Insightrix Communities Data Policy
Client: A Third Party who has entered into a contract with Insightrix Research Inc. For the Use of the Insightrix Online Community software to conduct survey research.
Collects, Collecting, Collected and Collection: The act of gathering, acquiring, recording or obtaining Personal Data or PII from any source, including Third Parties and Data Subjects, by any means and in any form.
Consent: The voluntary agreement to the Collection and Use of Personal Data or PII for Permitted Purposes. Consent is expressly provided by the Data Subject. Express Consent can be given orally, electronically or in writing, but is always unequivocal. Consent can be revoked by the Data Subject at any time.
Controller: The person, public authority, agency or other body that, alone or jointly with others, determines the Permitted Purposes, Use(s) and means of processing Personal Data and/or PII. The Controller is the party responsible to the Data Subject for the protection of the Data Subject’s privacy.
Data Protection Officer: The Insightrix Employee appointed to monitor internal compliance with the Data Policy, advise on Personal Data and PII protection impact assessments and be the contact for Data Subjects and Supervisory Authorities.
Data Subject: A member of the public who provides personal data to the Controller.
Employee: An Employee of or independent contractor to Insightrix.
Personal Data: Includes:
A) Any information relating to an identified or identifiable Data Subject, as defined by GDPR, including, but not limited to, sensitive identified or identifiable information and business contact information and work product; and
B) Personal information about an identifiable Data Subject, but not including the name, title, business address or telephone number of an Employee of an organization in the event it does not include descriptive or factual information about the organization, as defined by PIPEDA.
Personally-identifiable Information (“PII”): Information that can be Used to uniquely identify, contact or locate a Data Subject. PII can be “de-identified” so it can no longer be Used to identify the Data Subject and, therefore, is not sensitive.
Permitted Purpose(s): The stated purpose for the Collection of the Personal Data and/or PII from the Data Subject, as communicated to the Data Subject at the time of Collection, which defines the Use of the Personal Data and/or PII by the Controller.
Processor: A person, public authority, agency or other body that processes Personal Data and/or PII on behalf of the Controller. The Processor has obligations to the Controller, not directly to the Data Subject.
Supervisory Authority: The authority overseeing and enforcing privacy rules and regulations including, but not limited to, the Privacy Commissioner of Canada (PIPEDA) and the European Data Protection Board (GDPR).
Third party: An individual or organization outside of Insightrix.
Use and Used: The treatment, handling and management of Personal Data and/or PII in accordance with the Permitted Purpose(s) and with the Consent of the Data Subject, including, but not limited to:
(i) Use by Insightrix Communities in the role of Controller of the Personal Data and/or PII;
(ii) Processing of the Personal Data by Insightrix, where Insightrix is the Processor of the Personal Data and/or PII;
(iii) Disclosure of the Personal Data and/or PII by the Controller to a Third Party; or
(iv) Use of the Personal Data and/or PII by a Third Party.
Scope And Application
Insightrix Online Community software is governed by its “Data Policy”. The Data Policy is a statement of principles and rules related to the protection of Personal Data and PII provided to Insightrix by Data Subjects and provided by Insightrix to Third Parties with the Consent of Data Subjects. The objective of the Data Policy is to promote responsible and transparent Personal Data and PII management practices in a manner consistent with The Personal Information Protection and Electronic Documents Act (“PIPEDA”, Canada), The General Data Protection Regulation (“GDPR”, European Union) and ISO 27001 (“ISO”).
The Data Policy explains how Insightrix protects the Personal Data and PII of Data Subjects. It describes the technical and organizational practices implemented to comply with the data protection principles described in PIPEDA, GDPR and ISO 27001.
Data Subjects are entitled to exercise their privacy rights. The Data Policy applies to Personal Data and PII Collected or Used by Insightrix Communities, acting as Controller in the course of commercial activities. The Data Policy applies to Personal Data and PII Collected in any form, including, but not limited to, oral, electronic and written Personal Data and PII. When Personal Data or PII is provided directly to Insightrix Communities, then Insightrix Communities is the Controller and has obligations to the Data Subject.
By contract, when Personal Data or PII is collected by a Client using the Insightrix Online Community software, Insightrix is the Processor and has obligations to the Client. The Client who is responsible for the Collection or Use of the Personal Data or PII, acts as the Controller, with obligations to the Data Subject. Insightrix Communities takes steps to ensure that Clients understand and comply with the Data Policy while using the Insightrix Online Community. For example, while using the Insightrix Online Community, the Client is encouraged to publish their security and privacy agreement to Data Subjects to obtain the Consent of the Data Subjects before Collecting Personal Data or PII.
What is PIPEDA?
PIPEDA is the Canadian government federal privacy law for private organization. Its 10 principles instruct businesses on best practices for the handling of Personal Data. These 10 principles include:
- Identifying purpose of use
- Limiting collection to only what is necessary
- Limiting Use, disclosure and retention
- Accuracy of information
- Establishing safeguards
- Individual access
- Challenging compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection regulation founded under European Union law that applies to data protection and privacy for all citizens of the Union. It also applies to companies established outside the Union that supply goods or services to, or monitor the behaviour of, individuals within the Union. The commitment of Insightrix to data security is exemplified in our willingness to comply with GDPR requirements.
GDPR has 10 key principles:
- Lawful, fair and transparent processing
- Limitation of purpose, data and storage
- Data subject rights
- Personal data breaches
- Privacy by design
- Data protection impact assessment
- Data transfers
- Data Protection Officer
- Awareness and training
What is ISO 27001?
The International Organization for Standardization (ISO) has various standards for organizations to ensure the safety of their procedures and assets. ISO 27001 is the best-known standard and provides guidelines for an Information Security Management System (ISMS). Meeting ISMS requirements allows companies to manage sensitive information so it remains secure, which is done by applying risk management procedures to all aspects of the business – the people, processes and IT systems.
The three key principles of ISO include:
- Confidentiality – information may only be accessed by those with authorization.
- Integrity – information is accurate and complete.
- Availability – information is easily accessible for those with authorization when they need it.
How does the Data Policy meet all three standards?
Insightrix Communities a division of Insightrix satisfies the strictest requirements of PIPEDA, GDPR and ISO 27001. By doing this, Insightrix complies with the highest standards of privacy and data security. Insightrix is guided by the following data security principles:
Principle 1 – Accountability and Appointment of a Data Protection Officer
Insightrix is responsible only for information under its control and shall designate one or more persons who are accountable for the compliance of Insightrix with data security principles.
The Data Privacy Officer is responsible for ensuring organizational data is managed in a way that complies with data security guidelines, which includes:
Educating Insightrix Employees on compliance requirements
Training Employees involved in data processing
Conducting audits to ensure compliance with the Data Policy and pro-actively address non-compliance with the Data Policy
Serving as the point of contact between Insightrix and Supervisory Authorities
Monitoring performance and providing advice on the impact of Data Protection efforts
Maintaining comprehensive records of all data Collection activities conducted by Insightrix, including the Permitted Purpose(s)
Maintaining comprehensive records of all data processing activities conducted by Insightrix, including the Permitted Purpose(s) stated by the Controller (the Client)
Developing practices to inform Data Subjects about how Personal Data or PII is being Used, the rights to have Personal Data and PII erased and the Personal Data and PII protection measures engaged by Insightrix.
Principle 2 - Lawful, Fair and Transparent Processing
Insightrix has the responsibility to ensure Data Subjects are informed of the purposes for which their data is being Collected and Used (Permitted Purposes).
Insightrix Online Community is a software platform that may be Used to Collect Personal Data or PII from the Data Subject. When Insightrix is Collecting Personal Data or PII from the Data Subject, it is for the following Permitted Purposes:
To create a profile for the Data Subject within the Insightrix Online Community;
To contact the Data Subject with surveys, diary discussions and group discussions in which the Data Subject may Consent to participate; and
Subject to the Consent of the Data Subject to participate in particular research, to conduct quantitative or qualitative marketing and social research for Insightrix, based on the Personal Data or PII Collected by Insightrix.
Personal Data or PII about a Data Subject will be Collected directly from the Data Subject. The Data Protection Officer shall explain the Permitted Purposes to the Data Subject upon request by the Data Subject. Personal Data or PII will not be Used by Insightrix for any purpose other than a Permitted Purpose(s) unless the Use is required by law or the Consent of the Data Subject is obtained for the Use of the Personal Data or PII for the new purpose.
Insightrix may provide Clients or other Third Parties with information from any survey in aggregate form. PII is de-identified in aggregate form to ensure PII about a Data Subject is not disclosed. Insightrix will not sell the Personal Data or PII of Data Subjects to Clients or Third Parties. Data Subjects are free to choose whether or not to participate in a survey, are free to choose not to answer any specific questions and are free to discontinue participation at any time.
When a Client is Collecting Personal Data and/or PII from the Data Subject, Insightrix shall encourage Clients Using the Insightrix Online Community software to specify orally, electronically or in writing the Permitted Purpose(s) to the Data Subject at, or before, the time Personal Data and/or PII is Collected. The Data Subject will be informed to contact the Client with questions about the Permitted Purpose(s)
of the Personal Data or PII Collected because the Client, not Insightrix Communities, is the Controller of the Personal Data and/or PII.
Principle 3 - Limitation of Purpose, Data and Storage
Data Subjects will be informed of the limitations, purposes and storage of their Personal Data and PII. Data Collection, Use and retention will be limited to only what is necessary.
Insightrix limits the amount and type of Personal Data or PII it Collects by Collecting only the amount and type of Personal Data or PII from the Data Subject needed for the Permitted Purpose(s).
Personal Data and PII Collected by Insightrix, and under the control of Insightrix, will be Used for the Permitted Purpose(s). Data Subjects will know why Personal Data is being Collected and how Insightrix will Use the Personal Data or PII. Insightrix complies with privacy standards by ensuring adequate documentation of the Collection and processing of Personal Data and PII is kept
In the case that Personal Data or PII must be disclosed to a Third Party or Used for a purpose additional to, or different from, the Permitted Purpose(s), the new Use will be fair, lawful and transparent. Further processing of Personal Data or PII for achieving purposes in the public interest, scientific or historical research, or statistical purposes will not be considered incompatible with Permitted Purpose.
Principle 4 – Data Subject rights
When Insightrix acts as a Controller, Data Subjects must know and have the ability to exercise their data protection rights, including rights to access, correction, erasure, restrictions, objections, portability and withdrawal of Consent.
As a Controller, Insightrix ensures sufficient safeguards on Personal Data and PII by using the highest possible privacy settings so data is only available with the Consent of the Data Subject.
Insightrix recognizes the right of each Data Subject to access their Personal Data and/or PII for viewing or editing. Data Subjects have the right to request a portable copy of their Personal Data and/or PII in a common format (i.e., .csv, .xlsx, .doc).
To make such requests, Data Subjects must contact the Data Protection Officer and allow Insightrix 30 days to deliver portable data requests. Data deletion requests will also be fulfilled within 30 days, after which the Data Subject will be informed their data has been deleted.
In certain situations, Insightrix may not be able to provide access to all Personal Data or PII of the Data Subject. For example, Insightrix may not provide access to information if doing so would likely reveal Personal Data or PII about a Third Party, or could reasonably be expected to threaten the life or security of another individual. Insightrix may not provide access to information if access to the information would reveal confidential commercial information.
Insightrix can refuse to comply with a Data Subject’s access request if it is unfounded or excessive, taking into account whether the request is repetitive in nature. If a request is manifestly unfounded or excessive, Insightrix can refuse to deal with the request. In that case, Insightrix must provide the reason to justify the decision without undue delay and within 30 days of receipt of the request.
The communication to the Data Subject must include:
- The reason(s) Insightrix is not taking action;
- The Data Subject’s right to make a complaint to a Supervisory Authority; and
- The Data Subject’s right to enforce their privacy rights through a judicial remedy.
Data Subjects are not entitled to access the Personal Data or PII of other Data Subjects. Security measures implemented to prevent improper access to Personal Data and PII include, but are not limited to, providing individualized login information to each Data Subject, Client and Third Party.
In order to safeguard Personal Data and PII, a Data Subject may be required to provide sufficient identification information to permit Insightrix to account for the existence of Personal Data or PII of the Data Subject and the identification information will be Used to authorize access to the Data Subject’s file. Insightrix shall promptly correct or complete any Personal Data or PII found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the Data Subject’s file. Where appropriate, Insightrix shall transmit such corrections or completions to Third Parties having access to the Personal Data and/or PII in question.
The process of Consenting Out of Participation in the Insightrix Online Community Used to Collect Personal Data or PII will be as simple as the process of Consenting into it. There is an unsubscribe button on the footer of every page. Simply click the email link to register or unsubscribe from Insightrix Communities a division of Insightrix.
If Insightrix is not the Controller of the Personal Data or PII, the Data Subject must contact the Client who is using the Insightrix Online Community to access, correct, erase, restrict, object to, relocate or withdraw Consent to the Use of Personal Data or PII provided to the Client on the Insightrix Online Community. The Client is the Controller of the Personal Data or PII. Insightrix is the Processor and, as such, is not authorized to interfere with or otherwise deal with the Personal Data or PII of the Data Subject except as instructed to do so by the Client.
Principle 5 – Consent
A Data Subject must Consent to the Collection or Use of Personal Data.
Participation by Data Subjects in any form of data Collection is always voluntary. As a Controller, Insightrix Communities may obtain Consent at the time of registration or at the time of the initial profile survey. The Consent must be unambiguous and involve a clear affirmative action.
In determining the appropriate form of Consent, Insightrix shall take into account the sensitivity of the Personal Data or PII and the reasonable expectations of the Data Subject.
In obtaining Consent, Insightrix Communities shall employ reasonable efforts to ensure a Data Subject is advised of the Permitted Purpose(s) for which Personal Data or PII will be Used. The Permitted Purposes shall be stated in a manner that can be reasonably understood by the Data Subject.
A Data Subject participating in the Insightrix Online Community must Consent to providing their Personal Data and/or PII to Insightrix by signing a Consent form. The Consent form must identify:
1. The Personal Data and/or PII that will be Collected, including:
a. The Permitted Purpose(s) for gathering the Personal Data or PII and the Use of the Personal Data PII
b. The period the Personal Data or PII will be stored, especially if it differs from the established 30-day period following the survey close date
2. The survey data elements that could be gathered
a. The purpose for gathering this survey data and Use of the survey data
b. The period the survey data will be stored
Generally, any Personal Data or PII Collected is not disclosed to Third Parties. However, a Client sponsoring a research project may want to contact Data Subjects directly. In these cases, Insightrix Communities, as Controller will explain the new purpose and Use to the Data Subjects and obtains Consent from the Data Subject before using the Personal Data or PII in this way. Insightrix offers all Data Subjects the choice to, or not to, Consent to Use of the Personal Data or PII for a purpose other than the Permitted Purpose(s), or a Use not previously disclosed to the Data Subject.
Insightrix may be legally required to disclose Personal Data or PII to Third Parties, including, but not limited to, response to a warrant authorized by law enforcement authorities. In such cases, the Consent of the Data Subject to the Use of the Personal Data or PII may not be obtained.
Data Subjects may revoke Consent at any time.
A Client using the Insightrix Online Community who will act as the Controller of the Personal Data or PII is encouraged to obtain the Consent of the Data Subject in accordance with this principle.
Principle 6 – Accuracy of Information
Personal Data and PII shall be as accurate, complete and up to date as is necessary for the Permitted Purpose(s).
Personal Data and PII controlled by Insightrix shall be sufficiently accurate, complete and up to date to minimize the possibility that inappropriate information may be Used. Insightrix shall update Personal Data and PII about Data Subjects as necessary to fulfill the Permitted Purpose(s), or upon request by the Data Subject.
If Personal Data or PII is discovered to be inaccurate or misleading, steps will be taken to either correct or erase it. Personal Data and/or PII will only be corrected if there is sufficient reason to do so.
If Insightrix is not the Controller of the Personal Data or PII, requests must be made to the Controller (the Client using the Insightrix Online Community).
Principle 7 – Personal Data and/or PII Breaches
The possibility of data breaches will be minimized by ensuring strategies are in place for both reporting and handling compromised data.
In the role of Controller and Processor, Insightrix Communities a division of Insightrix has an ongoing and continuous program to reduce the risk of data breaches. Insightrix implements breach detection, notification and reporting procedures to minimize the risk of a Personal Data or PII breach and any harm which may arise as a result of a privacy breach.
Data breaches will be reported within 72 hours of being identified. Insightrix records will include the measures proposed or taken to deal with the breach.
Principle 8 – Privacy by Design to Establish Safeguards
In the role of Controller and Processor, all Insightrix operations will run with a “data protection by design and default” approach, in which security measures are systematically incorporated into our practices.
Insightrix Communities, a division of Insightrix Research, will implement systems of security measures as outlined in this document. Insightrix Communities will protect your Personal Data and PII using approved and tested security safeguards that meet industry standards. This approach is preventative rather than reactive. We employ the following mechanisms to protect Personal Data and PII:
Pseudonymization – the processing of PII in such a manner that the PII can no longer be attributed to a specific Data Subject without the Use of additional information, and that additional information is stored in a separate place. This is the recommended way to create “data protection by design”.
Tokenisation – the process replaces sensitive Personal Data and/or PII with non-sensitive substitutes, referred to as tokens. This method requires less computational resources to process, and less storage space in databases than traditionally encrypted data. It is achieved by keeping specific data fully or partially visible for processing and analytics while sensitive information is hidden.
Principle 9 – Data Protection Impact Assessment (DPIA)
As Controller or Processor, Insightrix will conduct DPIAs for major projects requiring the processing of Personal Data and/or PII.
Data Protection Impact Assessments (“DPIAs”) are Used to identify and minimize the risks associated with a particular project. They must be done for data processing that is likely to result in a high risk to Data Subjects. DPIAs are Used by Insightrix to:
- Describe the nature, scope, context and Permitted Purpose(s) for Data Collection and Use
- Assess necessity of Personal Data and/or PII and, if it follows, compliance measures
- Identify and assess risks to Data Subjects, taking into account both the likelihood and severity of the risk
- Identify measures to mitigate identified risks
Principle 10 – Data Transfers
Insightrix Communities a division of Insightrix Research will ensure Clients understand their role in data security to follow safety requirements when transferring data.
It is the responsibility of the Controller of Personal Data or PII to ensure privacy laws and regulations are being complied with. This applies even if data processing is being done by a Third Party. Insightrix ensures compliance with the Data Policy when Insightrix is the Controller of the Personal Data and/or PII.
Since Insightrix Communities a division of Insightrix is the software supplier for the research, Insightrix has a role in ensuring Clients understand and follow the principles outlined in this document when using the Insightrix Online Community. In this position, Insightrix will continue to act on our commitment to this document and its principles.
Principle 11 – Awareness and Training
All Insightrix Employees are trained in PIPEDA, GDPR and ISO 27001 requirements.
As Controller or Processor, only Insightrix Employees with a business “need to know” or whose duties reasonably so require are granted access the Personal Data and/or PII of Data Subjects.
Access to information collected on our website is restricted to Insightrix Employees who require the information for research or business reasons. All Employees are trained to, and are required to, respect the rules of data integrity and confidentiality.
Principle 12 – Openness Concerning Policies
As Controller or Processor, Insightrix shall make readily available to individuals specific information about its policies and procedures relating to the management of Personal Data and PII.
Insightrix shall make information about its policies and procedures easy to understand:
- The means of gaining access to Personal Data and/or PII controlled by Insightrix
- A description of the type of Personal Data and/or PII held by Insightrix, including a general account of its Permitted Purpose(s) and Uses
- A description of what Personal Data and/or PII is made available to related organizations (e.g., subsidiaries)
Principle 13 – Challenging Compliance
As Controller or Processor, an individual shall be able to address a challenge concerning compliance with the above principles to the Data Protection Officer.
Insightrix shall maintain procedures for addressing and responding to all inquiries or complaints from individuals regarding the handling of Personal Data and/or PII by Insightrix. Insightrix shall, on written request, inform individuals about the existence of these procedures, as well as the availability of complaint procedures.
The Data Protection Officer may seek external advice, where appropriate, before providing a final response to complaints.
Insightrix Communities shall investigate all complaints concerning compliance with its Data Policy. If a complaint is found to be justified, Insightrix shall take appropriate measures to resolve the complaint, including, if necessary, amending its policies and procedures. The complainant shall be informed of the outcome of the investigation regarding his or her complaint
For more information regarding the Insightrix Communities Data Security Policy, please contact the Insightrix Data Protection Officer by email at firstname.lastname@example.org or by mail to Insightrix Research Inc. 1-3223 Millar Avenue, Saskatoon, Saskatchewan S7K 5Y3.
Publication Date: June 03, 2019