Privacy Notice

Introduction

This policy is very much a statement of principle which explains why and how data protection is vitally important to Yoke consultancy.

This policy achieves two aims.

First it sets out our commitment to the new standards for protecting personal data set by Regulation (EU) 2016/679 (otherwise known as the General Data Protection Regulation (GDPR)). Second, it shows how we implement that commitment in everything we do at Yoke from the collection, use, and processing of personal data through to its hosting, cloud-storage, and end-uses.

Our 12 Data Commitments:

Yoke is committed to:

Ensuring that we comply with the very latest data protection principles, as initially set out in the Data Protection Act 1998 and subsequently developed in the GDPR (and any successor legislation after the UK withdraws from the European Union);
Processing data-sets lawfully, fairly and in a transparent manner. Transparency for Yoke means clearly documenting our privacy statement, our cookie policy, this data protection policy, and being live to information security and reporting obligations in the event of a suspected data breach. In this way we are upfront with stakeholders, clients, their end-users, our strategic partners, and regulatory authorities including the Information Commissioner;
Living the new GDPR principle of accountability. In other words we are a corporately responsible company, acutely aware that we are in the business of information and compliance. Accordingly, our own internal standards regarding the control, processing and use of data have to meet and exceed these expected standards;
Acting with a clear and valid purpose when using personal data. We therefore handle personal data in order to meet our operational needs, to fulfil contractual agreements, to respond to system-critical issues and to adhere to a variety of legal obligations;
Delivering data optimisation (and data-minimisation where possible) in our work. We are an efficient, agile and lean business, so we seek to minimise data duplication and endeavour to remove obsolete data from our systems;
Establishing and honouring appropriate retention periods for holding on to personal data. Part of this necessarily means honouring individuals’ right to be forgotten where appropriate to do so;
Ensuring that our end-product is delivered accurately and without fuss whenever a data subject exercises his or her statutory right to call for and receive personal information held by Yoke about them;
Providing high quality security measures to protect personal data from unwanted exposure, hacking, manipulation or other form of unlawful activity, theft or abuse;
Ensuring that we provide a clear signal of leadership to our regulator, our clients and our peers by appointing our founder Rachel Fellowes as Data Champion for the business.
Embedding a culture of accountability and awareness which flows throughout the whole organisation rather than staying only with the most senior officers;
Ensuring that all staff are made aware of good practice and are trained in evolving data protection standards with the help of key strategic partners and external legal experts in the fields of corporate governance, information law, and compliance;
Ensuring that everyone at Yoke feels encouraged to raise concerns about data protection vulnerabilities – this will prompt internal dialogue about our standards so that we remain on top of our brief and aware of data protection issues going forward.

Information we collect

The types of personal data that Yoke may be required to handle depends on the services carried out. This can include information about current, past and prospective employees, suppliers, strategic partners, corporate clients, and end-users of Yoke services (who may be individuals). The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards.

Yoke collects this data from information:

Provided directly to us (when people join our organisation, contract with us, supply to us, or become a client)
Created when our services our used and we need to develop tools and a bespoke plan for a particular client
And on rarer occasions from other sources such as third parties and strategic partners (such as tax authorities, professional advisers, recruitment agencies)

Examples of information we may collect includes “identifiers” such as:

Business/company name
Job title
Contact information including email address and telephone
IP address
Web browser type
Operating system
Industry information
Client preferences
Client testimonials and feedback

Why and how we use personal information

Yoke collects and uses personal information to enable it first and foremost to function as an employer and company, responsible for its people, protecting shareholder-value, and delivering its corporate objectives. We also collect and use information for the effective delivery of our portfolio of services. Examples of how we use the information we collect:

To communicate with staff, clients, individual employees of a client, and others
To enhance the safety and security of our staff (through ID protocols)
For client support
For research and development
Personalising and tailoring experiences and service enhancement
To meet contractual obligations
To comply with applicable legal or regulatory requirements, which may include personal information, for example, where we are involved in legal proceedings, where we are complying with the requirements of the Information Commissioner or a court order, or a governmental authority. We do not require any further consent in order to share data in such circumstances and will comply as required with any legally binding request that is made of us.

Examples of information we may collect (subject to project scope and third party provider) includes:

Full name (first and last)
Date of birth, gender, height, weight
Self assessed wellbeing data, including:
– personalised responses to Yoke’s Human Sustainability Index assessment
– Self-documented events noteworthy of interest to the Subject
– Information about chronic diseases and medication provided by the Subject
Third party assessed wellbeing data, including:
– Activity class, maximum and resting heart rate, maximal oxygen consumption
– Heart rate measurements and diary entries created by the Subject during the measurement period, e.g. alcohol consumption, current and recent illnesses and medications
Contact information, e.g. address, email address and telephone number
Role type and Geographical location
Information about the employer, e.g. name, contact information and personnel group
Information about the use of the service
The results report created for the Subject based on the data analysis

Yoke does not sell or share personal information to third parties for third party direct marketing purposes.

Access & control of personal data

Yoke will ensure that any personal data we process is optimised and where possible minimised. By this we mean our data sets are accurate, adequate, relevant and not excessive, given the purpose for which they were obtained (rather than used for a whole series of unconnected and different purposes). We will not process personal data obtained for one purpose (recruitment and employment with us) for any unconnected purpose (marketing/sales exercises) unless the person concerned has agreed to this or would otherwise reasonably expect this kind of broader use of their data as part of a wider assessment of our legitimate interests as a business.

In all instances (unless otherwise agreed by the client) individual permission to collect personal data is obtained via either online consent at the start of an assessment or via a consent form at Programme Induction. This consenting process outlines the purpose and scope of the data collected and where relevant the sharing of personal data with Yoke’s third party providers (e.g. Firstbeat and the HSI Lab newsletter platform). The consent form outlines an individual’s ability to retract consent (via email to Yoke) at any stage throughout the process. Yoke will respond to the retraction request within 30 days of receipt.
Where relevant, if a programme is part of a sponsored initiative with a partner (e.g. an insurance provider) the consent form will also state what anonymised output will be shared with this additional party.

Data portability

Upon receipt of a subject access request, the individual making the request is entitled to receive a copy of the personal data in a structured, commonly used and machine-readable format (this will most likely be sent by email, or provided via USB to disc direct to you). We will endeavour to process without undue delay and within one month, provided the request is not particularly complex and it does not compromise the privacy of other individuals. In line with GDPR expectations, we will not charge for this service except in the most complex of cases.

Retention of data and the new right of erasure

Yoke retains information collected on its staff, clients, and employees at client organisations for the purpose of contract law, limitation periods, for follow up requests from people, or if necessary for its legitimate business interests, such as fraud prevention, trend-analysis, contract performance reviews, and enhancing the end-user experience at the end of a particular assignment or project.

Individuals may also request that any information we hold is deleted or removed (and we will upon receipt try our best to accommodate such request). There are certain circumstances in which we may have to refuse an erasure request, for example, in order to comply with a legal obligation under contract or legal proceedings, or in connection with a regulatory matter.

Please discuss with us if there are certain personal data sets or personal identifiers that are to be erased as per your preference – we will investigate if this is possible. You can also make choices about Yoke’s collection and use of personal data by informing and engaging with the our Data Champion Rachel (who will endeavour to respond in 30 days from the date of receipt of the request).

Security

Data integrity and cyber security is important to us. To protect personal data we have put in place suitable measures to safeguard our network, our data storage, and through the communication systems we use (voice, email, computing) as part of a responsible approach to the general conduct of our business.

Notwithstanding the security measures that we take, it is important to remember that the transmission of data over any IP connection or for example through a less secure email account will not be completely secure. Anyone doing business with or contacting Yoke is advised to take suitable precautions when transmitting information to us.

Links to our partner organisations

Our website may contain links, testimonials, or references to case studies and clients, which may encourage individuals to visit other websites of interest easily. You should note that we do not have any control over those other websites, and retain no liability nor responsibility for them. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this policy. You should exercise caution and review the privacy policy applicable to the website in question.

Updates to this policy

The world of risk management, information law, and corporate compliance is rapidly changing. We are pleased to be a business which is cognisant of those changes, and which sees the commercial value and the ethical value in being vigilant where data protection is concerned. Data protection is vitally important to us and to our clients. We therefore will periodically update this policy to reflect changes in the world around us.

For more information on the data collected or further detail on the items below, please get in touch via info@yokeconsultancy.com