OneSmartWorld®
Security and Privacy
OneSmartWorld® is a Canadian company. We offer assessment tools, productivity improvement tools and education to HR specialists, talent development practitioners and related partnering organizations. We have developed a proprietary learning methodology called LEAP to teach the practical knowledge and skills of the 21st Century. We work directly, or through international partners, with numerous multinational corporations and public sector bodies globally.
Under data protection legislation every individual has rights as to how their personal data is handled and we recognize the need to treat all such data in an appropriate and lawful manner, according to the nature and classification of such data. We are committed to complying with current legislation including PIPEDA (Personal Information Protection and Electronic Documents Act) and the General Data Protection Regulation (EU) 2016/679 (GDPR), together with any applicable, enacting, successor or amending legislation. The GDPR has strengthened the rights that individuals have regarding their personal data and seeks to unify data protection laws, governing the rights of user data subjects, regardless of where their data is processed or stored.
Our Approach to Data Protection and Privacy.
We are committed to global GDPR compliance, providing robust privacy and security protections which have been built into our services and contracts. We apply a layered approach to data protection and privacy, including our public Privacy Policy and privacy notices at various data collection points in our operations and systems.
PRIVACY POLICIES AND NOTICES
Our public Privacy Policy sets out how we handle data including how we collect, store and use personal data and special category data (previously known as sensitive personal data), our legal bases for processing personal data, information on transfers to third parties and outside the European Economic Area (EEA), as well as the rights of data subjects, including the right to withdraw consent. Our privacy notices include information, and consents where applicable, at the relevant data collection point.
TECHNICAL AND ORGANIZATIONAL MEASURES
Our internal policies and procedures, including our Data Protection Policy and Data Retention and Destruction Policy, explain how our officers, employees and consultants shall operate in respect of handling of personal data, special category data and other data protection matters, including collection, storage, processing and destruction of such data. These internal policies and procedures set out the technical and organizational measures that we take in order to prevent unauthorized and unlawful processing, accidental loss or destruction or damage to personal data that we hold on behalf of our customers and others. We expect all our officers, employees, and consultants to comply with all applicable data protection policies and procedures in all aspects of their day-to-day work.
In our role as a data controller, we are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR. Our data controller obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data, together with only using data processors that operate in such a manner that their data processing will also meet the requirements of GDPR.
In our role as a data processor, we are responsible for implementing appropriate technical and organizational measures to meet the requirements of GDPR, ensuring a level of information security appropriate to the risk, and acting in accordance with the relevant data controller’s instructions. We enter into contractual agreements as appropriate with the applicable data controller, and also with sub-processors, to provide sufficient representations to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR.
Data Protection Officer and reporting of concerns.
If you have any questions about our stance on data protection matters generally or how we process personal data, please refer to our Privacy Policy.
Our DPO is supported by a multi-functional data protection team.
We are fully committed to ensuring that we act in accordance with data protection laws as applicable, including GDPR, and will take seriously any data protection concerns you raise with us.
The Canadian Federal government has fully implemented the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides guidelines on how personal information is collected, used, and disclosed. In addition, British Columbia, Alberta, and Quebec have passed legislation governing the collection, use or disclosure of personal information in those provinces.
This Privacy Policy sets out how we handle data, including how we collect, store and use personal data, our legal basis for processing your personal data, information on transfers to third parties and international transfers, as well as your rights as a data subject. This version has been updated to reflect the strengthened rights of individuals under the General Data Protection Regulation (GDPR), to make it easier to understand and to provide more fairness and transparency to you by making additional information available.
OneSmartWorld® collects personal information about individuals for the administration of our business, administration of our web sites, administration of the 4 Dimensions Inventory (4D-i®) and the Smart Agenda Manager (SAM) and to help us provide a service that meets our clients’ needs and expectations. Below is a comprehensive statement of our Privacy Policy, which we encourage you to take the time to read.
Privacy protection requirements form a code of fair information practices relating to the collection, use, disclosure, accuracy, and protection of personal information in our custody. As well, there is a requirement to provide individuals with access to information about themselves and the means to correct or annotate such personal information. Individuals are entitled to privacy protection in all information systems under the custody and control of OneSmartWorld®.
Please note that there is no completely secure method of transmitting information or storing data. While the characteristics of each method may vary, facsimile transmission, telephone calls, mail, and transmissions over the Internet are all vulnerable, some more than others, to potential loss, interception, or misuse. OneSmartWorld® cannot be held responsible for any such loss, interception or misuse prior to taking custody of personal information.
OneSmartWorld®
PRIVACY POLICY
Updated July 2020
This Privacy Policy sets out how we handle data, including how we collect, store, and use personal data, our legal basis for processing your personal data, information on transfers to third parties and international transfers, as well as your rights as a data subject. This version has been updated to reflect the strengthened rights of individuals under GDPR, to make it easier to understand and to provide more fairness and transparency to you by making additional information available.
CONTENTS
This Privacy Policy comprises:
- Collection of Personal Data
- How and when information data is collected
- Third Party Intermediaries
- Retention of 4D-i® Results
- Personal Data Storage
- Personal Data Disclosure Policies
- Communications from OneSmartWorld®
- Your Legal Rights
- PIPEDA
- Changes to Personal Data
- Notification of Changes
- Legal Disclaimer
1. COLLECTION OF PERSONAL DATA
Reasonable measures will be taken to protect the security of the personal data collected by OneSmartWorld®, and our agreements with any third parties with whom we share Personal Information require similar protections. OneSmartWorld® will process your information only when necessary to comply with a current judicial proceeding, a court order or legal process served on our company.
Information data that will/may be collected at various points include:
- Identity data (including full name, username or similar identifier, title/gender, sex)
- Contact data (including billing address, delivery address, email address, telephone numbers)
- Financial data (including bank account, payment card details)
- Transaction data (including details about payments to and from you and/or your organization and other details of products and services you have purchased from us)
- Technical data (including internet protocol (IP) address, login data, browser type and version and other technology on the device used to access our websites)
- Profile data (including username, password, purchases or orders made by you, your interests, preferences, feedback and survey responses)
- Usage data (including information about how you use our websites, products and services)
- Marketing and Communications data (including your preferences in receiving marketing from us and your communication and cookie preferences)
Data may be used in an aggregate form (without personal identifiers) to build profiles of test usage and to aid in the development of tests and reports. Aggregate data may be shared with third parties.
2. How and When Information Data is Collected
2.1. Website Data Collection
Our web sites may log a user’s IP address, browser type and version, dial-up domain, and computer operating system when he/she visits the site. We use the tracked information to help diagnose problems with our server and to administer our website. IP addresses of our web site users are used to diagnose problems with our server, and to administer our web site.
Our web site provides a store for clients to purchase products and services. We collect clients’ contact information (such as their address and email address) and financial information (such as their account or credit card numbers).
Contact information from the store is used to fulfill orders to our clients. We also provide mailings and other marketing collateral regarding product information and releases. We may also conduct surveys during which non-personally identifiable information is collected but will not be used other than to garner survey results. We reserve the right to aggregate or compile and use data obtained from the scoring or other processing of products listed on this site or otherwise sold or licensed by OneSmartWorld® web sites, and to utilize this data for research, product development, and statistical analysis. Be assured that such data is only used in aggregate and never discloses any individual’s identity.
2.2. Website Cookies
Our site uses but does not require session cookies. A cookie is a piece of data stored on the user’s computer tied to information about the user. We use session ID cookies, which are not stored on the hard drive, but no persistent cookies. Once users close the browser, the cookie simply terminates.
2.3. Marketing Communications
In order to receive our marketing communications, a user must first have given us “Expressed Consent” and have opted in to receive various marketing communication materials from OneSmartWorld®. During this process a client will provide us contact information including their name and email. This information is used to send the proper marketing communications according to the preferences that are specified by the user. The user can also opt out or change their preferences at any time, by either clicking the ‘unsubscribe’ link located on the bottom of OneSmartWorld® emails or by contacting [email protected]
Please note that this will not apply to personal and contact data provided subsequently if you then choose to purchase products or services and in relation to other subsequent associated activities or transactions.
2.4. Interaction with a third party regarding our products or services
We may receive Personal Information about you from third parties, such as from our certified Associates. Some of this information pertains to a specific individual; other information can only be linked to an access point or a device.
3. THIRD PARTY INTERMEDIARIES
3.1. Service Providers
We may engage certain third parties to perform functions and provide services to us, including, without limitation, client relationship management, contract management, order fulfillment, mass mailing, hosting and maintenance, database storage and management, business analytics, and direct marketing campaigns. As of the effective date of this Privacy Policy, the current list of service providers to whom we disclose Personal Information is as follows:
- Canada Post Corporation (for shipping services);
- Purolator Inc. (for shipping services);
- Shopify (for e-commerce services);
- FreshBooks (for payment processing services); and
- PayPal (for payment processing services)
Pursuant to written agreements between OneSmartWorld® and these service providers, each of these service providers only has access to such Personal Information as necessary to fulfil its obligation to OneSmartWorld®, is not permitted to use Personal Information for any purposes other than those directed by OneSmartWorld® and is required to act in a manner consistent with the privacy principles articulated in this Privacy Policy and applicable law.
3.2. Website Links
OneSmartWorld® web sites may contain links to other sites. Please be aware that we, OneSmartWorld®, are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by OneSmartWorld® websites.
4. RETENTION OF 4D-i® RESULTS
As the 4D-i® is a personal development tool to be used for ongoing learning, coaching and performance improvement we retain the results of 4D-i®’s indefinitely. This allows our members to continue to refer to their personal 4D-i® portfolio of results and resource materials as a benchmark for continued development. All of our clients have the opportunity to refer to their results over an extended period of years as a way of informing their progress. A client may at any time request in writing the removal of their 4D-i® results from our database. This request will be accommodated as soon as possible and within a maximum of 5 business days, from date of the written request.
5. PERSONAL DATA STORAGE
5.1. Data Retention
Client information collected through various marketing activities is housed in our client database. OneSmartWorld® will retain this information (i) as long as your account remains active; (ii) as long as you do business with OneSmartWorld®; (iii) as long as required by law. If a client communicates to OneSmartWorld® that he/she is no longer a client, OneSmartWorld® will destroy the client’s information 5 years from the notification. At any time, a client can contact OneSmartWorld® and inquire about his/her profile and ask that information be removed from the profile. Each OneSmartWorld® employee signs confidentiality agreements upon employment with the company and is trained to carry out and implement OneSmartWorld®’s privacy policy.
5.2. Data Security
This website takes every precaution to protect our users’ information. When users submit sensitive information via the website, their information is protected both online and off-line. When our clients create user ids and passwords that information is encrypted and is protected with the best encryption software in the industry – SSL. While we use SSL encryption to protect sensitive information online, we also do everything in our power to protect user information off-line. All of our users’ information, not just the sensitive information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job are granted access to personally identifiable information. Finally, the servers that store personally identifiable information are in a highly secure environment in a locked facility in Canada. The physical location of our headquarters office is located in locked offices in a locked commercial building.
5.3. Data Breach Notification
If OneSmartWorld® undergoes a data breach, for purposes of the General Data Protection Regulation (GDPR), it is our responsibility to inform the competent supervisory authorities. Within the EU they must generally be informed within 72 hours of a personal data breach. Our Privacy and Data Controller will implement the necessary actions to ensure the protection of our clients’ personal data.
6. PERSONAL DATA DISCLOSURE POLICIES
We do not sell, trade, or rent or otherwise give to any other entity or organization the individual information our clients submit when placing an order or taking an instrument on our site except as noted in this privacy policy.
6.1 4D-i® Results
Individual results are provided to members immediately they have completed their 4D-i® questionnaire. Through the OneSmartWorld® administrative system OneSmartWorld® does provide its certified associates with the individual member information they need to properly counsel or advise their clients. In other words, if you are taking an instrument on our site at the direction of a consultant, coach, counselor or other individual, that consultant, coach, counselor or other individual will receive from OneSmartWorld®, individually identifiable information so that he or she may properly counsel or advise you. Each administrator on our system must agree in writing to abide by our Code of Ethics in advance of accessing member’s personal information. Associates and administrators are also responsible for acting in accordance with our Code of Ethics in the provision and interpretation of the results produced by our system.
Once a member has completed their 4D-i® they have the option to share their results with fellow 4D-i® members in the same organizational unit. In order to share results the member is directed to go to the “My Profile” tab on their 4D-i® dashboard to access the option to turn on the sharing capability. The member is then asked again, if they choose to share their results with their colleagues and they must agree to the statement outlining in detail the implications of sharing their results. If the member chooses this option, their results will only be shared with their colleagues in their organizational “group” who have also agreed to share their results. The option to turn the “share” function off is available to the member by unclicking the opt in option at any time. For privacy reasons Personal Spirit scores are not included in this sharing function. If a member chooses to share their Personal Spirit results with others this would need to be done outside of our system either verbally or physically by another means. We feel Personal Spirit results are particularly impactful and we have put many safeguards in place to ensure that these scores will never be shared by OneSmartWorld® or our associates, without the express permission of our members.
6.2 Service Providers
We use outside shipping companies to fulfill orders, and a credit card processing company to bill you for goods and services. Similarly, from time-to-time OneSmartWorld® uses third party vendors to assist in the preparation and mailing of its marketing materials. These companies do not use personally identifiable information for any other purposes other than those directed by OneSmartWorld®.
Other than the above, if we provide a third party with client information, it will be in the form of aggregate data and used for the purposes of product development, research, or statistical analysis. The information will remain anonymous, stripped of all personally identifiable data, and compiled among all of our visitors’ answers to survey questions and instrument responses as well as grouped on-site behaviour. Again, all identifiable individual information will be removed.
OneSmartWorld® may release account information when we believe, in good faith, that such release is reasonably necessary to (i) comply with law; (ii) enforce or apply the terms of any of our user agreements; or (iii) protect the rights, property or safety of OneSmartWorld®, our users, or others.
7. COMMUNICATIONS FROM OneSmartWorld®
Established clients will occasionally receive information on products, services, and special deals. Information sent includes leaflets, marketing flyers, catalogues and other marketing communications. We may use pixel tags to monitor the open rate of our communications. This helps us understand the effectiveness of the communications that we send. We give you the ability to opt out of marketing communications at any time.
7.1. Service Announcements
On rare occasions it is necessary to send out a strictly service-related announcement. For instance, if our web service is temporarily suspended for maintenance, we might send clients an email. Generally, clients may not opt-out of these communications, though they can deactivate their account. However, these communications are not promotional in nature.
7.2. Client Service
We communicate with clients on a regular basis to provide requested services, and in regard to issues relating to their account, we reply via email or phone, in accordance with the user’s wishes.
8. RIGHTS FOR INDIVIDUALS
We respect your rights as a data subject. As the data controller determining the purposes and means of the processing of Personal Information, we provide you with the rights described below.
8.1. Right of access
You have the right to obtain confirmation as to whether or not your Personal Information is being processed. If your Personal Information is being processed, you have the right to access your Personal Information and the following information: (a) the purposes of the processing; (b) the categories of Personal Information concerned; (c) the recipients or categories of recipients to whom your Personal Information has been or will be disclosed (including international organizations and recipients in other countries); (d) where possible, the period for which your Personal Information will be stored or the criteria used to determine that period; (e) the existence of your right to request that the data controller rectify or erase your Personal Information, or restrict processing of your Personal Information, or to object to processing of your Personal Information; (f) the source of your Personal Information (if it was not obtained from you directly); and (g) the existence of any automated decision-making (including profiling) along with meaningful information about the logic of such automated decision-making and its consequences.
8.2. Right to rectification
You have the right to rectify inaccurate Personal Information concerning you. We generally rely on personal data provided by you (or your authorized representative). In order to ensure that your personal data is current, complete, and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer at the contact details provided below. Taking into account the purposes of the processing, in some instances you will have the right to have incomplete Personal Information completed by providing supplementary written statements to us.
8.3. Right to erasure
You have the right to request erasure of your Personal Information when one of the following applies: (a) your Personal Information is no longer needed to achieve the purpose(s) for which it was originally collected or processed; (b) the processing of your Personal Information is based on your consent, you choose to withdraw that consent, and we have no other legal basis for ongoing processing; (c) you object to the processing and we have no overriding legitimate grounds for ongoing processing; (d) your Personal Information has been processed unlawfully; or (e) your Personal Information must be erased for compliance with applicable law. In those instances where you exercise this right against OneSmartWorld® as the data controller, we will accommodate your request to the extent practicable, and to the extent that it does not otherwise conflict with any of our other obligations. We reserve the right to retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our contractual agreements.
8.4. Right to withdraw consent
The consent that you provide for the processing of your Personal Information will remain valid until such time as it is withdrawn by you in writing. You may withdraw consent and request us to stop processing your Personal Information for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing the Products and Services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing or via email to our Data Protection Officer. Please note that withdrawing consent does not affect our right to continue processing Personal Information where such processing without consent is permitted or required under applicable laws.
8.5. Right to restriction of processing
You have the right to restrict processing of your Personal Information where one of the following applies: (a) you contest the accuracy of your Personal Information, in which case processing will be restricted for a period allowing the data controller to verify or rectify the accuracy of your Personal Information; (b) processing of your Personal Information is unlawful; (c) processing of your Personal Information is no longer necessary for the purpose(s) for which it was collected or processed but you require it for the establishment, exercise, or defense of legal claims; or (d) you object to the processing, in which case processing will be restricted for a period allowing the controller to demonstrate whether legitimate grounds exist that override your objection.
8.6. Right to data portability
Where technically feasible, and as related to Personal Information you have provided to a data controller based on your consent or a contract with you, you have the right to receive that Personal Information in a structured, commonly used and machine-readable format and to transmit that Personal Information to another controller if the processing of that Personal Information is performed by automated means.
8.7. Right to object to processing
In certain instances, you may have the right to object to processing of your Personal Information. Should you so object, the controller of your Personal Information must stop processing your Personal Information unless the controller can demonstrate (i) compelling legitimate grounds for ongoing processing of your Personal Information that override your objection; or (ii) the need for the establishment, exercise, or defense of legal claims.
8.8. Right not to be subject to automated decision-making
In certain instances, you have the right not to be subject to decisions based solely on automated processing (including profiling) that produces legal effects concerning you or otherwise significantly affects you. As of the effective date of this Privacy Policy, we do not engage in any such automated decision-making or profiling.
8.9. Right to opt-out of marketing communications
If you are receiving marketing communications from us and you wish to unsubscribe, you may do so by clicking on the “unsubscribe” link provided in the communication or by managing your marketing communication preferences on the Site(s).
8.10. Right to block cookies
You have the right to block pixel tags and certain cookies. Most browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies, or prompt you before accepting a cookie from the Site that you visit. If you decide not to accept our cookies, you may not be able to access portions of our Products or Services. Some cookies are strictly necessary for us to deliver the Sites or Products or Services, and those cookies cannot be disabled.
If OneSmartWorld® is the controller of your Personal Information and you wish to exercise any of the rights described above, please contact us, as provided in the “Contact Us” section.
9. PIPEDA
The Canadian Psychological Association (CPA) and leading Canadian test developers, including OneSmartWorld®, believe that Test Record Forms or Protocols may not be disseminated to persons who claim that they are entitled to copies under the Personal Information Protection and Electronic Documents Act (PIPEDA). It is OneSmartWorld®’s position, along with CPA and other leading test developers, that test items are trade secrets and that such information is not required to be disclosed under PIPEDA.
10. CORRECTING/UPDATING/DELETING/DEACTIVATING PERSONAL DATA
If a user’s personally identifiable information changes (such as postal code, phone, email, or postal address), or if a user no longer desires our services, we provide a way to correct, update or delete/deactivate users’ personally identifiable information. This can be done by contacting Client Support at [email protected] or 1-800-387-6278.
11. NOTIFICATION OF CHANGES
If we decide to change our privacy policy, we will post changes to this privacy statement in places we deem appropriate, so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If, however, we are going to use users’ personally identifiable information in a manner different from that stated at the time of collection we will notify users via email.
12. LEGAL DISCLAIMER
Though we make every effort to preserve user privacy, we may need to disclose personal information when required by law wherein we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on our Web site.
13. For Further Information
If you have further questions about our security and privacy policies please contact Mandy St. Germaine, Director of OneSmartWorld® Academy at [email protected] or 1-800-387-6278.
Privacy Statement that must be agreed to in order to complete the 4D-i®.
OneSmartWorld® complies with Canadian legislation regarding the collection and use of personal information protection and the use of electronic documents.
The OneSmartWorld®’s 4D-i® system is designed to provide a personalized report from the data requested for demographics that require one’s first and last names and e-mail address along with responses to a series of questions, words, or statements that will be used to create the customized report. Optionally, demographic information such as age, location, education, and employment are used by OneSmartWorld® for continued validation of this report. This personalized report is forwarded to the member’s email address submitted.
The Associate and/or Organizational administrator of the 4D-i® has access to the personal data of the report and can use the data only for the purpose for which it was intended. Access to one’s personal data for the correction of inaccuracies or deletion is available upon request through the contact information below. A response to such requests is forthcoming within 5 business days.
Contact information: [email protected]
The administrator has the right to use demographics and item responses for research, statistical, or scholarly study purposes only. Personal names or identifiable personal information of an individual will not be provided to any third parties.
We reserve the right to use or sell aggregated data for the purposes of research and/or in the sale of all or substantially all of the assets of OneSmartWorld® where the data in the system will be assigned as part of the sale provided that the data is not linked to any specific individual.
Security
The security of personal information is critical to OneSmartWorld®. Upon registration for the 4D-i® assessment, information is encrypted through the use of secure socket layer technology (SSL). Our entire site is SSL encrypted.
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and after it is received. No method of transmission over the Internet or method of electronic storage is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security.
Log Files
As is true of most Websites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data.
We use this information, which does not identify individual users, to analyze trends, to conduct research, to administer the site, to track users' movements around the site, and to gather demographic information about our user base as a whole.
We do not link this automatically collected data to personally identifiable information.
Changes in this Data Privacy Statement
If we decide to change our privacy policy, we will post those changes to this privacy statement, the home page, and other places we deem appropriate so that clients are aware of what information has been collected, how it is used, and under what circumstances, if any, it is disclosed.
We reserve the right to modify this privacy statement at any time. Frequent review of this statement is recommended. When material changes to this policy are made, we will notify our clients by email or by means of a notice on our home page.