Investors in People Data Security / Protection FAQs



Is IIPCIC registered with the Information Commissioner's Office?

Yes, registration number: ZA286529

Does IIPCIC have a Data Protection Policy?

Yes – please see the Data Protection Policy on our website:


Are IIP classed as a Data Processor?

No, IIP has a controller to controller relationship with our clients and Practitioners who deliver the IIP service. A data controller is an organisation that determines what data is needed, what can be done with it, and how to handle that data – we therefore need to process the data according to our processes, in particular the data used within our online assessment system.

What maintenance programme/s do you have in place to ensure that your computer equipment and software is kept running smoothly and to fix any security vulnerabilities?


All servers and networking equipment are monitored and proactively managed by our IT Managed Service Provider. This includes 24/7 monitoring and resolution of issues as well as proactive maintenance, updates and security fixes. Vulnerability scanning is performed regularly, and actions are taken to close any identified issues.


Is IIP certified in an industry accepted control standard?

We are Cyber Essentials Plus accredited.

Do IIP employees receive data protection training?

Yes, at recruitment and this is refreshed periodically. 

Are IIP employees asked to sign a data protection policy as part of their terms and conditions of employment?


Are contractors and part-time/temporary employees bound by your information security policy, and confidentiality and/or non-disclosure agreements?


Do you use Antivirus software on all employee desktops, laptops, and servers?

Yes, protection is installed on all user devices, and updates and alerts are monitored.


Do you perform periodic vulnerability scanning against staff devices?

Vulnerability scanning is performed every 6 months by Mintivo (IT Managed Service Provider) on staff devices, and actions are taken on any issues found. Currently there are 0 outstanding risks present.


Can I request to see what personal data you hold about me?

Yes, as set out in Article 15 of the UK GDPR, data subjects have the right to obtain from IIPCIC, where we are the data controller, confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information. Please see the Subject Access Request section on our website:

Do you have a data breach process?

Yes – please see the Data Breach Process section on our website:


Who do I contact with questions about data protection? 

Who is your Data Protection Officer? 

IIP are not required to have a Data Protection Officer; however, we have several individuals internally who are responsible for our Data Protection Compliance, in addition to consultation with externally appointed Data Protection experts.


What systems do we use to store data?



Microsoft Dynamics 365 (our internal database)

The CRM database is used by IIP CIC staff to administrate accreditations.


Personal details of leads and clients are stored in our CRM and are reviewed for consent. Those who have removed previously given consent (unsubscribe) are flagged to immediately stop receiving emails sent by our marketing team. A regular review is done to anonymise and remove such details from our systems. The exception to this is existing clients who have opted out of marketing emails but still have a legitimate interest in receiving transactional emails relating to their accreditation.


CRM data, including personal data, is stored securely within Amazon Web Services. The entire data application (instances, databases, snapshots, backups) is stored within the EU-West-1 (Dublin) data centres, and so adheres to EU controls limiting storage within the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key-based authentication, and further secured with strict ACLs requiring access through secure VPNs. Our architects are all security cleared with an Enhanced DBS, and have all been involved in the IIP projects for more than three years.

Access to servers is restricted with ACLs, Security Groups, and iptables for instance-specific controls. Backups are run nightly and replicated to an S3 bucket in an AWS region (eu-west-1 – Dublin).

For further information on AWS security, including physical access control, auto-replication (redundancy), hypervisor security, and power/infrastructure redundancy, please see:


The Investors in People Portal

During an Assessment you will be able to access information through our online platform, which we call ‘the portal’. Using the portal, you will be able to download your plan & report, see key dates and share other files with your practitioner.


Here are some key points about the security measures implemented in the Portal system:


· Java Spring Secure: Java Spring Secure is a robust framework that provides comprehensive security features. It protects against session fixation, clickjacking, and cross-site request forgery (CSRF), which are common attack vectors exploited by hackers. By leveraging Java Spring Secure, the Portal system is equipped with industry-standard security mechanisms to safeguard against these threats.


· AWS Hosting and Deployment: Hosting the Portal system on AWS and deploying it using AWS Elastic Beanstalk offers numerous security benefits. AWS provides a highly secure infrastructure with features such as DDoS protection, network isolation, and regular security updates. Elastic Beanstalk simplifies deployment while ensuring scalability and reliability, without compromising security.


· Private AWS S3 Storage: Storing documents in a private AWS S3 bucket enhances security by restricting access to authorized users only. AWS S3 offers robust encryption options and access controls, ensuring that sensitive documents are protected from unauthorized access or data breaches.


· AWS Presigned URLs: Using AWS Presigned URLs with expiration times adds an extra layer of security to document downloads. These URLs grant temporary access to specific documents, limiting exposure and reducing the risk of unauthorized access. Once the URL expires, access to the document is revoked automatically, mitigating the risk of data leakage.


· SSL Encryption: Securing the domain with SSL (Secure Sockets Layer) encryption ensures that data transmitted between the client and the Portal system is encrypted and protected from interception by malicious actors. SSL encryption prevents eavesdropping and tampering, enhancing the overall security posture of the system.


· Authentication and Authorization by CAS SSO: Requiring authentication and authorization for every request to the Portal system using CAS (Central Authentication Service) Single Sign-On (SSO) further strengthens security. CAS SSO provides a centralized authentication mechanism, allowing users to authenticate once and access multiple applications securely without the need for multiple logins. With CAS SSO, the Portal system can enforce access controls based on user roles and permissions effectively, enhancing overall security.


· Protection of Personal Identifiable Information (PII): During the development stage, the Portal system ensures that real data containing PII is not used. Instead, synthetic or anonymized data is employed for testing and development purposes to prevent any exposure of sensitive information. Additionally, access to production data, including PII, is strictly limited to authorized personnel only, adhering to the principle of least privilege. This ensures that PII is protected from unauthorized access or misuse throughout the development lifecycle.


By combining these security measures, the Portal system is well protected against a wide range of security threats, ensuring the confidentiality, integrity, and availability of sensitive data and resources. These robust security practices demonstrate our commitment to safeguarding clients’ data and instil confidence in the security of the Portal system.



We use a platform called Qualtrics to host surveys (that is to create surveys and collate raw data responses).


The raw data is then transferred into The Investors in People Portal to apply our analysis and calculations.


Our Qualtrics data centre is in France and as such meets EU GDPR privacy standards, but we are the administrators from a data protection perspective.


The Investors in People Website

If you make an enquiry through our website (by filling in a form or emailing us directly), we will store your enquiry in our CRM to allow us to respond to your enquiry as effectively as possible. If you consent to us contacting you via email, post or telephone/SMS, we will hold your contact information in our email marketing platform (if email contact consent was given).

We store your information to ensure you’re kept updated with relevant news and complimentary services and promotions.

If you wish to withdraw your consent at any time, and don’t want us to contact you in the future, that’s no problem. Simply call, email or write to us, and we will ensure you are removed from our contact databases.



Survey Data FAQ

We invest in people & We invest in wellbeing



What system do you use to collect survey data?

We use a platform called Qualtrics to host surveys (that is to create surveys and collate raw data responses).

How will people access the survey?

We will provide you with a survey link & QR code which everyone in the organisation can use.

What information do you require to set a survey up?


At Investors in People, our surveys are 100% anonymous. We don’t ask for staff to enter their names, numbers, or email addresses when they provide their feedback. This is so people feel they can give honest feedback about their manager, department, or company without being identified.


As a minimum we will ask you to provide your desired start and end date and confirmation of number of people in the organisation.


If you have chosen our most detailed survey package, we will also ask you if you would like to include any of our set demographic questions or our group question.


What information is collected from participants on an IIP survey?

All people given access to the survey can choose whether or not to complete the survey. Participants will be asked to submit information about themselves when completing the survey. This information may include, for example: their views about their employer, age, managerial level, gender, or length of service. Most such data is collected in the form of responses to the Likert scale (strongly agree, agree, neither agree nor disagree, disagree, strongly disagree). Where personal information is asked, participants are given the option to answer with a ‘prefer not to say’ response.


Can an organisation see individual answers to the IIP survey?

No, all data is aggregated and anonymised, removing any Personal Identifiable Information (PII) before being shared with your organisation and any third parties such as Practitioners, delivery partners (see Appendix 1) and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question.


How long is survey data stored for?

All survey data collected is anonymous (due to the nature of the survey link); it is used as part of the accreditation process, and held securely on our Portal indefinitely (to be used for benchmarking comparison for future accreditations).

Do we share survey data with other organisations?



We use an external Development Partner Organisation to build and maintain our Portal and sometimes to resolve issues with the site. As such, they require access to a minimum amount of personal data. As part of their contract with us, they are subject to a data protection protocol which limits the amount of data they can process and which binds them by confidentiality and data privacy rules.

We select our third-party service providers with care. We provide these third parties with the information that is necessary to enable them to provide the services for which they are engaged. We take steps to ensure that they comply with their obligations under GDPR and Data Protection Legislation.


In the Philippines we allow a third-party delivery partner (IIP Philippines: Inspiring Partners Inc) to deliver services to organisations using our brand and methodologies.


Who has access to the survey data?

In terms of administering the survey, the following may have access to your survey data:

· Investors in People Head Office staff (only those required to administer the survey)

· Where applicable – administrators from IIP Philippines: Inspiring Partners Inc to administer surveys in the Philippines.

How are permissions set to ensure only those who truly require it have access to survey data sets?


Investors in People permissions are managed carefully to ensure only relevant staff are added to the platform and permission levels are set in line with the requirements of their role in administering the survey.


Survey Data FAQ - We invest in apprentices



Is anything different for your apprentices survey?

For our apprentices survey the above FAQ points apply. In addition to this, our apprentices survey also asks questions via multiple choice ‘tick boxes’ and free-text fields.

