II. Collection and Usage of personal data
1. The data and its collection
Caliper collects and uses personal data from individuals in countries throughout the world. The data collected is relevant to creating a profile of the intrinsic weaknesses and strengths for a defined business role, i.e. data for measuring personality traits, individual motivations, likely behaviors, and potential for success in a specific job.
Data is only collected through standardized questionnaires, either in a paper-and-pencil version or online. Both methods collect the same type and amount of data. Caliper does not collect personal information such as age, race, gender, except when given completely voluntarily. Data is collected directly from the individuals. Caliper does not obtain information without the knowledge of the individuals.
Initial data analysis is handled in Caliper’s Princeton, New Jersey headquarters. Regional offices will transfer the data to Caliper’s headquarters.
The Caliper Corporation US headquarters stores its employees’ data regarding their e-mail traffic (content and connection information), connection information about the usage of the company’s software, personal information in the file system, and information about the websites visited on the internet.
Data is only used for interpretation based on the Caliper Profile as well as related services, such as the Caliper Three Sixty Plus. Caliper creates a personal profile to find out the intrinsic personal strengths and weaknesses or to show the personality traits relevant for a business requirement. The kind of profile depends on the assignment.
From time to time, data is used for ongoing research and improvement of the Caliper Profile instrument. The data used and analyzed is rendered completely anonymous. Caliper does not use the data for any other purposes.
Data is not used to observe the behavior of employees or to evaluate the activity of an employee. Data is used exclusively for the purposes of data protection control or data security or to ensure the proper operation of a data processing system.
3. How the data is used
Data is used anonymously as extensively as possible. The answers of the questionnaire are stored with an identification number and without any personal identification. This anonymous data is professionally analyzed only by Caliper employees. Only employees with the appropriate access rights are able to view and analyze the individual’s personal data. After the scoring by the Caliper IT Systems, trained consultants use the data to create a report. The report is maintained in a confidential, secure, access-controlled system. The report and the basic claim data (name, firm, etc.) are stored in two different IT systems and are merged for consulting purposes only. The IT connection information is used only by the IT department for working on continuous improvements to IT security.
4. Transfer to third parties
In Caliper’s processes, no third party is involved; Caliper never transfers the collected data to others. The final reports are given only to the person who ordered them, predominantly the clients, unless the client requests transmittal to a third party.
5. Storage and retention
The basic claim data (name, firm, language, etc.), the answers to the questionnaire, and the report are each stored separately. We keep the basic claim data for a minimum of 24 months after sending the report. This personal claim data is erased if the individual does not wish it to be kept on file. The answers to the questionnaires and the reports are kept anonymous and without connection to the individual for an unlimited time for the purpose of scientific research and product improvement. We also erase this data on demand of the individual.
III. Technical Security Measures
Caliper’s IT operates under a security guideline. All types of IT systems that are utilized by Caliper to store personal data are housed, maintained and operated in the central Caliper IT area in Princeton, New Jersey, USA and are managed under the general security guideline. Systems cannot be operated without compliance with these rules. The IT department is responsible for enforcing the necessary measures and for educating staff regarding these measures.
7. Access control (Entrance)
a) Server Room protection
The central processing and data storage servers in Princeton, NJ, USA are maintained in a specific secured environment with physical security provided in the form of video surveillance and a keypad lock with a PIN code controlled by IT management. Only authorized IT personnel are provided entry to this space. Any vendors servicing hardware in the server room are required to be accompanied by Caliper IT personnel. Both the main entrances to the building and the entrances used to access Caliper’s specific work spaces on specific floors are protected against burglary and access by non-authorized personnel with key-accessed magnetic locks and video camera surveillance on all entry doorways and elevators.
b) System hardware protection
Caliper systems are protected by firewall hardware and software. The settings are verified by penetration tests that check typical risk situations and typical danger moments for a system. In general, the effectiveness of the security settings is tested on an ongoing basis by Caliper network security personnel. Unique user identification numbers and passwords are required to access all networks and subsystems. Caliper does not store customer-specific data on laptops or any mobile devices. All Caliper employees must utilize identification numbers and passwords to access central processing and storage systems before they can subsequently gain entry to sub-systems and databases that house customer-specific and/or personal data.
c) System hardware and application access
Remote access to Caliper’s server environment, where the relational databases housing customer data and personal information are located, is provided to only a small number of employees in the IT department. All of these permitted individuals are employees of Caliper Corporation and subject to the supervision and direction of the Caliper IT departmental management. Caliper does not provide direct access rights to any Caliper vendors or customers. Access is established only over a secure connection. To establish a connection and gain access to a device, the user must be identified and confirmed as having the permissions to gain access. Identity management is operated using identification numbers, passwords and certificates. The password procedure adheres to the following rules: passwords must combine numerals and letters and be of appropriate length (between 8 and 20 characters); ordinary words, the individual’s name, telephone number, birth date, or other easily guessed passwords are forbidden. Periodic modification of users’ passwords is required, at a minimum every 120 calendar days. Only two Caliper IT managers possess the administrative rights and knowledge to establish permissions and administrative rights for Caliper employees. A user who forgets a password shall apply to the IT Department for a new password, which the information systems manager shall issue upon confirming the identity of the requesting user.
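The password rules stated above, expressed as a checker that an identity management system could run before accepting a new password. This is an added example written for this page, not Caliper’s own code; the word list, the sample user and the way the 120-day rotation limit is applied are assumptions.

```python
import re
from datetime import date, timedelta

# Limits taken from the policy text: 8-20 characters mixing letters and
# numerals, no ordinary words or personal details, rotation every 120 days.
MIN_LEN, MAX_LEN = 8, 20
MAX_AGE_DAYS = 120
# Constructed stand-in for a full dictionary of "ordinary words".
ORDINARY_WORDS = ("password", "welcome", "princeton", "caliper", "summer")
# Digit layouts in which a birth date commonly appears inside a password.
BIRTH_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d")


def password_violations(password: str, name: str, phone: str, birth: date) -> list:
    """Return the policy rules the candidate password breaks (empty list = accepted)."""
    problems = []
    low = password.lower()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be between 8 and 20 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must combine letters and numerals")
    for word in ORDINARY_WORDS:
        if word in low:
            problems.append(f"contains ordinary word '{word}'")
    # Any part of the user's name (first or last) is forbidden.
    if any(len(p) >= 3 and p in low for p in name.lower().split()):
        problems.append("contains the user's name")
    # Telephone number and birth date are compared on digits only, so
    # separators such as dashes or dots cannot hide them.
    phone_digits = re.sub(r"\D", "", phone)
    birth_digits = [birth.strftime(f) for f in BIRTH_FORMATS]
    runs = re.findall(r"\d{4,}", password)
    if any(run in phone_digits for run in runs):
        problems.append("contains part of the telephone number")
    if any(run in b for run in runs for b in birth_digits):
        problems.append("contains part of the birth date")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True once the password is older than the 120-day maximum."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    jane = ("Jane Doe", "+1-555-010-2233", date(1980, 3, 14))  # constructed sample user
    for candidate in ("Tr4ckside-92", "jane1980", "Caliper0102233"):
        print(candidate, password_violations(candidate, *jane) or "accepted")
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 5, 1)))
```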
8. Access control (rights)
Access to the personal data (e.g. assessee names, month and date of birth, name of employer, and responses to Caliper Profile questionnaires) is only provided to people with established permissions to view the information. The rights behind a permission are determined in light of the individual employee’s job function and relationship to the customer and/or data. Only department supervisors in the IT and Customer Service departments can make decisions about permissions for an employee and request that they are expanded or contracted. With this authorization and directive, rights are then expanded or contracted through reconfigurations performed by Caliper IT department personnel. Personal data gathered for the purpose of doing business is gathered via encrypted web pages completed by customers. The responses are stored in separate MS SQL Server databases at Caliper, Princeton, NJ, USA. Access to each database requires a separate and unique set of permissions. Simply stated, Caliper Corporation in Princeton, NJ, USA captures, separates, and stores the following:
1) Basic demographic data captured and stored for purposes of identification (e.g. First Name, Last Name, Company Name, Position Applied For, Month of Birth, Date of Birth)
2) The responses, or keystrokes, that are recorded when an assessee completes a personality questionnaire. These responses are compiled and are compared to a normative database, and then reported on in the form of a single page encrypted, encoded proprietary “score sheet”
The resulting “score sheets” are then transferred in an encrypted and secure manner to a Consultant/Account Advisor in the office that deals with the customer. The Consultants/Account Advisors then decrypt and interpret the coded score sheets, provide verbal interpretation to the customer, and generate a narrative report for consumption by the customer. This written report is stored in the local office and is not provided to Caliper Princeton, NJ, USA.
9. Transfer control
Every transfer of personal data between the data subject (the assessee) and Caliper is submitted via Caliper’s online assessment instrument, which captures the subject’s responses and provides them to Caliper Princeton, NJ, USA in an encrypted manner. When transferring personal data and storage media containing information assets between Caliper US and an international office, the media is protected against theft, misuse or defacement either via an encrypted VPN connection or in a non-electronic manner using a medium such as a courier service.
10. Availability control
All information housed on Caliper servers is incorporated into a corporate data backup policy. This policy includes a daily backup of all critical and personal data.
All personal data, customer-specific data, individual data, and subject-specific data is stored on a central server (SQL databases, CRM applications) and not on mobile devices, so that all data is included in the backup cycle.
11. Input control
The changing of configuration settings and the installation, changing, and erasing of access rights for the databases with personal data is controlled by just two Caliper IT managers and is recorded. These log files are stored for six months.
IV. Internal organization
12. Relevance in general
The department leaders are in charge of the realization and implementation of these guidelines in their departments (enforcing the rules). The manager of the IT department is responsible for the IT security rules (Section III). The manager of the Legal Department is responsible for the rights of data subjects (individuals) (Section V).
The Executive Committee is responsible for the enforcement (Section VI). Every department manager is responsible for the correct collection and usage of personal data (Section II).
14. Responsibility for data protection
Every office appoints a person who is the contact person for data protection. He/She receives all questions from outside and the complaints of individuals; he/she has the right to investigate and to make suggestions for improvements. Annually, he/she gives a report to the office management about developments in data protection.
V. Rights of data subjects
15. Information to individuals
Individuals have the opportunity to choose (opt in) whether their personal information can be used for supplemental research. This is done by consent. Individuals are advised that they need not answer these questions and that the answers, including whether they were answered at all, are not shared with the customer and do not impact the test results in any way.
This information is never shared with a third party.
17. Access to data
Individuals get access to their data as follows:
With their personal login on the Caliper platform, the individual can check and ensure the correctness of the stored information. The individual can change the basic data online. The answers to the questionnaires cannot be changed after submission, as this would be contrary to the purpose of the collection; the answers can, however, be changed before finishing each section of the questionnaire. Reports can be obtained by individuals from the local offices.
In other countries, please contact the office manager or the Caliper main office in Princeton, NJ, USA.
Individuals who feel that their privacy may have been violated based on the Safe Harbor privacy principles should contact the person in charge in the appropriate office (Section IV). Caliper also offers a contact form for complaints on the website. The receipt of a complaint will start an investigation in line with Section VI.
The statement is published and available for individuals on demand.
21. Handling of complaints
Individuals who feel their privacy is violated should contact the person in charge of data protection in the appropriate office. The person in charge has to record the content of the complaint and the contact data of the person in writing. He/She has all rights to investigate the situation, including the right to interview people and to see all relevant documents. He/She should ensure the confidentiality of the individual as far as possible. After the investigation, he/she must provide a (short) final report to the complainant. Involved department leaders should provide written comment. The procedure must be completed within 4 (four) weeks of the initial complaint. The individual receives an answer from the person in charge, including the final result. If threatened or subject to violence, the person in charge informs the office manager.
22. Dispute resolution
If the individual and Caliper do not agree in their judgment regarding a situation, a third party must be called upon. Because of this, Caliper cooperates with European Union Data Protection Authorities (DPA) in the following way:
- Caliper has elected to satisfy the requirement of the Safe Harbor Enforcement Principle by committing to cooperate with the DPAs.
- Caliper will cooperate with the DPAs in the investigation and resolution of complaints brought under the Safe Harbor.
- Caliper will comply with any advice given by the DPAs where the DPAs take the view that Caliper needs to take specific action to comply with the Safe Harbor Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
23. Remedial action
Non-compliance will be reversed or corrected by the Executive Board of Caliper.
In the event of a violation of the rules, Caliper is obliged to conform to the rules within 3 weeks. Caliper is in compliance with the rules of the DPA after acceptance and implementation of their recommendations and amendments. If data is collected and stored contrary to the guidelines without the express consent of the individual, this data must be deleted. If data is disclosed without authorization to a third party, the individual has the right to compensation of up to $20,000.
Employees who fail to adhere to the data protection policy must receive instruction in this area. In the event of a violation of an individual’s data protection rights, the Executive Board will take appropriate action against the responsible employees. In the event of serious or substantial harm by the violation, the individuals have the right to claim for damages in the US. If Caliper fails to comply with the principles 3 times in one year, it is no longer entitled to benefit from the Safe Harbor. The Executive Board of Caliper must notify the Department of Commerce and the DPAs.
For any questions or for further information, please contact: Dan Reiss Caliper Corp. 506 Carnegie Center, Suite 300 Princeton, NJ 08543 USA +1-609-524-1200