In what follows Stuart Robertson & Associates Ltd is referred to as such, or as ‘SR&A’, or, where the context allows, ‘we’. Persons assessed on our web systems are referred to as assessees, participants, or respondents throughout the text. Persons who assess others are referred to as assessors, testers, account holders, or data controllers.
This policy explains how we deal with personal data supplied to us by users of our services and web sites, viz. those at sr-associates.com, quintaxonline.co.uk, quintax.co.uk, careermotivation.co.uk, and sra360.co.uk. It also deals with how we treat personal data derived from digital and other marketing activity. ‘Personal data’ refers to any information relating to an identifiable person who can be directly or indirectly identified as an individual ‘natural person’ by reference to an identifier.
As business psychologists we are committed to high standards of ethical practice in the acquisition, storage and processing of personal data. We are committed to dealing with the issue of privacy in a sensitive and careful manner, and this policy is intended to document how we achieve this.
However, as a policy it is also intended to indicate how we ensure compliance with all relevant legislation governing data protection and privacy issues including but not limited to the EU-wide GDPR framework. In doing this, our policy should not be read as an authoritative indication of the legal position on GDPR – readers wishing to understand this should consult the detailed reviews of GDPR given by the UK Information Commissioner’s Office (ICO) and/or by their own legal advisers. The ICO web pages are updated regularly with information about the meaning and implementation of the legislation. There are many helpful sources of guidance on GDPR now available in the public domain, as organisations are increasingly providing advice via their website for their members and/or for members of the public.
It is likely that over time, custom and practice will develop in the way that organisations deal with GDPR, and there may be more information sharing about standardised ways of approaching its requirements. We look forward to being able to develop and improve this policy in the light of experience and best practice views within our own industry of work-based psychometric assessment.
Types of data we collect
We collect, process and manage two main types of personal data by electronic means. The first type is data collected through our client services. This type of data involves personal information captured when people visit our websites to be assessed. It comprises the assessee’s personal data together with their questionnaire responses and assessment results. These assessments are generally conducted by persons that we, or others, have trained in key aspects of psychometric testing competency. Such people act as ‘account holders’ on our systems and invite people for assessment independently of ourselves. Our role in such cases is to provide an electronic, web-based platform by which our account holders can conduct and manage assessments.
The second main type of personal data we collect relates to our marketing activities utilising email promotions, Newsletters, event promotions, etc. In this we make use of other providers viz., Constant Contact Inc., for the distribution of marketing literature by email.
In addition, we collect personal and assessment data by non-digital means in the conduct of face-to-face activities such as selection assignments, assessment centres and development workshops commissioned by our clients. These may be in paper and/or electronic form.
Data collected through Client Services
Data Processors vs Data Controllers
GDPR legislation distinguishes two important roles – Data Processor and Data Controller. A processor is responsible for processing personal data on behalf of a controller. A controller determines the purposes and means of processing personal data. In our case, by providing a web service by which our customers can create assessments and produce reports without our intervention we are operating as data processors. In doing this we make use, under contract, of data sub-processors who are responsible variously for maintaining and developing our web sites and web services, writing underlying code to present tools such as Quintax via the web, and for troubleshooting technical problems that may arise in client use of our systems that cannot be addressed by SR&A consultants. Our data sub-processors abide by a confidentiality agreement regarding the protection of assessees’ personal data while working on our websites.
Occasionally SR&A also operate as data controllers, for example when we offer a Bureau Service for assessing people using Quintax, the Career Motivation Indicator (CMi), or 360 assessment, or by offering an open gateway to paying members of the public for completion of CMi.
Importantly, GDPR places different obligations upon data processors and data controllers – these obligations can be reviewed via the descriptions given on the ICO website. Based on this distinction, account holders on our Quintax, CMi, and 360 websites fall into the category of Data Controllers and should review the requirements that they face as a result of GDPR. In particular, they should consider, for example, that they, as data controllers, are responsible for, and should be able to demonstrate, compliance with the principles of GDPR. Although insufficient in itself, we expect that data controllers will want to use this privacy statement as a critical element when they need to demonstrate compliance with GDPR.
Where we collect data on behalf of clients through face-to-face services we are acting primarily as Data Processors. While our clients take the main role of Data Controllers, we provide the professional infrastructure and activities that enable the data they require to be collected.
What data do we collect and process in the course of providing client services?
We collect and process the following data from our web sites:
- We collect data electronically from users of our corporate web site (sr-associates.com) in the form of completed order forms for test and other materials, registration forms for the use of our main products, booking forms for public training places, and via general queries regarding information about our services. These data typically include personal data such as name, email and business address details. They are collected and stored securely in SR&A office systems.
- A group of our web site users – all pre-registered and qualified as users of the Quintax questionnaire – have access to a site (quintaxonline.com/admin) for administering and scoring the Quintax questionnaire on-line. This involves them in entering personal data on the server regarding the individuals they wish to invite to complete the questionnaire so that invitations can be automatically sent out to them. Quintax users are only able to access their own accounts (i.e. data regarding the people they have invited to complete Quintax) on the Quintax server. Access is governed by confidential usernames and passwords, and for this reason, there is no public access to these data.
- A further group of our web site users – invited respondents to the Quintax questionnaire – have access to a site for its completion at quintaxonline.com. This requires them to check and confirm their personal data, and then to complete the questionnaire itself. Access to the site is governed by confidential, individual and unique access codes provided to respondents for the purpose of completing the questionnaire. As a result no respondent can gain access to the personal data of any other respondent.
- At SR&A we have access to a ‘supersite’ view of all the data on the Quintax server. This enables us to set up accounts, generate usernames and passwords, and generally troubleshoot the on-line assessment process. Access is governed by password and is not therefore available to Quintax respondents, other Quintax users, or to members of the public.
- Members of the public, including Quintax Users, may visit a further website at quintax.co.uk. If they wish they can login by registering their names, email addresses, and (optionally) details of their qualifications/experiences in testing, if any. The website is intended as an informational and marketing support to the Quintax assessment system. A resource page containing downloadable materials is available to Quintax Users exclusively. Access is available by login subject to an initial registration upgrade manually performed by SR&A on the website.
- A further website is open to respondents and professional users (account holders) of the Career Motivation Indicator at careermotivation.co.uk. This requires users to provide some personal data in order to login. They are also given the opportunity to provide other data optionally to support our research effort. In all cases respondents are provided with confidential access codes. As in the Quintax case, no respondent can, as such, gain access to the personal data of any other respondent. Account holders on the CMi website can only gain access to the details of individual respondents whom they have invited to complete CMi. Access is controlled by confidential usernames and passwords in each case, and for this reason there is no public access to these data.
- We run a website for 360 degree assessment of managerial and other staff from our client companies at sra360.co.uk. In this case, nominated colleagues provide rated and written feedback on an assessee’s levels of performance at work. The data controller may be SR&A, or a client system user depending upon who is managing the assessment process. Access to the system is governed by a username and password system and in each case feedback providers are unable to see the comments and ratings of others. An output report summarises the data for the assessee to consider and use as a development platform.
- Where we conduct face-to-face assessments on behalf of clients we may maintain both paper and electronic records of application forms, assessment scores, exercise and interview reports. We may also make video recordings of, for example, group or one-to-one assessment exercises. Assessment records are passed to clients who then take primary responsibility for the data as controllers. SR&A typically maintain copies of records of assessments for a retention period, agreed with clients, based upon the specific assessment process. SR&A may also maintain anonymised records for the purposes of evaluation or research. All such data is held securely either on our computer systems, which can only be accessed by login and password, or by being held securely in locked cabinets on our premises.
- A further source of data arises because we maintain a manually created electronic database of training records and related certification which details the names and company details of people we have trained in psychometric testing and assessment centre use, the courses they have undertaken and the outcomes in each case. We also maintain similar databases recording qualified users of our various products. These databases are maintained in order to validate claims made by our former delegates about the type, duration, and date of training that they received via SR&A Ltd, or simply to provide information to our past delegates when they request it for the purpose of applying to join other training courses with other training providers.
- We maintain a database of customer details (including details of name, email, company affiliation, job role) via an online tool viz., Zoho. As with Constant Contact, Zoho provides a secure environment with access to our data provided via username and password. We also maintain details of customer information (name, company invoicing address, email) for the purpose of invoicing and customer credit management via Quickbooks online. Again, access is exclusively via username and passwords held only by SR&A Ltd.
Data collected for Marketing Purposes
What data do we collect and process for Marketing Purposes?
We maintain a mailing list for the purpose of email newsletters and marketing, and this list is stored securely on the website of our email marketing provider, Constant Contact Inc. Constant Contact maintain a security system to protect against the loss, misuse and alteration of data used by their systems. Access to our Newsletter list via the Constant Contact web site is governed by the use of a username and password. Consequently membership details on the list cannot be accessed directly by persons on the list. However, all email communications sent through Constant Contact include a ‘safe unsubscribe’ facility to enable list members to remove themselves. They cannot then be re-activated unless they sign up themselves again via their own email address. In addition Constant Contact have a Privacy Statement which can be consulted at www.constantcontact.com.
The sources of data for the list include:
- Visitors to our corporate site who click on our ‘Join our Mailing List’ button and thus ‘opt in’ to receiving our communications. If visitors wish to, they can leave their email address together with details of their name, job title, and company. A similar opt-in facility is included on our quintax.co.uk website.
- People who have otherwise expressly shared their address for the purpose of receiving information about us, our products, and/or services.
- People who have purchased from us or have registered with us as users of our products or services, or who otherwise have an existing relationship with us.
- Purchased lists of relevant professionals in other organisations – for example in HR, Learning & Development, Career Coaching, etc. – who could reasonably be expected to have a legitimate need for a range of psychometric services.
SR&A Data Protection Principles
Lawful Basis of Processing in Relation to Assessment Activity:
SR&A process personal data gathered during client services via our assessment websites (for Quintax, CMi, and 360 degree assessment) as part of a contract with data controllers or account holders. This enables them to offer services to their own clients, also on a contractual basis, for example for the purposes of: assessing the suitability of candidates in recruitment for specified job roles; assessing candidates for development, promotion, or other career advancement; assessing candidates’ personal styles of behaviour in a coaching or career counselling context; etc. All respondents are expressly asked to indicate their consent to assessment via acceptance of terms on each assessment website.
When operating as data controllers ourselves (e.g. by offering Bureau Assessment Services) SR&A do so on a contractual basis with the person requesting the assessment, whether that person is an assessee or a third party.
SR&A retain and process anonymised assessment data as part of a legitimate interest in the development of research into the reliability, validity, norms and fairness of the tools we develop (such as Quintax, CMi, 360). This is to ensure that they remain applicable and suitable for use in assessing people in occupational settings into the future. While the key data we need to retain relates to questionnaire responses, validation research is enhanced by collection of biographical data (such as gender, age, job role) and respondents are asked to give this information at assessment time on the understanding that:
- It is for SR&A research use only.
- It is not provided to the data controller conducting the assessment, although gender, if given, is used to condition the selection of pronouns (he/she/etc) in some narrative output reports.
- They (respondents) can opt out of this part of the assessment.
Lawful Basis of Processing in Relation to Marketing and Other Business Functions:
SR&A process personal data of customers as a function of our contract with them for the provision of services or products. For some data processing a legitimate interest is also involved – for example in the retention of customer training records to support, validate, or respond to delegate queries about qualifications and achievements gained on our training courses. Customers’ personal data is also processed as a function of a legal obligation in relation to accounting and invoicing, with retention required by HMRC/VAT reporting purposes.
SR&A may acquire and utilise personal data as part of a legitimate interest in marketing our products and services by communicating with potential B2B customers who occupy relevant roles in businesses that have a legitimate need for psychometric services, and for information to help them consider alternative providers. Direct marketing to a relevant person’s business email address, with a clear ‘unsubscribe’ option is a proportionate way to achieve this in a business context. As a business-related communication not involving personal email or a ‘scattergun’ approach, it also passes the test of balance with the individual rights of recipients.
Individual Rights under GDPR
The GDPR provides the following rights for individuals: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; rights in relation to automated decision making and profiling.
Advice to Assessees
If you have been assessed either on one of our web sites or by SR&A consultants and you wish to exercise your rights under GDPR, you should contact the person who invited you to complete your assessment. This may be someone from your organisation, an independent consultant, or an SR&A consultant, but in any case they will have initiated the invitation to you. They may be able to deal with your request directly, or they may pass part of it on to ourselves, but as the responsible party they should be your first port of call!
Advice to Data Controllers/Assessors
In supporting and enabling exercise of these rights in relation to people assessed via our web sites, SR&A expects data controllers (including SR&A consultants when acting in this role) to adopt the following approaches:
The right to be informed
Ensure that preliminary communications (e.g. utilising email invitation templates, letters, or other devices) include privacy information. This refers to the purpose for processing the respondent’s personal data, how long it will be retained, and who it will be shared with.
The right of access
Be aware that individuals have the right to access their personal data and can make an access request verbally or in writing. A response should be provided within one month, and no fee should be charged. In time SR&A may have functionality in place on its websites to enable data controllers to perform this task, but in the meantime any ‘subject access’ request should be referred to SR&A as early as possible so as to meet the one-month criterion. Note that our response to this will be to provide details of personal data provided to us at the time of assessment (e.g. name, email address, biographical data).
It is our view that GDPR does not justify the provision of access to privileged data that is non-identifying – for example questionnaire responses, scoring algorithms, or inferred outputs that are not open to lay interpretation. Publication of this type of data could threaten the integrity and validity of the assessment process, as it would potentially allow the reverse engineering of an assessment tool, and thus also compromise the intellectual property rights of the publishers and authors of the assessment. We nonetheless expect data controllers on ethical and professional grounds to provide appropriate feedback to respondents as a natural part of dealing with the assessment outcome in the normal manner by oral and/or written feedback.
The right to rectification
Data controllers may also refer requests for the rectification of errors in personal data to SR&A. Such requests are probably less likely on a web site used for short, intensive, ‘one-off’ assessments than one a user might engage with for a variety of purposes and over a long period of time, for example in social media settings. However, we will undertake corrections as required to errors in information such as name, email, and biographical data provided at assessment time. The right of rectification does not extend to changing questionnaire or other responses on our standardised tools given at the time of assessment, as this would impact the validity and integrity of the assessment itself.
The right to erasure
Requests for erasure of personal data submitted during an assessment should be referred to SR&A by data controllers. In time, the functionality required to complete this task may become available on our websites for this to be carried out by the controller. We operate a process of full anonymisation as a means of erasure (see ‘Other Principles’, point 5).
The right to restrict processing
There may be occasions when an individual respondent might request a restriction of processing – for example if there is a dispute over the accuracy of personal data. Such requests may be more likely to involve a temporary halt to processing while necessary validity checks are carried out. As this is a fairly unlikely scenario in an objective assessment context, data controllers might want to review the ICO advice on the matter and involve us as required.
The right to object
Data subjects have the right to object to processing under certain circumstances and to give their reasons. Individuals have an absolute right of objection, for example, if their data is to be used for direct marketing. While unlikely in an assessment context, any objection that data controllers judge to be valid in relation to processing of data via our websites should be referred to SR&A for handling.
The right to data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller. If required, SR&A can provide personal data collected at assessment time (as before excluding privileged data such as questionnaire responses) in CSV format to data controllers for onward transmission to data subjects or other data controllers.
Rights in relation to automated decision making and profiling
Use of automated individual decision-making, including profiling with legal or similarly significant effects without human intervention is restricted under GDPR. SR&A regard automated decision making – for example in employment or career contexts – which is based solely on the outcome of an online or computer-based assessment as fundamentally unethical. The outcome of an assessment should be placed alongside other information about the person assessed and considered in the round before any decision is taken as to final outcome. Data controllers should follow this principle and inform respondents that this is their approach.
A Note on Data Archiving
SR&A account holders may realise that our websites already permit the ‘deletion’ of respondents or participants in assessment. The effect of this is to remove respondents from public view in the assessment website, so that they cannot be seen by anyone who logs in to the website in the normal manner, whether they be account holders or website administrators. Deletion in this form does not remove a respondent from the underlying database, but as respondents cannot be seen without navigating the underlying database code, deletion in this form provides a strong protection for confidentiality against risks such as the leakage of a username/password to unauthorised people. As such it is excellent housekeeping for data controllers to occasionally go through their folders of respondents to delete completed assessments pending full anonymisation. People who are accidentally deleted or archived in this way can be returned to the website view by SR&A and its data sub-processors if required. Similarly, their questionnaire responses and test results can still be garnered for research purposes. Archiving in this way is not a substitute for full data anonymisation, but it is part of a best practice approach to confidentiality in the use of our websites.
- Ethical Standards. We expect Quintax users to conform to high ethical standards in the use of personal data regarding the people they have assessed. This includes but is not limited to ensuring that respondents complete the questionnaire only under conditions of informed consent, that respondents are provided with feedback on their results in an interpretable form, and that they protect the confidentiality of their usernames and passwords to prevent unauthorised access. Under GDPR, Quintax Users as data controllers need to feel confident that they can demonstrate their own compliance with the legislation.
- Terms of Supply. All Quintax users are required to abide by our Terms of Supply for the sale of both paper assessment materials (where these are still on sale to a client) and on-line services involving the questionnaire. The right to use Quintax may be withdrawn in the event of a demonstrated failure to meet the professional and ethical standards we require of users.
- CMi Issues. With regard to CMi we place similar expectations on users as are described in the last two paragraphs. This includes following our Terms of Supply which provides for ethical and professional use of the questionnaire, guarding of usernames and passwords etc.
- SR&A Research/Data Retention. We make use of the database of on-line assessment data stored securely on our Quintax, CMi, and 360 servers for research purposes. This is so that we can add to existing studies of these measures. This enables us to assess their reliability and validity, offer supplementary norm tables, and check on the fairness of our tools with regard to issues such as age and gender. It is also used to design and build new scales or metrics and to help add to the range of reports to enhance the value of the assessment tools for users. When used for research purposes, the data is fully anonymised so that the individuals assessed cannot be traced due to the elimination of the key personal identifiers of forename, surname, and email address. In such a form, the fully anonymised data no longer falls within the provisions of the data protection legislation. As our research needs tend to rely upon use of large samples (involving thousands of cases), such data is collected over long periods, which necessitates long retention times before it can be fully deleted.
Aggregate statistics of website usage (not involving personal data) are maintained by our ISP regarding our corporate website, and these are occasionally consulted by us to determine the visibility of our web pages.
Questions and queries regarding this policy should be directed to Stuart Robertson via email at email@example.com or via post at the address shown below. If at any time you wish to make a complaint in respect of SR&A’s handling of personal information, you may do so by contacting Stuart Robertson in writing at the address below. We will investigate and advise you of the outcome of the complaint promptly.
If you have a specific complaint about our use of email marketing you may also report this directly to Constant Contact by email at firstname.lastname@example.org for review by them.
Stuart Robertson & Associates Ltd
380 Chester Road
Tel: 0161 877 3277 Fax: 0161 877 4500
This policy was last updated on 23/05/2018