Investors in People Community Interest Company
Client Privacy Notice
Last Updated: 21 December 2022

Content
1. About
2. Introduction
3. What personal information is collected and how is it used?
4. Do we share personal data with other organisations?
5. Cookie Policy
6. How long do we keep your information for?
7. How do we store and protect your personal information?
8. International Transfers
9. We will never sell your information to anyone
10. How to complain
11. Changes to this Privacy Notice
Appendix 1

 

 

1. About

1.1. This policy statement is all about our commitment to protect the privacy and security of your personal data. When working with us, you may give us access to a certain amount of personal data. So, the purpose of this statement, or ‘Privacy Notice’, is to explain how we collect, use and hold your personal data.

1.2. You may have heard the term GDPR. It stands for the General Data Protection Regulation, which came into force in May 2018. Since leaving the European Union the UK GDPR has come into effect. We are responsible for looking after personal data and information in accordance with that regulation and all the other data protection legislation that’s currently in force.

1.3. That legislation also means that we have to give you a lot of detail on what we do, and the definitions of our role, as far as UK GDPR is concerned. It’s a long read, and by its very nature contains a lot of legal phrases but feel free simply to talk to us (gdpr@investorsinpeople.com) if you have any questions or concerns.

Back to top

 

 

2. Introduction

2.1. Investors in People Community Interest Company trading as Investors in People (we, our, us) collects, uses and is responsible for certain personal data about you. When we do so we are regulated under the UK General Data Protection Regulation. We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA).

2.2. We are committed to complying with the provisions of the Data Protection Legislation and ensuring that the personal data we hold is processed fairly and lawfully. This Privacy Notice has therefore been prepared to tell you about the way we collect information from you and what we do with that information. This Privacy Notice explains the legal basis for this and the rights you have over the way your information is used.

2.3. This Privacy Notice explains how we collect information from organisations or individuals who use our website and applications, who attend our events, who complete one of our assessment surveys or with whom we contract for the delivery of services. It also explains how this information is then used. Please read this Privacy Notice carefully and re-visit this page from time to time to review any changes that may have been made.

2.4. For the purposes of the Data Protection Legislation we are the data controller and we will process any personal information we collect about you in accordance with the Data Protection Legislation.

2.5. If you have any questions about this statement or your personal data that we may collect from you, please contact us at gdpr@investorsinpeople.com.

Back to top

 

 

3. What personal information is collected and how is it used?

3.1 What is personal data:

‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.

‘Special category personal data’ is more sensitive personal data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

3.2 Information collected by us:

We could collect personal information in a number of ways:

 

3.3. Personal data collected from other sources:

We also obtain personal data from other sources as follows:

 

3.4. How we, the Practitioners or Delivery Partners may use the personal data:

 

3.5. Reasons why collection and use of your personal data is consistent withthe current data privacy directives:

The use of your personal data for the purposes set out above should be considered lawful because one or more of the following processes applies:

 

3.6 Undertaking an Investors in People survey:

If your organisation has contracted with us to be assessed against any of the Investors in People standards, your organisation will inform you of why they are undertaking the survey and how this will be used to inform business improvement.

In order for you to complete one of our surveys, we collect from your employer:

 

As a participant, you may be asked to submit the following information when completing the survey:

 

The information provided by your organisation is the minimum needed for us to provide the contractual services which your organisation has asked us to provide. They do this because it is in their legitimate interests as your employer to do so with the aim of improving the business for the benefit of all concerned. This does not affect your individual rights and freedoms as you may object to this
processing at any time, and:

 

3.6.1. How is the information collected in a Survey used?

Responses you provide as part of a survey remain anonymous and confidential to Investors in People. We retain ownership on all survey submissions, and we are the Data Controller. Submitted data is stored against the email record only for the purposes of debugging and occasionally correcting or deleting user data which has been submitted incorrectly. All data is aggregated and anonymised to remove any
Personal Identifiable Information (PII) before being shared with your organisation, third parties such as Practitioners, delivery partners and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question. Submissions via an “open account” are not linked to any PII and so can be considered anonymous.

Your rights regarding personal information collected for a Survey:

You have certain rights in relation to the processing of your personal data, including to:

 

Right to withdraw consent

In the circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.

How to exercise your rights

You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If you wish to exercise your rights, please contact us at gdpr@investorsinpeople.com.
Back to top

 

 

4. Do we share personal data with other organisations?

All data collected is for the sole purpose of providing our services or further information. In certain geographical locations we may also allow third party delivery partners to deliver services to your organisation using our brand and methodologies. These partners are listed in Appendix 1, and we call them our Delivery Partners.

We (or our Delivery Partners) may also engage the services and may share your information with a third party in the following areas:

For the following services we transfer you to a third party and their privacy notice will
apply to you:

We select our third-party service providers with care. We provide these third parties with the information that is necessary to enable them to provide the services for which they are engaged. We will take steps to ensure that they comply with their obligations under GDPR and Data Protection Legislation.

For clients/individuals within the European Economic Area (EEA) we do not share your personal data outside of the EEA. Where clients/individuals are located outside the EEA we ensure that the information is protected by entering into a Data Sharing Agreement which contains model EU clauses.

We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.

Other than this, we will not share your information with other organisations without your consent.
Back to top

 

 

5. Cookie Policy

When you visit our website, we may collect using electronic means such as cookies, technical information. This information may include information about your visits to the website, including the IP address of your computer and which browser was used to view the website, your operating system, resolution of screen, location, language settings in browsers, the site you came from, keywords searched (if arriving from a search engine), the number of page views, information entered, and advertisements
seen. This data is used to measure and improve the effectiveness of our website and platform’s website or enhance the experience for other users. While most of the time this information is depersonalised, if this information relates to an identifiable individual, we will treat this information as personal information.

For further details on how we may collect and use information when you visit and/or interact with us on the website please visit our Website Privacy Policy or our Cookies Policy.
Back to top

 

 

6. How long do we keep your information for?

We will only hold your personal information for as long as it is necessary for the relevant activity, including to fulfil our legal obligations.

We invest in people: Shortly after the survey closes it has to be archived in order to reveal full results data. Once a survey has been archived, personal names and email addresses are anonymised using asterisks and the email body is wiped. This process occurs weekly and is irreversible.

We invest in wellbeing: Shortly after the survey is closed, personal names and email addresses are deleted from the database, this process occurs regularly and is irreversible.

We maintain a CRM database record of our client organisations, key employee contact details and details of projects and services your organisation has enquired about or requested – including a copy of the key documents related to services which have been performed (including documents provided to us by third parties in the provision of their services, namely the plans and reports). These records are kept indefinitely to help us manage the history and ongoing accreditation and support given to our clients, as well as to compile information for statistical analysis. The records may be made available to our Practitioners or Delivery Partners.

If you ask us to stop contacting you with marketing materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.

As stated above, we engage a number of contracted Practitioners and Delivery Partners to deliver certain services which enable us to implement our accreditation scheme. Any personal information they collect and share with us will be dealt with by us in accordance with this Privacy Notice.

Back to top

 

 

7. How do we store and protect your personal information?

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Back to top

 

 

8. International Transfers

When we collect your personal data, it may be processed outside the UK. This is because the organisations we use to provide our services to you are located in other countries.

We have taken appropriate steps to ensure that where personal data processed outside the UK, it has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:

Back to top

 

 

9. We will never sell your information to anyone

We do not sell any of your information and we carry out all processing in strict compliance with European privacy laws.
Back to top

 

 

10. How to complain

We hope that we can resolve any query or concern you raise about our use of your information.

The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, if you believe we are infringing the UK data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
Back to top

 

 

11. Changes to this Privacy Notice

If we make any changes to this privacy notice these changes will be detailed on our website to ensure that you are fully aware of what information is collected, how it is used and under what circumstances it will be disclosed. If we make any significant changes we may advertise this on the website or, contact you directly with the information.
Back to top

 

 

Appendix 1

Our Delivery Partners

Delivery of advice only:

Back to top

START YOUR ACCREDITATION JOURNEY

Ready to make work better? Complete the form below and one of our team will be in touch to discuss your accreditation enquiry.