Data
protection

Published on 01 September 2022

1. Scope

Everyone has rights with regard to how their personal information is handled, and we recognise that the lawful and correct treatment of personal data is vital to our continued success in an increasingly regulated global marketplace. “Personal information” (which is essentially any information that is capable of identifying a living individual) is collected and processed every day in our business. During the course of our activities we collect, store and process personal information about our staff, suppliers, clients and our client’s customers; and we are committed to ensuring that it is treated in an appropriate and lawful manner.

Iress Limited is our parent company based in Australia, however, we have operations in several other countries, including the United Kingdom, France, South Africa¹, Canada, New Zealand, and Singapore. This document does not set out a detailed explanation of the data protection laws in each country in which we operate, but its aim is to establish a uniform minimum standard that applies to all of our employees, agency and temporary staff and contractors. In addition, where we engage subcontractors, consultants, suppliers and business partners who handle personal information on our behalf, we expect these third parties (irrespective of where they are based) to have in place appropriate policies and procedures which provide an equivalent level of protection in relation to the processing of personal information as those set out in this document.

2. When does this policy apply?

This policy applies when we are collecting and/or processing personal information. Where third parties are processing personal information on our behalf we expect them to have in place an appropriate data protection/ privacy policy which includes equivalent protections as those set out in this document.

What is personal information?

For the purpose of this policy, personal information is information that relates to living individuals² (“data subjects”) who can be identified from that information, or from that information put together with other information to which we have, or are likely to have access.

Personal information can include a wide variety of information, such as names, addresses (physical or email), telephone numbers, an identification number, location data, online identifiers and economic information. It can also include an opinion about an individual, their actions and behaviour. Personal information which is more sensitive could include details about a person’s health or genetics, racial or ethnic origin, gender, marital status, political opinions, religious beliefs and criminal background⁴. It is important for us to understand whether the nature of the personal information being processed is sensitive³ as this may impact whether we are able to lawfully process it, as well as the technical and operational measures we adopt to ensure the information is appropriately protected.

Personal information may be collected, stored and processed either in hard copy or electronic form.

What is processing?

The definition of processing is very wide. Activities such as obtaining, collecting, receiving, storing, recording, holding, using, disclosing, updating, hosting, analyzing, viewing, accessing, making available, copying, transferring or deleting personal information can be considered “processing”.

--
¹ In South Africa, the Protection of Personal Information Act 2013 (PoPI) gives a ‘juristic person’ (which is defined as a company, entity, community or other legally-recognised operation), the right to the protection of its personal information. This means that our South African operation must also safeguard the information it holds about clients who are companies, as well as business partners, integrators, suppliers etc.

² As well as juristic persons in South Africa, and deceased individuals in Singapore and Canada.

³ Sensitive personal information is also known as a ‘special category of personal information’ under the General Data Protection Regulation.

⁴ This is not an exhaustive list of what may amount to personal information in each jurisdiction in which we operate. If you are in doubt as to whether information is included within the scope of this document, please consult the legal team.
--

3. Collection of personal information

In cases where we collect personal information from data subjects and we determine the manner and purpose for which it is processed, then we must ensure that we are open and transparent with data subjects by providing them with certain information regarding how we use their personal information - this is usually in the form of a ‘privacy notice’⁵.

The specific information to be included in a privacy notice can vary depending on where our operations are located, and/or where the data subject is located, and may also vary depending on whether we collect the personal information directly from the data subject or we obtain it from a third party.

For more detailed advice on when a privacy notice is required and the specific information to be provided within it, please consult the legal team.

In cases where we process personal information in connection with the services we provide to our clients, we rely on our clients to ensure that they provide all required information to data subjects (including customers of our clients) which is sufficient in scope to enable us (and, if relevant, any third-party service/ data providers who provide services to that client via Iress) to process the personal information in the course of the provision of services. In some circumstances, and in certain jurisdictions in which we operate, it may be necessary for our clients to obtain the explicit consent of the data subject in order for Iress to process the data subject’s personal information. In these circumstances, we will rely on our clients to ensure that such consents are in place.

4. Global data protection principles

Please note that in certain countries in which we operate, responsibility for compliance with the principles set out below will depend on the specific privacy laws of that country and the capacity in which Iress acts. For example, in the United Kingdom, not all of these principles may apply if we are acting only as a processor. If you are in doubt as to which principles apply in light of the capacity in which we are acting, please contact the legal team.

a - Personal information must be processed fairly and lawfully - for personal information to be processed lawfully, certain conditions have to be met. Whilst a common way of establishing compliance with this principle may be to obtain the consent of the data subject to the processing, there may be a more appropriate basis upon which we can rely to show that we are processing information fairly and lawfully. The legal basis to show lawful processing can vary dependent on jurisdiction – examples include where the processing satisfies a legal obligation (as opposed to a contractual obligation), where the processing is necessary to enter into or carry out a contract to which the data subject is party (for example to process a job application or to administer employee pensions or payroll) or where the processing is necessary for the purposes of the legitimate interests pursued by the data controller (except where those interests are overridden by the interests, rights or freedoms of the data subject).

Where we are carrying out processing activities on behalf of our clients we will rely on our clients collection of personal information, and the making available of such personal information to us, being in compliance with the fair and lawful processing principle.

--
⁵ In the UK, EU and South Africa, this information must be provided when we collect personal information, or, if the personal information is obtained from a third party, within a reasonable period after having obtained it.

⁶ When Iress does rely on consent as the basis of lawful processing, certain rules apply in relation to the manner in which we collect consent, particularly where data subjects are based in the UK, EU or South Africa. For further information regarding the rules on collecting consent please consult the legal team.
--

b - Personal information must be processed for limited specified purposes -personal information may only be processed for the specific purposes notified to the data subject or for a purpose which is compatible with that specific purpose(s) or for any other purposes specifically permitted by legislation. This means that we must not collect personal information for one purpose and then use it for another. If it becomes necessary to change the purpose for which the information is processed, the data subject must be informed of the new purpose, and, in some jurisdictions, this must happen before any processing for that purpose occurs. In addition, (depending on how the new purpose relates to the initial purpose in terms of compatibility), it may be necessary to obtain the data subject’s prior consent before starting processing under the new purpose.

We must also ensure that where we are processing personal information in connection with services provided to clients we do so only in accordance with the purposes we have agreed with that client – whether in our contract with that client or otherwise.

c - Personal information must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed – in circumstances where we collect personal information we should consider what is necessary to collect in light of the purpose of the processing. Personal information should not be collected for some general or as yet unspecified future use. If there is no apparent need for the information being collected then it should not be collected - for example, we should not ask for or keep information about an employee’s religious or political beliefs, as this would not be considered relevant for the purposes of his or her employment.

d - Personal information must be kept accurate and, where necessary, up to date – where we are collecting personal information reasonable steps should be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Every reasonable step should be taken to ensure that personal information that is inaccurate or out-of-date is rectified or destroyed without delay.

Where we are processing personal information on behalf of our clients we should ensure that we have appropriate processes in place to enable us to respond to a request to amend inaccurate data which we may process on our clients’ behalf.

e - Personal information must not be kept for longer than is necessary – personal information must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the information is collected and processed. Personal information should be destroyed or erased from our systems when it is no longer required, unless it is necessary to retain it.

Determining how long it is necessary to retain personal information can sometimes be difficult. It should be noted that we may have certain legal obligations to retain personal information and/or documents for specified time periods before we are able to destroy them. In other situations, we may need to keep personal information after the completion of the purposes for which the information was originally collected and processed, but we will do this based on our legitimate interests, for example when we need to keep information to defend future legal claims.

--
⁷ When deciding whether a purpose is compatible with another, we may consider the nature of the personal data, if there is any relation between the two purposes, what the data subject would reasonably expect from the processing and any possible consequences the new processing might have on the data subject.

⁸ For those processing in the UK and South Africa, please refer to our Data Retention Policy for further guidance on our legal obligations to retain certain documents and guidance on setting retention periods.
--

f - Personal information must be processed in line with the data subject’s rights - data subjects generally have a right to:

a - be informed about the collection and use of their personal data.

b - request access to any personal information held about them (see paragraph 8 below – Dealing with Subject Access Requests);

c - ask to have inaccurate personal information amended, or to have any incomplete or out-of-date personal information completed or updated;

d - object to or prevent the processing of their personal information on reasonable grounds, including where the processing is likely to cause damage or distress to themselves or anyone else;

e - object to the processing for direct marketing purposes at any time;

f - request the restriction of processing in certain circumstances;

g - request that personal information concerning him or her is deleted without undue delay⁹;

h - lodge a complaint with a supervisory authority.

--
⁹ There may be grounds for refusing to comply with this type of request – for example, if the data remains necessary in relation to the purpose for which they were collected, if it needs to be retained for legal reasons or where the data controller has overriding legitimate grounds for the processing. Please consult the legal team if a request of this nature is received and further guidance is required.
--

In certain countries in which we operate, data subjects have additional rights, including: (i) the right to obtain from the data controller a copy of all personal information which the data subject has provided to the controller in a structured, electronic format that is commonly used and which permits further use by the data subject; (ii) the right not to be subject to automated decision making, including profiling; (iii) the right not to have his/her personal information processed for the purposes of direct marketing by means of unsolicited electronic communications and (iv) the right to initiate proceedings before the competent courts against a decision of a supervisory authority.

Where we are processing personal information on behalf of our clients we should ensure that our systems and processes enable us to assist our clients in responding to requests made by data subjects exercising these rights.

g - Personal information must be kept secure - appropriate technical and organisational measures must be put in place to protect personal information against unlawful or unauthorised processing of personal information, and against the accidental misuse, unauthorised access to, loss of, or damage to, personal information. Procedures and technologies must be put in place to maintain the security of all personal information from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal information.

For more information on the steps we take to ensure the security of personal information we process please refer to our information security policies and procedures.

h - Personal information should be transferred to third parties with caution – we must be transparent in relation to any transfers of personal information, and any transfer should be in accordance with what we have communicated to our data subjects (in a privacy notice or otherwise). In certain jurisdictions in which we operate we must ensure that we do not transfer personal information to a third party unless the data subject has consented to such transfer.

Where we are processing personal information on behalf of our clients, any transfers must be made in accordance with our contractual commitments, as well as any relevant privacy laws. Whenever we are transferring data to our sub-processors, care must be taken to ensure that any recipient treats information transferred to it appropriately – this is usually achieved through due diligence and a written agreement between Iress and the other party (see paragraph 6 below).

i - Personal information can only be transferred by Iress outside of the country in which it is collected in certain circumstances - as Iress is a global organisation this principle is particularly important to our business – we have therefore covered cross border transfers in more detail in paragraph 7 below.

5. Data protection impact assessments

Before commencing any processing which is likely to result in a high risk to data subjects, when engaging a third party who will process personal data on our behalf, and when implementing major system or business change programs involving the processing of personal data (for example, new technologies, programs, systems or processes), Iress will review the envisaged processing to assess the privacy risks, and identify measures to address these risks and demonstrate compliance with the privacy legislation in the relevant jurisdiction. This is documented in a Data Protection Impact Assessment (DPIA).¹⁰

6. Appointment of Another Party to Process Data on Iress’ Behalf ¹¹

Where we appoint another party to process personal information on our behalf then we will put in place a contract with that other party which imposes certain obligations on them, including obligations to comply with security requirements, to process personal information only in accordance with our instructions and not to engage further sub-processors without Iress’ consent. If a person to whom this policy applies is contemplating engaging another party to process personal information on our behalf - whether personal information Iress collects or personal information that we process on behalf of our clients – advice should be sought from the Iress legal team to ensure we have appropriate contracts in place.

7. Cross border tranfers

Transfer or Transit?

Any action that allows personal information to be accessed or makes the personal information available, or potentially available, to someone outside of the country in which the information was collected could amount to a ‘transfer’ of that personal information.

A transfer will not be deemed to have occurred if the personal information simply passes through another country on the way to a final destination unless some processing takes place in the other country en-route. In the context of the electronic transmission of personal information, this means that even though information may be routed through a third country on its journey from one country to another, this mere transit through a third country/ countries does not bring the transfer within the scope of the privacy legislation.¹²

--
¹⁰ For those processing personal data relating to data subjects based in the UK, EU or South Africa, please refer to the DPIA templates available on Iress HQ page for further information on when to carry out this type of assessment.

¹¹ Paragraph only applicable to Iress companies in the UK, EU and South Africa.

¹² Case law in the United Kingdom has held that uploading personal information onto a webpage only constitutes a transfer to another country if the relevant webpage is actually accessed by a person located in that country. The process of merely uploading the data does not fall within the scope of the legislation.
--

Can information be transferred outside of the country in which it was collected?

The rules in each jurisdiction are different, and a brief summary is below. However, if you require specific advice regarding cross-border transfers please contact the legal team.

United Kingdom and France

Personal information may be transferred outside of the UK or the European Economic Area (EEA) if any one of the following conditions are met:

a - the European Commission has made a finding of adequacy in relation to the country to which the personal information is being transferred (note that findings have been made for the UK, Canada and New Zealand¹³);

b - the transfer is covered by standard contractual clauses approved by the European Commission or by the UK Information Commissioner's Office (ICO).

c - the data subject consents explicitly to the transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

d - the transfer is necessary for the performance of a contract between the data subject and Iress, and the transfer is occasional (the transfer may happen more than once, but not regularly);

e - the transfer is necessary for the conclusion of performance of a contract concluded in the interest of the data subject between Iress and another individual or company, and the transfer is occasional (the transfer may happen more than once, but not regularly).

Where the condition in (b) is relied upon, the transfer may only be carried if the parties involved in the transfer have provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available in the country outside of the EEA or the UK (as applicable).

--
¹³ The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations concerning data subject to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, (private organisations) Jersey, New Zealand, Republic of Korea Switzerland, the UK and Uruguay as providing adequate protection.
--

Australia

As a general rule, personal information may be transferred to an overseas recipient where the entity disclosing personal information takes reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles (APPs). However, such reasonable steps are not required in any of the following situations:

a - the recipient of the personal information is subject to laws which offer a level of data protection substantially similar to APPs and the data subject has access to mechanisms to take action to enforce the protection of those laws;

b - the individual consents to the transfer (noting that the organisation must, prior to receiving such consent, expressly inform the individual that if he consents to the overseas disclosure of the information, the organisation will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs);

c - a "permitted general situation" exists (this includes circumstances where disclosure is necessary to prevent a serious threat to life; where an organisation suspects unlawful activity or serious misconduct; for locating an individual reported as missing; or where disclosure is necessary to establish or defend a legal or equitable claim);

d - the disclosure is required or authorized by law or a court/tribunal order.

Canada

The federal private sector privacy legislation (the Personal Information Protection and Electronic Documents Act 2000 (“PIPEDA”) does not prohibit organizations from transferring personal information outside of Canada. However, the transferring entity is accountable under the privacy legislation, and is expected to use contractual means to ensure a comparable level of protection of the personal information. In addition, the federal Privacy Commissioner has issued guidelines requesting that the transferring entity will give notice of such transfers to the data subjects.

Singapore

As per the Personal Data Protection Act 2012 (“PDPA”), the transfer of personal information out of Singapore is allowed, provided that the transfer is made in accordance with the requirements of Singapore privacy legislation in order to ensure that a comparable standard of protection is accorded to personal information that is to be transferred overseas.

Mechanisms to achieve a comparable level of protection may include: data transfer agreements (which the Commission has released - including model clauses); the individual has given consent (with prior notices in place); where transfers are considered necessary in certain circumstances (which include in connection with performance of contracts between the transferring organization and the individual, subject to certain conditions being met).

New Zealand

Transfer of personal information outside of New Zealand is permitted provided that the country to which the data is transferred provides comparable safeguards to NZ privacy legislation and the transfer complies with the basic principles set out in paragraph 4 above. If these conditions are not met, the New Zealand Commissioner (the local supervisory authority) may serve a transfer prohibition notice on the organization that intends to transfer the personal information concerned.

8. Dealing with subject access requests

Any member of staff who receives a written request from an individual (whether an employee, a job applicant, a client, a customer of a client or any other individual) for information that we hold about them should forward it to the legal department immediately.¹⁴

--
¹⁴ If you are based in the UK, EU or South Africa, please refer to Iress’ policies on Subject Access Requests for further information.
--

9. Implications of non-compliance

The implications of non-compliance are serious, and range from regulatory enforcement action (the level of fine that could be imposed upon us in certain countries in which we operate is potentially very high), commercial penalties under our client contracts and reputational damage.

In some jurisdictions in which we operate, more serious contraventions could amount to a criminal offence and our directors could be found personally liable.

Non-compliance with this policy by Iress employees can result in serious consequences including disciplinary action, and potentially dismissal.

10. Breach Reporting

If you have any concerns in relation to data protection issues, you should report these concerns immediately to the legal team, our Privacy Adviser (if you are based in the UK, EU or South Africa) or the Information Security team.

Where you have knowledge of or suspect that a data breach may have occurred then you must report it immediately. For more information on breach reporting please refer to our Data Breach/Security Incident Management Policy.

In all cases we undertake to treat details of individuals who report matters with the utmost confidence. This means that your identity will not be disclosed unless it is absolutely necessary to do so and no-one within our business should feel at a disadvantage in raising legitimate concerns.

11. Review of the Policy

We will regularly review this policy and we will amend it from time to time. Any questions or concerns about the content of this document, or recommendations for any amendments, should be referred to the legal team.

12. Version control

Procedural & Technical Information Security Controls employed by IRESS

In our capacity as both a data processor and a controller, we adopt and maintain a formal framework of procedural and technical Information Security controls. Our control set is aligned to and independently certified to ISO27001, the international standard for information security management. The table below lists the ISO27001 information security controls we apply, together with a description of how we apply them. The effectiveness of these controls is reviewed on an ongoing basis through internal and external assessments as well as automated health check metrics.

If you have entered into a data processing addendum/ variation with us to reflect the requirements of Article 28 of the GDPR, then these clauses form part of our agreement with you.  They apply where we transfer personal data (in relation to which you are a Controller) to members of the Iress group based outside of the European Union in the course of providing our solutions and services to you. 

Iress has not appointed a Data Protection Officer in the UK and is not required to do so pursuant to Article 37 of the GDPR. The role and responsibilities that would typically be assumed by a Data Protection Officer are spread across our legal, information security, compliance and risk functions within Iress.  

Queries in relation to Iress’ processing operations should be directed to Iress’ Compliance Officer who can be contacted at compliance@iress.com.

Any actual or suspected privacy breaches should be reported to our information security team who will manage the incident in accordance with its incident management procedure.

If you are resident in the EU you may raise any issues or queries relating to our processing of your personal data with our EU representative (appointed pursuant to Article 27 of the GDPR).

Our EU representative is Iress SAS, a member of the Iress Group incorporated in France. Our EU representative can be contacted directly by emailing them at the following address: qhhr@iress.com