To comply with the requirements of the General Data Protection Regulation (GDPR), this document covers the specific requirements and business practices around privacy and data processing for MindMill (HR) Software Ltd. If you have any questions in relation to the terms, please contact us at info@mindmill.co.uk
This Privacy Notice aims to give you information on how we collect and process your personal data in a variety of circumstances including when using our website www.mindmill.co.uk or any associated MindMill domain and any data you may provide through these websites when you use any interactive features such as our Contact forms, Recruitment Systems, Assessments or otherwise. It is important that you read this privacy policy so that you are fully aware of how and why we are using your data. Our website is not intended for children younger than 15 years old and we do not knowingly collect data relating to children. This version was last updated on the 1st of July 2021
Standard Statement Aim:
This policy aims to protect the individual as well as provide reassurance
regarding the confidential treatment of information relating to Mindmill (HR)
Software Ltd employees /clients / client’s employees and candidates.
Data protection compliance should be seen as an integral part of employment practises to develop a culture in which respect for security and confidentiality of personal/ client data is recognised.
Introduction
As an HR Technology company MindMill takes our responsibility as Data
Controller to safeguard our client data, very seriously. Even though user data
via our Assessment Platform is almost immediately anonymised and retained only
in accordance with the data policies of our clients, we take utmost care to
ensure compliance to Data Protection legislation.
Basic Principles
The General Data Protection Regulation (GDPR) standardizes data protection law
across all 28 EU countries and imposes strict new rules on controlling and
processing personally identifiable information (PII). GDPR came into force on
25 May 2018. The UK GDPR which mirrors the EU version of the GDPR, has been
converted into UK law om 1 January 2021.
"Data protection by design and by default", means that business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate), and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
The Acts works in two ways:
Giving individuals (data subjects) certain rights with regard to information
held about them requiring those who decide how and why individual personal data
are processed (data controller) to be open about their use of this data and to
comply with the data protection principles in their information handling
practises.
The Company is registered with the Information Commissioner’s Office under the Act as processors of personal information and will adhere strongly to the principles of the Act and the obligations to act correctly and transparently in how the information held on all employees and clients is processed.
This policy should be considered as complimentary to Company policies and rules regarding computer/ internet, and confidentiality.
Data Protection Principles
Central to the Act are eight data protection principles which all data
controllers must follow to ensure that personal data is:
· Processed lawfully and fairly
· Obtained for one or more specified and lawful purpose
· Adequate, relevant and not excessive
· Accurate and, where necessary, kept up to date
· Not kept for longer than is necessary
· Secure
· Not transferred to countries that do not protect personal data adequately
These principles protect the individual and also make sound business sense (for example, if we send out mailing based upon incorrect or out of date records; not only may we be in breach of the act and could annoy clients/ candidates, but we could ultimately waste our own time and money).
Overall Principles
· Only information relevant to our needs is collected and processed
· Your personal information is only seen by those in our employ or under service contract with us, who need to do their jobs
· Personal information will only be retained for as long as it is required. This means that until an individual has deleted the profile or until we are required to delete the data according to a client’s retention policy, the data remains available. If an account has been deleted, we will anonymise the data.
·
Decisions affecting individuals are made on the basis of reliable
and up to date information
Your information is protected from unauthorised or accidental disclosure
· We will provide you with a copy of your personal information on request
· Inaccurate or misleading data will be corrected as soon as possible
· Procedures are in place for dealing promptly with any disputes
The Right of Subject Access
Under the GDPR, MindMill respects the right of data subjects to access
and control their personal data and has provisions in place for:
· Access to personal information
· Correction and deletion of information
· Withdrawal of consent (if processing data on condition of consent)
· Data portability
· Restriction of processing and objection
· Lodging a complaint with the Information Commissioner’s Office
Mindmill (HR) Software Ltd will endeavour to provide:
· A copy of the information held
· A description of why this information is processed
· Who has the right to see this information
· And where applicable, the logic involved in arriving at automated decisions based on the information held
· Concerns or objections to the information held should be made to the Management, formally in writing
Please note that MindMill may not always be able to allow you to access your information, particularly where disclosure would provide information about another individual.
Goals for This Notice
This document should ensure the governance framework and implicitly ensure that
the Information Security Program implements adequate:
· Confidentiality
· Integrity
· Availability and accessibility
· Compliance with all relevant laws and regulations
· Compliance with all internal requirements, policies, and standards
· Control and reporting of all of the above
Management Commitment to
Information Security
The Board of Directors, the CEO, and the other approvers (Head of
Operations / Client Service Executive) realize how important Information
Security is to Mindmill, and have the responsibility for:
· Defining the risk appetite and acceptable risk levels
· Budgeting so that risks can be managed according to the risk appetite
· Publishing and promoting internally the Information Security Policy
· Formulating the Business requirements for strategic systems in writing
· Defining responsibility for strategic systems including documentation requirements for these
· Subjecting Third parties to recurring audits and managing risks for third parties and third-party subcontracting
· Establishing and maintaining Business Continuity and Business Recovery plans, which must be tested annually. These should be level 2 documents.
What information may be collected?
Personal Information is stored separately on two core systems at MindMill. The
Assessment System and the Recruitment system. A list of Key Information that
may be stored on each system is as listed below. Not all fields are applicable
in every deployment, and the list lists data fields irrespective of the length
of time that data is stored on our systems.
Assessment System
· Name and Surname
· Age
· Gender
· Email Address
· Contact Number
· Job Level
· Education Level
· Psychometric-, Motivational- and Engagement Data
· Custom fields as specified by client campaign
Recruitment System
· Name and Surname
· Age
· Gender
· Email Address
· Contact Number
· Address Details
· Education History
· Employment History
· List of Skills
· Any information contained within user uploaded documents such as Curriculum Vitaes and Qualifications
· Custom fields as specified by client campaign
Data Controller
Users can get in touch if they have questions or concerns about your
privacy practices, their personal information, or if they wish to file a
complaint. The MindMill data controller can be reached via info@mindmill.co.uk
How is personal information
used/shared?
No personal or personally identifiable information is used/shared within
MindMill’s internal processes. Personal and identifiable data is only used or
shared to and by the commissioning client and that information protection falls
under the scope and responsibility of the commissioning client, their Privacy
Policies and Data Protection process.
MindMill may use anonymized data to create/update Psychometric norms, but no identifiable data is kept or used for this purpose.
By using MindMill and providing your End User Data, you are storing your data on our platform. You may at any time grant access to your End User Data to other users registered on the platform should you wish to be notified of a suitable job opening. You may at any time revoke access to your End User Data.
Also note that in addition to recruitment, our commissioning clients use the MindMill Platform, which is an assessment platform. for performance management, engagement surveys, staff development etc.
Marketing
If you are a customer of ours, we may contact you from time to time by call or
email to provide some information about our products or services. You can ask
us or third parties to stop sending you marketing messages at any time by
contacting us, as appropriate Where you opt out of receiving these marketing
messages, this will not apply to personal data provided to us because of a
service experience or other transactions.
MindMill does not provide users’ personal data to third parties for marketing purposes. However, should this need arise we will get your express opt-in consent before we share your personal data with any company outside of our own for marketing unrelated to our company.
What legal basis do we have for
processing your personal data?
MindMill provides a means of capturing and analysing data. The data we
collect from you may include personal data as defined by the Data Protection
Act 1998 as amended. By providing any data to us through your use of Mindmill
(any such data, End User Data), you acknowledge and consent to the End User
data being transferred or stored within or outside the EEA. Please note that
some places outside the EEA may offer lower levels of data protection than the
UK. By submitting End User Data, you agree to this transfer, storing or
processing.
Where do we store and process
personal data?
All MindMill services are cloud-based and servers and databased are hosted in
London (UK) with www.webhosting.co.uk. Their specific terms of service can be
found and reviewed at https://www.webhosting.uk.com/terms-of-service/
MindMill also makes use of Microsoft’s Azure Cloud services with data storage facilities in their UK South region with Service Agreement and terms available at https://azure.microsoft.com/en-us/support/legal/
How do we secure personal data? Enterprise Threat Modelling: Enterprise threat modelling means the exercise of identifying who could be a threat to your organization, what their motives might be and how they would go about accomplishing these motives. It is important to note that threat modelling isn’t something you only do for applications, but something you do for the entire enterprise, hence “enterprise threat modelling”
This threat modelling should include all of the three aspects of the CIA triad and include also for example system failure and manual error. It should model expected or unexpected attackers against the company, their likely TTP (tools, tactics, and procedures), their motivation and intent and what they might be likely to do if they breach the company. Using the threat modelling proactively can be used for budgeting investments and for prioritizing tasks in the day-to-day work by IT and Security personnel.
Based upon risk assessments and risk/consequence estimations preventive, discovering and corrective security controls should be implemented to iteratively until residual risks are within acceptable thresholds i.e., within the risk appetite. The areas to be included in risk assessment are:
· Management responsibility
· Organization of Information Security
· Asset Management
· Human resource security
· Physical and environmental security
· Communications and operations management
· Access control
· Information systems acquisition, development and maintenance
· Information security incident management
· Business continuity management
· Application Security
· All business applications shall be developed using the OWASP SAMM framework for application security.
Data Classification
Different classification levels for assets/systems should be defined, for
example:
· Public
· Internal
· Classified
System/Business Application/Infrastructure
Prioritization
All systems/business applications/infrastructure should be assigned a
business criticality between 1 and 3 where 1 means business critical and 3
means a not very critical system /application /infrastructure element. Example
of a criticality rating of 3 could be a test system.
Only the business part of the company can prioritize these appropriately, so it’s a project that Information Security can lead but also needs the approvers and relevant business stakeholders. A list of all relevant systems/business applications/infrastructure with a given priority is required and should be updated annually.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Business Continuity & Business
Recovery Planning
To re-establish a business-as-usual condition following a disaster or a major
incident, the company must maintain a Business Continuity Plan and a Business
Recovery Plan. The plans must ensure that the company can re-establish systems
and data within a predefined time frame. The plans must contain detailed
emergency plans for all infrastructure within scope. To accomplish this a scope
must be established and approved by the approvers.
The BCP and BRP must be tested at least once per year by for example moving the active systems to the disaster recovery site or by conducting a similar simulation.
The maximum accepted downtime for priority 1 systems is: 2
hours
The maximum accepted downtime for priority 2 systems is: 4 hours
The maximum accepted downtime for priority 3 systems is: 8 to 24 hours
The CEO and/or approvers are responsible for defining acceptable downtime. IT
and Information Security are responsible for creating plans that can implement
the requirements and testing them.
Continuous improvement
All policies, risk assessments, and controls should be periodically
re-evaluated/audited at least annually and whenever appropriate to ensure a
continuous improvement of Information Security.
Outsourcing and Vendor Management
The overall goal of defining the rules of outsourcing and vendor management is
to:
Retain control of information resources in an outsourcing
situation
Manage the handover securely to a partner that has been through the necessary
audits/controls/due diligence
Attain the information/tools required to be able to monitor and report on
expected significant benefits including any expected financial benefits related
to the outsourcing services.
The purpose of this notice is also to satisfy legal and regulatory requirements
and to manage the risks involved with outsourcing of significant activities.
Outsourcing should be used:
Only in a situation where this does not in any way impact
customers/clients negatively
Strategically to obtain pre-defined significant benefits, the realization of
which must be transparently verified and reported on periodically
Only if the process of entering and handing over responsibility to an outsourcing
partner is controlled and managed.
How long do we keep your personal
data for?
MindMill complies to and operates as an extension to the Data Retention
Policies of its clients and project initiators. As all data entering the
Mindmill system belongs to MindMill, MindMill operates as an outsourced
provider or 3rd party to the commissioning client. MindMill thus processes
data, provides packaged data to the customer and destroy or anonymize the data
in accordance the applicable data retention policy.
Use Of Automated Decision-Making and
Profiling
In certain instances, MindMill makes use of Automated Decision making to
streamline workflow and the processing of information. MindMill’s technology is
used to help select appropriate candidates for our commissioning clients based
on criteria expressly identified by such client, or typical in relation to the
role for which you have applied, the screening/filtering of suitable candidates
is therefore automatic to a point, based on predetermined job-related criteria.
However, any decision as to who the commissioning client will engage to be shortlisted
to fill the job opening will be made by a staff member of such client.
By submitting your End User Data:
You grant a worldwide, royalty-free, non-exclusive licence to use the End User
Data to us and any third parties with which we may work from time to time in
the provision of our services;
you also explicitly consent to your End User Data being analysed and forming
the basis of a report to be passed to the third party (such as our
commissioning client) at whose request you are undergoing the Assessment (such
content, Report); and
you represent and warrant that you have the lawful right to provide such End
User Data and the necessary rights, power and authority to grant the licence at
clause
above and you further represent and warrant that the use by us of the End User
Data will not infringe the rights (including intellectual property rights) of
any third party.
By using MindMill and providing your End User Data, you are storing your data on our platform. You may at any time grant access to your End User Data to other users registered on the platform should you wish to be notified of a suitable job opening. You may at any time revoke access to your End User Data.
Data Subject’s Rights
Under the
General Data Protection
Regulation
and the UK GDPR, you have a number of important
rights free of charge. In summary, those include rights to:
· access to your personal data and to certain other supplementary information that this Privacy Notice is already designed to address
· require us to correct any mistakes in your information which we hold
· require the erasure of personal data concerning you in certain situations
· receive the personal data concerning you which you have provided to Us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations
· object at any time to processing of personal data concerning you for direct marketing
· object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
· object in certain other situations to our continued processing of your personal data
· otherwise restrict our processing of your personal data in certain circumstances
· claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the UK GDPR .
If you would like to exercise any of those rights, please:
· contact us using our Contact details below
· let us have enough information to identify you,
· let us have proof of your identity and address, and
· let us know the information to which your request relates.
Definitions and Abbreviations
Significant outsourcing activity: Outsourcing of an activity that has a
significant size either in financial terms or in impact on the company’s
operations and/or clients.
Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, and printers. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Incident: Any event that does or could have caused an unintentional effect on the company’s IR with regards to the CIA triad Confidentiality, Integrity and Availability. Also covers security incidents.
SLA: Service Level Agreement. An agreement with a third party.
OLA: Operational Level Agreement. A company-internal SLA.
BCP: Business Continuity Planning.
DR: Disaster Recovery
Facebook | Instagram | Twitter | LinkedIn
© 2021 Mindmill (HR) Software LTD | All Rights Reserved
48-60 High Street,
Belfast, BT1 2BE,
United Kingdom,
Tel: +44 845 0755 844
