1. Description of the Business
Hub Consulting Pty Ltd trading as Lucid (referred to hereinafter as “Lucid”) provides market research services to clients including, without limitation, qualitative research activities such as focus groups and one-on-one interviews, and quantitative research activities such as surveys to consumer and business-to-business respondents via internet, telephone (both fixed/landline and wireless/mobile), postal and multi-mode methodologies.
This Privacy Policy describes the types of information we collect, how we collect information, how we use the information, how we share or disclose the information, how we store the information, and your choices regarding the use and processing of the information.
2. What type of information do we collect?
We collect the following information:
- Personally identifiable information (“PII”) which includes, without limitation, first and last names, email address, telephone number(s) (e.g., home, mobile, and business numbers), and residential address.
- Business contact information, including, without limitation, company name, job title, and department.
- Information on your employer or the company you represent.
- Information collected through automated means, including, without limitation, IP address, browser type, operating system, and device type, for survey validation purposes.
- Information on your opinions, behaviors, experiences, perceptions and attitudes.
- Depending on the nature of the research we conduct, we may also collect sensitive information from you which may include, amongst other information, your political opinions or health information. However, sensitive information will only be collected with your prior consent and only if it is directly related to, or reasonably necessary for, the research we conduct.
3. How we collect information
- Through completing a survey either sent directly from us or from one of our clients or from one of our third party providers;
- Through participating in a focus group or one-on-one discussion conducted by us;
- Through telephone calls, email communications, and/or other forms of communication.
When providing personal information, you have the option of remaining anonymous or using a pseudonym to be identified.
Information collected from third parties:
Lucid may collect information, including, without limitation, PII, business contact information and information collected through automated means, from third parties, including, without limitation, clients, panel providers and market research recruiters. In each case, we will rely on the third party to have obtained your consent to disclose this information for social or market research purposes.
We may use the information collected from such third parties for various purposes, including, without limitation, sending you emails or other communications as described herein. In the event you receive such communications you will have the opportunity to opt-out of receiving communications from us.
4. How We Use the Information that We Collect
We may use information, including, without limitation, PII and business contact information, to:
- Conduct market research activities in accordance with our Privacy Policy, including, without limitation, (a) contacting you to participate in surveys via telephone, email, or otherwise, (b) soliciting your opinions or feedback on our client’s business activities, including, without limitation, current and future products and services, and (c) analysing your responses to the qualitative and quantitative research;
- Respond to inquiries and requests;
- Process and manage opt-out or unsubscribe requests;
In the event that you provide Lucid with any feedback, suggestions, and/or comments regarding Lucid or its client’s business activities, including, without limitation, regarding current and/or future products and/or services, Lucid may use, apply, and implement such feedback, suggestions, and/or comments, at Lucid’s discretion, and without notice to you, without any consent or approval from you, without any compensation to you, and/or without any attribution or credit to you, and you hereby irrevocably assign and transfer to Lucid all right, title, and interest in and/or to any such feedback, suggestions, and/or comments.
5. How do we share your information?
We will not use or disclose your PII for the purpose of advertising, promotions or direct marketing activities.
Lucid does not sell your information and does not use or disclose your PII for the purpose of advertising, promotions or direct marketing activities. Lucid uses the information in accordance with this Privacy Policy or as otherwise consented to by you.
We may share information, including, without limitation, PII and business contact information, as follows:
- With the directors, managers, officers, employees, consultants, and agents of Lucid, subject to the terms of this Privacy Policy or as otherwise disclosed to you at the time of the collection of the information or as subsequently consented to by you.
- To third party providers who are performing services on our behalf, who may host or store the data overseas (and whose details you may request). The third party providers are authorized to use and disclose the information only as necessary to perform and provide the services for which they were engaged.
- To our clients for whom we are performing services. The clients are authorized to use and disclose the information only as necessary to perform and provide the services for which they engaged us.
- We may disclose information about you: (a) if we are required to do so pursuant to applicable laws or legal or court process; or (b) when we believe disclosure is necessary to prevent harm or financial loss, or in connection with an investigation of actual or suspected fraud or illegal activity.
6. How do we keep your Information secure?
All information, including, without limitation, PII and business contact information, is stored on servers and systems located in the United States, which servers are licensed by Lucid. Where information is stored by a third-party provider or a client, we will take reasonable steps to ensure that they comply with the Privacy Act and this Privacy Policy and/or are subject to similar privacy laws or contractually, and you have the ability to enforce those rights.
Lucid will take reasonable steps under the Privacy Act, to secure personal information and protect such information from loss, misuse and unauthorised access, use, modification, disclosure, alteration, or destruction. Lucid reviews, monitors and evaluates its privacy practices and protection systems on a regular basis. Notwithstanding the foregoing, transmissions over the Internet and/or a mobile network are not one hundred percent (100%) secure and Lucid does not guarantee the security of transmissions. Should a data breach involving personal information occur:
- Lucid will take positive steps to address the breach in a timely manner and take remedial action such that the data breach does not result in serious harm.
- Lucid will undertake reasonable and expeditious assessment to determine if it is an ‘eligible data breach’, that is a breach likely to result in serious harm to any individual affected.
In compliance with Privacy Amendment (Notifiable Data Breaches) Act 2017, Lucid agrees that if it becomes aware of reasonable grounds to believe an eligible data breach has occurred, it will promptly notify the Office of the Australian Information Commissioner (Commissioner), the Association of Market and Social Research Organisations (AMSRO) and the affected individuals at likely risk of serious harm.
7. How can I opt-out?
You may opt-out by:
- clicking on the unsubscribe link contained in any e-mail communication received from or about Lucid; or
- contacting us as set forth below.
8. How Can You Access Your Information?
You may access information we collect from or about you in order to review, correct, or delete such information by contacting Lucid as follows:
- Sending an email request to info@purelylucid.com
Where we hold information that you are entitled to access, we will respond to your request in a reasonable time and endeavour to provide you with a suitable range of choices as to how access is provided (e.g., emailing or mailing it to you).
If, at any time, you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request amendment of it and we will either amend the information or make a record of your comment, as we think appropriate.
Should you require us to delete your information, we will do so within 14 working days.
9. Retention and destruction of Personal Information
Lucid will destroy or de-identify your personal information as soon as practicable once it is no longer needed for our research purposes unless required otherwise by our clients, or by any other policies, laws or regulations the organisation may need to adhere to (e.g., archiving information for tax purposes). In circumstances where your personal information is retained, your personal information will continue to be protected in accordance with this Policy. If we destroy personal information, we will do so by taking reasonable steps and using up-to-date techniques and processes.
10. Who can I contact with questions or complaints about this Privacy Policy?
If you have any questions or complaints regarding Lucid’s privacy practices and/or this Privacy Policy or want to communicate an opt-out request to Lucid, or want to exercise your rights to access, review, correct, delete or object to the processing of PII, please contact us via email at info@purelylucid.com.
11. Updates to this Privacy Policy
This Privacy Policy may be updated periodically and without prior notice to you to reflect changes to Lucid’s practices and procedures set forth herein.
In this policy “personal information” has the same meaning as under the Privacy Act.
Although we intend to observe this Privacy Policy at all times, it is not legally binding on Lucid in any way. From time to time we may regard it as necessary or desirable to act outside the policy. Lucid may do so, subject only to any other applicable contractual rights you have and any statutory rights you have under the Privacy Act or other applicable legislation.
12. For California Residents
Your Rights Under the California Consumer Protection Act of 2018 (“CCPA”)
Pursuant to the California Consumer Protection Act of 2018 (“CCPA”), and subject to certain exceptions and limitations, Californians can contact Lucid to exercise the rights described below with respect to certain personal information that Lucid holds about them. To the extent those rights apply to you, they are described below. Lucid also handles certain personal information on behalf of clients. You should contact those clients to exercise any rights you may have with respect to that personal information.
Right to Know About Personal Information Collected, Disclosed, or Sold
You have the right to request that we provide you with details about the personal information we collect, use, disclose and sell. You can submit a verifiable consumer request by emailing info@purelylucid.com. Lucid reserves the right to verify your identity to our satisfaction.
You are entitled to receive the following:
- The categories of your personal information that Lucid has collected in the preceding 12 months
- The categories of sources from which that information was collected
- The business/commercial purpose for the collection
- The categories of third parties with whom Lucid shares personal information
- The specific pieces of personal information Lucid has collected about you (subject to some exceptions)
Because Lucid has disclosed (as those words are defined in the CCPA) personal information to third parties in the last 12 months, you are also entitled to receive:
- The categories of personal information that Lucid has disclosed in the past 12 months
Right to Request Deletion of Personal Information
You have the right to request deletion of the personal information we have collected about you (subject to some exceptions). You can submit your request as described above, and we reserve the right to conduct the verification described above.
Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
You have the right not to receive unlawful discriminatory treatment by Lucid for the exercise of your privacy rights under the CCPA.
List of Categories of Personal Information to be Collected and May Have Been Disclosed
Categories of Personal Information Collected
Lucid collects personal information from research participants during the conduct of market research activities, including, without limitation, during participation in a survey, focus group or one-on-one discussion.
The categories of personal information we may collect include:
- “Identifiers” such as:
  - Name
  - Address(es)
  - Telephone number(s) (including home, cell, and/or business telephone numbers)
  - Email address(es)
  - Date of birth
  - Internet Protocol address
  - Unique device identification number (such as identifiers for analytics or advertising)
  - Network provider user ID (a number uniquely allocated to you by your network provider)
  - Media Access Control (MAC) address
  - International Mobile Equipment Identity
  - Unique cookie identifiers
- Internet or other electronic network activity information, and other information collected through automated means (more detail can be found [Here]), such as:
  - Information about your device (e.g., device operating system, the other applications on your device, device network provider, device type, time zone, network status, browser type, browser identifier and other information that alone or in combination may be used to uniquely identify your device)
  - Geolocation
  - Cookies and similar technology
  - Social media information
  - Log files
  - Digital fingerprinting
  - Watermarking
  - Browsing activity
  - Other behavioral information
- Professional or employment-related information, including occupation
- Education information
- Additional content/material you submit, including photos, videos and/or similar content
- Characteristics of potentially protected classifications under California, federal or international law (e.g., health and medical conditions, sexual orientation or sexual life, political opinions/views, race/ethnic origin, gender, religious and philosophical beliefs and trade-union membership)
- Other medical information
- Demographic information
All of the information above was collected for the purposes described in Clause 4.
Information Security Policy
Section 1 – Audience
- This policy applies to all users of Lucid’s resources and connected systems. Each user is required to comply with the terms of this policy as well as all applicable legislation.
- This policy is supplemented by a comprehensive set of information security procedures, manuals and guidelines.
Section 2 – Purpose
- This policy provides management direction and support for information technology security in accordance with Lucid’s operational requirements, relevant laws, and regulations. This policy aligns with the Information Security Industry Standard ISO/IEC 27002:2013: Information Technology – Security Techniques – Code of Practice for Information Security Controls.
- Lucid aims to maintain an information security profile consistent with industry requirements and best practices in compliance with applicable laws and regulations.
- Risk management is at the core of Lucid. Information security risks must be identified, assessed, mitigated, and monitored to help protect the confidentiality, integrity and availability of Lucid’s information and information systems.
- Information security controls are established, implemented, monitored, reviewed, and improved, where necessary, to help ensure that the specific security and strategic objectives are met.
Section 3 – Scope
- This policy applies to Lucid in its entirety, including its controlled entities.
Section 4 – General Principles
- Lucid selects appropriate controls to protect Lucid’s ICT resources in accordance with ISO 27002:2013 Information Technology – Security Techniques – Code of Practice for Information Security Controls.
- Where an explicit procedure, manual, guideline or control is not cited in this Policy, the following security principles are to be applied by each user to guide their decision making regarding the use and protection of Lucid’s ICT resources:
- all users are responsible for following Lucid’s policies and procedures for managing information in a secure manner;
- a risk-based approach to information security should be adopted by all users to help ensure that all information related risks are managed in a consistent and effective manner;
- all users are to assist with the protection of Lucid’s data and information to prevent disclosure to unauthorised individuals;
- all users must comply with relevant legal and regulatory requirements; and
- users are to use or apply approved information security solutions and services to avoid creation of disparate IT security controls.
Section 5 – Information Security Controls
Human Resources Security
- All applicable users are subject to appropriate security processes before, during and after the cessation of their employment with Lucid.
- Exit procedures should be followed as far as practicable where a staff member is transferring to a new role or work location.
- Security awareness training must be provided to all Lucid employees and should be provided to contractors and third-party users of Lucid’s ICT resources and connected systems to minimise possible security risks.
Information and Data Classification
- Information must be classified and the classification reviewed upon any significant change to the asset, or changes in regulatory requirements, to ensure that appropriate controls remain in place for the asset as it evolves over time.
Information Handling
- Based on the data classification, Lucid staff must comply with the applicable controls to help maintain the confidentiality, integrity and availability of information assets under their control.
- All users must ensure that information is handled in accordance with its classification.
Access Control
- Access to information assets, and ICT resources that store or process those assets, should only be granted following a controlled and auditable process based on operational and security requirements defined by the nominated information owner.
- All users must protect passwords and other types of credentials.
Controls Against Malicious Code
- Lucid IT Security staff are responsible for:
a. implementing detection, prevention, and recovery controls to protect against malicious code; and
b. appropriate user awareness procedures for the ICT resources they manage.
Log Management
- IT Security staff are responsible for ensuring that event logs that record relevant information security events (such as user activity, exceptions and failures) are produced for the ICT resources that they manage and kept for an appropriate period of time. Event logs may be used to identify potentially unauthorised activity, assist in investigations, and to facilitate appropriate follow up action.
Vulnerability Management
- IT Security staff are responsible for ensuring that security patch and vulnerability management processes are defined to identify, prioritise and remediate security vulnerabilities for ICT resources that they own or manage.
Supplier Relationships
- To ensure protection of Lucid’s ICT resources and information assets, any access provided to external providers must be correctly risk-managed and covered by a formal agreement.
- Lucid will work with those third parties who access, support and service Lucid’s ICT resources to ensure, as far as reasonably practicable, that they comply with this policy and information security requirements. These requirements must, where applicable, be outlined in the formal agreement with the relevant external provider.
Information Security Incident Management
- To ensure a consistent and effective approach to identifying and managing information security incidents that could impact Lucid’s ICT resources, defined guidelines have been developed and implemented.
Section 6 – Enforcement
- All Users of Lucid’s ICT resources should be aware of this policy, their responsibilities, and obligations.
- Non-compliance with the provisions of this policy may result in action under Lucid’s policies, Code of Conduct or relevant enterprise agreement/employment contract and may also result in referral to a statutory authority and/or agency.
- The Chief Executive Officer (or their nominee) is responsible for monitoring the use of Lucid’s ICT resources to measure compliance with this policy.
- Where a user has been found to fail to comply with this policy or any other of Lucid’s IT policies, procedures, manuals, or guidelines, a delegate may disconnect or restrict that user’s access to any part of Lucid’s ICT resources.
Section 7 – Exceptions
- Exceptions to this policy may be requested by a user in writing to the Chief Executive Officer. Exceptions will be assessed based on the business impact, the security risk that the proposed exemption may pose and any compensating controls that may be implemented in relation to the proposed exemption.
Section 8 – Roles and Responsibilities
Chief Executive Officer
- The Chief Executive Officer is responsible for information security policy development, and for managing the implementation and operation of Lucid’s information security capabilities to ensure that the requirements of this policy are appropriately applied.
- The Chief Executive Officer is responsible for:
- ensuring that users are aware of this policy;
- defining Lucid’s IT application and technology standards;
- maintaining a repository of Lucid’s approved applications and services;
- monitoring use of Lucid’s ICT resources, and disconnecting or restricting a user’s access if the user has failed to comply with this policy or any of Lucid’s other IT policies, procedures, manuals and guidelines; and
- reviewing and updating this policy to ensure that the policy continues to be suitable, adequate and effective.
- determining the value of the information;
- determining the statutory requirements regarding privacy and retention;
- developing guidelines for, and authorising and reviewing access to, the information;
- ensuring that risk assessments for their information assets are performed; and
- ensuring that appropriate controls are specified and communicated to the system owner who has technical control of the information.
Information Security Team
- The Information Security Team reports to the Chief Executive Officer. The Information Security Team is responsible for:
- the day-to-day administration of the ICT resource;
- developing, maintaining and documenting SOPs that include data integrity controls, authentication, recovery, and continuity of operations;
- ensuring that access to information and the ICT resource is secured;
- implementing security controls and other requirements of this policy on ICT Resources for which the System
- completing regular role-based training to ensure the effective management of the ICT resource;
- taking corrective action in respect of audit findings, system vulnerabilities and any reported security breaches;
- developing and testing disaster recovery plans;
- performing compliance and audit functions; and
- investigating and reporting on suspected breaches of this policy.
Status and Details
Status | Current |
Effective Date | 9th June 2022 |
Review Date | 9th June 2024 |
Approval Authority | CEO |
Approval Date | 30th May 2021 |
Expiry Date | Not Applicable |
Responsible Executive | Aruna Iyengar CEO |
Enquiries Contact | Information Security Team |