it is likely you will be asked for proof of identification prior to commencing any work in response to your request.

MARKETING COMMUNICATIONS:

How we collect information from you

We collect, store and retain information about you in a variety of ways when visiting our website:

• Registering to receive our marketing communications or information about upcoming events
• Registering to download content from our website
• Applying for vacancies listed on our websites
• When you contact us via our enquiry email

The type of personal information we collect

By personal information we mean any information that you provide via our website that we have collected and may include (but not limited to): Forename, Surname, Postal address, Email address, Telephone number, Job title.

How we use your information

If you are (i) an existing client (ii) interacting with our marketing communications (iii) engaging with us through business development and potential future work (iv) have given express consent to us to use personal information for marketing purposes, INSTINCT AND REASON may at times use your personal information to provide you with marketing communications related to products, services and information relating to conferences and events.

Sending your personal information outside of INSTINCT AND REASON Group

We may share information with our third-party service providers for services such as data analysis, website hosting, infrastructure provision, IT services, e-mail delivery services, auditing services, business development and lead generation, marketing services or to comply with legal or regulatory requirements.

Use of cookies on our website

Cookies are commonly used across websites and mobile applications which may be used by INSTINCT AND REASON to provide you with, for example, customised information from our website. The cookie will allow us to recognise you when you visit our website. A cookie is an element of data that a website can send to your browser which may then be stored on your system. It does not contain confidential information such as your home address, telephone number or credit card details.

We do not exchange cookies with any third-party websites or external data suppliers. If you wish, you can usually adjust your browser preferences so that your computer does not accept cookies. Turning off cookies may mean that there is a loss of functionality when using our website.

Unsubscribing from marketing communications

You have the right to withdraw consent to receiving direct marketing messages making use of your personal data at any point. If at any point you would like to opt out from receiving any marketing communications, simply click on the unsubscribe link at the bottom of any emails you receive.

COMPLIANCE FRAMEWORK – COMPLAINTS AND RESOLUTIONS

Instinct and Reason is committed to maintaining a high standard of privacy compliance in line with the 2021 Code. This Privacy Compliance Framework outlines our structured approach to safeguarding personal information and ensuring adherence to privacy obligations.

• Privacy Governance: Our Privacy Officer, supported by the management team, oversees privacy practices and responds to any privacy inquiries.
• Audits and Policy Reviews: We conduct annual audits and review our privacy policies each year to ensure compliance and identify areas for improvement.
• Privacy by Design:
  • Privacy is embedded into every new project at Instinct and Reason through standardised Privacy Impact Assessments (PIAs), ensuring consistent alignment with data handling, storage, and transfer practices.
  • Staff are trained to recognise and address unique privacy risks, conducting a standalone PIA if a project falls outside typical processes. This approach integrates both privacy and security considerations in alignment with ISO 20252:2019 standards to safeguard all sensitive data throughout its lifecycle.
  • We ensure privacy and security assessments of all third-party vendors who process personal data on our behalf. require compliance with Australian Privacy Principles, along with regular reviews to verify third-party practices align with our data protection standards. Sensitive data shared with third parties is monitored to ensure it is stored, processed, and transferred securely.
• Documentation and Monitoring: We maintain comprehensive records of all privacy-related activities, including PIAs, data-sharing agreements, and compliance audits, in line with ISO 20252:2019 standards. Regular monitoring of data access, risk events, and control measures helps us respond promptly to potential risks. Our risk is continuously updated to reflect new workflows, processes, and external threats, ensuring our privacy compliance framework remains proactive and effective.
• Staff Training: Instinct and Reason conducts privacy training sessions, ensuring all staff understand their responsibilities under the 2021 Code.
• Data Protection Feedback and Complaints: To ensure the process is fair and consistent, feedback, complaints and enquiries will be referred to a single point of contact being the Privacy Officer, currently Matthew Johnson.
• Incident Response: Our data breach response plan is regularly updated and enables prompt action and reporting as required under the NDB scheme.

Our Incident Response Plan

1. A complaint is received about an alleged breach of the 2021 Code/APPs
2. Complaint will be forwarded to the Privacy Officer within 1 day to ensure timely handling.
3. Within 72 hours of receiving the complaint, the Privacy Officer will perform a preliminary assessment to determine if the alleged breach meets the criteria for notification under the NDB scheme. If it does, notifications to the OAIC and affected individuals will be made as required
4. The Privacy Officer will conduct a full investigation and make a determination on the complaint within 30 days from the date of receipt. If more time is required due to the complexity of the complaint, the complainant will be informed of the anticipated timeframe
5. The Privacy Officer will keep a record of all complaints and determinations. Details of complaints will be logged to make sure that any serious or systemic issues are identified and acted upon. This will comprise a register and file records that will be securely stored in accordance with the 2021 Code /APP.
6. If the Privacy Officer determines there has been a breach of the 2021 Code/APPs he/she will, upon notification to the complainant, advise the relevant personnel in writing of any action required to remedy the breach.
7. If breach is incapable of being rectified and is not rectified within 30 days, the Privacy Officer must inform the Managing Director and Australian Data and Insights Association (ADIA) about the failure to rectify the breach.

Lodging a complaint with authorities:

Individuals have the right to lodge complaints about data protection issues with their national supervisory authority if they are not satisfied with our response or have not received a response within 30 days.

• For Australia, the supervisory authority is the Office of the Australian Information Commissioner:
  • Telephone: 1300 363 992
  • Notifiable data breaches: https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach.
  • Privacy complaint: https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us

• For EU Member States about alleged breaches of GDPR, the supervisory authority in the UK is the Information Commissioner:
  • Telephone: 0303 123 1113
  • Website: https://ico.org.uk/concerns/

CHANGES TO OUR PRIVACY POLICY

We reserve the right to modify this Policy at any time. Any changes we may make to our Policy in the future will be notified and made available to you using the Website. Your continued use of the services and the Website shall be deemed your acceptance of the varied privacy policy.

LINKS TO OTHER WEBSITES

The INSTINCT AND REASON website will contain links to other websites. Please note that this Privacy Policy only applies to the INSTINCT AND REASON Group and our website. If you are taken to another website please read their own privacy policies.

We do not control any third-party websites and are not responsible for their privacy policies. When you leave our website, you should read the privacy notice of every website that you visit.

CONTACT

If you have any questions relating to our policy please contact by email or by post addressed to:

• AUSTRALIA : INSTINCT AND REASON PTY LTD
  • Mail: Suite 302, 410 Elizabeth Street Surry Hills NSW 2010 AUSTRALIA.
  • Telephone: +612 9283 2233
  • Email: enquries@instinctandreason.com
• UK : INSTINCT AND REASON LTD
  • Mail: Column House, 7 London Road, Shrewsbury, Shropshire, SY2 6NN.
  • Telephone: +44 203 355 4454