Privacy Impact Assessment
Introduction to Privacy Impact Assessments
TalentQuest conducts a Privacy Impact Assessment, or PIA, to analyze how personally identifiable information is collected, used, shared, and maintained. The purpose of the PIA is to identify and reduce privacy risks, as well as to demonstrate that TalentQuest has consciously incorporated privacy protections throughout its Talent Management platform.
What do we mean by privacy?
Privacy, in its broadest sense, is about the right of an individual to be left alone. It can take two main forms, and these can be subject to different types of intrusion:
- Physical privacy – the ability of a person to maintain their own physical space or solitude. Intrusion can come in the form of unwelcome searches of a person’s home or personal possessions, bodily searches or other interference, acts of surveillance and the taking of biometric information.
- Informational privacy – the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others. Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent, and misuse of such information. It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages.
This PIA is concerned primarily with informational privacy and with minimizing the risk of harm through use or misuse of personal information. Some of the ways this risk can arise are through personal information being:
- inaccurate, insufficient or out of date;
- excessive or irrelevant;
- kept for too long;
- disclosed to those who the person it is about does not want to have it;
- used in ways that are unacceptable to or unexpected by the person it is about; or
- not kept securely.
The outcome of TalentQuest’s Privacy Impact Assessment should be a minimization of privacy risk.
Public bodies need to be aware of their obligations under the Human Rights Act. Article 8 of the European Convention on Human Rights guarantees a right to respect for private life which can only be interfered with when it is necessary to meet a legitimate social need. Organizations which are subject to the Human Rights Act can use a Privacy Impact Assessment to help ensure that any actions that interfere with the right to private life are necessary and proportionate.
The benefits of a Privacy Impact Assessment
Conducting a Privacy Impact Assessment is not a legal requirement of the DPA. TalentQuest promotes Privacy Impact Assessments as a tool which helps compliance with DPA obligations and brings further benefits for all impacted individuals.
The first benefit to individuals will be that they can be reassured that the organizations which use their information have followed best practice. A platform which has been subject to a Privacy Impact Assessment should be less privacy intrusive and therefore less likely to affect individuals in a negative way.
A second benefit to individuals is that a Privacy Impact Assessment should improve transparency and make it easier for them to understand how and why their information is being used.
A Privacy Impact Assessment can also provide benefits by minimizing the amount of information being collected or used where this is possible and devising more straightforward processes.
Annex one: Privacy impact assessment screening questions
Does working with the TalentQuest system involve the collection of new information about individuals?
Yes. Usually TalentQuest projects involve the data subject completing training, updating their profile and filling out an assessment or survey to complete their Talent Management and Development tasks. Some new data is either derived or directly collected.
Does working with the TalentQuest system compel individuals to provide information about themselves?
No. TalentQuest’s Talent Management and Development processes can be completed with only the data collected from the employer, if the employer chooses to do so.
Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
Yes. TalentQuest uses third party processors. Please refer to the list of sub-processors on the TalentQuest website at http://www.talentquest.com/sub-processors/
Is information about individuals being used for a purpose it is not currently used for, or in a way it is not currently used?
No. TalentQuest only uses data that it has been assigned as a Processor or data that it has collected consent to use.
Is new technology being used which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
Does TalentQuest make decisions or act against individuals in ways which can have a significant impact on them?
TalentQuest is the data processor. The Data Controller (i.e. the data subject’s employer) makes all the decisions about how data is used.
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
No. Data is only related to employee development and evaluation.
Will the project require TalentQuest to contact individuals in ways which they may find intrusive?
All contact with data subjects is managed by the Controller. All system generated notifications to the data subjects are also managed/configured by the Controller.
Annex two: Privacy impact assessment
Step one: Identify the need for a Privacy Impact Assessment
A PIA is generally not needed for most TalentQuest engagements but is provided here for full compliance with GDPR. TalentQuest does use a cadre of carefully selected partners to help with our development and employee evaluation processes. Those partners are bound by the consent originally given to the Controller, or that we have collected ourselves.
Step two: Describe the information flows
- The initial user data feed into TalentQuest comes from the Controller’s (i.e. customer’s) HRIS system either as an automated user data feed or uploaded manually using Excel or CSV files.
- The Controller or the Data Subjects can then add or modify their information within the TalentQuest system by completing their individual profiles, completing training and going through various other assessments and evaluations as required and configured by the Controller.
- Data can leave the TalentQuest system to go back to the Controller or Data Subject in one of the following ways:
  - Reports that can be viewed and exported by the Controller or Data Subjects
  - Automated data feeds going back to the Controller systems as set up by the Controller
- Besides the Controller and Data Subject, the TalentQuest sub-processors listed on the sub-processors page of the TalentQuest website (http://www.talentquest.com/sub-processors/) have access only to the information they need to perform their specific function in providing the desired service.
Annex three: Linking the Privacy Impact Assessment to the data protection principles
Personal data shall be processed fairly and lawfully and shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Have you identified the purpose of the work?
Yes. The purpose and scope of the work are defined in the SoW and/or contract with the data Controller.
How will individuals be told about the use of their personal data?
Data subjects are informed by their employer and opt in to specific data collection activities.
Do you need to amend your privacy notices?
Have you established for which conditions processing applies?
Yes. These are covered in our Processor agreements that are part of our standard contracts.
If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?
Consent is derived from the Controller or through opt-in banners within our Talent Management and Development platform. If the Controller notifies us of an Article 16, 17, or 18 request, we will comply by means of anonymization or data deletion.
If your organization is subject to the Human Rights Act, you also need to consider: Will your actions interfere with the right to privacy under Article 8? Have you identified the social need and aims of the project? Are your actions a proportionate response to the social need?
The processing actions of TalentQuest are not subject to the Human Rights Act. Some TalentQuest customers and their employees within the EU may be subject to the Human Rights Act, and Human Rights Act questions or complaints should be directed to firstname.lastname@example.org
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
Does your project plan cover all of the purposes for processing personal data?
TalentQuest is a Data Processor and is subject to the processing purpose designed and controlled by the Data Controller.
Have potential new purposes been identified as the scope of the project expands?
TalentQuest is a Data Processor and is subject to the processing purpose designed and controlled by the data Controller.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Is the information you are using of good enough quality for the purposes it is used for?
TalentQuest is a Data Processor and is subject to the processing purpose designed and controlled by the data Controller. The data Controller collects and controls the data collected by TalentQuest and is the only entity qualified to determine if it is appropriate for their purpose.
Which personal data could you not use, without compromising the needs of the project?
There are some optional data elements that are used for statistical and research purposes that do not have direct bearing on an individual processing event, but are used to ensure the fairness, effectiveness and validity of the processing program.
Personal data shall be accurate and, where necessary, kept up to date.
If you are procuring new software does it allow you to amend data when necessary?
How are you ensuring that personal data obtained from individuals or other organizations is accurate?
TalentQuest is a processor and uses common data validation techniques on data obtained from the Controller or Data Subjects such as data format validation and required information completeness. Data that is incomplete or inaccurate can be corrected by the Controller or Data Subject by sending in correct information or by correcting it directly within the TalentQuest system.
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
What retention periods are suitable for the personal data you will be processing?
TalentQuest’s Retention Policy states that all critical customer data will be retained in the system for 7 years past the contract period unless the customer requests their data to be erased sooner.
Are you procuring software which will allow you to delete information in line with your retention periods?
No. TalentQuest has developed data erasure scripts that can be used to delete or anonymize data as required. Anonymized data can be used for long-term research and statistical analysis.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Will the systems you are putting in place allow you to respond to subject access requests more easily?
Yes. A data subject’s data set can be pulled up, exported, modified, anonymized, or deleted upon request.
If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose?
Yes. Marketing communications require a specific opt-in.
Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Do any new systems provide protection against the security risks you have identified?
TalentQuest uses a variety of firewall, network segmentation and end-point security mechanisms to ensure data is protected.
What training and instructions are necessary to ensure that staff know how to operate a new system securely?
TalentQuest has extensive Policy and Procedure documents as well as employee training and attestation processes to ensure compliance.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Will the project require you to transfer data outside of the EEA?
If you will be making transfers, how will you ensure that the data is adequately protected?
Data is transferred to the United States and is protected under the EU-US Privacy Shield accord. Please refer to the EU-US Privacy Shield Policy on the TalentQuest website under http://www.talentquest.com/privacy-shield/.