How your personal data will be processed

Our data processing agreement for candidate insight services

PARTIES

  1. Edgecumbe Clients (Customer)

  2. Edgecumbe Consulting Group Ltd, incorporated and registered in England and Wales with company number 3033236, whose registered address is Whitefriars, Lewins Mead, Bristol, BS1 2NT (Provider)

(a) Edgecumbe’s ICO registration number is Z7461289.

BACKGROUND

(A)   The Customer and the Provider entered into an agreement in the form of a Sales Order with Edgecumbe terms of business (Master Agreement) that may require the Provider to process Personal Data on behalf of the Customer.
(B)   This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.

AGREED TERMS

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

1.1   Definitions:

Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions that will be agreed at the outset of the services with Edgecumbe’s Client Delivery team and from whom the Provider agrees solely to accept such instructions.

Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement and any other purpose specifically identified in ANNEX A.

Commissioner: The Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller: has the meaning given to it in section 6, DPA 2018.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner, and which are applicable to a party.

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring the Personal Data to third parties.

Personal Data Breach: a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

Records: has the meaning given to it in Clause 12.

Special Category Data: Special categories of personal data are defined in the UK GDPR, and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation. And the processing of special categories of data shall be prohibited unless a permitted exception under article 9 of the UK GDPR applies.

Term: this Agreement’s term as defined in Clause 10.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2  This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.

1.3  The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

1.4  A reference to writing or written includes email.

1.5  In the case of conflict or ambiguity between:

(a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail.

(b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

(c) any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

2.  Personal data types and processing purposes

2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) The Customer is the Controller, and the Provider is the Processor.

(b) The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices, and obtaining any required consents, and for the written processing instructions it gives to the Provider.

(c) The Parties acknowledge and accept that upon receipt of the Personal Data from the Customer, the Provider is deemed to be a ‘Controller’ in its own right in respect of its legitimate interest under article 6 of the UK GDPR and its permitted exception under article 9.2.J of the UK GDPR to anonymise the personal data (specifically the psychometric data) for statistical and scientific research purposes.

(d) ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.

3.  Provider’s obligations

3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions from Authorised Persons. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.

3.2 The Provider must comply promptly with any Customer written instructions from Authorised Persons requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court, or regulator (including the Commissioner). If a domestic law, court, or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

3.4 The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

3.5 The Provider must notify promptly the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Master Agreement or this Agreement.

3.6 The Provider will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity, the purpose, or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Provider will not modify or alter the notice in any way without the Customer’s written consent.

  4. Provider’s employees

4.1 The Provider will ensure that all its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data.

(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

(c) are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4.2 The Provider will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable domestic law on all of the Provider’s employees with access to the Personal Data.

  5. Security

5.1 The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification,  reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX B. The Provider must document those measures in writing and periodically review them at least annually to ensure they remain current and complete.

5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a) the pseudonymisation and encryption of personal data.

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing, and evaluating the effectiveness of the security measures.

  6. Personal data breach

6.1 The Provider will promptly and in any event within 24 hours, notify the Customer in writing if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.

(b) any accidental, unauthorised or unlawful processing of the Personal Data; or

(c) any Personal Data Breach.

6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned.

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately following any accidental, unauthorised, or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer’s handling of the matter, including but not limited to:

(a) assisting with any investigation.

(b) providing the Customer with physical access to any facilities and operations affected.

(c) facilitating interviews with the Provider’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors.

(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised, or unlawful Personal Data processing.

6.4  The Provider will not inform any third-party of any accidental, unauthorised, or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic law.

6.5  The Provider agrees that the Customer has the sole right to determine:

(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.

  7. Cross-border transfers of personal data

7.1 Other than those subcontractors as set out in ANNEX A, the Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or, the EEA without obtaining the Customer’s prior written consent.

8. Subcontractors

8.1 The Provider confirms that its approved subcontractors are under written obligations which contain terms substantially the same as those set out in this Agreement.  At the Customer’s reasonable request the Provider agrees to liaise with its subcontractors for the purposes of assuring privacy and data protection compliance.

8.2 Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider, the Provider remains fully liable to the Customer for the subcontractor’s performance of its obligations.

8.3 The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.

8.4 On the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Personal Data and provide the Customer with the audit results.

9.  Complaints, data subject requests and third-party rights

9.1 The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

(b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

9.2 The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

9.3 The Provider must notify the Customer within 3 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer’s written instructions, or as required by domestic law.

  10. Term and termination

10.1 This Agreement will remain in full force and effect so long as:

(a) the Master Agreement remains in effect; or

(b) the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

10.3 The Provider’s failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate the Master Agreement OR any part of the Master Agreement involving the processing of the Personal Data effective immediately on written notice to the Provider without further liability or obligation of the Customer.

10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, either party may terminate the Master Agreement on not less than 30 working days on written notice to the other party.

  11. Data return and destruction

11.1 At the Customer’s request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 On termination of the Master Agreement for any reason or expiry of its term, if requested the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control,

11.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials, or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4 The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 30 days after it completes the deletion or destruction.

12. Records

12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Agreement and the Data Protection Legislation and the Provider will provide the Customer with copies of the Records upon request.

12.3 The Customer and the Provider must review the information listed in the Annexes to this Agreement at least once a year to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its agreement obligations, on at least 7days’ notice, during the Term. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits at no additional cost to the Customer. The assistance may include, but is not limited to:

(a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing the Personal Data.

(b) access to and meetings with any of the Provider’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and

(c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

13.2 The notice requirements in Clause 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring, or the Provider is in material breach of any of its obligations under this Agreement or any of the Data Protection Legislation.

13.3 If a Personal Data Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under this Agreement or any of the Data Protection Legislation, the Provider will:

(a) promptly conduct its own audit to determine the cause.

(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit.

(c) provide the Customer with a copy of the written audit report; and

(d) remedy any deficiencies identified by the audit within 30 days.

13.4 At the Customer’s written request, the Provider will:

(a) conduct an information security audit before it first begins processing any of the Personal Data and repeat that audit on at least an annual basis.

(b) produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit.

(c) provide the Customer with a copy of the written audit report; and

(d) remedy any deficiencies identified by the audit within 30 days.

13.5 At least once a year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.6 On the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider’s confidential information under the Master Agreement.

13.7 The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

  14. Warranties

14.1 The Provider warrants and represents that:

(a) its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation.

(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments.

(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement’s contracted services; and

(d) considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised, or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:

(i) the harm that might result from such accidental, unauthorised, or unlawful processing and loss or damage.

(ii) the nature of the Personal Data protected; and

(iii) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Clause 5.1.

14.2 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15.  Indemnification

15.1 The Provider agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.

15.2 Any limitation of liability set forth in the Master Agreement will not apply to this Agreement’s indemnity or reimbursement obligations.

16.  Notice

16.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:

For the Customer: The Customer’s point of contact, agreed at the outset of the services with Edgecumbe’s Client Delivery team.

For the Provider: Johannah Palmer – Data Protection Officer gdpr@edgecumbe.co.uk

Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This Agreement has been entered into on the date the Customer signed the Sales Order for the services provided by the Provider or if they are not signed, on the date that set up of the services have commenced.

ANNEX A Personal data processing purposes and details

Subject matter of processing:

For Candidate Insight: To provide some/all the following services:

  • psychometrics such as NEO, LJI2, HDS, MVPI, HBRI, HUCAMA Factors, and Matrigma assessments, analysed and interpreted by a business consultant as part of the Candidate Insight Process, to provide an overview of the candidate’s likely strengths, motivators, and potential inhibitors (under pressure), as well as recommended questions to probe development needs/potential inhibitors (under pressure) at final interview.
  • Candidate Insight report.
  • Debrief session with the Customer.
  • Feedback session with the participant.

Duration of processing: for the duration of the master services agreement

Nature of processing: includes collection, transmission, access, storage, deletion and processing of personal data.

The Provider will administer reports such as NEO reports, LJI-2 reports, HDS reports, MVPI reports, HBRI reports, HUCAMA factors reports, and Matrigma reports on behalf of the Customer.

Data is either provided by the Customer or gathered from the Customer’s candidates when providing services and is used to prepare reports such as: Candidate Insight Assessment Reports, NEO reports, LJI-2 reports, HDS reports, MVPI reports, HBRI reports, HUCAMA factors reports and Matrigma reports.

Business purposes:

To provide psychometrics such as NEO, LJI-2, HDS, MVPI, HBRI, HUCAMA Factors, and Matrigma assessments for analysis and interpretation by a business consultant as part of the Candidate Insight Process.

Personal data categories:

Personal data (which could include)

Identity information – Name

Contact information – Email address, mobile telephone number (of candidates)

Professional information – CV, BIO (for corporate candidate insight only)

Professional information – Role, place of qualification, year of qualification, specialty (for health candidate insight only)

Physical characteristics – Age, gender

Special category data

Personal information – Ethnic group (for health candidate Insight only)

Behavioural and opinion information – Psychometric data (e.g., responses to personality, ability and competency questionnaires)

Data subject types: Data subjects are the Customer’s employees (internal candidates applying for senior management level/professional posts within the Customer’s organisation.

Or

Data is provided by the Customer and the data subjects are external candidates applying for senior management level/professional posts within the Customer’s organisation.

Authorised persons: The Customer’s authorised person(s) will be agreed at the outset of the services with Edgecumbe’s Client Delivery team and can give the Provider instructions to process data under this agreement and will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Types of candidate reports: Candidate Insight Assessment Reports, NEO reports, LJI-2 reports, HDS reports, MVPI reports, HBRI reports, HUCAMA factors reports and Matrigma reports.

Who will Edgecumbe share the candidates reports with:

Candidate Insight Reports: Members of the Edgecumbe Client Delivery team, Edgecumbe Consultant, or Edgecumbe Associate Consultant (the consultant preparing the report), Candidate (will see a version without interview questions if requested), Persons within the Customer’s organisation who Edgecumbe will share the reports with will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Those on the interview panel/debriefing session are to be agreed at the start of each project and confirmed to Edgecumbe via email prior to any reports being shared.

NEO, LJI-2, HDS, MVPI, HBRI, HUCAMA factors and Matrigma Reports: Members of the Edgecumbe Client Delivery team, Edgecumbe Consultant, or Edgecumbe Associate Consultant (the consultant preparing the report), Candidate (if requested), Persons within the Customer’s organisation who Edgecumbe will share the reports with will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Retention period: The information we use to communicate with you will be kept until you notify us that you no longer wish to receive information from us, or you want us to delete your personal data. Any personal data that we hold will be kept in line with the requirements of the Customer. If the Customer has not provided a specific deletion policy in this schedule, we will hold the data until we are requested to delete it.

Disposal method:  If requested by the Customer, the Provider will securely delete or destroy or return and not retain all or any of the Personal Data related to this Agreement in its possession or control.

If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Customer would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 30 days after it completes the deletion or destruction.

Approved subcontractors:

Hogrefe Verlag GmbH & Co. KG, Testzentrale, Herbert-Quandt-Str.4, D-37081 Göttingen, GERMANY

ROLE: Hogrefe provide the NEO, which is a general personality questionnaire, and the LJI2. Candidates access Hogrefe online platform via a personal link (sent by Edgecumbe), which allows them to answer the NEO Psychometric questionnaire.

We have a DPA and an SCC in place with Hogrefe.

Advanced People Strategies Ltd (APS), Mulberry House Lamport Drive, Heartlands Business Park, Daventry, Northamptonshire, NN11 8YH

ROLE: Authorised distributor of Hogan Assessments (please see information below on Hogan Assessments)

We have a DPA in place with APS.

Hogan Assessments, 11S. Greenwood, Tulsa, Oklahoma 74120, USA

ROLE: Hogan provide the MVPI – a questionnaire measuring personal motives, values and preferences; the HDS – a measure of likely reactions to pressure which could become counter-productive; the HBRI – a measure of decision-making style and problem-solving skills. Candidates access the Hogan online platform via a personal link (sent by Edgecumbe), which allows them to answer the Hogan Psychometric questionnaires.

Hogan are accredited with the EU-U.S. Data Privacy Framework (DPF).

APS have a DPA and SCCs in place with Hogan Assessments

Hogan Data Center, 322 E Archer, Tulsa, Oklahoma 74120, USA.

ROLE: data centre where Hogan data is stored.

Inpsyght Consultancy Ltd, Cornish & Sussex Suite House 3 Lynderswood Business Park, Lynderswood Lane, Black Notley, Essex, CM77 8JT

ROLE: Authorised distributor of the Matrigma Assessment.

Assessio International AB, Banérgatan 16, 11523 Stockholm, Sweden

ROLE: Provider of the Matrigma assessment which is a non-verbal reasoning test that captures the ability to solve problems with no prior knowledge or experience.  Participants access an online platform via a personal link (sent by Edgecumbe), which allows them to answer the Matrigma questionnaire.

HUCAMA Group, Blegdamsvej 104a, 2100 Copenhagen, Denmark

ROLE: First level service provider of HUCAMA Factors Assessment tools.  HUCAMA Group provide access to online personality, ability and competency assessment tools used to support leadership assessment, training, and development.

We have a DPA in place with HUCAMA Group

Doodle AG, Zürich, Werdstrasse 21, Switzerland.

ROLE: is a meeting scheduling tool.

Microsoft Azure, UK

ROLE: Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers. Edgecumbe servers are held in the Microsoft Azure cloud environment.  Microsoft Azure data centers are in the UK, a specific location is not provided for security.

Smart Computers IT Support, 20 Apex Court, Woodlands, Bradley Stoke, Bristol, BS32 4JT, UK

ROLE: Edgecumbe’s IT support contractor

We have a DPA in place with Smart Computers IT Support

Acronis, Rheinweg 9, Schaffhausen, Switzerland 8200

ROLE: Acronis is a cloud back up hosting solution used by our IT Support company where all Edgecumbe data is backed up, data is stored in a UK datacentre.  Acronis is ISO27001 accredited.  All data within the hosting solution is held in encrypted format, Acronis have no access to data in its unencrypted format.

ASSOCIATE CONSULTANTS

We have a bank of regular associate consultants that we use when additional business consultant resource is required. Where an associate consultant is used, we will ensure that we have up to date contracts, data processing agreements and, where required, standard contractual charges in place that cover confidentiality and adherence to the Data Processing Agreement.

ANNEX B Security measures

The Provider’s technical and organisational data security measures include:

Physical access controls: all data processed via our sub processors is stored within secure data centres, The Provider is situated within a building manned with 24-hour security; our office has electronic access control. All electronic data is held in the cloud, so no physical server exists.  All visitors are managed according to a secure process (access control lists, advanced registration, escorting, sign-in/out, etc.)

System access controls: The provider’s network perimeter is protected by a business grade firewall, all non-essential inbound network ports have been blocked, all essential inbound network ports have been documented and are reviewed on an annual basis or as changes are required., traffic to inbound network ports is monitored and logged using the firewall, a vulnerability scan is performed on the firewall on a quarterly basis or as changes are required.

Data access controls: Access to all key business applications is governed with unique usernames and password conforming to the Provider’s Strong Password Policy, access to data, system utilities and program source libraries is controlled and restricted to those authorised users who have a legitimate business need e.g., systems or database administrators.

Data backups: All business-critical data is held in the cloud and protected by a separate cloud Datto backup service; the back-up Schedule is as follows:

  • Backed up three times a day.
  • Week 1 – Intra-dailies
  • Week 2 – Dailies
  • Week 3 to 6 – Weeklies
  • Week 6+ – Monthlies

Data segregation: Access to data and network resources is granted to Security Groups rather than to named individuals, staff must be added to Security Groups relevant to their role in the business to gain access to these data and resources.

Transfer of sensitive and/or special category data: The Parties shall ensure that Personal Data is transferred between them using the following security measures:

All sensitive and/or special category personal data will be either:

  • Transferred via a password protected encrypted file. The Provider will do this using 7zip with the password being shared by either text or verbally over the phone.
  • Shared via link to a secure area of the Provider’s SharePoint Site.
  • Alternative secure methods of sharing sensitive and/or special category data files can be used but only if agreed in advance between the parties.  

ANNEX C Breach notification procedure

Immediately upon becoming aware of a Personal Data breach, suspected breach or security incident, the Provider must:

  1. Contact the customer at the nominated email address agreed at the outset of the services with Edgecumbe’s Client Delivery team, notification via any other method will not be deemed as being valid under this Data Processing Agreement.
  2. Describe the nature of the Personal Data breach/suspected breach/security incident and whether it is ongoing or contained.
  3. Confirm, where possible:
  • Categories of affected data subjects
  • Number of affected data subjects
  • Categories of data records concerned (for example: contact details, behavioural data, preference information)
  1. Communicate the name and contact details of the Data Protection Officer or other contact point from whom further information can be obtained.
  2. Describe the likely consequences of the Personal Data breach.
  3. Describe the measures taken or proposed to be taken to address the Personal Data breach and/or mitigate its possible adverse effects; and
  4. Where it is not possible to provide all the above information at the same time, provide the information in phases as and when it becomes available and without undue delay.

ANNEX D Data Protection Impact Assessment for Candidate Insight Services provided by Edgecumbe Consulting Group Ltd to Edgecumbe clients

Controller/Processor details

Name of controller Edgecumbe Client’s (Customer)
Name of controller contact / email address To be agreed at the outset of the services with Edgecumbe’s Client Delivery team.
Name of controller contact and Data Protection Officer / email address To be agreed at the outset of the services with Edgecumbe’s Client Delivery team.
Name of processor Edgecumbe Consulting Group Ltd (Provider)
Name of processor contact and Data Protection Officer Johannah Palmer Johannah.palmer@edgecumbe.co.uk

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
We are carrying out this DPIA because the project requires special category data to be collected, recorded, organised, structured, stored, adapted, retrieved, consulted, disclose by transmission, dissemination or otherwise make available, aligning or combining, restricting, erasing, or destroying of data for the following purposes:

For Candidate Insight: To provide some/all the following services:

·         psychometrics such as NEO, LJI2, HDS, MVPI, HBRI, HUCAMA Factors, and Matrigma assessments, analysed and interpreted by a business consultant as part of the Candidate Insight Process, to provide an overview of the candidate’s likely strengths, motivators, and potential inhibitors (under pressure), as well as recommended questions to probe development needs/potential inhibitors (under pressure) at final interview.

·         Candidate Insight report.

·         Debrief session with the Customer.

·         Feedback session with the participant

Step 2: Describe the processing

Describe the nature of the processing:
What is the source of the data? Data is provided by the Customer and the data subjects are either external candidates applying for senior management level/professional posts with the Customer or Customer employees applying internally for senior management level/professional posts with the Customer.
Will you be sharing data with anyone? Candidate Insight Reports: Members of the Edgecumbe Client Delivery team, Edgecumbe Consultant, or Edgecumbe Associate Consultant (the consultant preparing the report), Candidate (will see a version without interview questions if requested), Persons within the Customer’s organisation who Edgecumbe will share the reports with will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Those on the interview panel/debriefing session are to be agreed at the start of each project and confirmed to Edgecumbe via email prior to any reports being shared.

NEO, LJI-2, HDS, MVPI, HBRI, HUCAMA factors and Matrigma Reports: Members of the Edgecumbe Client Delivery team, Edgecumbe Consultant, or Edgecumbe Associate Consultant (the consultant preparing the report), Candidate (if requested), Persons within the Customer’s organisation who Edgecumbe will share the reports with will be agreed at the outset of the services with Edgecumbe’s Client Delivery team.

Edgecumbe sub processors are involved in providing the service. Please see Annex A of this agreement for details.

What types of processing identified as likely high risk are involved? All reports above involve sensitive personal data.  Sharing these reports could be considered high risk if they are sent insecurely or to the wrong person.
Describe the scope of the processing:
What is the nature of the data, and does it include special category or criminal offence data? Racial or ethnic origin Yes (for health candidate insight)
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Data concerning health Behavioural and opinion information – Psychometric data (e.g. responses to personality, ability and competency questionnaires).
Data concerning the sex life or sexual orientation of the data subjects
Criminal offence data
Other sensitive/high risk data type (Please specify) Professional information – CV, BIO (for corporate candidate insight only)

Professional Information – Role, place of qualification, year of qualification, specialty (for health candidate insight only)

Behavioural and opinion information – data gathered in interview (where an interview is provided as part of the service)

Preference information – consultant notes taken during interview (where an interview is provided as part of the service)

How much data will you be collecting and using? Each candidate referred to us by the Customer completes the correct psychometric questionnaires for the service chosen, which will be analysed by an Edgecumbe consultant or Edgecumbe Associate Consultant (business consultant) who provides their findings and suitable interview questions in a briefing call or written report to the Customer. (Depending on the level of candidate insight service required)
How often? Used by the Customer when recruiting for senior management or professional posts where a candidate insight assessment using psychometrics is required as part of the recruitment process.
How many individuals are affected Any candidates referred to us by the Customer.
Will the processing involve anonymised information? No unless requested (for corporate candidate insight)

Yes (for health candidate insight)

Will the processing involve pseudonymised personal data? No unless requested (for corporate candidate insight)

Yes (for health candidate insight)

Will the processing involve fully identifiable personal data? Yes
Describe the context of the processing:
What is the nature of your relationship with the individuals? We provide Candidate Insight Assessment services to the Customer, to support recruitment. Data is provided by the Customer and the data subjects are either external candidates applying for senior management level/professional posts with the Customer or Customer employees applying internally for senior management level/professional posts within the Customer.
How much control will they have? Psychometric Reports – the Customer (the controller) shall have a permitted exception to article 9 of the UK GDPR to process an individual’s special category data (psychometric data) and will agree at outset of the services with Edgecumbe’s Client Delivery team and with the candidate who the reports will be shared with. We will also share the psychometrics with the candidate if requested.

Candidate Insight Assessment Report – the Customer (the controller) shall have a permitted exception to article 9 of the UK GDPR to process individual’s special category data (psychometric data) and will agree at outset of the services with Edgecumbe’s Client Delivery team and with the candidate who the report will be shared with. We will also share a version of the Candidate Insight Assessment Report (without interview questions) with the candidate if requested.

Would they expect you to use their data in this way? Yes, it is common practice for candidates to take part in psychometric testing and assessment interviews when applying for senior/professional posts
Do they include children or other vulnerable groups? Pregnant women, ethnic minorities and disabled persons, if there are any among those external or internal candidates shortlisted for candidate insight assessment by the Customer.
What is the current state of technology in this area? Good
Are there any current issues of public concern that you should factor in? Risk of bias and adverse impact in the use of psychometrics
Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? Cyber Essentials Plus, British Psychological Society Professional Standards including Register of Qualified Test Users
Describe the purposes of the processing:
What do you want to achieve? To improve the quality of leadership and support selection and development of leaders and professionals through Candidate Insight Assessments.
What is the intended effect on individuals? Candidate Insight Assessments: To support fair and effective selection of leaders by using standardised, validated psychometric tools to inform selection decisions; typically used as a tool in the recruitment process after shortlisting and before final interview for senior management and professional posts.
What are the benefits of the processing – for you, and more broadly? Processing is essential to provide our contracted services.

Under the UK GDPR Art 89, The Provider has a legitimate business interest to anonymise candidate psychometric data to enable scientific and statistical research such as benchmarking, which allows comparisons to be drawn among people from different organisations, and to support research which improves the effectiveness with which leaders’ capabilities can be measured and developed.  Under Data Protection Legislation to do this we must have a permitted exception to article 9 of the UK GDPR to process a data subject’s special category of data.  Where required the permitted exception to anonymise the data subject’s psychometric data is 2.J for archiving, research and statistics.

Candidates are given the option to opt out of having their data used in this way.

Why would it not be possible to do without personal data? Developing leadership effectiveness is intrinsically concerned with personal attitudes, behaviour and performance and it is not possible to provide the services without processing personal data.

Step 3: Consultation process

Consider how to consult with relevant stakeholders:
Describe when and how you will seek individuals’ views – or justify why it is not appropriate to do so. During contracting process with the Customer.
Who else do you need to involve within your organisation? Jon Cowell (Chairman) and Johannah Palmer (Data Protection Officer, for GDPR and Information security responsibilities)
Do you need to ask your processors to assist? No
Do you plan to consult information security experts, or any other experts? Yes, we have a Specialist Data Protection Solicitor who we consult on a regular basis.

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular:
Is there another way to achieve the same outcome? No
How will you prevent function creep? We will not conduct processing which goes beyond that agreed; if the Customer asks us to perform additional processing, we will advise that they must ensure that candidates have been informed of the additional purposes and that a suitable legal basis for the processing has been established.
How will you ensure data quality and data minimisation? System audits are conducted regularly, and all reports go through a quality assurance process before being sent out.  Regular data housekeeping takes place to minimise data held.
What information will you give individuals? Candidates are provided with information at the outset of the service and a link to our privacy statement informing candidates as to the purpose of the testing and how the data will be used.
How will you help to support their rights? We protect their personal data by endeavouring to ensure only those who need to and are permitted to have access to it; we have a subject access request process in place, and we have named information security and data protection post holders. Ultimate accountability for data protection rests with the Chairman.
What measures do you take to ensure processors comply? Data Processing Agreement’s with sub processors and regular due diligence checking
How do you safeguard any international transfers? Standard Contractual Clauses/ International Data Transfer Agreements in place with suppliers outside of EEA who do not have an adequacy agreement with the UK.

Step 5: Identify and assess risks

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. Likelihood of harm Severity of harm Overall risk
  Remote, possible or probable Minimal, significant or severe Low, medium or high
Individual: Breach of Personal Data – Hacker Possible Significant Medium
Individual: Breach of Personal Data – Processor/Sub Processor breach Possible Significant Medium
Individual: Breach of Personal Data – Employee misuse / bad leaver Possible Significant Medium
Individual: Breach of Personal Data – Email Hack Possible Significant Medium
Individual: Breach of Personal Data – Access by unauthorised personnel Possible Significant Medium
Individual: Loss of Personal Data – During transmission Possible Significant Medium
Individual: Loss of Personal Data – Ransomware Possible Significant Medium
Individual: Loss of Personal Data – Fire Possible Minimal Low
Individual: Loss of Personal Data – Lost hard Drive Possible Significant Medium
Individual: Loss of Personal Data – Lost Machine Possible Significant Medium
Individual: Loss of Personal Data – Crypto Virus Possible Significant Medium

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5
Risk Options to reduce or eliminate risk Effect on risk Residual risk Measure approved
Eliminated reduced accepted Low medium high Yes/no
Individual: Breach of Personal Data – Hacker Business grade firewall in place Reduced Low Yes
Individual: Breach of Personal Data – Processor/Sub Processor breach Data Processing Agreement in place managed and monitored Reduced Low Yes
Individual: Breach of Personal Data – Employee misuse / bad leaver Data access restrictions and access logging in place Reduced Low Yes
Individual: Breach of Personal Data – Email Hack Strong passwords in place and changed regularly; regular phishing tests conducted to highlight the risks and reinforce good practice Reduced Low Yes
Individual: Breach of Personal Data – Access by unauthorised personnel Screensavers after 5 mins password protected.  All data held in the cloud, access for users is locked down with Multi Factor Authentication.  All laptops bitlocker protected; no use of removable media Reduced Low Yes
Individual: Loss of Personal Data – During transmission All PII sent by encrypted data transfer; Reduced Low Yes
Individual: Loss of Personal Data – Ransomware Anti- malware in place and updated regularly Reduced Low Yes
Individual: Loss of Personal Data – Lost hard Drive General process and training, users instructed to not save data onto portable drive but to save on backed up areas of the network. Reduced Low Yes
Individual: Loss of Personal Data – Lost machine Process and training, users instructed to not save data onto C drive but to save on backed up areas of the network; all laptops bitlocker protected Reduced Low Yes
Individual: Loss of Personal Data – Crypto Virus Anti- malware in place and updated regularly Reduced Low Yes

Step 7: Sign off and record outcomes

Item Name/position/date Notes
Measures approved by: Johannah Palmer Data Protection Officer Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by: Jon Cowell Chairman If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided: Approved DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice:

Risks noted are standard for this type of service, mitigations in place are sufficient to reduce the risks to an acceptable level.

DPO advice accepted or overruled by: Jon Cowell Chairman If overruled, you must explain your reasons
Comments: Advice accepted by Jon Cowell
This DPIA will kept under review by: Johannah Palmer The DPO should also review ongoing compliance with DPIA