Effective date: May 20, 2020
At Diversity Atlas, we understand the concerns our clients and their team members may have about the privacy of their data. Users of Diversity Atlas can be confident that we take their privacy very seriously. We will continue to benchmark our privacy and information security practices against the leading legislative and technical standards.
In this document, ‘we’ means Cultural Infusion (Int) Pty Ltd, the company that supplies Diversity Atlas. We are a Data Processor as defined by the European Union’s General Data Protection Regulation (GDPR).
The term ‘our service’ refers to the Diversity Atlas website, which includes the Diversity Atlas survey questionnaire and the Diversity Atlas admin and analytics dashboard.
A client organisation is the entity to whom Diversity Atlas is providing access to our survey tool. This could be a private business, a government agency or non-governmental organisation (NGO). A client organisation is a Data Processor as defined by GDPR.
An organisational admin is an employee of a client organisation to whom we give access to the Diversity Atlas admin dashboard to view and analyse the results of a survey.
A respondent is a person who provides their personal information as part of their participation in a Diversity Atlas survey. A respondent is a Data Subject as defined by the GDPR.
A note on Client Organisation obligations
The data respondents generate when they take the Diversity Atlas survey is being compiled and stored by us on behalf of our client organisation, for the primary purposes of generating graphs, charts and statistical insights illustrating the diversity within their organisations.
In addition, Diversity Atlas will only proceed with deploying a survey within an organisation after ensuring that its administrator is fully aware of its privacy and security responsibilities regarding its use of respondents’ data, which we outline in a Code of Conduct that our clients have to sign before having access to Diversity Atlas. These privacy obligations are reiterated in the contracts that we sign with our clients.
We strive to ensure optimal handling of data and we help our clients to establish risk management frameworks that include privacy and information security best practices as part of their use of Diversity Atlas.
We encourage respondents to communicate with their organisational contact person or their human resources department to discuss any concerns or seek any clarifications about their own rights, and their organisation’s obligations, regarding the handling of personal information collected through Diversity Atlas.
Generally, an employer can only require an employee to provide personal information that is directly related to the employment relationship, and can only collect ‘sensitive information’—of the kind that some questions in the Diversity Atlas survey touch on—after having obtained their explicit consent to do so. An employee cannot be penalised for choosing not to participate in the survey, or for only providing certain forms of information as part of the survey.
If their employer seeks to make participation in a Diversity Atlas survey mandatory in their workplace, we encourage any respondent to contact Diversity Atlas at [email protected]. If any respondent believes that their organisation has mishandled their data, or has in any way not met its obligations with regard to a respondent’s privacy, we encourage them to consult the advice offered by the Office of the Australian Information Commissioner (if in Australia) or their country’s Supervisory Authority (if in the European Union) about the appropriate responses.
We may collect information on how the Diversity Atlas website is accessed and used, which is known as Usage Data. This Usage Data may include information such as your computer’s Internet Protocol address (IP Address), browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, which type of device you are using, and other diagnostic data.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent by a website. However, if you do not accept cookies, you may not be able to use some portions of our website.
Your personal information
Your participation in a Diversity Atlas survey involves the provision of personal information—that is, information about you which a third party might be able to use to identify you if they gained access to it.
We also provide options for users to maximise the privacy of their responses. When you begin a Diversity Atlas survey, you are given the option of completing the entire survey anonymously. In this case, you will not be able to provide your name or email address and your responses will not be able to be linked to your name or contact details.
If you do not choose to complete the survey anonymously, then you will be asked for your name and email address. Your responses will be associated with this name and email address but the organisational administrator in charge of the survey will not be able to view any names or email addresses associated with a particular user’s responses.
Whether you provide your name or complete the survey anonymously, the only fields which you are required to answer to successfully complete the Diversity Atlas survey are:
- Age Group
- Country of Birth
- Primary Language
Additionally, the Diversity Atlas survey invites respondents to provide information about themselves which is considered ‘sensitive information’ under Section 6(1) of Australia’s Privacy Act and article 9 of the European Union GDPR. This includes information about:
- Ethnic Background and Race
- Sexual Orientation
- Religious and/or Philosophical Beliefs
- Disability and Mental Health
Answering these questions is entirely voluntary and not mandatory. Respondents are under no obligation to answer these questions, and can indicate in the Diversity Atlas survey that they prefer not to answer them. Please also see the note above about client organisations’ responsibilities with regards to the handling of this personal information, and the circumstances in which they are allowed to collect it.
How your information is used
Once a Diversity Atlas survey has been completed, the results are made available to the client organisation’s Organisational Admin via the Diversity Atlas online dashboard.
Using this dashboard, Organisational Admins can undertake analysis and generate reports based on the results of the survey. Access to this Dashboard is limited to the designated Organisational Contact Person and is protected with SSL-encrypted passwords.
Diversity Atlas’ administration and analytics dashboard limits the visibility of respondents’ data to preserve their confidentiality. Organisational admins can see who in their organisation has completed the survey if these respondents have provided their names and emails, but they cannot see respondents’ individual answers to survey questions apart from their responses on their age, country of birth, and gender. Organisational admins can see the number of anonymous respondents, but neither their responses nor their name and emails, because Diversity Atlas will not ask respondents for this information if they choose to complete the survey anonymously.
What admins can see:
- How many people responded to the survey
- Overall organisational results
- The following information about respondents who have chosen not to complete the survey anonymously:
  - Country of Birth
- Diversity metrics disaggregated to the level of teams or departments larger than 10 people
What they can’t see:
- The worldviews, sexual orientation, ethnic/racial identifications, ability status, and position levels of any individual respondent, whether or not they have completed the survey anonymously
- The names or email addresses of any respondents who have chosen to complete the survey anonymously
- Team-level results for teams within the organisation in which more than 10 people have responded
What can Diversity Atlas see?
Diversity Atlas’ development team do not have access to the results of a survey unless the organisational admin officially asks for help and discloses their password to us. Diversity Atlas team members cannot view or modify respondents’ responses.
Data storage and security
We store all users’ information on servers protected by world-leading standards of data integrity.
In Australia, all databases containing users’ data are stored on our Amazon Web Services (AWS) servers in Sydney, Australia. We have the capacity to make our service available to clients off servers located anywhere in the world, pursuant to their needs and any legislative requirements for the storage of personal data.
Please see this document for more detailed information about Diversity Atlas’ information security practices.
The admin dashboard is only accessible to organisational admins with a password. All admin passwords are SSL encrypted, meaning that nobody has access to them—including the Diversity Atlas team.
Diversity Atlas uses column-based encryption to offer additional protection to the most sensitive information provided by respondents in a Diversity Atlas survey. Responses to the following questions are encrypted:
- Ethnic background and race
- Sexual orientation
- Disability and mental health
- To provide customer support
Retention of Data
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our website, or we are legally obligated to retain this data for longer periods.