Privacy Policy
Purpose
This Privacy Policy describes the data practices related to the Diversity Atlas survey, its dashboard (for users who have access to it) as well as the use of our websites (diversityatlas.io and membership.diversityatlas.io) and our membership program. We aim to ensure transparency and compliance with applicable privacy laws and regulations.
For any questions or clarifications on the contents of this Privacy Policy, please contact us at [email protected]
This document was last updated 9 October 2024.
DEFINITIONS
We
In this document, ‘we’ means Diversity Atlas Pty Ltd, the company that supplies Diversity Atlas and the Inclusive Employer Index. We are a Data Processor as defined by the European Union’s General Data Protection Regulation (GDPR).
Our Service(s)
‘Our service(s)’ or ‘Diversity Atlas services’ refers to Diversity Atlas websites and platforms, including any Diversity Atlas survey, the Diversity Atlas administrator dashboard, and the Diversity Atlas membership program. Diversity Atlas websites are at https://diversityatlas.io and may include subdomains, including https://membership.diversityatlas.io. Diversity Atlas may support organisations with additional types of work, including but not limited to on-the-ground research, custom survey design, advice or project support. In such cases, unless other agreements are made following a privacy risk assessment, this privacy policy continues to apply.
Client Organisation
An entity to whom Diversity Atlas is providing services. This could be a private business, a government agency, an event organising body, or non-governmental organisation (NGO). A client organisation is a Data Controller as defined by GDPR.
Organisational Administrator
An employee or contractor of a client organisation designated by that organisation to have administrator access to Diversity Atlas services, particularly, the Diversity Atlas dashboard that allows that administrator to view and analyse results of a survey.
(Individual) User
An individual user refers to a person who uses Diversity Atlas services, whether by interacting with the Diversity Atlas websites (diversityatlas.io and membership.diversityatlas.io), participating in surveys, signing up for membership, or using any other services provided by Diversity Atlas. Individual users are considered among other applicable laws, Data Subjects under GDPR, meaning they have specific rights regarding their personal data, including the right to access, correct, delete, and restrict processing of their data.
(Survey) Respondent/Participant
A respondent is a person who provides their personal information as part of their participation in a Diversity Atlas survey. A respondent is a Data Subject as defined by the GDPR.
Table 1: Overview of GDPR roles
Data Controller
A note on Client Organisation obligations
Our code of conduct to which all client organisations and organisational administrators must abide is published here.
Diversity Atlas anonymously collects diversity information from survey respondents within the client organisation for the purpose of promoting cultural harmony. It generates graphs, charts and statistical insights that illustrates the cultural diversity of that entity.
Survey respondents should note that our Privacy Policy covers Diversity Atlas’s obligations and does not specifically cover client organisations’ responsibilities with regards to the information provided by participants in a Diversity Atlas survey, however, we make clear contractually that client organisations must handle the information provided by respondents in accordance with all national and local privacy laws and regulations that apply to them, as well as understand and observe a shared responsibility model, and contractually agree to accept as a minimum our own Code of Conduct, Privacy Policy (this document), and Terms & Conditions.
In addition, Diversity Atlas will only proceed with deploying a survey within an organisation after ensuring that its administrator is fully aware of its privacy and security responsibilities regarding its use of respondents’ data, which we outline in a Code of Conduct liked to our Terms & Cinditions that our clients must sign before having access to Diversity Atlas. These privacy obligations are reiterated in the contracts that we sign with our clients.
We strive to ensure optimal handling of data and we help our clients to establish risk management frameworks that include privacy and information security best practices as an essential part of their use of Diversity Atlas.
We encourage respondents to communicate with their organisational contact person or their human resources department to discuss any concerns or seek any clarifications about their own rights, and their organisation’s obligations regarding the handling of demographic and cultural information collected through Diversity Atlas.
If an employer or authority seeks to make participation in a Diversity Atlas survey mandatory in their workplace, we encourage any respondent to contact Diversity Atlas at [email protected]. If any survey participant believes that their organisation has mishandled their data, or in any way not met their obligations regarding a respondent’s privacy, we encourage them to both contact Diversity Atlas and lodge a complaint at the Office of the Australian Information Commissioner, OAIC (if in Australia), or the equivalent Supervisory Authority in their country / state / region.
Using our Websites
Our websites, diversityatlas.io and membership.diversityatlas.io, are built using WordPress. These websites utilise various plugins including GravityForms, Paid Membership Pro, Modern Events Calendar, Zoho SalesIQ, CloudFlare, and WPML. Additionally, we use Zoho CRM for customer relationship management.
Our website servers are based in Australia and the EU, and website content is distributed using Cloudflare per below.
What are cookies, and how do we use them?
Cookies are files with small amounts of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and are stored on your device. We do not use advertising cookies or share data with third parties, except for functional purposes as mentioned below.
We may collect information on how the Diversity Atlas websites are accessed and used, which is known as Usage Data. For survey participants, this Usage Data does not include your Internet Protocol address (IP Address) or any other Personal Identifiable Information (PII) but can give us information about browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, which type of device you are using, and other diagnostic data. This helps us to continuously improve the accessibility of our survey for use on different devices.
We use cookies and similar tracking technologies to monitor and hold certain information about your use of our websites including the membership program. We use beacons, tags, and scripts to collect and track information about how people use our website, and to improve our services. For example, these technologies allow us to understand if people are spending large amounts of time on one page, or whether things such as our contact forms are working correctly.
You can instruct your browser to refuse all non-essential cookies or to indicate when a cookie is being sent by a website. If you do not accept cookies, you may not be able to use some portions of our website. Note that if you select options like “do not allow cookies”, you will still have one cookie added to your device so that we remember your preferences the next time you visit the site.
Data Collection and Usage
We collect personal data through forms on our websites, which may include but are not limited to contact forms, registration forms, and membership sign-ups. This data is collected using WordPress’ inbuilt features and the GravityForms plugin, and is stored securely within our systems.
For users who sign up for our membership program via membership.diversityatlas.io, we collect additional data required for membership management. This data is handled through the Paid Membership Pro plugin and integrated with Zoho CRM for administrative purposes.
Cookies and Tracking Technologies
Our websites use cookies and similar tracking technologies to enhance user experience and collect information about user interactions. These cookies include essential cookies for login and session management, functionality cookies for user preferences, and analytics cookies for usage statistics.
As is standard, we use Google Analytics to collect and store information about how visitors interact with our websites (diversityatlas.io and membership.diversityatlas.io). This helps us analyse website traffic and improve our services. The information collected by Google Analytics may include your IP address, browser type, pages visited, and the time and date of your visit. This data is kept confidential and is used solely for internal analysis. We do not share this information with any third-party companies. You can opt-out of Google Analytics tracking by taking steps such as installing the Google Analytics opt-out browser add-on.
We use Zoho SalesIQ to chat with website visitors, as well as to track visitor interactions on our websites. Information you give us during a chat session may be stored in our CRM, Zoho CRM. These integrate so that we remember our past interactions and can follow up with you appropriately. For example, say you start a chat with us on the website, because you have a question about the Diversity Atlas survey. We’ll store that interaction in our CRM, and next time we connect, we’ll be able to refer back to our previous chat so you don’t need to repeat yourself.
We use Cloudflare to enhance the security and performance of our websites. In straight-forward terms, this service stores parts of our website around the world, so that when you visit us, the data gets to you more quickly. Cloudflare may place cookies on your browser to assist with content delivery and security measures. Data collected by Cloudflare is subject to their privacy policy.
Our websites also utilise WPML (WordPress Multilingual) to enable language translation switching. WPML may use cookies to remember your language preferences. The authoritative version of our website is in English.
Table 2: Useful third-party privacy policies
Third-Party Plugins and Embedded Content
Articles on our websites may include embedded content from other websites (e.g., videos posted from our YouTube account, images, or articles). These third-party websites may collect data about you, use cookies, and monitor your interaction with the embedded content. We advise reviewing the privacy policies of these external sites for more information.
User Rights and Data Management
Users who have accounts or have left comments on our websites can request to receive an exported file of the personal data we hold about them, including any data provided to us. Users can also request that we erase any personal data we hold about them, except for data we are obliged to retain for administrative, legal, or security purposes.
We retain user data collected through our websites for as long as necessary to provide our services and fulfil the purposes outlined in this privacy policy. Users can request deletion of their data at any time, subject to legal and operational requirements.
Security Measures
We implement robust security measures to protect personal data collected through our websites. This includes SSL encryption for data transmission, secure storage solutions, and regular security audits. Our WordPress installations and plugins are regularly updated to mitigate security vulnerabilities.
Membership program
Our membership program, available via membership.diversityatlas.io, is managed using the Paid Membership Pro plugin. This program allows users to sign up for different membership tiers, access exclusive content, and participate in member-only events. During the sign-up process, we collect various types of personal information necessary for membership management and service provision.
Types of Data Captured: When users sign up for our membership program, we collect the following information:
- Personal Information: This includes your name, email address, mailing address, and phone number. It may include organisational information, particularly for organisational memberships.
- Account Information: Username, password, and membership tier details.
- Payment Information: Credit card details or other payment method information, which are securely processed through our payment gateway and not stored on our servers. This information is necessary to process your payment.
- Demographic Information: Age, gender, and other optional information that helps us tailor the membership experience.
- Usage Data: Information about how you interact with the membership site, including login times, pages visited, and services used.
Use of Stripe for Payment Processing: We use Stripe as our payment processor to handle payments made for the membership program via our websites. Stripe is a secure and trusted payment gateway that complies with industry standards for payment processing and data protection. When you make a payment, your payment details are securely transmitted to Stripe for processing. We do not store your full credit card information on our services. Stripe handles all sensitive payment data in accordance with their strict security protocols and compliance requirements. To facilitate payment processing, we share relevant personal data with Stripe. This includes transaction details and the personal information required to authenticate and complete the payment. Stripe’s privacy policy governs the use and protection of this data, and that can be found on their website here: https://stripe.com/privacy
Integration with OpenLearning platform: Our membership website is integrated with the OpenLearning course platform to provide a seamless learning experience for our members. When you log in to the OpenLearning platform using your Diversity Atlas membership, we share basic information such as your name, email address, membership status, and course status between the two systems. Additionally, any information about badges or certificates you complete via OpenLearning will also be shared with the membership site to keep your records up to date. This integration allows us to offer you a cohesive and efficient learning journey. All data shared between Diversity Atlas and OpenLearning is handled securely and in compliance with our privacy policy and applicable data protection regulations. Similar data may also be shared with certification platforms (such as, but not necessarily, Badgr.io or Accredible) so that we can provide you with badges that can be shared on your social profiles. OpenLearning’s privacy policy may be found at: https://solutions.openlearning.com/privacy-policy
Data Storage and Security: All personal data collected through the membership program is stored securely on our servers, which are protected by industry-standard security measures. We use SSL encryption to safeguard data during transmission and implement robust security protocols to prevent unauthorized access to stored data. Payment information is handled by Stripe as described above.
Data Retention: We retain personal data for as long as necessary to provide our membership services and fulfill the purposes outlined in this privacy policy. This includes maintaining user profiles, processing payments, and managing membership subscriptions. Users can request to view, update, or delete their personal information at any time by contacting our support team. However, certain data may be retained for legal, administrative, or security purposes.
By participating in our membership program, you consent to the collection, storage, and use of your personal data as described in this privacy policy. We are committed to protecting your privacy and ensuring that your data is handled with the utmost care and respect.
The Diversity Atlas Survey and your privacy
Your participation in a Diversity Atlas survey involves the provision of cultural and demographic information—that is, information about you that a third party might be able to use to identify you if they gained access to it. For example, if you say that you are a white Australian woman aged 38 who works at ‘Organisation X’, and there is only person that meets that description at Organisation X, you would be identifiable from your responses. For this reason we have special rules in place around the data we collect, including the ‘Rule of 20’, which you can read about below.
As a survey respondent, you should understand that there are unavoidable risks involved in the provision of personal information to any entity, however we believe that we have taken every available measure to ensure this will not happen, including but not limited to full encryption, anonymity, ISO/IEC 27001:2022 certification, systems to ensure pseudonymisation, and a storing the platform in a secure cloud-based server.
We do not validate and verify participants’ input—so you will never hear from us saying that your response was wrong, as we do not know who has answered what in the survey, and we are not in a position to decide how other people describe themselves.
Anonymous method of surveying:
The beauty of the Diversity Atlas survey is that you are anonymous. Your answers form part of your organisation's diversity snapshot but cannot be attributed to any individual participant.
In its default configuration, the Diversity Atlas survey invites respondents to provide information about themselves which is considered ‘sensitive information’ under Section 6(1) of Australia’s Privacy Act and article 9 of the European Union GDPR. This includes information about:
- Ancestral and/or cultural heritage
- Sexual orientation
- Religion / Worldview
- Disability
Answering these, or any, of the survey questions is entirely voluntary. Respondents are under no obligation to answer these questions and can indicate in the Diversity Atlas survey that they prefer not to answer them.
Organisations may have custom questions added to the survey by the Diversity Atlas team, or have default questions removed from the survey, and they must ensure ongoing compliance with the principles of privacy and anonymity as described in this document.
How your information is used
Once a Diversity Atlas survey has been completed, the results are made available to the client organisation’s Organisational Admin via the Diversity Atlas online dashboard.
Using this dashboard, Organisational Administrators can undertake analysis and generate reports based on the results of the survey. Access to this Dashboard is limited to the designated Organisational Administrator(s) and is protected with SSL-encrypted passwords. Each page of Diversity Atlas has an SSL certificate. Our web server is located in a highly secured domain. All website data is backed up on a daily, weekly and monthly basis.
The Diversity Atlas dashboard used by Organisational Administrators limits visibility of participants’ data to preserve their confidentiality. Organisational Administrators can see how many people in their organisation have completed the survey, but they cannot see who has completed the survey, or any participant’s specific answers.
What admins can see:
- How many people responded to the survey
- Overall organisational results
- Diversity metrics at the level of teams or departments, as long as there are at least 20 participants (see the Rule of 20)
What they can't see:
- Respondents’ individual answers
- The names of any respondents
- Results for any teams within the organisation (eg: a business unit, or region) in which fewer than 2 people have responded
Diversity Atlas has this same level of access, only if the Client Organisation requests it and enables ‘view’ consent. This is typically granted so that we can provide technical, administrative, or expert support. Otherwise, Diversity Atlas team members cannot view a Client Organisation’s survey data. Diversity Atlas team members cannot view or modify respondents’ survey answers.
Your individual data is never, under any circumstances, disclosed, shared, or sold to a third party. Aggregated anonymised data where you as an individual are not identifiable may be used for research projects, whether by Diversity Atlas directly, or affiliated researchers, but only with consent by your administrator.
Rule of 20
No survey results are shown unless 20 people have submitted a survey. This applies not just at the level of an organisation, but also to any sub-unit of that organisation such as department, or office, or business unit. For example, if you are part of a marketing department that has fewer than 20 people, in an organisation with 200 people, your Organisational Administrator would be able to view the overall diversity results for your organisation, but not for the marketing department. This is to protect your privacy, while still allowing your personal results to matter for the organisation.
Filter enquiries are also subject to the rule of 20. For example, the dashboard allows Organisational Administrators to filter results by gender or age. If the query is to show results for ‘women’ between the ages of 20 and 40, no results will be shown unless there are at least 20 women in that age range.
Sometimes organisations ask for different thresholds. For instance, for the DCA Inclusive Employer survey, the ‘all’ figure is even higher, at ‘36’, but the filter queries across diversity demographics is set at ‘10’. Where there are deviations from the Rule of 20, Client Organisations and/or their Organisational Administrators are responsible for telling their potential survey respondents, so that individuals can decide for themselves whether they take part or not.
Survey data storage and security
We store all users’ information on servers protected by world-leading standards of data integrity.
In Australia, all databases containing survey users’ data are stored on our Amazon Web Services (AWS) servers in Sydney, Australia. We have the capacity to make our services available to clients using other servers located anywhere in the world, pursuant to their needs and any legislative requirements for the storage of personal data. In EU jurisdictions, survey data is hosted at AWS servers in Berlin, Germany.
Encryption
The Diversity Atlas survey administrator dashboard is only accessible to Organisational Administrators with a password. These passwords are SSL encrypted using the Hash function, meaning nobody has access to them—including the Diversity Atlas team.
Diversity Atlas uses column-based encryption to offer additional protection to the information provided by respondents in a Diversity Atlas survey.
Retention of survey data
We will retain your Personal Data only for as long as it is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our website, or we are legally obligated to retain this data for longer periods.
To meet privacy requirements, upon completion of the Diversity Atlas survey participants are offered options to edit / delete data at any time in the future that the data is still held.
Shared responsibilities
Shared responsibility is collaboration between two parties performing their duties to maintain the secure environment. Diversity Atlas and its customers (Client Organisations/Organisational Administrators and individual users) share equal responsibility of security and compliance. This security model helps to establish secure environment with less operational overhead as Diversity Atlas operates, manages, and controls the facilities that they run.
As shown below, there are different responsibilities that refers to the security of the platform versus security in the platform.
Shared Controls: In a shared control, AWS gives the information of requirements for the infrastructure and the customer comes up with their own control implementation within their use of AWS services. For example:
- Patch management.
- Configuration management.
- Awareness and training.
Contact Us
If you have any questions about this Privacy Policy, please contact us:
By email: [email protected]
By completing a contact form on our website: Contact us page
By phone: +61394126666
By mail: 2/273-277 Wellington St, Collingwood, Victoria, Australia, 3088