Privacy Policies

1.0 Our commitment

At Zircon Talent we recognise that the personal information we handle in our business activities is held by us in a position of trust. We respect its confidential nature and accept our responsibility to keep it secure. In the course of our business activities some of us will hold or have access to personal information (being any information which makes an individual identifiable) about colleagues, customers, suppliers, consumers and other individuals. It is essential that we respect and protect this information and ensure we meet the requirements of the Data Protection Legislation in effect where we do business. Any personal information which we hold, or which others collect, hold or process for us, or to which we have access must only be used for legitimate Zircon Talent business purposes.

Sensitive data is a sub-category of personal information that needs to be handled with particular care. This is information typically relating to an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual life and sexual orientation and any genetic data and biometric data processed to uniquely identify a person.

2.0 About personal information

Zircon Talent holds written (offline) and electronic (online) personal information about our employees, customers, suppliers, consumers and other individuals. As an employer we process personal information about our employees (and, in limited circumstances, their family members) for employment administration purposes, from recruitment and reference checks through to performance, payroll and pension administration.

We also handle personal information of customers, suppliers, consumers and other individuals for a variety of other business purposes, including customer and supplier administration, credit checking, consumer research, marketing and promotion of our products and crime prevention or detection.

This information may be held in paper format (notebooks) or electronically within computers, mobile devices, email systems, HR systems, other applications (including communications and sharing applications and marketing databases some of which may be owned and operated by third parties. Where we engage with such third parties, they are required to protect personal information.

3.0 Data protection principles

• Fairly, Lawfully and Transparently: We should process personal information fairly, lawfully and transparently.
• Purpose Limitation: We should collect personal information only for specified, explicit and legitimate purposes and only use it only in this way unless other uses are permitted by law, the individual has consented or it is within their reasonable expectation.
• Minimisation: The personal information we handle should be enough and limited to what is relevant and necessary for the purpose.
• Accuracy: Personal information should be accurate and where necessary kept up to date.
• Storage Limitation: Personal information should be in a form which does not allow the identification of individuals for longer than is necessary for the handling purpose.
• Confidentiality and Integrity: Processed with appropriate confidentiality and integrity.
• Accountability: Zircon Talent must also be able to demonstrate its compliance.

Fairly, lawfully and transparently and purpose limitation

We should ensure that personal information is processed fairly, lawfully and transparently. This means we need to check what legal basis we have to process personal information and inform individuals what categories of personal information we have collected, or will collect, and explain the purpose(s) for which their personal information will be used.

We should collect personal information only for specified, explicit and legitimate purposes and only use it in this way unless other uses are permitted by law, the individual has consented or it is within their reasonable expectations. This ensures that there are 'no surprises' for the individual regarding how we use their personal information. Usually Zircon Talent will provide this information to individuals through the use of a Privacy Notice or Privacy Policy. Please ask Sarah Linton for any support you need preparing a Privacy Notice. Sensitive personal information needs to be handled with particular care. We should try not to collect or use sensitive personal information at all unless the individual has made the information public themselves (e.g. political beliefs) or the person explicitly consents to Zircon Talent using it for a specific purpose (e.g. to receive occupational health services) or, in exceptional circumstances, as permitted or required by law. We should apply the data minimisation principle and comply with the Information Handling Standard to protect sensitive data.

We are committed to keeping data confidential. The data supplied to us may differ depending upon whether from a client or a candidate. We process information for the purpose of providing consulting services to our clients, which may include the carrying out of Questionnaires of personal characteristics, performance and workplace, and generating analysis, research, comment and reports in relation to such Questionnaires. We may also process personal information for the purposes of using and refining Questionnaire tools, research, analysis, accounting, billing and audit, credit or other payment card verification, security, administration, enforcing and defending legal rights, systems testing, maintenance and product development, customer relations, performing our obligations to individuals and our clients whether under contract or otherwise, and to help us in future dealings with you. The Questionnaire reports and services we provide to our clients may be used by them for purposes which may include the selection and development of individuals in an employment or human resources context.

If you are an existing client, we may email you with information about further questionnaires, reports and services similar to those which were the subject of a previous contact with you.

Information disclosure

Information is disclosed to our clients in the context of the provision of services and reports to them in connection with the Questionnaires that have been performed. We do not control the further dissemination or use of this information by our clients.

To facilitate the questionnaire process, information may also be passed to other companies within the Zircon Talent company and its agents from time to time. We may also pass data containing information in an anonymised and/or statistically aggregated form to our approved agents, current or future potential clients or research institutions. We may from time to time appoint third parties to process data containing information on our behalf as a data processor. We research responses to our tests and questionnaires in the light of areas such as gender, age and ethnic origin over the longer term; this is considered best practice and allows us to monitor our tools for fairness in use.

Due to the international nature of internet-based questionnaire services, the persons to whom we may disclose this information may be located in countries outside of the European Economic Area (“EEA”). These countries may not have data protection laws equivalent to those which are in force in the EEA to protect your information. Where data is transferred to third parties, these parties are bound by the terms of the Zircon Talent Privacy Policy contained on the Zircon Talent website and other data sharing agreements. By submitting personal data, it is agreed to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. All information you provide to us is stored on our secure servers and the backup data is encrypted.

We may disclose your personal information to third parties:

• In the event that we sell any part of our business or assets of our business, in which case we may disclose your personal data to the prospective buyer of the business or assets. We may also disclose your personal data to a vendor of another business or assets that we are acquiring or to a joint venture or merger partner.
• If Zircon Talent assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets.
• If we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or our applicable Standard Terms and Conditions and other agreements; or to protect the rights, property, or safety of Zircon Talent, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Data minimisation/storage limitation/accuracy

We should only handle personal information that is adequate, relevant, and limited to what is necessary for the purpose it was collected. For example, we should strip out irrelevant data fields when collecting personal information from individuals and when disclosing information to a third party (e.g. to a service provider) we should only provide the minimum amount of personal information the third-party needs. We should ensure that personal information is accurate and allow individuals to update their personal information taking all reasonable steps to amend or delete inaccurate or irrelevant data.

We should securely destroy or delete redundant or excessive data (or suppress in the case of consumer data) in line with applicable retention schedules. Data is deleted, or anonymised, after 18 months. Where practical, we should consider whether to anonymise personal information or use an alias which replaces personal identifiers in a data set with other values (pseudonyms). For personal information to be truly anonymous it needs to fulfil certain legal requirements so check with Sarah Linton.

Confidentiality and integrity

We should handle personal information with appropriate confidentiality and ensure data integrity.

Accountability

The accountability principle covers the range of requirements for organisations to demonstrate data protection compliance. Other requirements explained in this section cover High Risk Processing and when a Privacy Impact assessment is needed; Security; Individual Rights; Third Party Data Handling and International Data Transfer.

1. High risk processing and privacy impact assessments - Data Protection Legislation in some countries requires that a privacy impact assessment (PIA) should be carried out when the processing of personal information is likely to result in a high risk to individuals (e.g. this includes material damage or any harm to them). For example, if you are engaging in an innovative marketing activity or a new third party service provider, new technology, product or service or any monitoring activity we should assess the risk posed to individuals and if that risk is likely to be high then a PIA should be conducted. You must consult with Sarah Linton on the need to complete a PIA. “Privacy by design” needs to be demonstrated in many countries. The PIA should be carried out early to ensure any new processing activity, tool or functionality involved in the handling of personal information is designed and built in a way that allows it to comply with the Data Protection Principles listed at the start of this Policy.
   If you are involved in any new digital marketing activities and /or profiling involving personal information you must comply with our Digital Code and consult Sarah Linton early on to ensure that the legal requirements are met. In some markets such as the EU and the UK there are potentially significant restrictions on direct marketing and profiling and you may need to complete a PIA and check whether you need consumer consent or adaptions to your transparency notice for direct marketing activities.
2. Security - We should store personal information securely and follow applicable security policies and guidance. All systems that hold personal information should have clear well-managed and documented organisational access controls and protocols (which are appropriate to the sensitivity of the personal information) and ensure any bulk personal information removed from the system is appropriately secure at all times.
3. Individual Rights - Individuals may ask us to access, correct, obtain a copy of or delete personal information that we hold about them. Immediately Sarah Linton if an individual makes a request. Statutory time periods within which we must respond could apply and may be as short as 14 or 30 days so it is important to contact with Sarah Linton promptly. Individuals also have the right to object to our using their personal information for certain purposes, such as direct marketing. Individuals may also have the right to file a formal complaint in relation to the collection and processing of their personal information to the relevant supervisory authority (e.g. the Information Commissioner's Office in the UK or the Data Protection Commissioner in Ireland).
4. Third party data processing - Whenever personal information is processed by a third party for our business purposes you should consult Sarah Linton to identify any contractual protections or steps required such as the completion of a PIA. In the EU and UK, for instance, the GDPR requires processing clauses to be included in contracts which involve handling personal information. Generally, the disclosure and/or transfer of personal information to third parties should not occur unless an agreement exists confirming that they will give the data the appropriate level of protection and ensure that appropriate security measures are in place. Zircon Talent should not disclose an individual’s personal information to third parties unless they have agreed to this or it is otherwise permitted or required by law. Sometimes, Zircon Talent may be legally obliged to make disclosures or there may be a legitimate business requirement to disclose the data which does not prejudice the interests of individuals or breach local privacy laws. All requests for disclosure of personal information to third parties should be referred to Sarah Linton unless we know how to deal with the request in line with applicable Data Protection Legislation and this Policy. Personal information of individuals within the UK and EU may not be shared with any with government bodies outside the EU without prior consultation with Sarah Linton on any EU clearances needed (e.g. in the context of an investigation or litigation).
5. International transfer - If you are transferring personal information to another country, Data Protection Legislation may require us to put certain safeguards in place before the transfer happens.

How to report a breach

Breaches of this policy will be dealt with in accordance with the Data Breach policy.

Data Breach Policy

1.0 Purpose

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g. to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

Zircon Talent’s Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how Zircon Talent’s established culture of openness, trust and integrity should respond to such activity. Zircon Talent Information Security is committed to protecting Zircon Talent's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

2.0 Background

This policy mandates that any individual who suspects that a theft, breach or exposure of Zircon Talent confidential or Zircon Talent highly confidential data which would include any information relating to individuals has occurred must immediately provide a description of what occurred via e‐mail to sarah.linton@zircon-mc.co.uk. The leadership team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the leadership team will follow the appropriate procedure in place.

3.0 Policy

Confirmed or suspected theft, data breach or exposure of Zircon Talent confidential / highly confidential data and personal information.

As soon as a theft, data breach or exposure containing Zircon Talent confidential or highly confidential data is identified, the process of removing all access to that resource will begin. The initial assessment and categorisation of each incident is carried out by the leadership team.

The Incident Response Playbook (Highly Confidential document) is intended to be the first point of instruction in the event of a computer security incident, and is intended to be used primarily by Zircon Talent leadership team.

The leadership team will be made up from the IT Director, COO and CEO of Zircon Talent.

Audience

This policy applies to all whom collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Zircon Talent’s confidential/highly confidential information in addition to the Zircon Talent leadership and other teams involved in supporting the Incident / Breach response process.

Scope

The scope of this policy is applicable to all confidential and highly confidential data for which there is a breach or a suspected breach.

Exceptions

Exceptions to this standard can only be granted by the Zircon Talent Chief Operating Officer.