Investors in People Community Interest Company
Client Privacy Notice
Last Updated: 21 December 2022
Content
1. About
2. Introduction
3. What personal information is collected and how is it used?
4. Do we share personal data with other organisations?
5. Cookie Policy
6. How long do we keep your information for?
7. How do we store and protect your personal information?
8. International Transfers
9. We will never sell your information to anyone
10. How to complain
11. Changes to this Privacy Notice
Appendix 1
1. About
1.1. This policy statement is all about our commitment to protect the privacy and security of your personal data. When working with us, you may give us access to a certain amount of personal data. So, the purpose of this statement, or ‘Privacy Notice’, is to explain how we collect, use and hold your personal data.
1.2. You may have heard the term GDPR. It stands for the General Data Protection Regulation, which came into force in May 2018. Since leaving the European Union the UK GDPR has come into effect. We are responsible for looking after personal data and information in accordance with that regulation and all the other data protection legislation that’s currently in force.
1.3. That legislation also means that we have to give you a lot of detail on what we do, and the definitions of our role, as far as UK GDPR is concerned. It’s a long read, and by its very nature contains a lot of legal phrases but feel free simply to talk to us (gdpr@investorsinpeople.com) if you have any questions or concerns.
2. Introduction
2.1. Investors in People Community Interest Company trading as Investors in People (we, our, us) collects, uses and is responsible for certain personal data about you. When we do so we are regulated under the UK General Data Protection Regulation. We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA).
2.2. We are committed to complying with the provisions of the Data Protection Legislation and ensuring that the personal data we hold is processed fairly and lawfully. This Privacy Notice has therefore been prepared to tell you about the way we collect information from you and what we do with that information. This Privacy Notice explains the legal basis for this and the rights you have over the way your information is used.
2.3. This Privacy Notice explains how we collect information from organisations or individuals who use our website and applications, who attend our events, who complete one of our assessment surveys or with whom we contract for the delivery of services. It also explains how this information is then used. Please read this Privacy Notice carefully and re-visit this page from time to time to review any changes that may have been made.
2.4. For the purposes of the Data Protection Legislation we are the data controller and we will process any personal information we collect about you in accordance with the Data Protection Legislation.
2.5. If you have any questions about this statement or your personal data that we may collect from you, please contact us at gdpr@investorsinpeople.com.
3. What personal information is collected and how is it used?
3.1 What is personal data:
‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.
‘Special category personal data’ is more sensitive personal data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.
3.2 Information collected by us:
We could collect personal information in a number of ways:
- When you complete an online registration.
- When your organisation signs up to one of our services.
- When you register for one of our events.
- By the use of cookies on our website.
- When we ask you to provide us with feedback on our products and services.
- When you make a purchase from our shop.
3.3. Personal data collected from other sources:
We also obtain personal data from other sources as follows:
- When your organisation provides your contact details to one of our Practitioners or Delivery Partners for the purposes of engaging our services or completing a survey. For further information on Delivery Partners please see section 3.
- When you use third party websites or allow us indirectly to access your information via third party websites, if you gave prior permission to that third party.
3.4. How we, the Practitioners or Delivery Partners may use the personal data:
- To contact you to provide any further information you or your organisation has requested.
- To deliver products and services as per the contract with your organisation (e.g. carry out an Investors in People assessment or raising invoices).
- To contact you to complete a survey.
- To let you know about related products and services that may be of benefit to you or your organisation (provided you have not opted out from receiving this type of communication from us).
- To measure and analyse behaviour when you are using our platforms or website in order to monitor, maintain and improve our services or features of those platforms.
- To personalise or customise the user experience of people using our platforms and services.
- To prevent or address service, security, support or technical issues.
- To create anonymised and aggregated data for benchmarking, public relations and marketing purposes.
3.5. Reasons why collection and use of your personal data is consistent withthe current data privacy directives:
The use of your personal data for the purposes set out above should be considered lawful because one or more of the following processes applies:
- Where you have provided information to us for the purposes of receiving information about us, we rely on legitimate interests as the lawful basis on which we collect and use your personal data. Our legitimate interest is to provide details of our services to you.
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or your organisation or to take steps you ask us to prior to entering into a contract. We also rely on this being in our interest in delivering on our obligations to you, at your request, or that of your organisation. Our services to you may be delivered via
a third party. - It is necessary to comply with our legal obligations e.g. for the purposes of fraud prevention or through the court of law.
3.6 Undertaking an Investors in People survey:
If your organisation has contracted with us to be assessed against any of the Investors in People standards, your organisation will inform you of why they are undertaking the survey and how this will be used to inform business improvement.
In order for you to complete one of our surveys, we collect from your employer:
- Your name and email addresses so that you can be invited to participate in the survey.
- Other details which may include your role, department or site where you work.
As a participant, you may be asked to submit the following information when completing the survey:
- Views about your organisation, your age, managerial level, gender, length of service.
The information provided by your organisation is the minimum needed for us to provide the contractual services which your organisation has asked us to provide. They do this because it is in their legitimate interests as your employer to do so with the aim of improving the business for the benefit of all concerned. This does not affect your individual rights and freedoms as you may object to this
processing at any time, and:
- Choose not to respond to the survey.
- Object to the processing of your personal data by (a) contacting your organisation or (b) by contacting us directly at gdpr@investorsinpeople.com
3.6.1. How is the information collected in a Survey used?
Responses you provide as part of a survey remain anonymous and confidential to Investors in People. We retain ownership on all survey submissions, and we are the Data Controller. Submitted data is stored against the email record only for the purposes of debugging and occasionally correcting or deleting user data which has been submitted incorrectly. All data is aggregated and anonymised to remove any
Personal Identifiable Information (PII) before being shared with your organisation, third parties such as Practitioners, delivery partners and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question. Submissions via an “open account” are not linked to any PII and so can be considered anonymous.
Your rights regarding personal information collected for a Survey:
You have certain rights in relation to the processing of your personal data, including to:
- Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
- Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes we will stop sending you marketing material.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party (data portability).
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
Right to withdraw consent
In the circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.
How to exercise your rights
You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If you wish to exercise your rights, please contact us at gdpr@investorsinpeople.com.
Back to top
4. Do we share personal data with other organisations?
All data collected is for the sole purpose of providing our services or further information. In certain geographical locations we may also allow third party delivery partners to deliver services to your organisation using our brand and methodologies. These partners are listed in Appendix 1, and we call them our Delivery Partners.
We (or our Delivery Partners) may also engage the services and may share your information with a third party in the following areas:
- Contracted Practitioners to deliver our services (for example advisory orassessment services).
- Third parties to provide services in relation to CRM hosting, administering the Investors in People survey platform, website or to prevent or address service, security, support or technical issues.
For the following services we transfer you to a third party and their privacy notice will
apply to you:
- Third-parties who manage registrations, booking and payments for events.
- The collection, processing and management of payments for purchases in our on-line shop.
We select our third-party service providers with care. We provide these third parties with the information that is necessary to enable them to provide the services for which they are engaged. We will take steps to ensure that they comply with their obligations under GDPR and Data Protection Legislation.
For clients/individuals within the European Economic Area (EEA) we do not share your personal data outside of the EEA. Where clients/individuals are located outside the EEA we ensure that the information is protected by entering into a Data Sharing Agreement which contains model EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Back to top
5. Cookie Policy
When you visit our website, we may collect using electronic means such as cookies, technical information. This information may include information about your visits to the website, including the IP address of your computer and which browser was used to view the website, your operating system, resolution of screen, location, language settings in browsers, the site you came from, keywords searched (if arriving from a search engine), the number of page views, information entered, and advertisements
seen. This data is used to measure and improve the effectiveness of our website and platform’s website or enhance the experience for other users. While most of the time this information is depersonalised, if this information relates to an identifiable individual, we will treat this information as personal information.
For further details on how we may collect and use information when you visit and/or interact with us on the website please visit our Website Privacy Policy or our Cookies Policy.
Back to top
6. How long do we keep your information for?
We will only hold your personal information for as long as it is necessary for the relevant activity, including to fulfil our legal obligations.
- Surveys:
We invest in people: Shortly after the survey closes it has to be archived in order to reveal full results data. Once a survey has been archived, personal names and email addresses are anonymised using asterisks and the email body is wiped. This process occurs weekly and is irreversible.
We invest in wellbeing: Shortly after the survey is closed, personal names and email addresses are deleted from the database, this process occurs regularly and is irreversible.
- Client and individual records on CRM:
We maintain a CRM database record of our client organisations, key employee contact details and details of projects and services your organisation has enquired about or requested – including a copy of the key documents related to services which have been performed (including documents provided to us by third parties in the provision of their services, namely the plans and reports). These records are kept indefinitely to help us manage the history and ongoing accreditation and support given to our clients, as well as to compile information for statistical analysis. The records may be made available to our Practitioners or Delivery Partners.
If you ask us to stop contacting you with marketing materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
- Data collected by Practitioners and Delivery Partners:
As stated above, we engage a number of contracted Practitioners and Delivery Partners to deliver certain services which enable us to implement our accreditation scheme. Any personal information they collect and share with us will be dealt with by us in accordance with this Privacy Notice.
7. How do we store and protect your personal information?
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Back to top
8. International Transfers
When we collect your personal data, it may be processed outside the UK. This is because the organisations we use to provide our services to you are located in other countries.
We have taken appropriate steps to ensure that where personal data processed outside the UK, it has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:
- Your personal data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation); or
- We enter into either International Data Transfers Agreements (IDTAs) or Standard Contractual Clauses (SCCs) with the receiving organisations and ensure that supplementary measures are also applied, where necessary.
9. We will never sell your information to anyone
We do not sell any of your information and we carry out all processing in strict compliance with European privacy laws.
Back to top
10. How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, if you believe we are infringing the UK data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
Back to top
11. Changes to this Privacy Notice
If we make any changes to this privacy notice these changes will be detailed on our website to ensure that you are fully aware of what information is collected, how it is used and under what circumstances it will be disclosed. If we make any significant changes we may advertise this on the website or, contact you directly with the information.
Back to top
Appendix 1
Our Delivery Partners
- Philippines: Inspiring Partners Inc
Delivery of advice only:
- Bermuda: Management Solutions
- Bulgaria: International Human Resources
- Turkey: Management Centre Turkey