WHO IS KINVERSE
Kinverse is the trading name of Kinsman Technologies Ltd, a company registered in England under registration number 12117459. Kinverse (collectively “KinsmanTech.com”, “Kinverse.io”, “Kinverse” or “we”, “us” or “our”) is committed to protecting and respecting your privacy.
When you visit the website www.kinverse.io or www.Kinsmantech.com (the “Website”), or use our App https://MyKinverse.io (the “Platform”) and more generally use any of our services (the “Services”) which include the Website and Platform, we will collect data. This is all explained in the following couple of pages.
The regulations relating to “your” data can be quite complex and confusing. To put your mind at ease, we will use the definitions that the ICO (Information Commissioner’s Office, the governing body in the UK for all matters concerning data) uses, and we will explain how, when and what we are doing with your data.
If you ever need to get hold of us, the best way is to email.
Our contact details
Name: Kinsman Technologies Limited
Address: Kemp House, 152-160 City Road, London, EC1V 2NX
Phone Number: +44 (0) 207 617 7369
Review Date: 1st July 2021
WHAT IS GDPR & THE DPA 2018 AND WHY IS IT IMPORTANT
GDPR is a regulation that lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. This is specifically European legislation, but each country has its own laws that support or enhance these basic principles. In the UK, this is the Data Protection Act 2018.
These regulations protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Throughout our policy, we will refer to the relevant “article” (how the legislation is divided up) that we are highlighting and any supporting information, as well as explaining how, when and what we are doing with your data.
*Indicates where we have cut out the “legal” text to reduce the length of this policy. You can find the complete GDPR Regulations and the DPA 2018 text on the www.ico.org.uk website.
WE SAID THAT IT COULD BE COMPLEX, SO LET’S START WITH WHAT THINGS MEAN.
Article 4 – Definition (GDPR & DPA2018)
For the purposes of these regulations:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he, she or they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him, her or them;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his, her or their health status;
‘main establishment’ means:
as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
the controller or processor is established on the territory of the Member State of that supervisory authority;
data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
a complaint has been lodged with that supervisory authority;
‘cross-border processing’ means either:
processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
‘Users’ means individuals that access and use our Services.
UNDERSTANDING THE WHO, WHAT, WHY AND HOW OF IT ALL
Article 5 - Principles relating to processing of personal data (GDPR)
1. Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Kinverse takes its responsibilities extremely seriously and as such will detail and show you how we use your data and when.
Article 6 - Lawfulness of processing (GDPR) *
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
a. the data subject has given consent to the processing of his, her or their personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Kinverse is 100% transparent in what we are doing with your data. The term “Legitimate Interest” enables us to collect data that we request; however, we still ask for your “Consent” as this demonstrates the co-operative relationship between the parties.
Specifically, “your Consent” is required for certain data that we collect, and this is detailed in Article 9 & 10 below.
Within this policy, we explain:
what data we collect about you;
what we do with your data;
when you authorise your data to be used;
how you authorise your data to be used.
When we ask for your consent, there are four things that need to be considered.
1. We ask your consent before you give us any details;
2. We will ask for your consent on our Platform before submitting your details to the recruiting company or the employee on whose behalf Kinverse is working;
3. NONE of the data that you give us in the “Sensitive Personal” section is ever shared on an individual basis;
4. Your “Sensitive Personal” data is not stored with your personal contact details and is covered specifically under “pseudonymisation” of your data (we call this ‘anonymised data’).
Kinverse will never ask for any data on minors or children. You must be over the age of 16 and either employed or looking for employment.
YOUR CONSENT, ALLOWING US TO USE YOUR DATA
Article 7 - Conditions for consent (GDPR)*
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his, her or their personal data;
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding;
3. The data subject shall have the right to withdraw his, her or their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
In response to this segment, section 1 & 2, we ask for your consent when you first sign up to our Platform. We have a clear and concise way for you to read our Terms of Conditions as well as this Data Policy Document. You will need to read these documents and agree that you have read these documents, in order to access the Service.
Should you ever wish to withdraw your consent, as per section 3 of Article 7, you can do this by contacting us at Privacy@Kinverse.io.
OUR REASONS FOR USING YOUR PERSONAL DATA
We will process your personal data for the following reasons:
1. you have given us explicit consent;
2. processing is necessary for our legitimate business interests or those of a third party: provided this does not override any interests or rights that you have as an individual.
Our legitimate interests are:
a. managing our business and relationship with you or your company or organisation;
b. understanding and responding to inquiries and User feedback;
c. understanding how our Users use the Platform;
d. identifying what our Users want and developing our relationship with you, your company or organisation;
e. improving our Platform and offerings;
f. managing our supply chain;
g. developing relationships with business partners;
h. sharing data in connection with acquisitions and transfers of our business.
WHAT DATA ARE WE COLLECTING?
This applies to Article 13 & 14 below.
Kinverse is focused on using data to help individuals and organisations understand their diversity composition. We do this by collecting data to ensure that organisations can understand what they need to do to attract the right candidates, support their employees and ensure a just and fair process.
This is achieved through a combination of different types of personal data and questionnaires. The combination of these allows us to support individuals and organisations in removing bias from the recruitment process and the workplace.
We collect personal information that you voluntarily provide to us when you register on the Platform. The personal information we collect includes the following:
Employment notice period;
User name & password when you register for an account;
Answers to skill assessment questions.
Article 9 - Processing of special categories of personal data (GDPR)*
1. Processing of personal data revealing:
a. racial or ethnic origin;
b. political opinions;
c. religious or philosophical beliefs;
d. trade union membership;
e. genetic data;
f. biometric data;
h. sex life;
i. sexual orientation
Shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;*
j. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).*
Article 10 - Processing of personal data relating to criminal convictions and offences (GDPR)*
1. Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
DPA 2018 - PART 2 General processing – Chapter 2 - Special categories of personal data
Section 10 - Special categories of personal data and criminal convictions
Subsection 5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
Schedule 1 – Part 3 - Subsection 29
This condition is met if the data subject has given consent to the processing.
You are trusting us with some of the most sensitive information that you have; as such, Kinverse has taken great care to protect this data. We separate the data and securely allocate your personal data into two distinct data silos on our Platform.
1. Personal Data
a. This data is considered identifiable; as such, it is only shared directly with the organisations that you are applying to join, or with your existing employer, depending on the services offered;
b. This data is only shared once you have given specific consent for it to be shared with the organisation.
2. Sensitive Personal Data
a. Data in this section is covered specifically under the GDPR Articles 9 & 10 mentioned above, and is supported by Part 2, Chapter 2, Section 10, Subsection 5 of the DPA 2018;
b. Other data that is not captured in the regulations but that we deem “Sensitive”, such as Veteran status, is also in this section;
c. This data is stored under “pseudonymisation” (‘anonymised data’).
d. This data is never shared on an individual basis;
e. There is a minimum threshold for our “Anonymised” datasets to be shared, ensuring that your profile and data is secure.
Data on clients and contacts are collected under the same legislation as above. The information that we specifically collect is:
User name and password;
WHAT OTHER DATA WE COLLECT AND WHY?
This specifically relates to Article 14. We automatically collect information when you visit, use, or navigate our Services. The information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
The information we collect includes:
Log file information: We collect information that your browser sends whenever you visit our Platform. This log file information may include your computer’s Internet Protocol address, browser type, browser version, the pages of our Platform that you visit, the time and date of your visit, the time spent on those pages, and other statistics;
Device data: We collect device data such as information about your computer, phone, tablet or other devices you use to access the Services. Depending on the device used, this device data may include IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system and system configuration information.
This information is primarily needed to maintain the security and operation of our Platform, for troubleshooting and for our internal analytics and reporting purposes.
YOUR RIGHTS AND WHAT YOU CAN EXPECT (GDPR)*
Article 12: Your right to transparent information and communication – you have the right to be able to understand. We do not use excessive legal terms, yet we are bound by strong rules and regulations, so we will always try to explain our position in a way that you don’t need a law degree to understand.
Article 13: Your right to understand what data you are specifically giving – you have the right to understand what, when, how and why we are asking for this data.
Article 14: Your right to understand what other data we collect – you have the right to understand what other data we collect.
Article 15: Your right of access - You have the right to ask us for copies of your personal information.
Article 16: Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Article 17: Your right to erasure (your right to be forgotten) - You have the right to ask us to erase your personal information in certain circumstances.
Article 18: Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Article 20: Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Article 21: Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
HOW DO WE USE YOUR INFORMATION?
Here is how we use the information we collect or receive:
Service provision: we use the information to facilitate account creation and the logon process, to administer candidate or employee assessments and status notifications;
Statistics and analytics: monitor metrics such as total number of visitors, traffic, demographic patterns in our candidate skills assessment data and personal data/sensitive personal data (on an anonymised and aggregated basis);
Business communication: sending emails, newsletters, and other messages to keep you informed of the Platform. You may opt-out of receiving any, or all, of these communications from us by following the unsubscribe link. If you do choose to unsubscribe, you will still be sent information that is relevant to the administration of your profile. We also use the customer personal data to deal with inquiries and complaints made by you relating to the Platform and to address your questions, issues, and concerns;
Website monitoring: to check the Platform and our other technology services are being used appropriately and to optimise their functionality;
Platform optimisation: improve, test, and monitor the effectiveness of our Platform and diagnose or fix technology problems;
Managing suppliers: who deliver services to us;
Easy access: to help you efficiently access your information after you sign in and to remember information so you will not have to re-enter it during your visit or the next time you visit the Platform;
Development: develop and test new products and features;
Benchmarks: use aggregated and anonymised candidate skills assessment data, candidate personal data, candidate sensitive personal data, client data and aggregated demographics to provide benchmarks to our customers and improve our services.
PROCESSING IN THE CONTEXT OF EMPLOYMENT
Article 88 specifically deals with all data regarding employment. It brings more focus on the usage of the data to safeguard the individual. We address this in the design of the Platform and the usage of Silos for data collection. The data that you agree to share is only ever shared after a specific stage in the process has been reached.
No “Sensitive Personal” data is ever shared, so is not part of the selection process. If you are successful in your application, promotion or training, any information that you provided to the Platform will not be shared with the client/employer. We do not have the capability to extract individual datasets from our “Sensitive Personal” data silo.
DATA PROTECTION BY DESIGN AND BY DEFAULT
We created the data silos in order to give peace of mind and best practice. The processes that we have installed exceed the requirements of Article 25.
“Sensitive Personal” data is not accessible to a human. Once you have loaded your “Sensitive Personal” data, it is assigned a unique key that only the system can retrieve, and the system is only able to do so when correlating data for aggregated analytics. This enables us to achieve pseudonymisation, which is designed to implement data-protection principles.
WHO WILL YOUR INFORMATION BE SHARED WITH?
We process and share information that we hold with others as described below:
Skill assessment results: We only share skill assessment data directly with the customer and/or their end-user client, who has entered into a contract to administer the assessment, for the intent of delivering our services;
Candidate/employee personal data: is only shared directly with the customer and/or their end-user client who has entered into a contract. It is only shared once you have given specific consent;
Candidate sensitive personal data: is stored in a pseudonymised form as defined in Article 32 of the GDPR. The data cannot be attributed to a specific data subject and data is only ever shared on an aggregated basis with customers and research.
OTHER REASONS WE SHARE YOUR PERSONAL INFORMATION
Unless you specifically ask us under Article 20 to send the data to a 3rd party. If you do make a request under this process, we would only be able to share data that does not reside in the “Sensitive Personal” data silo, as we are unable to retrieve that data, by design.
Suppliers who support our business including IT and communication suppliers, outsourced business support, business intelligence, marketing, and advertising agencies, and back-up vendors, will only be provided data in line with their function and will have to meet standards regarding information security.
We may also gather aggregated data about our customers and website visitors and disclose the results of such aggregated (No personally identifiable (Article 32)) information to our partners, service providers, advertisers and/or other third parties for marketing or promotional purposes.
SECURITY OF PROCESSING
Article 32 is the backbone of how we process our data. With stringent security protocols and a “Secure Data is first and foremost” policy, there are a number of tools and processes that we engage to ensure that we do everything we can to secure your data.
1. pseudonymisation of all personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
THIRD-PARTY APPLICATIONS, WEBSITES, AND SERVICES
HOW WE STORE YOUR PERSONAL INFORMATION
Kinverse provides Software as a Service to a variety of clients across the globe, enabling them to attract candidates and manage their employees around the world. Our platform is available anywhere you can get onto the internet, but we store our data in secure sites in the most appropriate location, with a backup held remotely. Our Platform is hosted on secure servers in the USA, but they can only be accessed by employees of Kinverse.
Depending on the operational requirements of our business, we reserve the right to utilise other locations, as and when required.
Your identifiable information will be stored for a period not less than 5 years and not exceeding 10 years, unless you contact us, requesting your right to erasure under Article 17.
HOW TO COMPLAIN
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Our contact details
Name: Kinsman Technologies Limited
Address: Kemp House, 152-160 City Road, London, EC1V 2NX
Phone Number: +44 (0) 207 617 7369
Review Date: 1st July 2021
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address: Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
*Indicates where we have cut out the “legal” text to reduce the length of this policy. You can find the complete text on the www.ico.org.uk website.