Protecting your data

Data is arguably the most important resource that can be used and stored by a company, and at Cognisess we work hard to protect and maximise the data we collect on your behalf.

Cognisess and Microsoft Azure
Azure safeguards customer data in the cloud and provides support for companies that are bound by extensive regulations regarding the use, transmission, and storage of customer data. Azure meets the broad set of international, industry-specific, and country-specific standards including:

  • Australia CCSL
  • FedRAMP
  • HIPAA/HITECH
  • ISO/IEC 27001
  • Singapore MTCS
  • SOC 1, SOC 2, and SOC 3
  • UK G-Cloud

Helping to protect data at rest and data in transit
Data is your most valuable and irreplaceable asset, and encryption serves as the last and strongest line of defence in a multilayered data security strategy. Cognisess takes advantage of Microsoft Azure's encryption technology to safeguard data and help maintain control over it. Encryption transforms data so that only someone with the decryption key can access it.

Azure uses industry-standard secure transport protocols for data as it moves through the network - whether between user devices and Microsoft data-centres or within data-centres themselves. We use Transparent Data Encryption, which Azure provides as standard, to encrypt all the data we collect at rest, ensuring that the data remains protected even when not in direct use.

By doing this, we can guarantee that the data used by Cognisess is as safe, throughout its entire life cycle, as state-of-the-art technology permits.

Security and monitoring alerts
Cognisess monitors for and tries to prevent security breaches. We implement security safeguards designed to protect your data, such as HTTPS. We regularly monitor our systems for possible vulnerabilities and attacks.

Where is your data stored?
All of the data we collect on our platform is stored on Microsoft Azure secure servers, allowing us to ensure that our encryption is of the highest industry standards at an international level, and is constantly updated by experts in the field.

Because the data storage meets the strict regulations for data storage across the European Union as well as other international standards, Cognisess are able to host data across a wide range of nations. This is often a very important requirement for specific national standards.

By meeting this, Cognisess are able to proudly offer their services to an extremely wide range of businesses across the globe.

ISO/IEC 27018 Code of practice for protecting personal data in the cloud
The International Organisation for Standardisation (ISO) is an independent non-governmental organisation and the world's largest developer of voluntary international standards. The ISO/IEC 27000 family of standards helps organisations of every type and size to keep information assets secure.

In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001 and the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.

At least once a year, Microsoft Azure is audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively. As part of this compliance verification process, the auditors validate in their statement of applicability that Microsoft in-scope cloud services and commercial technical support services have incorporated ISO/IEC 27018 controls for the protection of PII in Azure. To remain compliant, Microsoft cloud services must be subject to annual third-party reviews.

By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, Microsoft - the first major cloud provider to incorporate this code of practice - demonstrates that its privacy policies and procedures are robust and in line with its high standards. Cognisess and its customers can take advantage of these protocols.

Collecting and handling data

At Cognisess we treat all data with the highest level of security both externally and internally. Data is never sold on to, or shared with, third parties without your consent.

At a personal level, specific users are only contacted by Cognisess when consent is granted by the user or by those responsible within an organisation. By doing this we ensure that both collective and individual data is treated with the highest level of respect and confidentiality.

Privacy
Cognisess understands that when you, our customer, use our business services, you are entrusting us with your most valuable asset - your data. You trust that its privacy will be protected and that it will be used in a way that is consistent with your expectations.

Our approach to privacy is grounded in our commitment to give you control over the collection, use, and distribution of your data. We are transparent about the specific policies and technologies that help ensure the privacy of your data in Cognisess.

You own your own data
You own all your own data that you place in Cognisess - including text, sound, video, or file images and results. You can access your data at any time and we use your data only to provide the services we have agreed upon, and do not mine it for marketing and advertising.

You know where your data is located
Customers who must maintain their data in a specific geographic location, such as within the EU, can rely on Microsoft Azure's expanding network of data-centres around the world (see diagram above). Microsoft Azure complies with international data protection laws regarding transfers across borders.

Data retention
We retain the personal data you provide while your account is in existence or as needed to provide you with Cognisess services. Even if you only use our services when looking for a new job or as an employee, we will retain your information and keep your profile open until you or your employer decides to close the account.

In some cases we choose to aggregate information in a de-personalised or aggregated form for norming and research purposes.

Rights to access and control your personal data
You can access or delete your personal data at any time, and we provide you with options to do this in your profile. If you choose to close your Cognisess account, your personal data will generally stop being visible to others on our service within 24 hours.

We do retain some data even after you have closed your account if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, and enforce our terms and conditions.

The information you provide

When applying for jobs using the Cognisess platform, candidates are not required to give any personal information during the profile creation stage: neither their name, title, age, gender, nor any other piece of information is mandatory. The username and password created can be entirely anonymous. This way, we ensure that any data we obtain is given willingly by users.

When an employee registers, we do request a little more data for the purposes of benchmarking and other analyses; however, this data is not used for other purposes unless consent is provided.

Bias free methodology

Most importantly, personal data such as age and gender will never be included in any kind of job suitability profiler, thus eliminating bias as well as keeping data confidential.

When considering more sensitive information, we are aware that it is necessary to give results without compromising the confidentiality we owe to those who use the system.

Therefore, when giving an overview of personality, we only ever display a summary of the user’s general personality traits, without giving specific question responses. By doing this we are able to give out all the information that an employer would need, whilst simultaneously keeping individual data confidential.

Data collected for employee engagement and other staff surveys is collated and released as group data, meaning that if a certain threshold of minimum user completions has not been met, the platform will ‘lock’ the results. This ensures that no user is identifiable when completing anonymous surveys. The normal release groups are 5 or 10 completed responses.

The only information that is required explicitly for Cognisess (as opposed to required for a specific client organisation who is for example advertising the job) is the billing information provided by the organisation administrator. The administrator profile is always attached to a specific individual with password protection, and data is still encrypted to the highest standard, ensuring that all data is safe for both user and manager.

Through these measures we endeavour to keep even the smallest pieces of data safe and secure. Any attempt to breach servers running our platform or hosting our databases will result in immediate notification of Microsoft security specialists as well as our internal experts. By doing this, we ensure that any attempt to obtain private data will be dealt with extremely quickly by a dedicated professional.

Meeting the new GDPR legislation

Introduction to GDPR
The General Data Protection Regulation, or GDPR, will set a new bar globally for privacy rights, security, and compliance. At Cognisess, we believe privacy is a fundamental right and that the GDPR is an important step forward in protecting and enabling the privacy rights of individuals. Many of the measures required for GDPR have already been met, ensuring that our data policies are of the highest standard moving forward from May 2018.

What is the GDPR?
The GDPR is the European Union's new data protection law. It replaces the Data Protection Directive ("Directive"), which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organisations that collect, handle, or analyse personal data. The GDPR also gives national regulators new powers to impose significant fines on organisations that breach the law.

When does the GDPR take effect?
The GDPR takes effect on May 25, 2018. The GDPR actually became law in April 2016, but given the significant changes, organisations have been given time to comply.

What are the main requirements of the GDPR?
The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles:

  1. Transparency, fairness and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
  2. Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
  3. Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
  4. Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
  5. Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
  6. Ensuring security, integrity, and confidentiality of personal data. Your organisation must take steps to keep personal data secure through technical and organisational security measures.

Does the GDPR apply to my organisation?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR is applicable to organisations of all sizes and all industries.

Specifically, the GDPR applies to:

  • processing of anyone's personal data, if the processing is done in the context of the activities of an organisation established in the EU (regardless of where the processing takes place);
  • processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour.

The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.

Personal User Security

Cognisess know how important trust in technology is, and want to help make the system and its use as safe and reliable as possible. To ensure this, we need your help. We suggest taking a few measures on the user end to help keep the platform as secure as it can be:

  • Passwords should be individual, hard to guess, and contain mixtures of numbers, letters and, ideally, symbols. It is easy to retrieve a lost password in case you forget it, so please make it as secure as you can.
  • Do not share your account details with anyone. Cognisess support staff might ask you for your name, username, or email address with which you registered your account to find you on the system, but we never need your password. Please don’t share it with anyone!
  • Please ensure that you are using a secure and encrypted Internet connection. Public networks or non-encrypted shared networks are generally not advisable for sending and receiving confidential information.
  • Screen lock: please ensure that you log off the platform fully once you are done, and do not leave your computer unattended while logged in.

Copyright © 2017 Cognisess Ltd. All rights reserved.