Everyone has rights with regard to how their personal information is handled, and we recognise that the lawful and correct treatment of personal data is vital to our continued success in an increasingly regulated global marketplace. “Personal information” (which is essentially any information which is capable of identifying a living individual) is collected and processed every day in our business. During the course of our activities we collect, store and process personal information about our staff, suppliers, customers and our customers’ clients; and we are committed to ensuring that it is treated in an appropriate and lawful manner.
Iress Limited is our parent company based in Australia, however we have operations in several other countries, including the United Kingdom, South Africa, Canada, New Zealand, Hong Kong, Malaysia and Singapore. This document does not set out a detailed explanation of the data protection laws in each country in which we operate, but its aim is to establish a uniform minimum standard which applies to all of our employees, agency and temporary staff, contractors, sub-contractors, consultants, suppliers and business partners who handle personal information, irrespective of where they are based.
2. When does this policy apply
This policy applies when we are collecting and/or processing personal information, or where third parties are doing so on our behalf.
What is personal information?
For the purpose of this policy, personal information is information which relates to living individuals (“data subjects”) who can be identified from that information, or from that information put together with other information to which we have, or are likely to have access.
Personal information can include a wide variety of information, such as names, addresses (physical or email), telephone numbers, an identification number, location data, online identifiers and economic information. It can also include an opinion about an individual, their actions and behaviour. Personal information which is more sensitive could include details about a person’s health or genetics, racial or ethnic origin, gender, marital status, political opinions, religious beliefs and criminal background. It is important for us to understand whether the nature of the personal information being processed is sensitive as this may impact whether we are able to lawfully process it, as well as the technical and operational measures we adopt to ensure the information is appropriately protected.
What is processing?
The definition of processing is very wide. Activities such as obtaining, collecting, receiving, storing, recording, holding, using, disclosing, updating, hosting, analyzing, viewing, accessing, making available, copying, transferring or deleting personal information can be considered “processing”.
3. Collection of personal information
In cases where we collect personal information from data subjects and we determine the manner and purpose for which it is processed, then we must ensure that we are open and transparent with data subjects by providing them with certain information regarding how we use their personal information (this is usually in the form of a ‘privacy notice’).
The specific information to be included in a privacy notice can vary depending on where the data subject is located, and may also vary depending on whether we collect the personal information directly from the data subject, or we obtain it from a third party. For more detailed advice on when a privacy notice is required and the specific information to be provided within it, please consult with the legal team.
In cases where we process personal information in connection with the services we provide to our customers, we rely on our customers to ensure that when they are collecting personal information they provide all required information to data subjects which is sufficient in scope to enable us (and, if relevant, any third party service/ data providers who provide services to that customer via Iress) to process the personal information in the course of the provision of services. In some circumstances, and in certain jurisdictions in which we operate, it may be necessary for our customers to obtain the explicit consent of the data subject for Iress to process the data subject’s personal information. In these circumstances we will rely on our customers to ensure that such consents are in place.
4. Global data protection principles
Please note that in certain jurisdictions in which we operate, responsibility for compliance with the principles set out below will depend on the specific privacy laws of that jurisdiction and the capacity in which Iress is acting. For example, in the United Kingdom not all of these principles may apply if we are acting only as a data processor. If you are in doubt as to which principles apply in light of the capacity in which you may be acting, please contact the legal team.
a) Personal information must be processed fairly and lawfully - For personal information to be processed lawfully, certain conditions have to be met. Whilst a common way of establishing compliance with this principle is to obtain the consent of the data subject to the processing, there may be another basis upon which we can rely to show that we are processing information fairly and lawfully – the legal bases to show lawful processing vary depending on jurisdiction – examples include where the processing satisfies a legal obligation (as opposed to a contractual obligation), where the processing is necessary to enter into or carry out a contract to which the data subject is party (for example to process a job application or to administer employee pensions or payroll) or where the processing is necessary for the purposes of the legitimate interests pursued by the data controller (except where those interests are overridden by the interests, rights or freedoms of the data subject).
Where we are carrying out processing activities on behalf of our customers we will rely on our customers’ collection of personal information, and the making available of such personal information to us, being in compliance with the fair and lawful processing principle.
b) Personal information must be processed for limited specified purposes - personal information may only be processed for the specific purposes notified to the data subject or for a purpose which is compatible with that specific purpose(s) or for any other purposes specifically permitted by legislation. This means that we must not collect personal information for one purpose and then use it for another. If it becomes necessary to change the purpose for which the information is processed, the data subject must be informed of the new purpose, and in some jurisdictions, this must happen before any processing for that purpose occurs.
We must also ensure that where we are processing personal information in connection with services provided to customers we do so only in accordance with the purposes we have agreed with that customer – whether in our contract with that customer or otherwise.
c) Personal information must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed – in circumstances where we collect personal information we should consider what is necessary to collect in light of the purpose of the processing. Personal information should not be collected for some general or as yet unspecified future use. If there is no apparent need for the information being collected then it should not be collected - for example, we should not ask for or keep information about an employee’s religious or political beliefs, as this would not be considered relevant for the purposes of his or her employment.
d) Personal information must be kept accurate and, where necessary, up to date – where we are collecting personal information reasonable steps should be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Every reasonable step should be taken to ensure that personal information that is inaccurate or out-of-date is rectified or destroyed without delay.
Where we are processing personal information on behalf of our customers we should ensure that we have appropriate processes in place to enable us to respond to a request to amend inaccurate data which we may process on our customers’ behalf.
e) Personal information must not be kept for longer than is necessary – personal information must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the information is collected and processed. Personal information should be destroyed or erased from our systems when it is no longer required, unless it is necessary to retain it.
Determining how long it is necessary to retain personal information can sometimes be difficult – and it should be noted that we may have certain legal obligations to retain personal information and/or documents for specified time periods before we are able to destroy them. These legal obligations will mean that it is ‘necessary’ to keep the data for longer than we might otherwise require it.
f) Personal information must be processed in line with the data subject’s rights - data subjects generally have a right to:
(a) request access to any personal information held about them (see paragraph 8 below – Dealing with Subject Access Requests).
(b) prevent the processing of their personal information in certain circumstances - including for direct-marketing purposes.
(c) ask to have inaccurate personal information amended, or to have any incomplete personal information completed.
(d) object to or prevent processing of their personal information on reasonable grounds, including where the processing is likely to cause damage or distress to themselves or anyone else.
(e) request that personal information concerning him or her is deleted without undue delay.
In certain jurisdictions in which we operate, data subjects also have the right to obtain from the data controller a copy of all personal information which the data subject has provided to the controller in a structured, electronic format that is commonly used and which permits further use by the data subject.
Where we are processing personal information on behalf of our customers we should ensure that our systems and processes enable us to assist our customers in responding to requests made by data subjects exercising these rights.
g) Personal information must be kept secure - appropriate technical and organizational measures must be put in place to protect personal information against unlawful or unauthorised processing of personal information, and against the accidental misuse, unauthorized access to, loss of, or damage to, personal information. Procedures and technologies must be put in place to maintain the security of all personal information from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal information.
For more information on the steps we take to ensure the security of personal information we process please refer to our information security policies and procedures.
h) Personal information should be transferred to third parties with caution – We must be transparent in relation to any transfers of personal information, and any transfer should be in accordance with what we have communicated to our data subjects (in a privacy notice or otherwise). In certain jurisdictions in which we operate we must ensure that we do not transfer personal information to a third party unless the data subject has consented to such transfer.
Where we are processing personal information on behalf of our customers, any transfers must be made in accordance with our contractual commitments, as well as any relevant privacy laws. Whenever we are transferring data to a third party who is acting as our sub-processor, care must be taken to ensure that any third party recipient treats information transferred to it appropriately – this is usually achieved through due diligence and a written agreement between Iress and the relevant third party (see paragraph 6 below).
i) Personal information can only be transferred by Iress outside of the country in which it is collected in certain circumstances – as Iress is a global organization this principle is particularly important to our business – we have therefore covered cross border transfers in more detail in paragraph 7 below.
5. Data protection impact assessment
Before commencing any processing which is likely to result in a high risk to data subjects, and when implementing major system or business change programs involving the processing of personal data (for example, new technologies, programs, systems or processes), Iress will review the envisaged processing to assess the privacy risks, and identify measures to address these risks and demonstrate compliance with the privacy legislation in the relevant jurisdiction.
6. Appointment of a third party to process data on Iress' behalf
Where we appoint a third party to process personal information on our behalf then we will put in place a contract with that third party which imposes certain obligations on that third party, including obligations to comply with security requirements, to process personal information only in accordance with our instructions and not to engage further sub-processors without our consent. If a person to whom this policy applies is contemplating engaging a third party to process personal information on our behalf - whether personal information we collect, or personal information that we process on behalf of our customers – advice should be sought from the legal team to ensure we have appropriate contracts in place.
7. Cross border transfers
Transfer or Transit?
Any action that allows personal information to be accessed or makes the personal information available, or potentially available, to someone outside of the country in which the information was collected could amount to a ‘transfer’.
A transfer will not be deemed to have occurred if the personal information simply passes through another country on the way to a final destination unless some processing takes place in the other country en-route. In the context of the electronic transmission of personal information, this means that even though information may be routed through a third country on its journey from one country to another, this mere transit through a third country/countries does not bring the transfer within the scope of the privacy legislation.
Can information be transferred outside of the country in which it was collected?
The rules in each jurisdiction are different, and a brief summary is below. However, if you require specific advice regarding cross-border transfers please contact the legal team.
Personal information may be transferred outside of the European Economic Area (EEA) if any one of the following conditions are met:
a) the data subject consents;
b) the European Commission has made a finding of adequacy in relation to the country to which the personal information is being transferred (note that findings have been made in Canada and New Zealand);
c) the transfer is covered by standard contractual clauses approved by the European Commission; or
d) for a transfer to the US – if the transferee has signed up to the Privacy Shield.
Personal information may be transferred to an overseas recipient where at least one of the following applies:
a) the recipient of the personal information is subject to laws which uphold principles for the fair handling of the information and those laws are substantially similar to the Australian Privacy Principles (APPs);
b) the individual consents to the transfer (noting that the organisation must, prior to receiving such consent, expressly inform the individual that if he consents to the overseas disclosure of the information, the organisation will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs);
c) a "permitted general situation" exists (this includes circumstances where disclosure is necessary to prevent a serious threat to life; where an organisation suspects unlawful activity; or where disclosure is necessary to establish or defend a legal or equitable claim)
Personal information may be transferred to an overseas recipient where at least one of the following applies:
a) the recipient of the personal information is subject to a law or contract which provides for an adequate level of protection;
b) the data subject consents to the transfer;
c) the transfer is necessary for the performance of a contract, or for the implementation of pre-contractual measures at the data subject’s request;
d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
e) the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject’s consent, and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
The privacy legislation does not prohibit organizations from transferring personal information outside of Canada. However, the transferring entity is accountable under the privacy legislation, and is expected to use contractual means to ensure a comparable level of protection of the personal information.
Transfer of personal information out of Singapore is allowed, provided that the transfer is made in accordance with the requirements of Singapore privacy legislation to ensure that a comparable standard of protection is accorded to personal information that is to be transferred overseas.
Transfer of personal information outside of New Zealand is permitted provided that the country to which the data is transferred provides comparable safeguards to NZ privacy legislation and the transfer complies with the basic principles set out in paragraph 8 above.
Under Malaysian privacy laws, personal information may be transferred to jurisdictions outside of Malaysia if any one of the following applies:
a) the data subject has given his consent to the transfer;
b) where the transfer is necessary for the performance of a contract between the data subject and the data processor;
c) where the data processor has taken all reasonable steps and exercised all due diligence to ensure that the personal information will be processed in a manner which would not contravene Malaysian privacy laws.
There are currently no restrictions for transfer of personal information outside of Hong Kong, however there are good practice guidelines (Personal Data Ordinance (Cap. 486) section 33) which suggest cross border transfers may only occur where an entity has obtained consent from the data subject, or, where the recipient resides in a jurisdiction with comparable safeguards.
8. Dealing with subject access requests
Any member of Staff who receives a written request from an individual (whether an employee, a customer, a client of a customer, or any other individual) for information that we hold about them should forward it to the legal department immediately.
9. Implications of non compliance
The implications of non-compliance are serious, and range from regulatory enforcement action (the level of fine that could be imposed upon us in certain countries in which we operate is potentially very high), commercial penalties under our customer contracts, and reputational damage.
In some jurisdictions in which we operate, more serious contraventions could amount to a criminal offence and our directors could be found personally liable.
Non-compliance with this policy by Iress employees can result in serious consequences including disciplinary action, and potentially dismissal.
10. Breach reporting
If you have any concerns in relation to data protection issues, you should report these concerns immediately to our Information Security team. For more information on breach reporting please refer to the breach reporting section of our Information Security Policy.
In all cases we undertake to treat details of individuals who report matters with the utmost confidence. This means that your identity will not be disclosed unless it is absolutely necessary to do so and no-one within our business should feel at a disadvantage in raising legitimate concerns.
11. Review of the policy
We will regularly review the effectiveness of this policy to ensure it is achieving its stated objectives and we will amend it from time to time. Any questions or concerns about the content of this document, or recommendations for any amendments, should be referred to the legal team.
The General Data Protection Regulation (“GDPR”), which comes into force on 25 May 2018, provides that personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
The GDPR does not set out specified time limits for the retention of data or guidance on the application of this principle, leaving the onus on organisations to determine what is "necessary" in any particular circumstances.
This policy is intended to assist business areas in determining data retention periods for the data it uses, processes and stores, and defines Iress' key requirements regarding the retention of data. It is intended to ensure that all data that we use within our business is retained only for as long as is necessary for legal, regulatory and business purposes.
What is covered by “data”?
“Data” includes all information held, stored or processed by Iress regardless of media, and includes electronic records, databases, systems (for example: SharePoint, Outlook, Workday, shared drives), paper documents, recorded voice data, correspondence (including personal diaries and notebooks), plans, drawings, facsimiles, disks, CD-Roms, imaging materials and any other hard copy or electronic information used within our business.
Who does this policy apply to?
This policy applies to all business areas within Iress and it covers all individuals working at Iress, including employees, consultants, contractors, casual and agency workers. Where Iress uses sub-contractors, or third party service providers, it is the responsibility of the relevant business area to ensure that the third party is adhering to their data retention standards in the activities it undertakes on Iress' behalf. These requirements should also be defined and expressed as an obligation on the third party service provider within the contract.
Information Asset Register
Each business area must maintain an Information Asset Register. This register must capture the type of data being processed, the business function to which it relates, the media on which the data is held (e.g. paper, shared drive, electronic database) and the relevant retention period - with a justification for that retention period if appropriate. A template Information Asset Register is available from the Information Security or Legal Team.
Each business area must ensure that its Information Asset Register is reviewed regularly and updated where appropriate.
Legal and Regulatory Requirements
Iress must adhere to all relevant legal and regulatory data retention requirements and each business area must consider whether there are any legal / regulatory data retention requirements applicable to its operations.
Schedule* contains details of relevant legal / regulatory retention periods applicable to certain types of documents - this is not intended to be an exhaustive list.
If you believe or have been informed that there are any ongoing, anticipated or threatened legal or regulatory proceedings involving Iress, or if you are aware of anything that could give rise to such legal or regulatory proceedings, you must keep all documents that are in any way related to the subject of that investigation or those legal proceedings and must not destroy or amend these in any way – even if the assigned retention period has passed. All such documents should be brought to the attention of the Legal Team. If you have any concerns, these should be raised with your line manager or the Legal Team BEFORE any documents are destroyed.
How do I set a data retention period?
It is up to each business area to determine appropriate data retention periods applicable to the types of data it holds. When determining how long specific categories of data should be retained, consideration should be given to the current and future value of the data, the costs and risks associated with retaining the data and the ease or difficulty of making sure the data remains accurate and up to date. In particular, consideration should be given to the following questions:
*Legal (legitimate) bases for processing personal data
If you determine that a document should be destroyed, the document should be destroyed confidentially and securely. If you are destroying a significant number of documents, you may wish to keep a record of the destruction and the reason for the destruction. If you require more information in relation to secure and permanent destruction, please consult the Information Security team.
Each business area should ensure that it reviews the retention policies that it sets on a regular basis, and that it updates its Information Asset Register accordingly. Business areas should also ensure that they have systems in place for ensuring that retention periods are adhered to in practice.
Archiving personal data
Information that is archived is subject to the same requirements as live information. This is particularly the case where the data is archived in a structured, retrievable manner. Data should therefore only be archived (rather than deleted) if there is a need for it to be retained. The rights of a data subject to request access to their personal data, and to have it amended, apply to personal data for as long as it is archived. However, under the current ICO Guidance** on deletion of data, the ICO acknowledges that archived data that is in effect dormant is much less likely to have an unfair or detrimental effect on a data subject and it is likely that it will take this fact into account when considering potential sanctions for a breach of the privacy principles. When considering how to deal with personal data that is stored within historic archives of Iress, business areas should make a risk-based decision based upon whether continued storage of the personal data is likely to have a detrimental effect on a data subject. If the data is to be retained, then business areas should put this data beyond use. Data will be beyond use if Iress:
The guidance on archiving is taken from the current ICO Guidance on the deletion of data – the ICO has said that the deletion guidance will remain “relevant” under the GDPR, but it will be publishing updated guidance in the future. This guidance may be considered by business areas when setting data retention policies and making risk based decisions. Where this guidance is used to justify a decision on a retention period, please refer to this in the Information Asset Register.
Where data is put beyond use this doesn’t need to be provided in response to a subject access request. However, the data may still need to be provided in response to a court order. We should therefore work towards technical solutions to prevent deletion problems recurring in the future.
Suspension of compliance
As a general rule, data controllers should aim for the physical deletion of personal data as soon as it is no longer necessary for the purposes for which it was originally collected. However, in the context of modern IT systems, it is not always possible to completely delete information from all equipment under the control of the data controller or one of his data processors. For example, personal data processed in the context of a cloud computing contract is often "virtualised" or stored on a variety of different servers (some of which may be outside the EU). The ICO takes a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter. It will consider that data compliance should be "suspended" in the following situations:
In order to comply with Article 30 of the GDPR, a record of processing document with details for each of our products is available as a PDF, listed below for download:
Procedural & Technical Information Security Controls employed by IRESS
In our capacity as both a data processor and a controller, we adopt and maintain a formal framework of procedural and technical Information Security controls. Our control set is aligned to and independently certified to ISO27001, the international standard for information security management. The table below lists the ISO27001 information security controls we apply, together with a description of how we apply them. The effectiveness of these controls is reviewed on an ongoing basis through internal and external assessments as well as automated health check metrics.
If you have entered into a data processing addendum/ variation with us to reflect the requirements of Article 28 of the GDPR, then these clauses form part of our agreement with you. They apply where we transfer personal data (in relation to which you are a Controller) to members of the IRESS group based outside of the European Union in the course of providing our solutions and services to you.
Iress has not appointed a Data Protection Officer in the UK and is not required to do so pursuant to Article 37 of the GDPR. The role and responsibilities that would typically be assumed by a Data Protection Officer are spread across our legal, information security, compliance and risk functions within Iress.
Queries in relation to Iress’ processing operations should be directed to Iress’ Compliance Officer who can be contacted at firstname.lastname@example.org.
Any actual or suspected privacy breaches should be reported to our information security team who will manage the incident in accordance with its incident management procedure.