PerSight Assessments Data Protection Policy
Policy brief & purpose
PerSight Assessments Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to us.
Who is covered under the Data Protection Policy?
Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone who collaborates with us or acts on our behalf and may need occasional access to data.
Our products involve the assessment of individuals’ psychological traits (e.g., personality) on behalf of our customers. This information necessarily includes information that makes a person identifiable – for instance names, email addresses, and phone numbers. Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties.
Data Protection risks:
PerSight Assessments acknowledges security risks, including:
- Breaches of confidentiality. For instance, information being accessed inappropriately via outside parties or by internal PerSight Assessments employees and contractors.
- Reputational damage. Customers and individuals completing our assessment products could suffer if hackers successfully gained access to sensitive psychological data.
As a result of these risks, we pledge the following:
Our data will be:
- Collected fairly and for lawful purposes only
- Processed by the company within its legal and moral boundaries
- Protected against any unauthorized or illegal access by internal or external parties
Our data will not be:
- Communicated informally
- Transferred to organizations, states or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities). In other words, we will never sell or share names, email addresses, phone numbers, or any other sensitive data to organizations other than our customers. Our customers will only have access to data gathered on their behalf. Anonymized data (e.g., personality trait scores with no information about the source of the scores) may be used or shared for research purposes with express consent of the data owner.
In addition to ways of handling the data, the company has direct obligations towards the people to whom the data belongs. Specifically, we:
- Inform our customers what data is collected
- Inform our customers about how we’ll process their data
- Inform our customers about who has access to their information
- Have provisions in cases of lost, corrupted or compromised data
- Inform our customers how to request that we modify, erase, reduce or correct data contained in our databases
To exercise data protection we are committed to:
- Restrict and monitor access to sensitive data to only those who need it for their work.
- Develop transparent data collection procedures
- Data will not be shared informally. When access to confidential information is required, employees can request it from their manager. Access to sensitive information is on a need-to-access basis only.
- Train employees in online privacy and security measures such as, but not limited to, using strong passwords and security protocols for both work and personal devices.
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse including requesting help from a manager or data protection officer if unsure about any aspect of data protection.
- Include contract clauses or communicate statements on how we handle data
- Establish data protection practices (secure locks, data encryption, frequent backups, limited access authorization etc.)
When working with personal data, employees should ensure their computers are always locked when unattended.
Personal data should never be shared informally via email or through non-secure communication.
Data must be encrypted before being transferred electronically.
Employees may not save copies of personal data on their own personal computers.
It is the responsibility of all who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary.
- Staff should take every opportunity to ensure data is updated
- As inaccuracies are discovered they should be corrected immediately
Subject Access Requests
All individuals who are the subject of personal data held by PerSight Assessments are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to said information
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information it is called a subject access request.
Subject access requests should be made via email, addressed to the CEO/Data Controller at firstname.lastname@example.org. The identity of anyone making a subject access request will always be verified before handing over information.
In certain circumstances, personal data may be disclosed to law enforcement agencies without the consent of the data subject. The Data Controller must verify the request is legitimate, seeking legal advisement if necessary.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.