Question 1

Is IIPCIC registered with the Information Commissioners Office?

Accepted Answer

Yes, registration number: ZA286529

Question 2

Does IIPCIC have a Data Protection Policy?

Accepted Answer

Yes – please see the Data Protection Policy on our website:

https://www.investorsinpeople.com/data-protection-policy/

Question 3

Are IIP classed as a Data Processor?

Accepted Answer

No, IIP has a controller to controller relationship with our clients and Practitioners who deliver the IIP service. A data controller is an organisation that determines what data is needed, what can be done with it, and how to handle that data – we therefore need to process the data according to our processes, in particular the data used within our online assessment system.

Question 4

What physical security controls are in place to protect personal data?

Accepted Answer

Building entry controls: We work in a secured building where all entries are manned by security personnel. Doors on each floor are electronically locked. ID and access control cards required to enter the floor.

Question 5

What maintenance programme/s do you have in place to ensure that your computer equipment and software is kept running smoothly and to fix any security vulnerabilities?

Accepted Answer

All servers and networking equipment is monitored and proactively managed by our IT Manged Service Provider, this includes 24/7 monitoring and resolution of issues as well as proactive maintenance, updates and security fixes, vulnerability scanning is performed regularly, and actions taken to close any identified issues.

Question 6

Is IIP certified in an industry accepted control standard?

Accepted Answer

We are Cyber Essentials Plus accredited

Question 7

Are your Information Security policies reviewed and updated periodically?

Accepted Answer

Yes. Our Managed Service Provider also provides regular updates, monthly emails, staff training sessions as well as IT Steering Group sessions to ensure we are kept up‐to‐date with current and emerging IT security issues.

Question 8

Do IIP employees receive data protection training?

Accepted Answer

Yes, at recruitment and this is refreshed periodically.

Question 9

Are IIP employees asked to sign a data protection policy as part of their terms and conditions of employment?

Accepted Answer

Question 10

Are contractors and part‐ time/temporary employees bound by your information security policy, and confidentiality and/or non‐ disclosure agreements?

Accepted Answer

Question 11

Do you use Antivirus software on all employee desktops, laptops, and servers?

Accepted Answer

Yes, protection is installed on all user devices, updates and alerts are
monitored.

Question 12

What firewalls/network security are in place?

Accepted Answer

A fully managed 100Mb dedicated wireless solution with a Market‐leading router/firewall is in‐place.

Question 13

Do you perform periodic vulnerability scanning against your systems?

Accepted Answer

Vulnerability scanning is performed every 6 months by Mintivo (IT Managed Service Provider), actions are taken on any issues found, currently there are 0 outstanding risks present.

Question 14

Can I request to see what personal data you hold about me?

Accepted Answer

Yes, as set out in Article 15 of the UK GDPR, data subjects have the right to obtain from IIPCIC, where we are the data controller, confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information.

Please see the Subject Access Request section on our website:

https://www.investorsinpeople.com/data-protection-policy/

Please see the Subject Access Request section on our website:

https://www.investorsinpeople.com/data-protection-policy/

Question 15

Do you have a data breach process?

Accepted Answer

Yes – please see the Data Breach Process section on our website:

https://www.investorsinpeople.com/personal-data-breach-procedure/

Question 16

Who do I contact with questions about data protection?

Accepted Answer

info@investorsinpeople.com

Question 17

Who is your Data Protection Officer?

Accepted Answer

IIP are not required to have a Data Protection Officer, however, have several individuals internally are responsible for our Data Protection Compliance, in addition to the external appointment of Data Protection expert.

Question 18

What information is collected from organisations?

Accepted Answer

Organisations undertaking the IIP survey send us employee names and email addresses so that we can create unique submission links and email their survey links out directly.

Question 19

What information is collected from participants on the IIP survey?

Accepted Answer

All people sent the survey can choose whether or not to complete the survey. Participants will be asked to submit information about themselves when completing the survey. This information may include, for example: their views about their employer, age, managerial level, gender, or length of service. Most such data is collected in the form of responses to the Likert scale (strongly agree, agree, neither agree nor disagree, disagree, strongly disagree), though other data is collected via multiple choice ‘tick boxes’ and IIPCIC Data Protection FAQs: 1018 free‐text fields. Where personal information is asked, participants are given the option to answer with a ‘prefer not to say’ response.

Question 20

Can my organisation see my answers to the IIP survey?

Accepted Answer

No, all data is aggregated and anonymised removing any Personal Identifiable Information (PII) before being shared with your organisation and any third parties such as Practitioners, delivery partners (see Appendix 1) and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question.

Question 21

Where is survey data, including personal data, stored and how is it kept secure?

Accepted Answer

Survey data, including personal data, is stored securely within Amazon Web Services. The entire data application (instances, databases, snapshots, backups) is stored within the EU‐West‐1 (Dublin) data centres, and so adheres to EU controls limiting storage within the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key‐based authentication, and further secured with strict ACLs requiring access through secure Cisco VPNs. Our architects are all security cleared with an Enhanced DBS, and have all been involved in the IIP projects for more than three years.

Access to servers is restricted with ACLs, Security Groups, and iptables for instance‐specific controls. Backups are run nightly and replicated to a S3 bucket in an AWS region (eu‐west‐1 ‐ Dublin).

For further information on AWS security, including physical access control, auto‐replication (redundancy), hypervisor security, and power/infrastructure redundancy, please see: https://aws.amazon.com/compliance/.

Application passwords are managed using Drupal ‐ passwords are salted and re‐hashed multiple times. Plain‐text passwords are never stored in the database. Brute‐force attacks are mitigated by auto‐blocking login attempts after five failed attempts. Once logged‐in, the system supports full RBAC, with minimum‐granted permissions (user permissions are granted only when needed for a user account, rather than granting system‐wide access).

All communications with the site are via HTTPS, using HSTS and modern cipher suites (TLS1.0+). Ciphers are reviewed regularly to ensure security compliance. The system scores the top mark (A+) with independent access check from SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=www.investorsinpeople.co
m).

Question 22

How long is data stored for and when is it deleted? What happens when data is deleted/archived?

Accepted Answer

Shortly after an online survey closes it has to be archived in order to reveal full results data. Once a survey has been archived, personal names and email addresses are anonymised using asterisks and the email body is wiped. This process occurs weekly and is irreversible.

Question 23

How/when is personal data moved and what measures are in place to ensure its security during transfer?

Accepted Answer

Data is transferred between IIP web systems, including CRM, website and survey platform, using custom built APIs (e.g. between Roden & Gene); these APIs are not publicly documented which provides a layer of security through associated obscurity.

Data is encrypted during transit (both between servers and between web server and client) using industry‐leading HTTPS configurations.

All API transactions are completed at server level; not through Javascript or other frontend code, so cannot be “sniffed” by code inspection from publicly visible code.

Question 24

Can an organisation undertake the IIP survey without providing any of their staff personal data?

Accepted Answer

Yes. Surveys operating using only ‘open access’ links do not require name/email address data. Please let us know if you want to explore this option in more detail.

Question 25

Do we share survey personal data with other organisations?

Accepted Answer

We use an external Development Partner Organisation to build and maintain our online platform and sometimes to resolve issues with the site. As such, they require access to a minimum amount of personal data. As part of their contract with us, they are subject to an NDA agreement, which binds them by confidentiality and data privacy rules.

We select our third‐party service providers with care. We provide these third parties with the information that is necessary to enable them to provide the services for which they are engaged. We take steps to ensure that they comply with their obligations under GDPR and Data Protection Legislation.

In certain geographical locations we may also allow third party delivery partners to deliver services to your organisation using our brand and methodologies. These partners are listed in Appendix 1, and we call them our Delivery Partners.

Question 26

Who has access to Survey personal data?

Accepted Answer

In terms of administering the survey, the following may have access to your survey data:

IIP Head Office staff (only those required to administer the survey)
Where applicable ‐ administrators from the specific Delivery Partner that works with you in order to administer the survey.

Question 27

How are permissions set to ensure only those who truly require it have access to survey data sets?

Accepted Answer

Investors in People permissions are managed carefully to ensure only relevant staff are added to the platform and permission levels set in line with the requirements of their role in administering the survey.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
aka_debug	session	Vimeo sets this cookie which is essential for the website to play video functionality.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
player	1 year	Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1Q90G5K82K	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_63867030_6	1 minute	Set by Google to distinguish users.
_gat_UA-63867030-3	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cusid	30 minutes	ClickDimensions sets this cookie to establish and continue a user session with the site.
cuvid	2 years	This cookie, set by ClickDimensions, is written to the browser upon the first visit to the site from that web browser.
cuvon	30 minutes	ClickDimensions sets this cookie to store the last time a visitor viewed a page.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

Cookie	Duration	Description
_hjSession_3155220	30 minutes	No description
_hjSessionUser_3155220	1 year	No description
kms_ctamuls	session	No description available.
ln_or	1 day	No description

GDPR FAQs

Investors in People Data Security / Protection FAQs

IIP Assessment Survey

Investors in People

Search our website

Useful Info

Follow Us

Contact Us

START YOUR ACCREDITATION JOURNEY

BEFORE YOU GO...

Already accredited?