Effective: June 30, 2020
We reserve the right to revise this Policy at any time. We will notify you of any material changes to the Policy by posting the new Policy on the Websites. Therefore, we encourage you to periodically read this Policy to check on any revisions. We recommend that you print a copy of this Policy and any future versions that may be applicable to you from time to time for your records.
Statement of Data Privacy
The Companies provide assessments and assessment-related services to employers, corporations, educational institutions, government agencies, clinical psychologists and other counsellors, and trade and professional associations. These services cover a wide variety of areas, from career planning, employee selection, and leadership development to clinical/counseling services.
First, we collect information about our clients who purchase tests and testing services. Personal information collected in these situations includes, but is not limited to, name, contact information (e.g., postal address, email), demographic information, and information proving eligibility for purchasing tests and/or services. We use this data to fulfill the assessment services under contracts with our clients.
Second, on behalf of our clients, we collect certain personal data from test takers, whether these individuals are residents of the United States, Canada, the EU, or any other country. We also may collect personal information from visitors to the Websites. As an individual Test Taker you may have an employment or other contractual relationship with one of our clients. Examples of the services we offer clients include various employment-related assessments, and personality and cognitive ability assessments. We may share your personal data with the organization(s) to whom you are providing your test results, but otherwise, we will not provide it, or sell it, to any third party who is unrelated to the Companies. In all instances, we only share personal information necessary to securely fulfill the required assessment services under a specific client agreement to purchase tests or testing services. This Policy provides an overview of how we obtain, store, and use your personal information. It is intended to provide a general overview and answer questions you may have about specific privacy issues.
Organizations covered by the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), or any of the six provincial privacy laws that have been declared “substantially similar” to PIPEDA, must obtain an individual’s consent when they collect, use, or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected; thus, if the Companies subsequently decide to use your information for another purpose, we must obtain consent again. The Companies want to assure you that your information will be protected by appropriate safeguards.
It is important to note that under PIPEDA, business contact information, including a person’s name, title, business address, telephone number, facsimile number, or business email addresses, which we collect, use, or disclose solely for the purpose of communicating with a person in relation to their business or profession, is NOT covered by this Policy, nor is such information considered “personal.” Nevertheless, when we enter into a business contract or similar professional relationship with your organization (i.e., to purchase tests or assessment-related services), and you are the contact person, your information will still be treated by us as confidential information.
The Policy applies to every covered person, regardless of where you reside, who has dealings with us that result in the collection of personal information. However, please be aware that if you reside in Canada, this explanation and summary of the Policy is designed to meet the requirements of PIPEDA. If you are a resident of the European Union (“EU”), this explanation and summary of the Policy is designed to meet the requirements of the EU General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018. Similarly, this Policy is designed to meet the requirements of the California Consumer Privacy Act (“CCPA”), which became effective on January 1, 2020.
The Policy is described here in a concise, transparent, intelligible, and easily-accessible form. It is set forth in a series of specific components describing how the Policy operates and how it meets certain privacy rights. The Policy applies equally to both our clients and individual test takers unless otherwise specified; in some specific instances, the Policy indicates where it may apply differently to clients and to individual test takers.
- Achieving accountability;
- Identifying purposes;
- Obtaining consent;
- Limiting collection;
- Limiting use, disclosure, and retention;
- Assuring accuracy;
- Implementing safeguards;
- Achieving openness;
- Providing individual access; and
- Challenging compliance.
Identity of the Data Controller
For purposes of this Policy, the data controller is the organization that collects and processes personal data, or arranges for such actions to be taken on its behalf by its agents (i.e., the Companies in these situations). The data controller is responsible for deciding the purposes for which personal information is used and processed, and the means by which such processing is done. Thus, it is the data controller’s responsibility to inform you in advance of the processing of your personal information and to explain your privacy rights. You should make any inquiries and/or requests about your data directly to the actual data controller, if you have that information, or you may request that information from us when we are not the controller. When asked, we will provide that request to our client (i.e., the data controller) so they can handle it.
By comparison, the Companies are the data controllers for only a limited amount of data that we collect for research-related purposes and for specific project management/service bureau roles. In research situations, we conduct a variety of analyses on test taker data in order to optimize the use of our assessments for their intended purpose. These analyses are conducted on large anonymized data sets that combine/aggregate test responses from individual test takers with test responses from large numbers of other test takers. Personal information (i.e., names, email addresses) has been removed from these data sets. Demographics (e.g., gender) are retained when available and analyzed. In project management/service bureau situations, we present your test score interpretations or score reports to the organization that pays for any test you take.
Apart from the above situations, in most instances related to you as a Test Taker, we merely function as the data processor or the data collection agent for the actual controller who is our client (e.g., your employer or another organization with whom you have a contract or other business relationship).
In order to facilitate your contacting the actual data controller where we are acting merely as agents, if you request it, we will pass along your inquiries and/or requests to the relevant data controller. As a data processor, we will follow the instructions we receive from our data controller clients in responding to your request. Details on how to contact the Companies can be found in the Contact section of this Policy.
How do we collect or obtain your information?
We collect your personal information, or receive it from one or more data controllers (i.e., our clients), in the following ways: (1) when you use our Websites; (2) through applications when registering for testing services; (3) when scheduling testing events; (4) during testing activities; (5) through interactions with an employer test program’s online portal; and/or (6) from client testing organizations and/or their authorized delegates.
What personal information do we collect?
For our clients, we may collect your name, contact information (e.g., telephone, email, or account password), demographic information, photograph, information proving eligibility for our services, scheduling information, and testing-related information and results. If online payment by you is required as part of our services, we process the credit/debit card transaction through secure, third party service providers; however, we do not retain any payment card information except the last four digits and expiration date.
For individuals taking tests on behalf of one of our clients, we may collect your name, address, email address, IP address, test responses, and demographic information (e.g., gender, age). In addition, the Companies create test scores for assessments taken by an individual test taker; those responses and raw scores, along with any written observations/comments from the rater, may be considered personal information. However, in most instances we provide the client only with score interpretations that have been derived from raw test data and thus, we do not consider those interpreted results/scores to be “personal information.”
What are the legitimate interests we have for collecting/using your personal information?
If you are a client, we collect and use your information because you have contracted with us. If you are an individual test taker, you have a legal relationship with, and/or have given your affirmative consent to, an employer or testing organization, and/or directly to us. Accordingly, we use the information given to us by you and/or the relevant data controller to fulfill the testing service(s) that they or you contracted to receive. These services can include: taking a proctored test or practice test; providing scoring services to our client; verifying that you, and only you, have access to confidential testing materials; conveying your test responses, results, location, and time of testing to the employer or other organization for their decision-making; and aggregating anonymous test responses pooled from many test takers to help ensure that future examinations are properly constructed, valid, and reliable.
How do we use your personal information?
If you are an individual test taker, the Companies use your personal information: 1) to fulfill the assessment services listed above for which you have contracted with one of our clients, the employer, or testing organization with whom you have a relationship, 2) to contact you for testing-related services, and 3) to facilitate an exam. In other situations, where the Companies are in fact the data controllers, we are providing you with notice about the legitimate interest we have to collect and use your personal information; in some instances we may also obtain affirmative consent from you to collect and use your personal information.
If you are a client, we have a legitimate interest to use your personal information to fulfill the assessment services for which you have contracted with us. As noted above, if you are the business contact for one of our clients, your contact information is only considered to be confidential information.
Disclosure of your personal information to third parties
For individual test takers, we may disclose your personal information, plus your derived test scores/interpretations, to the organization that has asked you to take an assessment (e.g., the organization with which you are seeking employment, your existing employer and/or their authorized agents), to the test administrator administering your exam, to our service agents, and to others for whom you request that we share your test information and/or results. In addition, we will report your derived test scores or interpretations or score reports to third parties designated by you, or designated by the organization that pays for any test you take. We will not provide your personal information, or sell it, to any third party who has not been designated to receive it.
We also may use test results from individual test takers for research and test development purposes. In addition, in very limited circumstances, third-party researchers, such as the original test author(s), may be granted access to anonymized test data if qualified and approved by the Companies. In research and test development instances, ALL identifying personal information about you, except for demographic information (e.g., gender, age) is removed so that the results are anonymous. Then those de-identified/anonymous results are aggregated into a data pool that is used for research. For example, such a database may be used to calculate how many test takers were male or female and the ages of test takers, but no individual information about you is connected to that database. Among the research uses of such aggregated anonymized data are development of test norms and new test items.
Do we sell personal information to third parties?
No, the Companies will never sell your personal data to any third party that is unrelated to them. For clarity, as affiliated businesses, the Companies may share personal information between themselves where appropriate for a legitimate business purpose related to underlying testing agreements. Such sharing between the Companies is never done for marketing/advertising purposes. As such, the Companies do not need to provide individuals with a “Do Not Sell” button to ensure that their personal information is not sold.
How long will we retain your personal information?
For our clients, we do not retain personal information longer than is necessary, taking into account any legal obligations we have (e.g., to maintain records for tax purposes, to comply with contract terms). For individual test takers, we retain your personal information for only as long as there is a lawful basis related to the use of your personal information by us or our client (e.g., performance of services to you and/or our clients, or our legitimate interests as a testing organization, or in some instances, augmented by your consent).
Preventing unqualified individuals from accessing our assessments and protecting your personal information is important to us. Additionally, some of our clients require access to test scores for an extended period following test administrations. Therefore, some information, such as qualifications data and test scores, is kept indefinitely. If you would like to have that information deleted, please submit a request in writing. Details regarding address and email information can be found under the Contact heading. Please be advised that if the Companies delete your personal information and test scores, we will not be able to provide your test scores to any organizations after deletion.
How do we secure your personal information?
No method of securing information transmitted over the Internet, or method of electronic storage, is 100% secure; therefore, we cannot guarantee the absolute security of any personal information. However, in securing personal information, we utilize reasonable, generally accepted technical and organizational security measures to protect personal data against loss, misuse, or alteration throughout collection, transmission, processing, and storage, including the physical security of our facilities.
For individual test takers, wherever we collect personal information, it is encrypted and transmitted to us using the latest secure socket layer (SSL/TLS) encryption methods. You can verify this in different ways on different browsers: by looking for a closed lock icon, a green location bar, or verifying that “https” is used at the beginning of the address of the web page. Furthermore, we use third-party tools to verify that they are conforming to the latest security methods, protocols, and best practices to maintain safe transmissions.
If you have any questions about security of your personal information, you are requested to contact us. Details regarding address and email information can be found under the Contact heading.
For those clients or individual test takers providing information outside of Canada
Personal information is stored encrypted at rest on SIGMA’s servers, which are located in the United States. Backups are stored in Canada, also in encrypted form. Thus, client information and individual test taker personal information is usually sent to the United States in order to process it, as well as to store the information for future use. When we transfer personal data, we take all reasonable steps to ensure that the information is protected, including protection by contractors and/or subcontractors, and to ensure that your information is not shared in any manner that is inconsistent with this Policy. Specifically, we have provided in our third-party agreements that any personal information leaving Canada and/or the EU will be transferred to us for processing in compliance with the PIPEDA and/or the GDPR.
What are your rights?
Whether you are a client or an individual test taker, your rights in relation to your personal information are to: (1) be informed about its use; (2) have access to your information; (3) correct your personal information; (4) have your personal information deleted in certain situations; and (5) restrict how we use your personal information. Other rights under PIPEDA, CCPA, and GDPR are addressed below.
The right to be forgotten (i.e., to have us delete your personal information) is limited in a testing environment. If you are an individual test taker and you ask us to delete your personal information, you may not be able to continue to take tests with us and in most situations, we cannot delete your previous test results because they may be necessary to establish, exercise, or defend legal claims, or they are required by your current or prospective employer or to exercise various business obligations/rights related to your test results (e.g., when you may take a retest, when you may have the opportunity to take related tests, or for other similar business purposes for which you agreed when you registered for a test).
You also have the right to have your personal information transferred to others; however, because our use of your personal information is limited to fulfilling contracted assessment services with our clients, it is usually not technically feasible for us to honor such a request because we are not able to exchange that information with another organization with which we have no direct interface or where we have no existing business reason to exchange personal information (e.g., a different employer or testing organization that requires the test taker to register directly with it).
For individual test takers, you are also entitled to know if we are using any automated decision-making (including profiling). We do not use any such automated technologies in the processing of your personal information.
For individual test takers, you are also entitled to know if we are using biometrics as part of any identification of test takers or other individuals using our Websites, including its testing website/test delivery platform. We do not employ any biometric technology in the identification of individual test takers.
Health Insurance Portability and Accountability Act (HIPAA) Statement
We are committed to protecting the privacy of any personal health information (PHI) that we may receive from any business under HIPAA (“Covered Entity”). Part of that commitment is complying with our obligations under the HIPAA or Department of Health and Human Services (DHHS) regulations, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. In the event of a discrepancy or conflict between this Policy and our HIPAA obligations, our obligations under HIPAA will govern.
For individual test takers, we want to assure you that we meet all of our obligations to comply with HIPAA, as well as the privacy and security regulations promulgated under HIPAA, the administrative regulations issued by the DHHS, and the HITECH Act, as such laws and regulations may be amended from time to time. Because we are in most instances merely acting as a Business Associate of a Covered Entity under the HITECH Act and its regulations, we provide strong support and assurances about our compliance to the Covered Entity with which you may be dealing.
How to exercise your rights regarding the collection and use of your personal information
Whether you are a client or an individual test taker, you have the right to seek to withdraw from the collection and use of your personal information; however, we may reject that attempt in order to protect our ongoing legitimate interest in your personal information. In other circumstances, you may have the right to withdraw your acceptance of legitimate interest and/or any consent you have given at any time during or subsequent to your use of our Websites by emailing us at email@example.com. However, any data processing performed by us prior to your withdrawal cannot be undone. In situations where the data controller is a different organization, such as one of our clients, you will need to exercise your rights directly with that organization, who will notify us of its handling of your request so that we can follow its instructions. In any such situation, we will assist in directing your request to the proper data controller on your behalf, so that we can obtain appropriate instructions from the data controller in response.
Whether you are a client or individual test taker, you also have the right to object to our collection and/or use of your personal information, or to request access to your information as well as to request that we correct any information we have or to remove you from our records. If your personal information changes (e.g., phone, email or postal address), you can change most personal information by contacting us as shown above. If you wish to correct/update/delete information or no longer desire to receive information from us, you can notify us by using any of the information in the Contact section of this Policy. We will respond to your request to access within 30 calendar days, unless we give you notice that an additional 30 days will be required to respond.
Whether you are a client or individual test taker, you may file a complaint with us by emailing us at firstname.lastname@example.org, and we will respond without undue delay, within at least 30 calendar days, unless we inform you that additional time will be required. In addition, you have the right to file a complaint with your relevant Supervisory Authority (i.e., Data Protection Authority) or other such appropriate regulatory body.
How do the Companies obtain your acknowledgement of our legitimate interest or your consent?
At the end of this Policy, whether you are a client or individual test taker, you will be asked to acknowledge that we have given you notice about our legitimate interests related to a client account and/or purchase agreement or a Test Taker Agreement, and that you agree with the Terms and Conditions related to the collection and use of your personal information.
In some situations, you also may be asked to indicate your affirmative consent to allow us to collect and use your personal information. If you are an individual test taker, we may rely on the consent you previously gave your employer or the company from whom you are seeking employment or are already employed, or those with whom you have a contractual relationship, which may provide an alternative legitimate basis for collecting and using your personal information.
We do not knowingly collect information from children under the age of 13. If you have reason to believe that we collected or are in possession of personal information from someone under 13 years of age, please contact us at email@example.com. For individual test takers who are under the age of 18, we require that the qualified user either obtain affirmative written consent from a parent or guardian or have the parent or guardian sign the Test Taker Agreement for each specific test.
Special Notice to California Residents
Individual test takers who are California residents have the right under the California Consumer Privacy Act to make the following requests in writing to a business that collects and uses their personal information: (1) to see what data companies collect on them; (2) to request that it be deleted; (3) to know what third-party companies their data has been sold to; and (4) to direct a business to stop selling that information. As stated in this Policy, we do not sell personal information to any third parties, so we do not provide the so-called “Do Not Sell” button on the Websites. If you qualify to request the above information, please contact us. We will respond to such requests for information access within 30 calendar days following receipt at the email, unless we notify you that additional time will be required. Please note that we are only required to respond to each person once per calendar year. If you desire to make a request under the CCPA, you should write to us. Details regarding address and email information can be found under the Contact heading.
Additionally, California law requires that we indicate whether we honor “Do Not Track” settings in your browser concerning targeted advertising. “Do Not Track” is an online procedure that is currently unavailable. Instead, we adhere to the procedures set out in this Policy and do not monitor or follow any Do Not Track browser requests. However, we may provide follow-up notifications to individual test takers on behalf of our clients in order to provide test takers with information about retesting or other test requirements. As an individual test taker, you may request withdrawal from such communications by writing to your current or prospective employer or other organization with which you have a contractual relationship.
You may contact us by writing to SIGMA Assessment Systems, Attn: Privacy Coordinator, or by sending an email to: firstname.lastname@example.org. You may also write to us at: SIGMA Assessment Systems, P.O. Box 610757, Port Huron, Michigan, USA 48061-0757, or SIGMA Assessment Systems, P.O. Box 3292, Station B, London, Ontario, Canada N6A 4K3.
Recognition of Legitimate Interest/Affirmative Consent