How your personal data will be processed

Our data processing agreement for 360° feedback and psychometric tools

PARTIES

  1. Edgecumbe Clients (Customer)

  2. Edgecumbe Consulting Group Ltd, incorporated and registered in England and Wales with company number 3033236, whose registered address is Whitefriars, Lewins Mead, Bristol, BS1 2NT (Provider)

(a) Edgecumbe’s ICO registration number is Z7461289.

BACKGROUND

(A)   The Customer and the Provider entered into an agreement in the form of a Sales Order with Edgecumbe terms of business (Master Agreement) that may require the Provider to process Personal Data on behalf of the Customer.
(B)   This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.

AGREED TERMS

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

1.1   Definitions:

Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions that will be agreed at the outset of the services with Edgecumbe’s Client Delivery team and from whom the Provider agrees solely to accept such instructions.

Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement and any other purpose specifically identified in ANNEX A.

Commissioner: The Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller: has the meaning given to it in section 6, DPA 2018.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner, and which are applicable to a party.

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring the Personal Data to third parties.

Personal Data Breach: a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

Records: has the meaning given to it in Clause 12.

Special Category Data: the special categories of personal data defined in the UK GDPR, which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation. The processing of special categories of data is prohibited unless a permitted exception under Article 9 of the UK GDPR applies.

Term: this Agreement’s term as defined in Clause 10.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2  This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.

1.3  The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

1.4  A reference to writing or written includes email.

1.5  In the case of conflict or ambiguity between:

(a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;

(b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

(c) any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

2.  Personal data types and processing purposes

2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) The Customer is the Controller, and the Provider is the Processor.

(b) The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices, and obtaining any required consents, and for the written processing instructions it gives to the Provider.

(c) The Parties acknowledge and accept that upon receipt of the Personal Data from the Customer, the Provider is deemed to be a ‘Controller’ in its own right in respect of its legitimate interest under Article 6 of the UK GDPR and its permitted exception under Article 9(2)(j) of the UK GDPR to anonymise the personal data (specifically the psychometric and/or 360° feedback data) for statistical and scientific research purposes.

(d) ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes of the Master Agreement.

3.  Provider’s obligations

3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions from Authorised Persons. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instructions would not comply with the Data Protection Legislation.

3.2 The Provider must promptly comply with any written instructions from the Customer’s Authorised Persons requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court, or regulator (including the Commissioner). If a domestic law, court, or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object to or challenge the requirement, unless the domestic law prohibits the giving of such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

3.5 The Provider must promptly notify the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Master Agreement.

3.6 The Provider will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity and its appointed data protection representative, the purpose, or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Provider will not modify or alter the notice in any way without the Customer’s written consent.

4. Provider’s employees

4.1 The Provider will ensure that all its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

(c) are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4.2 The Provider will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Provider’s employees with access to the Personal Data.

5. Security

5.1 The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX B. The Provider must document those measures in writing and periodically review them at least annually to ensure they remain current and complete.

5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing, and evaluating the effectiveness of the security measures.

6. Personal data breach

6.1 The Provider will promptly, and in any event within 24 hours, notify the Customer in writing if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible;

(b) any accidental, unauthorised or unlawful processing of the Personal Data; or

(c) any Personal Data Breach.

6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

(a) a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately following any accidental, unauthorised, or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:

(a) assisting with any investigation;

(b) providing the Customer with physical access to any facilities and operations affected;

(c) facilitating interviews with the Provider’s employees, former employees and others involved in the matter;

(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised, or unlawful Personal Data processing.

6.4  The Provider will not inform any third party of any accidental, unauthorised, or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic law.

6.5  The Provider agrees that the Customer has the sole right to determine:

(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under Clauses 6.1 to 6.3 unless the matter arose from the Customer’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach, to the extent that the Provider caused it, including all costs of notice and any remedy as set out in Clause 6.5.

7. Cross-border transfers of personal data

7.1 Other than to those subcontractors set out in ANNEX A, the Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or the EEA without obtaining the Customer’s prior written consent.

8. Subcontractors

8.1 The Provider confirms that its approved subcontractors are under written obligations which contain terms substantially the same as those set out in this Agreement. At the Customer’s reasonable request the Provider agrees to liaise with its subcontractors for the purposes of assuring privacy and data protection compliance.

8.2 Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider, the Provider remains fully liable to the Customer for the subcontractor’s performance of its obligations.

8.3 The Parties agree that the Provider will be deemed by them to legally control any Personal Data that is practically controlled by, or in the possession of, its subcontractors.

8.4 On the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Personal Data and provide the Customer with the audit results.

9.  Complaints, data subject requests and third-party rights

9.1 The Provider must, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

(b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

9.2 The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

9.3 The Provider must notify the Customer within 3 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer’s written instructions, or as required by domestic law.

10. Term and termination

10.1 This Agreement will remain in full force and effect so long as:

(a) the Master Agreement remains in effect; or

(b) the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

10.3 The Provider’s failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate the Master Agreement or any part of the Master Agreement involving the processing of the Personal Data effective immediately on written notice to the Provider without further liability or obligation of the Customer.

10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, either party may terminate the Master Agreement on not less than 30 working days’ written notice to the other party.

11. Data return and destruction

11.1 At the Customer’s request, the Provider will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 On termination of the Master Agreement for any reason or expiry of its term, if requested, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials, or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4 The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 30 days after it completes the deletion or destruction.

12. Records

12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Agreement and the Data Protection Legislation and the Provider will provide the Customer with copies of the Records upon request.

12.3 The Customer and the Provider must review the information listed in the Annexes to this Agreement regularly to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its agreement obligations, on at least 7 days’ notice, during the Term. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

(a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing the Personal Data;

(b) access to and meetings with any of the Provider’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and

(c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

13.2 The notice requirements in Clause 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring, or the Provider is in material breach of any of its obligations under this Agreement or any of the Data Protection Legislation.

13.3 If a Personal Data Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under this Agreement or any of the Data Protection Legislation, the Provider will:

(a) promptly conduct its own audit to determine the cause;

(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;

(c) provide the Customer with a copy of the written audit report; and

(d) remedy any deficiencies identified by the audit within 30 days.

13.4 At the Customer’s written request, the Provider will:

(a) conduct an information security audit before it first begins processing any of the Personal Data and repeat that audit on at least an annual basis;

(b) produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;

(c) provide the Customer with a copy of the written audit report; and

(d) remedy any deficiencies identified by the audit within 30 days.

13.5 At least once a year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.6 On the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider’s confidential information under the Master Agreement.

13.7 The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

14. Warranties

14.1 The Provider warrants and represents that:

(a) its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;

(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;

(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement’s contracted services; and

(d) considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised, or unlawful processing of Personal Data and the loss of or damage to the Personal Data, and ensure a level of security appropriate to:

(i) the harm that might result from such accidental, unauthorised, or unlawful processing and loss or damage;

(ii) the nature of the Personal Data protected; and

(iii) the requirement to comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Clause 5.1.

14.2 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15.  Indemnification

15.1 The Provider agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.

15.2 Any limitation of liability set forth in the Master Agreement will not apply to this Agreement’s indemnity or reimbursement obligations.

16.  Notice

16.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:

For the Customer: The Customer’s point of contact, agreed at the outset of the services with Edgecumbe’s Client Delivery team.

For the Provider: Johannah Palmer, Data Protection Officer, gdpr@edgecumbe.co.uk

Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This Agreement has been entered into on the date the Customer signed the Sales Order for the services provided by the Provider or, if it is not signed, on the date on which set-up of the services commenced.

ANNEX A Personal data processing purposes and details

Subject matter of processing:

To provide some/all the following services:

  • 360° feedback tools to be used by the Customer for employee development.
  • Psychometric tools used by trained facilitators appointed by the Customer, for employee development.

Duration of processing: for the duration of the Master Agreement.

Nature of processing: includes collection, transmission, access, storage, deletion and processing of personal data.

The Provider will administer reports such as 360° feedback reports, NEO reports, LJI-2 reports, HDS reports, MVPI reports, HPI reports, HBRI reports, HUCAMA factors reports, and Matrigma reports on behalf of the Customer.

Business purposes:

To support the Customer in the development of their teams through providing psychometric and/or 360° feedback questionnaires. To track/chase participant completions. To download completed reports from sub-processor online portals, or to provide access to completed reports through the Edgecumbe Assessment Hub.

Personal data categories:

Personal data (which could include):

Identity information – Name

Contact information – Email address (of participants and raters), mobile telephone number (of participants)

Professional information – Rater’s relationship to the participant – e.g. senior colleague / peer / direct report, other team info

Physical characteristics – Age, gender (if specifically requested by Customer)

Sensitive personal data

Opinion information – Responses from participants and raters to 360° feedback questionnaires

Special category data

Behavioural and opinion information – Psychometric data (e.g., responses to personality, ability and competency questionnaires)

Data subject types: Data subjects are the Customer’s employees

Authorised persons: The Customer’s authorised person(s), who can give the Provider instructions to process data under this Agreement, will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Types of participant reports: 360° feedback reports, NEO reports, LJI-2 reports, HDS reports, MVPI reports, HBRI reports, HUCAMA factors reports and Matrigma reports.

Who will Edgecumbe share the participant reports with?

360° feedback, NEO, LJI-2, HDS, MVPI, HPI, HBRI, HUCAMA factors and Matrigma Reports: members of the Edgecumbe Client Delivery team, the Edgecumbe Consultant, the Participant, and those persons within the Customer’s organisation with whom Edgecumbe will share the reports, as agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Retention period: The information we use to communicate with you will be kept until you notify us that you no longer wish to receive information from us, or you want us to delete your personal data. Any personal data that we hold will be kept in line with the requirements of the Customer. If the Customer has not provided a specific deletion policy in this schedule, we will hold the data until we are requested to delete it.

Disposal method: If requested by the Customer, the Provider will securely delete or destroy or return and not retain all or any of the Personal Data related to this Agreement in its possession or control.

If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Customer would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 30 days after it completes the deletion or destruction.

Approved subcontractors:

James Massey Design (JMD) Ltd, 1 Sheffield Stables, Southborough, Tunbridge Wells, Kent, TN4 0PD, UK

ROLE: JMD take overall responsibility for the delivery of services and are a specialist design and development company responsible for the design, build and maintenance of the code and hardware that runs the 360° feedback tool, as well as being the service provider of the 360° feedback tool, which is a brief survey completed by the participant, their boss, peers and direct report team about an individual’s behaviour and performance. JMD outsource specialist hosting services to Memset Limited.

We have a DPA in place with JMD.

Heart Internet Limited, Units 4 – 5 Tristram Centre, Brown Lane West, Leeds, England, LS12 6BF.

ROLE: Heart Internet Limited is a datacenter based in the UK and provides all the hardware, networking and internet connectivity for the service.

SMTP2GO, EPIC Centre, 96-106 Manchester Street, Christchurch 8011, New Zealand

ROLE: SMTP2GO is our outgoing email delivery service that delivers all 360 emails from the 360 systems. Data is held in an EU data centre.

We have a DPA in place with SMTP2GO.

Hogrefe Verlag GmbH & Co. KG, Testzentrale, Herbert-Quandt-Str.4, D-37081 Göttingen, GERMANY

ROLE: Hogrefe provide the NEO, which is a general personality questionnaire, and the LJI2. Candidates access Hogrefe’s online platform via a personal link (sent by Edgecumbe), which allows them to answer the NEO psychometric questionnaire.

We have a DPA and an SCC in place with Hogrefe.

Advanced People Strategies Ltd (APS), Mulberry House Lamport Drive, Heartlands Business Park, Daventry, Northamptonshire, NN11 8YH

ROLE: Authorised distributor of Hogan Assessments (please see information below on Hogan Assessments)

We have a DPA in place with APS.

Hogan Assessments, 11 S. Greenwood, Tulsa, Oklahoma 74120, USA

ROLE: Hogan provide the MVPI – a questionnaire measuring personal motives, values and preferences; the HDS – a measure of likely reactions to pressure which could become counter-productive; the HBRI – a measure of decision-making style and problem-solving skills; and the HPI – describes bright-side personality – qualities that describe how we relate to others when we are at our best. Participants access the Hogan online platform via a personal link (sent by Edgecumbe), which allows them to answer the Hogan Psychometric questionnaires.

Hogan are accredited with the EU-U.S. Data Privacy Framework (DPF).

APS have a DPA and SCCs in place with Hogan Assessments

Hogan Data Center, 322 E Archer, Tulsa, Oklahoma 74120, USA.

ROLE: Data centre where Hogan data is stored.

Inpsyght Consultancy Ltd, Cornish & Sussex Suite House 3 Lynderswood Business Park, Lynderswood Lane, Black Notley, Essex, CM77 8JT

ROLE: Authorised distributor of the Matrigma Assessment.

Assessio International AB, Banérgatan 16, 11523 Stockholm, Sweden

ROLE: Provider of the Matrigma assessment which is a non-verbal reasoning test that captures the ability to solve problems with no prior knowledge or experience.  Participants access an online platform via a personal link (sent by Edgecumbe), which allows them to answer the Matrigma questionnaire.

HUCAMA Group, Blegdamsvej 104a, 2100 Copenhagen, Denmark

ROLE: First level service provider of HUCAMA Factors Assessment tools.  HUCAMA Group provide access to online personality, ability and competency assessment tools used to support leadership assessment, training, and development.

We have a DPA in place with HUCAMA Group

Doodle AG, Zürich, Werdstrasse 21, Switzerland.

ROLE: Doodle is a meeting scheduling tool.

Microsoft Azure, UK

ROLE: Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centres. Edgecumbe servers are held in the Microsoft Azure cloud environment. Microsoft Azure data centres are in the UK; a specific location is not provided, for security reasons.

Smart Computers IT Support, 20 Apex Court, Woodlands, Bradley Stoke, Bristol, BS32 4JT, UK

ROLE: Edgecumbe’s IT support contractor

We have a DPA in place with Smart Computers IT Support

Acronis, Rheinweg 9, Schaffhausen, Switzerland 8200

ROLE: Acronis is a cloud backup hosting solution used by our IT support company, where all Edgecumbe data is backed up; data is stored in a UK data centre. Acronis is ISO 27001 accredited. All data within the hosting solution is held in encrypted form, and Acronis has no access to the data in unencrypted form.

ANNEX B Security measures

The Provider’s technical and organisational data security measures include:

Physical access controls: All data processed via our sub-processors is stored within secure data centres. The Provider is situated within a building manned with 24-hour security, and our office has electronic access control. All electronic data is held in the cloud, so no physical server exists. All visitors are managed according to a secure process (access control lists, advance registration, escorting, sign-in/out, etc.).

System access controls: The Provider’s network perimeter is protected by a business-grade firewall. All non-essential inbound network ports have been blocked; all essential inbound network ports have been documented and are reviewed on an annual basis or as changes are required. Traffic to inbound network ports is monitored and logged using the firewall, and a vulnerability scan is performed on the firewall on a quarterly basis or as changes are required.

Data access controls: Access to all key business applications is governed by unique usernames and passwords conforming to the Provider’s Strong Password Policy. Access to data, system utilities and program source libraries is controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators.

Data backups: All business-critical data is held in the cloud and protected by a separate cloud Datto backup service; the backup schedule is as follows:

  • Backed up three times a day.
  • Week 1 – Intra-dailies
  • Week 2 – Dailies
  • Week 3 to 6 – Weeklies
  • Week 6+ – Monthlies
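The tiered schedule above is easier to verify when written down as a pruning rule. The following is an added example, not the Provider’s or Datto’s own code or configuration; it assumes day cut-offs for the named tiers (week 1 = days 0 to 6, week 2 = days 7 to 13, weeks 3 to 6 = days 14 to 41, "week 6+" read as day 42 onwards) and rolling 7- and 30-day buckets, which are interpretations of the schedule, and it runs against constructed sample snapshot timestamps.

```python
from datetime import datetime, timedelta

# Assumed day cut-offs for the tiers named in the schedule above (an interpretation
# made for this example, not the Provider's configuration): week 1 = days 0-6,
# week 2 = days 7-13, weeks 3 to 6 = days 14-41, "week 6+" read as day 42 onwards.
TIER_CUTOFFS = (
    (7, "intra-daily"),   # keep every snapshot (three per day)
    (14, "daily"),        # keep one snapshot per day
    (42, "weekly"),       # keep one snapshot per week
)


def tier_for_age(age_days):
    """Map a snapshot age in whole days to the retention tier it falls in."""
    for limit, tier in TIER_CUTOFFS:
        if age_days < limit:
            return tier
    return "monthly"


def bucket_key(ts, age_days, tier):
    """Snapshots sharing a key compete for one retained slot within a tier.
    Weekly and monthly buckets are rolling 7- and 30-day windows of age
    (an assumption; calendar-aligned buckets would also be reasonable)."""
    if tier == "daily":
        return ("d", ts.date())
    if tier == "weekly":
        return ("w", age_days // 7)
    return ("m", age_days // 30)


def plan_retention(snapshots, now):
    """Return (keep, delete): the snapshots the schedule retains and those it prunes.
    Within a bucket the oldest snapshot wins, so a kept snapshot stays kept as
    newer ones arrive in the same bucket."""
    keep, seen = [], set()
    for ts in sorted(snapshots):
        age = (now - ts).days
        tier = tier_for_age(age)
        if tier == "intra-daily":
            keep.append(ts)
            continue
        key = bucket_key(ts, age, tier)
        if key not in seen:
            seen.add(key)
            keep.append(ts)
    kept = set(keep)
    delete = [ts for ts in sorted(snapshots) if ts not in kept]
    return keep, delete


def example_now():
    """Constructed reference time used for the sample run (not a real date)."""
    return datetime(2024, 3, 4, 23, 59)


def constructed_snapshots(now, days=60, hours=(2, 10, 18)):
    """Constructed sample data: three snapshots a day for `days` days up to `now`."""
    base = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return [base - timedelta(days=d) + timedelta(hours=h)
            for d in range(days) for h in hours]


if __name__ == "__main__":
    now = example_now()
    keep, delete = plan_retention(constructed_snapshots(now), now)
    print(f"{len(keep)} snapshots retained, {len(delete)} pruned")
    for ts in keep:
        print(ts.isoformat(), tier_for_age((now - ts).days))
```

Running it shows how quickly the three-a-day cadence collapses to a handful of older restore points, which is the figure to compare against the Customer’s retention requirement in Annex A.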

Data segregation: Access to data and network resources is granted to Security Groups rather than to named individuals; staff must be added to the Security Groups relevant to their role in the business to gain access to these data and resources.

Transfer of sensitive and/or special category data: The Parties shall ensure that Personal Data is transferred between them using the following security measures:

All sensitive and/or special category data will be either:

  • Transferred via a password protected encrypted file. The Provider will do this using 7zip with the password being shared by either text or verbally over the phone.
  • Shared via link to a secure area of the Provider’s SharePoint Site.
  • Alternative secure methods of sharing sensitive and/or special category data files can be used but only if agreed in advance between the parties.

ANNEX C Breach notification procedure

Immediately upon becoming aware of a Personal Data breach, suspected breach or security incident, the Provider must:

  1. Contact the Customer at the nominated email address agreed at the outset of the services with Edgecumbe’s Client Delivery team; notification via any other method will not be deemed valid under this Data Processing Agreement.
  2. Describe the nature of the Personal Data breach/suspected breach/security incident and whether it is ongoing or contained.
  3. Confirm, where possible:
    • Categories of affected data subjects
    • Number of affected data subjects
    • Categories of data records concerned (for example: contact details, behavioural data, preference information)
  4. Communicate the name and contact details of the Data Protection Officer or other contact point from whom further information can be obtained.
  5. Describe the likely consequences of the Personal Data breach.
  6. Describe the measures taken or proposed to be taken to address the Personal Data breach and/or mitigate its possible adverse effects; and
  7. Where it is not possible to provide all the above information at the same time, provide the information in phases as and when it becomes available and without undue delay.

ANNEX D Data Protection Impact Assessment for Psychometric and/or 360° Feedback Tools provided by Edgecumbe Consulting Group Ltd to Edgecumbe clients

Controller/Processor details

Name of controller: Edgecumbe Client (Customer)
Name of controller contact / email address: To be agreed at the outset of the services with Edgecumbe’s Client Delivery team.
Name of controller contact and Data Protection Officer / email address: To be agreed at the outset of the services with Edgecumbe’s Client Delivery team.
Name of processor: Edgecumbe Consulting Group Ltd (Provider)
Name of processor contact and Data Protection Officer: Johannah Palmer, Johannah.palmer@edgecumbe.co.uk

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
We are carrying out this DPIA because the project requires special category data to be collected, recorded, organised, structured, stored, adapted, retrieved, consulted, disclosed by transmission, disseminated or otherwise made available, aligned or combined, restricted, erased or destroyed for the following purposes:

To provide some/all the following services:

  • 360° feedback tools to be used by the Customer for employee development.
  • Psychometrics tools used by trained facilitators, appointed by the Customer, for employee development.

Step 2: Describe the processing

Describe the nature of the processing:
What is the source of the data? Data is provided by the Customer and gathered for the Customer’s employees during the service.
Will you be sharing data with anyone? 360° feedback, NEO, LJI-2, HDS, MVPI, HPI, HBRI, HUCAMA Factors and Matrigma reports are shared with members of the Edgecumbe Client Delivery team, the Edgecumbe consultant, the participant, and persons within the Customer’s organisation; who within the Customer’s organisation Edgecumbe will share the reports with will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Edgecumbe sub processors are involved in providing the service. Please see Annex A of this agreement for details.

What types of processing identified as likely high risk are involved? All reports above include special category data and/or sensitive personal data.  Sharing these reports could be considered high risk if they are sent insecurely or to the wrong person.
Describe the scope of the processing:
What is the nature of the data, and does it include special category or criminal offence data?
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Data concerning health
  • Behavioural and opinion information – Psychometric data (e.g. responses to personality, ability and competency questionnaires).
  • Data concerning the sex life or sexual orientation of the data subjects
  • Criminal offence data
  • Other sensitive/high risk data type (please specify): Behavioural and opinion information – Responses to 360° feedback questionnaires.
How much data will you be collecting and using? Each participant referred to us by the Customer completes the correct 360° feedback and/or psychometric questionnaires for the service chosen (where 360° feedback services are provided, data from the participant and their raters will be collected and collated).
How often? Used by the Customer where psychometrics and/or 360° feedback is required for employee development.
How many individuals are affected Any participants (and their raters when 360° feedback services are provided) referred to us by the Customer.
Will the processing involve anonymised information? Yes (anonymising psychometric and 360° feedback data for research).
Will the processing involve pseudonymised personal data? No, unless requested.
Will the processing involve fully identifiable personal data? Yes
Describe the context of the processing:
What is the nature of your relationship with the individuals? The Customer’s employees are participants in the project commissioned by their employer.
How much control will they have? Psychometric reports – the Customer (the controller) shall have a permitted exception to Article 9 of the UK GDPR to process an individual’s special category data (psychometric data) and will agree, at the outset of the services with Edgecumbe’s Client Delivery team and with the participant, who the reports will be shared with. We will also share the psychometrics with the participant if requested.

360° feedback reports – the Customer (the controller) will agree at outset of the services with Edgecumbe’s Client Delivery team and with the participant who the report will be shared with.

Would they expect you to use their data in this way? Yes, it is common practice for employees to take part in psychometric testing and 360° feedback for development purposes.

Yes, the process is a commonly adopted approach to leadership team development.

Do they include children or other vulnerable groups? Pregnant women, ethnic minorities and disabled persons, if there are any among those employed by the Customer involved in the process.
What is the current state of technology in this area? Good
Are there any current issues of public concern that you should factor in? Risk of bias and adverse impact in the use of psychometrics
Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? Cyber Essentials Plus, British Psychological Society Professional Standards including Register of Qualified Test Users
Describe the purposes of the processing:
What do you want to achieve? To improve the quality of leadership and support selection and development of leaders through 360° feedback and/or psychometric assessments.
What is the intended effect on individuals? 360° feedback reports: Used to support/develop the individual, improving their awareness of their impact on colleagues as part of the Customer’s programme of development for employees/leaders.

Psychometric assessment reports: Analysed by a trained facilitator and used to support/develop the individual as part of the Customer’s programme of development for employees/leaders.

What are the benefits of the processing – for you, and more broadly? Processing is essential to provide our contracted services.

Under UK GDPR Article 89, the Provider has a legitimate business interest in anonymising participant 360° feedback and/or psychometric data to enable scientific and statistical research such as benchmarking, which allows comparisons to be drawn among people from different organisations, and to support research which improves the effectiveness with which leaders’ capabilities can be measured and developed. Under Data Protection Legislation, to do this we must have a permitted exception to Article 9 of the UK GDPR to process a data subject’s special category data. Where required, the permitted exception relied on to anonymise the data subject’s psychometric test data is Article 9(2)(j), for archiving, research and statistics.

Participants are given the option to opt out of having their data used in this way.

Why would it not be possible to do without personal data? Developing leadership effectiveness is intrinsically concerned with personal attitudes, behaviour and performance and it is not possible to provide the services without processing personal data.

Step 3: Consultation process

Consider how to consult with relevant stakeholders:
Describe when and how you will seek individuals’ views – or justify why it is not appropriate to do so. During the contracting process with the Customer.
Who else do you need to involve within your organisation? Jon Cowell (Edgecumbe Chairman) and Johannah Palmer (Data Protection Officer, for UK GDPR and Information security responsibilities)
Do you need to ask your processors to assist? No
Do you plan to consult information security experts, or any other experts? Yes, we have a Specialist Data Protection Solicitor who we consult with on a regular basis.

We had our 360° feedback platform externally penetration tested in February 2023 and have fixed identified risks.  It is our policy to carry out retesting whenever significant changes are made to the platform.

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular:
Is there another way to achieve the same outcome? No
How will you prevent function creep? We will not conduct processing which goes beyond that agreed; if the Customer asks us to perform additional processing, we will advise that they must ensure that participants have been informed of the additional purposes and that a suitable legal basis for the processing has been established.
How will you ensure data quality and data minimisation? System audits are conducted regularly, and all reports go through a quality assurance process before being sent out.  Regular data housekeeping takes place to minimise data held.
What information will you give individuals? Candidates are provided with information at the outset of the service and a link to our privacy statement informing candidates as to the purpose of the testing and how the data will be used.
How will you help to support their rights? We protect their personal data by endeavouring to ensure only those who need to and are permitted to have access to it; we have a subject access request process in place, and we have named information security and data protection post holders. Ultimate accountability for data protection rests with the Chairman.
What measures do you take to ensure processors comply? Data Processing Agreements with sub-processors and regular due diligence checking.
How do you safeguard any international transfers? Standard Contractual Clauses / International Data Transfer Agreements are in place with suppliers outside the EEA that do not have an adequacy agreement with the UK.

Step 5: Identify and assess risks

Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk | Likelihood of harm (remote, possible or probable) | Severity of harm (minimal, significant or severe) | Overall risk (low, medium or high)
Individual: Breach of Personal Data – Hacker | Possible | Significant | Medium
Individual: Breach of Personal Data – Processor/Sub-processor breach | Possible | Significant | Medium
Individual: Breach of Personal Data – Employee misuse / bad leaver | Possible | Significant | Medium
Individual: Breach of Personal Data – Email hack | Possible | Significant | Medium
Individual: Breach of Personal Data – Access by unauthorised personnel | Possible | Significant | Medium
Individual: Loss of Personal Data – During transmission | Possible | Significant | Medium
Individual: Loss of Personal Data – Ransomware | Possible | Significant | Medium
Individual: Loss of Personal Data – Fire | Possible | Minimal | Low
Individual: Loss of Personal Data – Lost hard drive | Possible | Significant | Medium
Individual: Loss of Personal Data – Lost machine | Possible | Significant | Medium
Individual: Loss of Personal Data – Crypto virus | Possible | Significant | Medium

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.

Risk | Options to reduce or eliminate risk | Effect on risk (eliminated, reduced or accepted) | Residual risk (low, medium or high) | Measure approved (yes/no)
Individual: Breach of Personal Data – Hacker | Business-grade firewall in place | Reduced | Low | Yes
Individual: Breach of Personal Data – Processor/Sub-processor breach | Data Processing Agreement in place, managed and monitored | Reduced | Low | Yes
Individual: Breach of Personal Data – Employee misuse / bad leaver | Data access restrictions and access logging in place | Reduced | Low | Yes
Individual: Breach of Personal Data – Email hack | Strong passwords in place and changed regularly; regular phishing tests conducted to highlight the risks and reinforce good practice | Reduced | Low | Yes
Individual: Breach of Personal Data – Access by unauthorised personnel | Password-protected screensavers after 5 minutes. All data held in the cloud; user access is locked down with Multi-Factor Authentication. All laptops BitLocker protected; no use of removable media | Reduced | Low | Yes
Individual: Loss of Personal Data – During transmission | All PII sent by encrypted data transfer | Reduced | Low | Yes
Individual: Loss of Personal Data – Ransomware | Anti-malware in place and updated regularly | Reduced | Low | Yes
Individual: Loss of Personal Data – Lost hard drive | General process and training; users instructed not to save data onto portable drives but to save on backed-up areas of the network | Reduced | Low | Yes
Individual: Loss of Personal Data – Lost machine | Process and training; users instructed not to save data onto the C drive but to save on backed-up areas of the network; all laptops BitLocker protected | Reduced | Low | Yes
Individual: Loss of Personal Data – Crypto virus | Anti-malware in place and updated regularly | Reduced | Low | Yes

Step 7: Sign off and record outcomes

Item | Name/position/date | Notes
Measures approved by | Johannah Palmer (Data Protection Officer) | Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by | Jon Cowell (Edgecumbe Chairman) | If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided | Approved | DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice | Risks noted are standard for this type of service; mitigations in place are sufficient to reduce the risks to an acceptable level. |
DPO advice accepted or overruled by | Jon Cowell (Edgecumbe Chairman) | If overruled, you must explain your reasons
Comments | Advice accepted by Jon Cowell |
This DPIA will be kept under review by | Johannah Palmer | The DPO should also review ongoing compliance with the DPIA