IIPCIC Data Protection FAQs: 1018
Question | Response |
---|---|
Is IIPCIC registered with the Information Commissioners Office? | Yes, registration number: ZA286529 |
Does IIPCIC have a Data Protection Policy? | Yes – please see the Data Protection section on our website: http://www.investorsinpeople.com/data-protection/ |
Are IIP classed as a Data Processor? | No, IIP has a controller-to-controller relationship with both clients and the Practitioners who deliver the IIP service. A data controller is an organisation that determines what data is needed, what can be done with it and how it is handled; because IIP makes those decisions, in particular for the data used within our online assessment system, we process that data under our own processes rather than on a client's instructions. |
What physical security controls are in place to protect personal data? | Building entry controls: We work in a government secured building where only people with valid photo identification can enter and all entries to our building are manned by security personnel. Doors on each floor are electronically locked. ID and access control cards required to enter the floor. |
What maintenance programme/s do you have in place to ensure that your computer equipment and software is kept running smoothly and to fix any security vulnerabilities? | All servers and networking equipment are monitored and proactively managed by our IT Managed Service Provider. This includes 24/7 monitoring and resolution of issues as well as proactive maintenance, updates and security fixes. Vulnerability scanning is performed regularly and actions are taken to close any identified issues. |
Is IIP certified in an industry accepted control standard? | We are working towards Cyber Essentials Plus. |
Are your Information Security policies reviewed and updated periodically? | Yes, annually. Our Managed Service Provider also provides regular updates, monthly emails, staff training sessions as well as IT Steering Group sessions to ensure we are kept up-to-date with current and emerging IT security issues. |
Do IIP employees receive data protection training? | Yes, at recruitment and this is refreshed periodically. |
Are IIP employees asked to sign a data protection policy as part of their terms and conditions of employment? | Yes |
Are contractors and part-time/temporary employees bound by your information security policy, and confidentiality and/or non-disclosure agreements? | Yes |
Do you use Antivirus software on all employee desktops, laptops, and servers? | ESET Endpoint protection is installed on all user devices, updates are monitored. |
What firewalls/network security are in place? | A fully managed 100Mb dedicated wireless solution with a Cisco 891 router/firewall is in place. |
Do you perform periodic vulnerability scanning against your systems? | Vulnerability scanning is performed every 6 months by Mintivo (our IT Managed Service Provider). Actions are taken on any issues found; there are currently no outstanding risks. |
Can I request to see what personal data you hold about me? | Yes. As set out in Article 15 of the GDPR, data subjects have the right to obtain from IIPCIC, where we are the data controller, confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data together with the supplementary information listed in that Article. Please see the Subject Access Request section on our website: http://www.investorsinpeople.com/data-protection/ |
Do you have a data breach process? | Yes – please see the Data Breach Process section on our website: http://www.investorsinpeople.com/data-protection/ |
Who do I contact with questions about data protection? | info@investorsinpeople.com |
Who is your Data Protection Officer? | IIP do not have a Data Protection Officer. Richard Bell (info@investorsinpeople.com) is responsible for overseeing our Data Protection strategy. |
IIP Assessment Survey
Question | Response |
---|---|
What information is collected from organisations? | Organisations undertaking the IIP survey send us employee names and email addresses so that we can create unique submission links and email their survey links out directly. |
What information is collected from participants on the IIP survey? | Participants may be asked to submit information about themselves when completing the survey. This information may include, for example: their views about their employer, age, managerial level, gender, or length of service. Most such data is collected in the form of responses on a Likert scale (strongly agree, agree, neither agree nor disagree, disagree, strongly disagree), though other data is collected via multiple choice ‘tick boxes’ and free-text fields. Multiple choice questions include a ‘prefer not to say’ response. |
Can my organisation see my answers to the IIP survey? | No. All data is aggregated and anonymised, removing any Personally Identifiable Information (PII), before being shared with your organisation and any third parties such as Practitioners, delivery partners and other administrators. To protect small groups, where trends in the data could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question. |
Where is survey data, including personal data, stored and how is it kept secure? | Survey data, including personal data, is stored securely within Amazon Web Services. The entire data application (instances, databases, snapshots, backups) is stored within the eu-west-1 (Dublin) data centres, and so adheres to EU controls limiting storage to the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key-based authentication, and is further secured with strict ACLs requiring access through Cisco VPNs. Our architects are all security cleared with an Enhanced DBS check and have all been involved in the IIP projects for more than three years. Access to servers is restricted with ACLs, Security Groups, and iptables for instance-specific controls. Backups are run nightly and replicated to an S3 bucket in the same AWS region (eu-west-1, Dublin). Application passwords are managed by Drupal: passwords are salted and hashed iteratively, and plain-text passwords are never stored in the database. Brute-force attacks are mitigated by automatically blocking login attempts after five failed attempts. Once logged in, the system supports full RBAC with least-privilege permissions (permissions are granted to a user account only when needed for that role, rather than granting system-wide access). All communications with the site are via HTTPS, using HSTS and modern cipher suites (TLS 1.0 and later at the time of writing; TLS 1.0 and 1.1 have since been deprecated by RFC 8996 and should be disabled). Ciphers are reviewed regularly to ensure security compliance. The system scores the top mark (A+) in the independent SSL Labs check (https://www.ssllabs.com/ssltest/analyze.html?d=www.investorsinpeople.com). |
How long is data stored for and when is it deleted? What happens when data is deleted/archived? | Shortly after an online survey closes it has to be archived in order to reveal full results data. Once a survey has been archived, personal names and email addresses are anonymised using asterisks and the email body is wiped. This process occurs weekly and is irreversible. |
How/when is personal data moved and what measures are in place to ensure its security during transfer? | Data is transferred between IIP web systems, including the CRM, website and survey platform, using custom-built APIs (e.g. between Roden & Gene). These APIs are not publicly documented; that adds a degree of obscurity but should not be mistaken for a security control in its own right. |
Can an organisation undertake the IIP survey without providing any of their staff personal data? | Yes. Surveys operating using only ‘open access’ links do not require name/email address data. |
Who has access to Survey personal data? | In terms of account management, the following users have access to an organisation’s data: |
How are permissions set to ensure only those who truly require it have access to data sets? | Permissions are managed in house – as part of the new starter process, staff are added to the platform and permission levels set in line with their role. |
Do we share personal data with other organisations? | All data is for the sole purpose of providing the services to the organisation that is undertaking the survey or other associated project. However, for the purposes of providing the Survey product only, it is sometimes necessary for us to share/make accessible personal data and/or email data with third party organisations. |
Which third parties do we share data with? What data do they have access to and how do they keep it secure? | We use an external Development Partner Organisation to build and maintain our online platforms and sometimes to resolve issues with the site. As such, they require access to a minimum amount of personal data. As part of their contract with us, they are subject to a non-disclosure agreement (NDA), which binds them to confidentiality and data privacy rules. |
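The minimum-group-size rule in the "Can my organisation see my answers" row above is the kind of check a reviewer would want to see in code. The following Python is an added illustration, not IIP's survey platform code: it tallies constructed Likert responses per group, withholds any group with fewer than seven distinct respondents, and goes one step beyond the page by also applying secondary suppression, because publishing an organisation-wide total next to the shown groups would otherwise let a reader reconstruct a single withheld group by subtraction. The group labels, respondent ids, sample answers and the secondary rule are all assumptions made for the example.

```python
from collections import Counter, defaultdict

MIN_GROUP_SIZE = 7  # the FAQ's threshold: a group's aggregate is shown only at seven or more responses

# Constructed sample input (not real survey data): (respondent id, group, Likert answer).
# Respondent ids are used only to count distinct submissions and never appear in the report.
SAMPLE_RESPONSES = [
    ("r01", "Sales", "strongly agree"), ("r02", "Sales", "agree"),
    ("r03", "Sales", "agree"), ("r04", "Sales", "neither"),
    ("r05", "Sales", "disagree"), ("r06", "Sales", "agree"),
    ("r07", "Sales", "strongly agree"), ("r08", "Sales", "agree"),
    ("r09", "Sales", "strongly disagree"),
    ("r10", "Finance", "agree"), ("r11", "Finance", "agree"),
    ("r12", "Finance", "disagree"), ("r13", "Finance", "neither"),
    ("r14", "Finance", "agree"), ("r15", "Finance", "strongly agree"),
    ("r16", "Finance", "agree"), ("r17", "Finance", "disagree"),
    ("r18", "HR", "disagree"), ("r19", "HR", "strongly disagree"),
    ("r20", "HR", "disagree"),
]


def tally_by_group(responses):
    """Return {group: (number of distinct respondents, Counter of answers)}."""
    ids, answers = defaultdict(set), defaultdict(Counter)
    for rid, group, answer in responses:
        ids[group].add(rid)
        answers[group][answer] += 1
    return {g: (len(ids[g]), answers[g]) for g in ids}


def build_report(responses, min_size=MIN_GROUP_SIZE):
    """Aggregate responses and apply primary and secondary suppression.

    Primary rule (from the FAQ): a group with fewer than min_size distinct
    respondents is withheld.
    Secondary rule (an assumption added here): when an all-groups total is
    published, the withheld groups together must still hold at least min_size
    respondents and span at least two groups; otherwise subtracting the shown
    groups from the total would recover a single withheld group. The smallest
    shown groups are withheld until that holds.
    Returns the total (or None), the shown groups and the sorted list of
    withheld group names; respondent ids never reach the output.
    """
    tallies = tally_by_group(responses)
    total_n = sum(n for n, _ in tallies.values())
    total = Counter()
    for _, counts in tallies.values():
        total.update(counts)

    shown = {g for g, (n, _) in tallies.items() if n >= min_size}
    withheld = set(tallies) - shown
    publish_total = total_n >= min_size

    if publish_total and withheld:
        while shown:
            residual_n = sum(tallies[g][0] for g in withheld)
            if len(withheld) >= 2 and residual_n >= min_size:
                break  # the residual no longer identifies a single small group
            smallest = min(shown, key=lambda g: tallies[g][0])
            shown.remove(smallest)
            withheld.add(smallest)

    return {
        "total": dict(total) if publish_total else None,
        "groups": {g: dict(tallies[g][1]) for g in sorted(shown)},
        "withheld": sorted(withheld),
    }


if __name__ == "__main__":
    print(build_report(SAMPLE_RESPONSES))
```

On the constructed sample, HR (3 respondents) is withheld by the primary rule; because Finance and Sales plus the total would then reveal HR's three answers exactly, Finance is withheld as well, leaving Sales and a 20-response total. Counting distinct respondent ids rather than rows also means a duplicated or replayed submission cannot push a small group over the threshold.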
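The storage answer above describes three login controls: salted, iterated password hashing; automatic blocking after five failed attempts; and never storing plain-text passwords. The Python below is an added example of how those controls fit together and is not the Drupal code the platform uses (Drupal has its own hashing scheme and flood control). It assumes PBKDF2-HMAC-SHA256 as the iterated hash, a 15-minute lockout window, and an injectable clock so the lockout can be exercised without waiting; the user names and passwords in it are constructed.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # illustrative; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5      # the FAQ's threshold
LOCKOUT_SECONDS = 15 * 60    # assumption: the FAQ does not say how long a block lasts


def hash_password(password, salt=None):
    """Salted, iterated hash. Only this string is stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against unknown usernames so an attempt costs the same whether or not the account exists.
_DUMMY_HASH = hash_password("dummy-password-for-timing-equalisation")


class LoginService:
    def __init__(self, users, now=time.time):
        self._users = users      # {username: stored hash string}
        self._failures = {}      # {username: (consecutive failures, time of last failure)}
        self._now = now          # injectable clock so the lockout can be tested without waiting

    def attempt(self, username, password):
        """Return 'ok', 'denied' (bad credentials) or 'locked' (too many recent failures)."""
        count, last_failure = self._failures.get(username, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS:
            if self._now() - last_failure < LOCKOUT_SECONDS:
                return "locked"  # refused even if the password is right
            count = 0            # the block has expired; start a fresh window

        stored = self._users.get(username)
        ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is not None and ok:
            self._failures.pop(username, None)  # a successful login clears the counter
            return "ok"
        self._failures[username] = (count + 1, self._now())
        return "denied"


if __name__ == "__main__":
    svc = LoginService({"alice": hash_password("correct horse")})
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.attempt("alice", "wrong")
    print(svc.attempt("alice", "correct horse"))  # blocked after five failures
```

Two design choices are worth noting. The counter is keyed by username, which is what "blocking after five failed attempts" implies, but it also means anyone who knows a username can lock its owner out; production systems pair it with a per-source-address limit. The same "denied" response, after the same amount of hashing work, is returned whether or not the username exists, so the login form does not confirm which accounts are real.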
167-169 Great Portland Street
5th Floor
London
W1W 5PF
Business Registration: 10420361
Tel: 0300 303 3033
These numbers cost no more than a national rate call to an 01 or 02 number, please note that our calls may be recorded for training purposes.
Please email support@investorsinpeople.com or phone us on 0300 303 3033 and we will deal with your enquiry promptly.
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
__hssc | 30 minutes | HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. |
aka_debug | session | Vimeo sets this cookie which is essential for the website to play video functionality. |
bcookie | 1 year | LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID. |
bscookie | 1 year | LinkedIn sets this cookie to store performed actions on the website. |
lang | session | LinkedIn sets this cookie to remember a user's language setting. |
li_gc | 5 months 27 days | LinkedIn sets this cookie to store the visitor's consent regarding the use of cookies for non-essential purposes. |
lidc | 1 day | LinkedIn sets the lidc cookie to facilitate data center selection. |
player | 1 year | Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo. |
UserMatchHistory | 1 month | LinkedIn sets this cookie for LinkedIn Ads ID syncing. |
Cookie | Duration | Description |
---|---|---|
__hstc | 5 months 27 days | This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). |
_ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
_ga_1Q90G5K82K | 2 years | This cookie is installed by Google Analytics. |
_gat_gtag_UA_63867030_6 | 1 minute | Set by Google to distinguish users. |
_gat_UA-63867030-3 | 1 minute | A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. |
_gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
_hjAbsoluteSessionInProgress | 30 minutes | Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie. |
_hjFirstSeen | 30 minutes | Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user. |
_hjIncludedInPageviewSample | 2 minutes | Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit. |
_hjIncludedInSessionSample | 2 minutes | Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit. |
_hjTLDTest | session | To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails. |
AnalyticsSyncHistory | 1 month | LinkedIn sets this cookie to store information about the time a sync took place with the lms_analytics cookie. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
cusid | 30 minutes | ClickDimensions sets this cookie to establish and continue a user session with the site. |
cuvid | 2 years | This cookie, set by ClickDimensions, is written to the browser upon the first visit to the site from that web browser. |
cuvon | 30 minutes | ClickDimensions sets this cookie to store the last time a visitor viewed a page. |
hubspotutk | 5 months 27 days | HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. |
vuid | 2 years | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website. |
Cookie | Duration | Description |
---|---|---|
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
YSC | session | The YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages. |
Cookie | Duration | Description |
---|---|---|
_hjSession_3155220 | 30 minutes | No description |
_hjSessionUser_3155220 | 1 year | No description |
kms_ctamuls | session | No description available. |
ln_or | 1 day | No description |