Effective date: 12 July 2022
At Diversity Atlas, we understand the concerns our clients and their team members may have about the privacy of their data. Users of Diversity Atlas can be confident that we take their privacy very seriously. We will continue to benchmark our privacy and information security practices against the leading legislative and technical standards.
In this document, ‘we’ means Cultural Infusion (Int) Pty Ltd, the company that supplies Diversity Atlas and Inclusive Employer Index. We are a Data Processor as defined by the European Union’s General Data Protection Regulation (GDPR).
The term ‘our service’ refers to the Diversity Atlas website, which includes the Diversity Atlas survey questionnaire and the Diversity Atlas administrator and analytics dashboard.
A client organisation is the entity to whom Diversity Atlas is providing access to our survey tool. This could be a private business, a government agency or non-governmental organisation (NGO). A client organisation is a Data Controller as defined by GDPR.
An organisational administrator is an employee of a client organisation to whom the processor gives access to the Diversity Atlas administrator dashboard in order to view and analyse sectional or departmental results of the survey.
A respondent is a person who provides their personal information as part of their participation in a Diversity Atlas survey. A respondent is a Data Subject as defined by the GDPR.
A note on Client Organisation obligations
Our code of conduct, by which all customers must abide, is published here.
The Diversity Atlas collects diversity information from respondents within the client organisation for the purpose of promoting cultural harmony. It generates graphs, charts and statistical insights that illustrate the cultural diversity of that entity.
In addition, Diversity Atlas will only proceed with deploying a survey within an organisation after ensuring that its administrator is fully aware of its privacy and security responsibilities regarding its use of respondents’ data, which we outline in a Code of Conduct that our clients have to sign before having access to Diversity Atlas. These privacy obligations are reiterated in the contracts that we sign with our clients.
We strive to ensure optimal handling of data and we help our clients to establish risk management frameworks that include privacy and information security best practices as part of their use of Diversity Atlas.
We encourage respondents to communicate with their organisational contact person or their human resources department to discuss any concerns or seek any clarifications about their own rights, and their organisation’s obligations regarding the handling of personal information collected through Diversity Atlas.
If an employer or authority seeks to make participation in a Diversity Atlas survey mandatory in their workplace, we encourage any respondent to contact Diversity Atlas at [email protected]. If any participant believes that their organisation has mishandled their data, or in any way has not met its obligations with regard to a respondent’s privacy, we encourage them both to contact Diversity Atlas and to lodge a complaint with the Office of the Australian Information Commissioner, OAIC (if in Australia) or their country / state / jurisdictional Supervisory Authority.
We may collect information on how the Diversity Atlas website is accessed and used, which is known as Usage Data. This Usage Data may include information such as your Internet Protocol address (IP Address), browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, which type of device you are using, and other diagnostic data.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent by a website. However, if you do not accept cookies, you may not be able to use some portions of our website.
We use Google Analytics to collect and store information while participants interact with our services. The information collected is kept confidential and is not shared with any outsourcing companies. It is used for internal analysis only. The participant’s location is not tracked while their usage is tracked.
Your personal information
Your participation in a Diversity Atlas survey involves the provision of personal information—that is, information about you which a third party might be able to use to identify you if they gained access to it.
As a survey respondent, you should understand that there are unavoidable risks involved in providing personal information to any entity; however, we believe that we have taken every available measure to ensure this will not happen, including but not limited to full encryption, anonymity, ISO 27001 certification, systems to ensure pseudonymisation and a decision to host the platform on a secure cloud-based server.
We also do not validate and verify the participants’ input.
Your organisational coordinator has access to the overall results, but not to any participant’s specific answers, anonymous or not. Cultural Infusion has this same level of access, but only upon request by the organisation to provide technical, administrative or expert support. Your data is not, and will never be, disclosed, shared or sold to a third party.
Anonymous method of surveying:
The beauty of Diversity Atlas is that you are anonymous. Your answers form part of your organisation's diversity snapshot, but cannot be attributed to any participant individually.
Additionally, the Diversity Atlas survey invites respondents to provide information about themselves which is considered ‘sensitive information’ under Section 6(1) of Australia’s Privacy Act and article 9 of the European Union GDPR. This includes information about:
- Ancestral and/or cultural heritage
- Sexual orientation
- Religion / Worldview
Answering these questions is entirely voluntary. Respondents are under no obligation to answer these questions, and can indicate in the Diversity Atlas survey that they prefer not to answer them.
How your information is used
Once a Diversity Atlas survey has been completed, the results are made available to the client organisation’s Organisational Admin via the Diversity Atlas online dashboard.
Using this dashboard, Organisational Administrators can undertake analysis and generate reports based on the results of the survey. Access to this Dashboard is limited to the designated Organisational Contact Person and is protected with SSL-encrypted passwords. Each page of Diversity Atlas has an SSL certificate. Our web server is located in a highly secured domain where its security is guaranteed. All website data is backed up on a daily, weekly and monthly basis.
Diversity Atlas’ administration and analytics dashboard limits the visibility of participants’ data to preserve their confidentiality. Organisational admins can see how many in their organisation have completed the survey but they cannot see respondents’ individual answers to survey questions.
What admins can see:
- How many people responded to the survey
- Overall organisational results
- Diversity metrics disaggregated to the level of teams or departments larger than 10 people
What they can’t see:
- Respondents’ individual answers
- The names of any respondents
- Team-level results for teams within the organisation in which fewer than 10 people have responded
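The visibility rules above amount to small-group suppression: the dashboard reports only aggregate counts, and a team breakdown is withheld whenever fewer than 10 people in that team have responded. The following is an added illustration of that rule, written for this page and not code from Diversity Atlas; it assumes a hypothetical record shape (a `team` key plus one survey field per response) and uses a constructed set of sample responses.

```python
from collections import Counter, defaultdict

# Reporting threshold stated in the policy: team-level results are shown
# only for teams in which at least this many people have responded.
MIN_GROUP_SIZE = 10


def build_report(responses, field, min_group_size=MIN_GROUP_SIZE):
    """Aggregate survey responses into the counts an administrator may see.

    responses: iterable of dicts, each with a "team" key and the survey
               field being analysed (hypothetical record shape).
    field:     the survey question to break down, e.g. "religion".

    Returns a dict containing only counts: the total number of respondents,
    the organisation-wide breakdown, and a per-team breakdown in which any
    team below the threshold is replaced by None (suppressed). Individual
    responses and names never appear in the output.
    """
    overall = Counter()
    per_team = defaultdict(Counter)

    for record in responses:
        # Unanswered sensitive questions are voluntary; count them as such
        # rather than dropping the respondent from the totals.
        value = record.get(field, "Prefer not to say")
        overall[value] += 1
        per_team[record["team"]][value] += 1

    teams = {}
    for team, counts in per_team.items():
        if sum(counts.values()) >= min_group_size:
            teams[team] = dict(sorted(counts.items()))
        else:
            teams[team] = None  # suppressed: too few respondents in this team

    return {
        "respondents": sum(overall.values()),
        "overall": dict(sorted(overall.items())),
        "teams": dict(sorted(teams.items())),
    }


# Constructed sample data: 12 responses from Engineering, 4 from Finance.
SAMPLE_RESPONSES = (
    [{"team": "Engineering", "religion": "None"}] * 7
    + [{"team": "Engineering", "religion": "Christian"}] * 3
    + [{"team": "Engineering"}] * 2  # chose not to answer
    + [{"team": "Finance", "religion": "Muslim"}] * 2
    + [{"team": "Finance", "religion": "None"}] * 2
)


def sample_report(min_group_size=MIN_GROUP_SIZE):
    """Build the report for the constructed sample with the given threshold."""
    return build_report(SAMPLE_RESPONSES, "religion", min_group_size)


if __name__ == "__main__":
    import json
    # Finance (4 respondents) is suppressed at the policy's threshold of 10.
    print(json.dumps(sample_report(), indent=2))
```

With the constructed data the organisation-wide breakdown includes all 16 responses, Engineering is broken down because it has 12 respondents, and Finance is reported as suppressed. The threshold is a parameter so the same function can be checked against the policy's value of 10 and against a lower value to confirm the suppression logic rather than the data is what hides the small team.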
What can Diversity Atlas see?
Diversity Atlas’ development team does not have access to the results of a survey unless the organisational administrator officially asks for help and grants us ‘View’ consent. Diversity Atlas team members cannot view or modify respondents’ responses.
Data storage and security
We store all users’ information on servers protected by world-leading standards of data integrity.
In Australia, all databases containing users’ data are stored on our Amazon Web Services (AWS) servers in Sydney, Australia. We have the capacity to make our service available to clients off servers located anywhere in the world, pursuant to their needs and any legislative requirements for the storage of personal data. There are no other outsourcing companies involved in collection and data storage. In EU jurisdictions, data is hosted at AWS servers in Berlin, Germany.
The admin dashboard is only accessible to organisational admins with a password. All admin passwords are SSL encrypted using the Hash function, meaning that nobody has access to them—including the Diversity Atlas team.
Diversity Atlas uses column-based encryption to offer additional protection to the information provided by respondents in a Diversity Atlas survey.
Retention of Data
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our website, or we are legally obligated to retain this data for longer periods.
To meet privacy requirements, upon completion of the survey participants are offered options to edit / delete data at any time in the future that the data is still held.
This document was updated July 2022.
Shared responsibility is a collaboration between two parties, each performing its duties to maintain a secure environment. Diversity Atlas and its customers share equal responsibility for security and compliance. This security model helps to establish a secure environment with less operational overhead, as Diversity Atlas operates, manages and controls the facilities that it runs.
As shown below, there are different responsibilities that refer to security of the platform versus security in the platform.
This shared responsibility model also extends to IT controls. Some controls are shared, such as the operation of the IT environment and the management and verification of IT controls. Diversity Atlas helps to reduce the burden of operating controls by managing controls deployed in the platform that customers previously managed themselves. The following are the controls managed by customers, by Diversity Atlas, or by both:
Shared Controls: In a shared control, AWS provides the requirements for the infrastructure, and the customer implements their own controls within their use of AWS services. For example:
- Patch management
- Configuration management
- Awareness and training