ISO 20252:2019

INTERNATIONAL ISO
STANDARD 20252
Third edition
2019-02
Market, opinion and social research,
including insights and data
analytics — Vocabulary and service
requirements
Études de marché, études sociales et d'opinion, y compris insights et
analytique de données — Vocabulaire et exigences de service
Reference number
©
ISO 2019
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Core requirements for market, opinion and social research .12
4.1 Core framework .12
4.1.1 Statement of applicability .12
4.1.2 Confidentiality of research .14
4.1.3 Documentation and records management .16
4.2 Personnel and infrastructure responsibilities .17
4.2.1 Personnel and organisational responsibilities .17
4.2.2 Personnel — Performance management .17
4.3 Information security .17
4.3.1 Information security risk framework .17
4.3.2 Information handling .18
4.3.3 Information security controls.18
4.3.4 Information security training and awareness .18
4.4 Subcontracting services .18
4.4.1 General.18
4.4.2 Subcontracted project work .19
4.5 Planning, deli very and reporting on projects and research work .19
4.5.1 General.19
4.5.2 Client relationship management .19
4.5.3 Project, work requests or other responses to offer services .21
4.5.4 Providing deliverables to the client .23
4.6 Management r eview and improvement .24
4.6.1 Input .24
4.6.2 Output .25
4.7 Internal audits .25
4.8 Leg al requirements .25
Annex A (normative) Sampling including access panels .26
Annex B (normative) Fieldwork .39
Annex C (normative) Physical observation .48
Annex D (normative) Digital observation .50
Annex E (normative) Self completion .56
Annex F (normative) Data management and processing .60
Bibliography .66
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 225, Market, opinion and social research.
This third edition cancels and replaces the second edition (ISO 20252:2012), which has been technically
revised, and ISO 26362:2009 whose technical content has been included in this document. The main
changes to the previous edition are as follows:
— the document has been completely restructured, with a core clause (Clause 4) applicable to all
service providers, regardless of methodologies provided, and six separate annexes (Annexes A to F),
each covering requirements relating to one of the globally-recognized research methodologies;
— Clause 3 has been updated;
— technical content has been updated to reflect new or modified research practices and new
content has been added to Annex A and Annex D.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved

Introduction
The principal objective of international standardization within the market, opinion and social research
(henceforth referred to as “research”) is the facilitation of global and consistent industry standards
applicable to different national and regional markets. The intent of this document is to follow a structure
to ensure that its implementation leads to continual improvement of research and to harmonize other
national standards and industry codes already available.
With the emergence and general acceptance of online samples for market, opinion and social research,
a primary source of online samples, online access panels, have evolved in their use and have been
augmented with other online sample sources. ISO 26362:2009 has been withdrawn and incorporated
into this document which now covers access panels, both online and offline.
The research business core framework is established and documented as Clause 4 of this document.
The normative annexes provide the specific framework for various globally recognized research
methodologies. The service provider can align their practices to the requirements as stated within each
annex in order to attest conformity to the particular research methodology or functions.
The intent is to apply the requirements specified in Clause 4 as the mandatory framework for any
attestation by a service provider conforming with this document, supported by at least one annex. The
structure and scope of this document does not permit any attestation to this document without also
meeting the requirements of at least one annex.
Regardless of whether a business undertakes research activities as an in-house or outsourced
function, the service provider is ultimately responsible for ensuring that research activities meet
the requirements of this document. Therefore, the scope and boundaries of the applicable disciplines
need to be reflected in the statement of applicability (SoA), including the annexes with management
processes in place to ensure the requirements of this document are met.
Any claim of attestation will state clearly and unambiguously which annexes conform with this
document. The long-term aim is that businesses will attest the majority, if not all, of their research
activities to this document.
INTERNATIONAL STANDARD ISO 20252:2019(E)
Market, opinion and social research, including insights and
data analytics — Vocabulary and service requirements
1 Scope
This document establishes terms, definitions and service requirements for service providers conducting
market, opinion and social research, including insights and data analytics (hereinafter referred to as
“service providers”).
Non-market research activities, such as direct marketing, are outside the scope of this document.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
3.1
access panel
sample (3.86) database of potential participants (3.64) who declare that they will cooperate for future
data collection if selected
Note 1 to entry: This does not include continuously reporting panels (e.g. TV-rating panels) or re-contact
databases (asking for permission for follow-ups).
3.2
accuracy
degree of closeness between the estimate and the agreed parameter value
3.3
active panel member
panel member (3.61) who, within the last 12 months, has participated in at least one research study if
requested, updated their profile data, or registered to join the access panel (3.1)
3.4
ad impression
display of an advertisement on a device
3.5
algorithm
process or set of rules to be followed in calculations or other problem solving operations
3.6
anonymize
remove, obscure, aggregate or alter identifiers with the aim of preventing the identification of
individuals to whom data originally related
3.7
appraisal
process of monitoring the competency of an individual or group of individuals in carrying out their work
3.8
attestation
declaration of conformity by the service provider (3.92) related to the statement of applicability (SoA)
3.9
audit
systematic, independent and documented process for obtaining evidence and evaluating it objectively
to determine the extent to which a standard’s requirements are fulfilled
3.10
auditor
person with the competence to conduct an audit (3.9)
3.11
automated coding
form of coding where manual coding is replaced, totally or in part, by various forms of computer
coding or computer-assisted coding using computer-stored code lists, dictionaries, automated systems,
machine learning, artificial intelligence or other technologies
3.12
bias
systematic deviation between the estimate and the agreed parameter value
3.13
bot
autonomous software that operates as an agent for a user or a program or simulates a human activity
3.14
client
individual, organization, department or division, whether it is internal or external, that requests or
commissions a research project
3.15
code
character or combination of numeric, alphabetic or other types of characters associated with each
response category
3.16
code frame
list of categories with associated codes (3.15) for classifying responses
3.17
completion rate
number of participants (3.62) who fully complete a research project divided by the number of
participants who were invited to participate
3.18
computer-assisted interviewing
CAI
interviews where responses are keyed directly into a computer and where the administration of the
interview is managed by a specifically designed program
EXAMPLE Computer-assisted personal interviewing (CAPI); computer-assisted telephone interviewing
(CATI); computer-assisted self-interviewing (CASI); computer-assisted interviewing via web/internet (CAWI).
2 © ISO 2019 – All rights reserved

3.19
confidentiality
requirement that information, materials and data collected are protected from unauthorized access
3.20
consent
freely given agreements based on adequate information obtained prior to the collection/use of
participant (3.62) data
3.21
cookie
small piece of information (i.e. program code) that is stored on a browser for the purpose of identifying
that browser during activities and between visits or sessions
3.22
dashboard
software application with which a number of mini-applications can be reviewed or managed and
reported
EXAMPLE Mini-applications could include app to export data or allow API access.
3.23
data cleaning
process of identifying, correcting or removing unneeded or inaccurate data for research quality
purposes
3.24
data collection instrument
tool created for the purpose of gathering information from participants (3.62)
EXAMPLE Questionnaire, discussion guide, biometric device, webscraping technology, camera.
3.25
data editing
set of methods for verifying the collected data and, if necessary, correcting the data
3.26
data entry
process step where data collected are converted into computer-readable form or other types of
standardized forms
Note 1 to entry: Simple data entry is data entry containing no built-in logic checks.
Note 2 to entry: Logic data entry is a data entry process that uses automated checks for the logic of data on
elements such as data types, filters, question skips and response options.
3.27
data processing
management and converting of data from their raw state through to a required output
3.28
data record
set of data derived from a reporting or observed unit
3.29
de-duplication
process to remove data records (3.28) corresponding to a participant (3.62) or record (3.76) that appears
more than once in a research dataset or access panel (3.1)
3.30
depth interview
in-depth inverview (IDI)
semi-structured or unstructured interview conducted to understand the underlying motivations,
beliefs, attitudes behaviours and feelings of a participant (3.62)
3.31
derived data item
data item calculated or recoded from one or more sources and/or categories
3.32
device ID
device identification
machine ID
distinctive alphanumeric string associated with a computer, smartphone, tablet or other computing device
Note 1 to entry: A device can have multiple device IDs for a different purpose. These include device IDs to enable
Wi-Fi or Bluetooth or identify a device on a mobile carrier network. Other device IDs, such as Apple's UDID or
Android's Android ID, are used by apps, developers and other companies to identify, track and analyse devices
and their users for a number of purposes, including online advertising.
Note 2 to entry: For a PC or laptop computer the MAC (Media Access Control) address can be used as a device ID.
Note 3 to entry: A device ID can be personally identifiable.
3.33
digital analytics
analysing and reporting of electronic data for the purpose of measuring and understanding people and
their behaviour
3.34
digital device
mobile device
electronic device intended to be portable which can collect data, either directly or indirectly, that can be
uploaded to a third party (3.101) either immediately or upon syncronization with appropriate software
Note 1 to entry: Digital devices include smartphones, smart watches, fitness or health tracking devices, tablets,
geo-location devices and biometric data gathering devices.
3.35
digital fingerprint
device fingerprint
machine fingerprint
browser fingerprint
information collected about a computer, tablet, smartphone or other computing device for the purpose
of identification of individual research participants or devices
Note 1 to entry: Digital fingerprints are typically created using web browser configuration parameters along
with other device parameters that can be obtained from a device. These parameters are used to create a single
string that comprises the digital fingerprint.
Note 2 to entry: A digital fingerprint may be personally identifiable.
3.36
discussion guide
list of points or topics which are to be covered in a depth interview (3.30), focus group (3.42) or other
qualitative method
3.37
dongle
small piece of hardware, often a USB device, that can be connected to other electronic equipment, to
enable additional services such as access to the internet
4 © ISO 2019 – All rights reserved

3.38
duplication
situation where a participant (3.62) is invited or attempts to complete more than one response for a
specified research project
3.39
exclusion request
excluding a potential participant (3.62) from a research project based on their participation in a
research project involving the same or similar product/service category and/or methodology
3.40
fieldworker
interviewer
person involved in the collection of data for market, opinion and social research
Note 1 to entry: Fieldworkers include, but are not limited to, face-to-face and telephone interviewers, recruiters
for qualitative or other research, “mystery shoppers” (3.54) and other people carrying out data collection by
observation, and persons collecting data from retail outlets, following instructions from the service provider (3.92).
3.41
filter
question or instruction in a data collection instrument that restricts answers to a subgroup of
participants (3.62)
3.42
focus group
group discussion
open discussion with a small number of selected participants (3.62) conducted by a moderator (3.53)
Note 1 to entry: Focus groups can be conducted face-to-face, by telephone, online or by a combination of these.
Online focus groups can be synchronous or real-time (e.g. chat sessions), or asynchronous over an extended
period of time (e.g. message and/or bulletin boards).
3.43
fraudulent participant
participant (3.62) or panel member (3.61) who deliberately misrepresents their identity, profile data or
responses
3.44
frequency count
hole count
marginals
summary count of individual data items on a computer file
3.45
imputation
procedure where missing data are replaced by estimated or modelled data
3.46
inattentive participant
inattentive panel member
panel member (3.61) or participant (3.62) who does not give an adequate level of thought to the
responses they provide
Note 1 to entry: A poor quality of response is not necessarily the panel member’s (3.61) or participant’s (3.62)
fault, and could reflect poor data collection instrument design.
3.47
incentive
gift, payment or other considerations offered to potential participants (3.62) to increase participant
cooperation
3.48
indexing
numerical scale used to compare variables with one another or with a reference number
3.49
information security
preservation of confidentiality, integrity and availability of information
3.50
intercept
type of interviewing where participants (3.62) are approached, without prior consent, either in person
or online
3.51
internal audit
periodic checks carried out by a company’s own trained employees as to whether projects within the
company have been carried out in accordance with the described procedures
3.52
machine learning
computer technology with the ability to automatically learn and improve from experience without
being explicitly programmed
EXAMPLE Speech recognition, predictive text, spam detection, artificial intelligence.
3.53
moderator
individual responsible for facilitating the interactions among participants (3.62) of a focus group (3.42)
or other qualitative forum
3.54
mystery shopping
study using fieldworkers (3.40), researchers or participants (3.62) (consumers or general public) in the
role of customers/users in order to evaluate a business/service performance
3.55
near field communication
NFC
wireless technology that enables communication between devices over a short distance
3.56
netting
method of treating codes (3.15) assigned to multiple-response questions, which can include open-ended
codes, where the net refers to the total number of participants (3.62) responding with the same group
of codes, even when each participant has given more than one response within the same group of codes
3.57
non-response
absence of measurements on some sample (3.86) or census members for all or some questions or
variables
3.58
observational data collection
observational research
observational methodologies
collection of data by observation of the behaviour, habits, activities, relations, expressed opinions or
performance of individuals or groups, as well as phenomena, including the use of passive techniques,
without the use of direct questioning
Note 1 to entry: See also passive data collection (3.64) and physical observational data collection (3.66).
6 © ISO 2019 – All rights reserved

3.59
open-ended question
open-ended response
type of question where participants (3.62) are asked to answer in their own words
3.60
opt out
explicit request to terminate participation in a research activity
3.61
panel member
individual recruited from a documented source who has provided profile data and appropriate
information for validation of identity, given explicit consent to participate in research according to the
terms and conditions of panel membership, and not opted out
3.62
participant
respondent
data subject
person or organisation from whom or about whom data are collected for research
3.63
participation rate
start rate
number of participants (3.62) providing a usable response divided by the total number of initial
personal invitations requesting members to participate
3.64
passive data collection
passive methodologies
process of data collection that avoids or minimizes active interaction with the participant (3.62)
3.65
personal data
information relating to a natural living person that can be used to identify an individual
Note 1 to entry: The identification can be made for example by reference to direct identifiers (e.g. name, specific
geographic location, telephone number, picture, sound, video recording or biometric data) or indirectly by
reference to an individual’s physical, physiological, mental, economic, cultural or social characteristics.
3.66
physical observational data collection
physical observational research
collection of data through observation, whether in person or by video, including behaviour, habits,
activities, relations, expressed opinions or performance of individuals or groups without the use of
direct questioning and undertaken in the physical environment
Note 1 to entry: Physical observational data collection excludes online observation, such as digital behaviour.
3.67
prescreening
initial questions in a data collection instrument (3.24) used to establish eligibility of participants (3.62)
3.68
pretest
small-scale test to check the performance of a data collection instrument (3.24) or methodology before
embarking on full-scale fieldwork
3.69
primary record
data collected directly from the source and in their original state
Note 1 to entry: This can include survey (3.98) data, interview transcripts, field notes, biometric measurements
and recordings.
3.70
probability sample
random sample (3.86) from a population wherein each member has a known and non-zero probability
of being included and allows for the calculation of margin of error
EXAMPLE Simple random sampling (SRS); stratified sampling; cluster sampling; systematic sampling; and
multistage sampling (in which some of the methods above are combined in stages).
3.71
profile data
descriptive characteristics of a panel member (3.61)
3.72
qualitative research
analysis of motivations, patterns of thought, opinion, attitude, assessment or behaviour, via research
techniques such as focus groups (3.42), depth interviews (3.30), discourse content analysis and
qualitative observational research (3.58)
3.73
quantitative research
numerical measurement of observations via research techniques such as questionnaires (3.74), opinion
polls, surveys (3.98) and experimental research
3.74
questionnaire
structured or partly structured tool or instrument for collecting data, consisting of a series of questions
Note 1 to entry: Questionnaires can be self-completion or administered by a fieldworker (3.40).
3.75
quota sample
sample (3.86) drawn using a non-probabilistic method such that it conforms to a predefined structure
with respect to certain variables
Note 1 to entry: These types of samples do not allow for a margin of error to be calculated.
Note 2 to entry: Examples of non-probability samples include convenience samples, accidental samples and river
samples.
3.76
record
special type of document that provides historical evidence of an event, activity or fact
Note 1 to entry: For example, a questionnaire (3.74) is a document, but once it is completed by a participant (3.64)
or a fieldworker, it becomes a record.
Note 2 to entry: Records can be physical or digital.
3.77
recruiter
person who identifies and invites potential participants (3.62) to take part in a research project
8 © ISO 2019 – All rights reserved

3.78
reliability
overall consistency among replicated measures
Note 1 to entry: In this context, measurement has a high reliability if it can be repeated with the same or similar
results under the same or similar conditions.
3.79
representativeness
degree to which a sample (3.86) reflects the target population being studied
Note 1 to entry: A representative sample is one in which the distribution of important characteristics is
approximately the same as in the target population.
Note 2 to entry: The definition of ‘important characteristics’ is generally a function of the research topic.
3.80
response rate
calculation of the proportion of people responding to a survey (3.98) based on a probability sample
3.81
retail audit
collection of data from retail outlets using documentary (e.g. paper or digital) and/or observational
methods
3.82
review
determination of the suitability, adequacy or effectiveness of an object to achieve established objectives
3.83
river sampling
dynamic sampling
real-time sampling
web intercept
online sampling method that drives potential participants (3.62) for surveys (3.98) or other research
activities from advertisements on social media (3.95) and other websites to an online portal where they
are screened for research projects in real time
Note 1 to entry: Unlike access panels, river sampling participants (3.62) are not part of a database of people who
have agreed to participate in research activities on a regular basis.
3.84
robot instruction file
file that defines how an internet search engine should interact with the pages and files of a web site and
is often used to define where automated systems are not allowed to go
3.85
router
online software application that screens incoming research participants (3.62) and then uses those
results to assign research participants to one of multiple available research projects
Note 1 to entry: A router can also offer participants (3.62) additional screeners and surveys (3.98) after screener
qualification failure or survey (3.98) completion.
Note 2 to entry: It differs from “hardware router” as a communication equipment that relays data between two
or more different networks.
3.86
sample
subset of the target population (3.99) from which data are to be collected
3.87
sample blending
practice of combining multiple, heterogeneous sample (3.86) sources with the aim of achieving a more
consistent or more representative sample
3.88
sample provider
service provider (3.92) responsible for the provision and management of online or offline samples from
relevant sources such as panels, web-intercept-based sources (including river sample sources) and
email lists
3.89
sampling frame
list of population elements or other appropriate sources from which a sample (3.86) is to be drawn
3.90
satisficing
behaviour in which the research participant (3.62) gives less than necessary cognitive effort when
participating in a research project
3.91
secondary data
data that have already been collected and are available from another source
3.92
service provider
organization that conducts research projects or parts of research projects in market, opinion and social
research using statistical data and/or social science methods and techniques
EXAMPLE Private research institutions; academic and university research institutions; in-company
research departments; local authorities, official statistics agencies or individual researchers acting in the same
capacity.
3.93
sentiment
mood associated with, for example, a sound, image or statement, usually on a continuum from positive
to neutral to negative
3.94
silent call
abandoned call
telephone call generated by a dialler and answered by a participant (3.62) before a fieldworker (3.40) is
made available
Note 1 to entry: A dialler (automated dialling equipment) is any equipment or software able to dial a telephone
number and make the call available to the fieldworker (3.40).
3.95
social media
online technologies and practices that people use to share opinions, insights, experiences and
perspectives with each other, transforming traditional one-to-many interactions into many-to-many
interactions
3.96
spyware
devices or software that capture a participant’s (3.62) data or behaviour without obtaining consent (3.20)
10 © ISO 2019 – All rights reserved

3.97
subcontract
outsource
engage an external organisation or individual to perform part of the service provider’s (3.92) function or
process, under the responsibility of the service provider (3.92)
Note 1 to entry: Self-employed individual fieldworkers (3.40) are not defined as subcontractors for the purposes
of this document.
Note 2 to entry: Hired or otherwise outsourced services and/or assets include, for example, participant (3.62)
panels, cloud services, computer software and hardware, other technology platforms, electronic or other secure
data storage facilities and focus group (3.42) venues.
3.98
survey
data collection from a sample (3.86) of a target population (3.99) to which inferences can be made
3.99
target population
population of interest in the research project to which inferences are to be made
3.100
text analysis
content analysis
method used to describe the characteristics of a message
3.101
third party
independent organisation or individual not under the responsibility of the service provider (3.92)
3.102
unique visitor
inferred measure that signifies a distinct, unduplicated individual requesting a page from a website
during a given period, regardless of how often they visit
3.103
validation
procedures to check conformity to specifications or requirements at any stage of the research process
3.104
validity
assurance that the results of a research process represent what was intended
3.105
vulnerable person
person who is permanently or temporarily unable to represent their own interests through a mental,
emotional, societal or physical cause that may limit their capacity to make voluntary and informed
decisions
3.106
wave
successive repetition in a continuous project in which neither the objective nor the general project
design change
3.107
web analysis
analysing and reporting of behaviour, statements and sentiments (3.93) from users/participants (3.62)
of online platforms
3.108
web beacon
pixel tracker
web bug
piece of code (3.15), often a 1 × 1 pixel, on a website used to track website activity
Note 1 to entry: This differs from a beacon, which is a low-powered transmitter that notifies nearby devices of its
presence and can be used to trigger an action.
3.109
weighting
calculation process in which different units or subgroups are recalculated by assigning numerical
values, as necessary, to refine and/or correct the representativeness of sample (3.86) estimates
Note 1 to entry: Weighting can be used to adjust for unequal selection probabilities, such as multistage sampling,
coverage bias (3.12) and non-response (3.57) bias.
4 Core requirements for market, opinion and social research
4.1 Core framework
4.1.1 Statement of applicability
The service provider shall create a statement of applicability (SoA) that describes the complete scope of
the services attested to as meeting the requirements of this document. The SoA defines which annexes
are in conformity with this document, to the extent such services are included in the service provider
systems.
NOTE The intent is that the service provider attests the majority, if not all, of their research activities to this
document.
Attestation to this document shall be achieved by the service provider when the core requirements (see
Clause 4) and at least one of the following annexes, including all requirements cross-referenced to other
annexes, are met:
— Annex A — Sampling including access panels;
— Annex B — Fieldwork;
— Annex C — Physical observation;
— Annex D — Digital observation;
— Annex E — Self completion;
— Annex F — Data management and processing.
For service providers who specify Annex A in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex A shall apply.
For service providers who specify Annex B in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex B shall apply.
For service providers who specify Annex C in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex C shall apply.
For service providers who specify Annex D in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex D shall apply.
For service providers who specify Annex E in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex E shall apply.
12 © ISO 2019 – All rights reserved

For service providers who specify Annex F in the SoA, whether directly or as subcontracted services,
the additional requirements specified in Annex F shall apply.
Conformity to a particular annex is required only when that annex is specified in the SoA, or when a
particular requirement is cross-referenced from an annex that is specified in the SoA.
Any communication of the attestation shall state clearly and unambiguously which annexes the service
provider is in conformity with.
a) The SoA (see Figure 1) shall record the attested scope by annex name and number as per this
document as a clear and unambiguous declaration of which services are included and excluded
from the scope.
b) The SoA shall include all subcontracted services.
c) The SoA shall be authorized and dated by a person in senior management representing the attested
service provider.
d) The service provider shall make the SoA available to clients and other stakeholders at all times
(e.g. on a web page).
e) The service provider’s SoA shall be subject to assessment against this document.
f) The service provider shall not use subjective, marketing or redundant phrases within the SoA, such
as ‘high quality’, ‘tremendous’, ‘largest global organization’ or ‘highly accurate’.
g) Product names can be included in the SoA if they are integral to a service provided.
The SoA shall be reviewed at least annually to determine the need for change and to ensure the details
are accurate.
Figure 1 — Example of a SoA template
4.1.2 Confidentiality of research
4.1.2.1 General
Information supplied by clients for project purposes shall only be used by service providers in the context
for which it was supplied. It shall not be made available to third parties without prior authorization by
clients and shall be treated in the strictest confidence in accordance with client requirements.
Identifiable participant data are confidential and all assurances given to participants shall be fulfilled.
Where databases or contact lists are provided by third parties (e.g. clients), the service provider shall
request that third parties confirm that use of such sources conforms to industry codes.
4.1.2.2 Participant reassurance
Invited or recruited participants shall be informed by the service provider that participation is
voluntary.
The service provider shall ensure that participant reassurance occurs:
a) during each recruitment or invitation, regarding the types of personal data, proposed uses, and
retention and/or reuse of the data to be collected;
14 © ISO 2019 – All rights reserved

b) during direct data collection (e.g. face-to-face, telephone) regarding confidentiality principles,
purposes for which the data may be used, and identity and contact details of the service provider
and any subcontractors and/or client(s), as appropriate.
Where digital identifiers (e.g. cookies) are used by the service provider during data collection, this shall
be communicated to participants including the purpose of the intended identifiers.
Whenever geo-location or geo-fencing methods are to be used to collect participant data, the service
provider shall make participants aware of this and obtain consent.
Where there is no direct contact between the service provider and the participant/s and it is not
possible to provide direct assurances, privacy obligations shall still be met.
Reasonable precautions shall be taken by the service provider to ensure that participants and observed
people (including those who may not be aware they are being observed) are not identified, harmed, or
adversely affected as a result of their participation.
4.1.2.3 Invitations to participate in research projects
The service provider shall provide each potential participant invited to take part in a research project
with appropriate information, including:
a) a general description of the purpose of a project;
b) the estimated length of their participation time;
c) a statement of the confidentiality of each participant’s responses;
d) a statement of the anonymity and/or identification of each participant’s responses;
e) the closing date for completed responses (if applicable);
f) full disclosure of incentive terms and conditions related to the project;
g) information as to whether the invitation is sent out on behalf of another service provider; and
h) the opportunity to unsubscribe or opt out of the research activity.
Where participants ask for the above details of a project, if the information cannot be shared prior to
participation, the service provider shall share these details after p
...