Privacy and Confidentiality Policy

Beaton Research + Consulting (ACN 135 310 459) (‘beaton’) respects your rights to privacy and our Privacy and Confidentiality Policy (‘Policy’) outlines how we uphold those rights under the Australian Privacy Principles (‘APPs’), as written into the Privacy Act 1988 (Cth) (‘Privacy Act’). The APPs govern how private organisations in Australia handle ‘personal information’, which is information from which you can be identified. For more information about the Privacy Act and the APPs visit www.oaic.gov.au

In recognition of the growing interest in the responsible and transparent collection, storage and usage of data, the Policy also outlines the steps beaton has taken to ensure its processes are compliant with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This applies to the processing of data about and from individuals in the European Economic Area.

There are four main categories of individuals on whom beaton holds personal information:

Website visitor:

Any individual that visits the beaton sites and blogs, the Client Choice Awards website, and any other websites we operate.

Identified survey respondent:

Individuals whose survey responses and their identities, or identifying information, will be made available to our client. These surveys typically ask about a specific project or matter and any reference to the Policy in those surveys or emails will explicitly state that they are Identified survey respondents.

Group survey respondent:

The majority of individuals who complete a survey from us. These answers are reported to our client in aggregate or anonymous form only, unless with respondents' explicit and affirmative consent.

beaton client:

Individuals from organisations that are clients or prospective clients of beaton, including entrants to the Client Choice Awards, delegates to the Clients and Firms conference and attendees to our webinars and other events. Organisations that are interested in how beaton uses their current or prospective clients', customers' or members' personal information should read the Policy as an Identified or Group survey respondent.

What personal information about you does beaton collect and hold?

More detailed explanations can be found in the following sections.

What are the purposes for which beaton uses and handles your personal information?

For Website visitors:

It is in our legitimate interests to improve the usability of our website and to understand how visitors are viewing it. This may include Tracking clicks to monitor the pages with which visitors are interacting, using Device data such as screen size and by using cookies.

Cookies are either stored in memory (session cookies) or placed on your hard disk (persistent cookies). The beaton website does not use persistent cookies. Upon closing your browser, the session cookie set by this website is destroyed and no personal information is maintained which might identify you should you visit our website at a later date.

Individuals may choose to use our contact forms to ask for further information and need to provide us with their Contact details so that we may respond to their query. Visitors have the right to use a pseudonym instead of providing their real identities.

For beaton clients:

In order for us to deliver service to our clients, we collect and process Contact details of individual representatives of those organisations to pursue our legitimate business interests. These Contact details may be collected in the course of service delivery, through publicly accessible means (such as name, title and email addresses on organisations' websites) or provided to us (such as through a colleague or referral).

Part of pursuing our legitimate interests in delivering service to our clients is improving the service that is being delivered. This may involve using Contact details to survey our clients on their satisfaction with our service. We may use independent third party experts to assist us in doing this.

We may use the Contact details of clients and prospective clients for direct marketing purposes. It is in our legitimate interests to do so. We take reasonable steps to ensure that the services and/or products we are communicating are relevant to the individual's position. Individuals have the right request that they be removed from our direct mailing lists, usually through clicking an unsubscribe link in the footer of our emails. However, that right to not receive promotional and marketing materials shall not preclude beaton from corresponding with them regarding an existing business relationship.

We Track clicks of these direct marketing emails to measure the effectiveness of our campaigns. We may use this data to follow up with clients or prospective clients, such as those that opened the email or downloaded an attachment.

For Identified survey respondents:

Organisations retain beaton to conduct research on their behalf to help them improve their service to their current or prospective clients, customers or members. We collect this Survey data to help pursue the organisation's legitimate interests of better service delivery. This data is typically directly collected by us through our online surveys, however, from time to time organisations may provide us with existing Survey data so we can perform further analysis.

In order to help us conduct this research accurately, organisations provide beaton with the Contact details of the individuals they want to survey, including name and email. We act as an independent third party to assist the organisation in delivering their service to their current or prospective clients, customers or members by sending emails with unique survey links. This ensures the data is accurate and there has been no tampering. When individuals opt out of receiving further emails from us regarding surveys, we add those email addresses to a 'do not email' list.

We Track clicks on these links to ensure that we do not keep emailing individuals who have already completed the survey. We may use this information to invite partial respondents to complete the rest of the survey. To ensure the stability of our surveys and to improve their utility, we record Device data to understand how respondents are engaging with our surveys.

For Group survey respondents:

All details identified above for Identified survey respondents applies to Group survey respondents. In addition:

In some surveys we may invite respondents to participate in further surveys from beaton. With their explicit and affirmative consent, the respondent may allow us to retain their Contact details so that we can contact them in the future for our own initiatives. These individuals can withdraw their consent at any time.

Occasionally our clients or we may publish aggregated or anonymous findings.

To whom will beaton disclose your personal information?

beaton does not provide information to third parties for their own marketing purposes and we do not undertake promotional mailings for third parties. We will not disclose any personal information to a third party for a purpose other than pursuing our legitimate business interests or the legitimate interests of our clients (outlined above), unless specifically stated otherwise or we are required to do so by an Australia law or court/tribunal order.

We may use third party experts in order to conduct best practice research and deliver excellent service to our clients. This may involve the disclosure of personal data in order for these providers to deliver their service. It is appropriate to use third party experts whose domain knowledge ensures personal information is processed with the most up-to-date and secure methods. beaton will take reasonable steps to ensure the service provider, their employees, and their contractors do not breach the APPs and have privacy policies that provide equivalent protections to those described in the Policy.

When our third party experts are located internationally, we will take reasonable steps to ensure that privacy rights are protected, their security and confidentiality is in accordance with local data protection laws and that individuals have the ability to enforce these rights.

For beaton clients:

We are committed to maintaining the confidentiality of the information that organisations provide. Email addresses and other information provided to beaton will only be used to contact individuals for research purposes and not for any other purpose, unless otherwise specifically agreed with the organisation. This may involve disclosing personal information to third party experts to best conduct this research, as outlined above.

How does beaton protect your personal information?

Our internal processes encourage data protection by design and by default. Only authorised personnel have access to personal information and they are required maintain its confidentiality, unless with the specific and affirmative consent of the individuals involved or to third party experts as outlined above.

We take all reasonable steps to hold your personal information in a secure location, protected from misuse, interference, loss, unauthorised access, modification or destruction. When beaton holds information in a location other than our identified business address, we will take reasonable steps to ensure these locations comply with the APPs and the Privacy Act.

In the unlikely event of a suspected data breach, within 30 days beaton will assess and evaluate whether a data breach has occurred. However, beaton does not believe that it holds any information such that a breach would cause serious harm to the individuals involved. If our evaluation determined that a breach had occurred and that it may cause serious harm, the Office of the Australian Information Commissioner and all affected individuals will be notified. beaton will take steps, depending on the nature of the breach, to secure the data and/or minimise the potential for harm.

We will destroy or de-identify personal information as soon as practicable once it is no longer needed for our purposes. However, beaton may in certain circumstances be required by law to retain personal information. In this case, the personal information will continue to be protected in accordance with the Policy. If we destroy personal information, we will do so by taking reasonable steps and using up-to-date techniques and processes.

For Group survey respondents:

Personal information is stored together with survey data only while the research fieldwork period is active. After this period, personal information (such as contact details) and survey data are stored on physically separate and encrypted servers. The data is kept in this pseudonymised form for 24 months, after which the contact details are permanently deleted from our server. This means that the survey data becomes anonymous and cannot be re-associated with the respondent that provided that data.

When this data is produced as a report for our clients, we provide only aggregate or anonymous results, unless with respondents' explicit and affirmative consent.

For Identified survey respondents:

These surveys ask for feedback on specific projects or matters so by their very nature can never be truly anonymised. These surveys are designed so our clients can directly identify happy and unhappy clients and learn from what went right or wrong with a project. The contact details of respondents are removed from our system after 24 months, however, the identity of the respondent may still be able to be inferred.

What are your rights on how beaton processes your personal information?

All individuals covered by the Policy have rights surrounding how beaton collects, uses or otherwise processes personal information. These are:

The right to transparent explanation of how personal information is used and your rights
- i.e. the Policy
The right to access the information beaton holds about you
The right to correct any inaccurate personal information we may hold about you
The right to object to us using your data for profiling you or making automated decisions about you
- We do not use your data for profiling or automated decision-making
The right to object to us using your data
- i.e. by unsubscribing from our email invitations to surveys
The right to data erasure ('be forgotten')
- This applies to contact details only, as it is not practicable to remove survey data once it has been used to calculate averages and other statistical summary metrics and used in reports to our clients
- Note that total erasure also means being removed from our 'do not email' lists. This means that if your contact details are provided again in future, we will not know that you do not wish to be contacted for surveys
The right to lodge a complaint
- Please contact us first, using the below details, so we have the opportunity to address your concerns.

If you would like to exercise any of the above rights, have any questions about the Policy or believe that we have at any time failed to handle your personal information in the manner required by the Privacy Act, the APPs or GDPR, please contact us immediately using the following contact details:

Privacy Officer

Suite 9.12, Level 9, 9 Yarra St South Yarra VIC 3141

privacy@beatonglobal.com

+61 3 8373 2600

We will respond within one month (or let you know within one month if we need an extension of up to two months to process a complex request) and, where applicable, advise you whether we agree with your complaint or not. If we do not agree, we will provide reasons. If we do agree, we will advise what (if any) action we consider it appropriate to take in response. If you are still not satisfied after having contacted us and given us a reasonable time to respond, then we suggest that you exercise your right to contact the Office of the Australian Information Commissioner by:

Phone: 1300 363 992

If calling from overseas (including Norfolk Island): +61 2 9284 9749

TTY: 1800 620 241 (hearing impaired only)

TIS (Translating and Interpreting Service): 131 450

Post: GPO Box 2999 Canberra ACT 2601 Australia

Fax: +61 2 9284 9666

Email: enquiries@oaic.gov.au

Miscellaneous

In the Policy, ‘personal information’ has the same meaning as under the Privacy Act.

The Policy is effective from 25 May 2018. We may change the Policy from time to time; the APPs recommend regular review of privacy policies to make them ‘living documents’. Although we intend to observe the Policy at all times, it is not legally binding on beaton in any way. From time to time, we may regard it as necessary or desirable to act outside the Policy. beaton may do so, subject only to any other applicable contractual rights you have and any statutory rights you have under the Privacy Act or other applicable legislation.