Diagnostic privacy notice
For the purposes of data protection laws in the UK and EU, Mind Gym plc (referred to as “Mind Gym”, “we”, “us” and “our” in this notice) is the controller of personal data we collect in connection with our surveys. See the Introduction section for our company details and the Contact section for our contact details.
We collect the following types of personal data in connection with your use of the Diagnostic:
• Technical user data: information automatically collected by our platform when you use the Diagnostic, including your device’s IP address and your completion status (not started/started/completed).
• User login data: your name (first and last name) and work email address, which you submit when you register on the Diagnostic to set up your user account.
• Job role data: information about your job which you submit in response to questions in the Diagnostic, which may include your job role/level, length of time in role, office location and the number of people you manage.
• Diagnostics data: information relating your behaviour, experience, judgement and decisions at work, which you submit in response to questions in the Diagnostic.
• 360° reviewer data: you may be asked to provide information relating to your 360° reviewers, including their first and last name, email address and relationship to you (manager, direct report, peer), and your 360° reviewers may provide feedback on your behaviour, experience, judgement and decisions at work, IF this is a feature of the Diagnostic and you choose to request 360° reviewer feedback using the Diagnostic.
• Personalised report data: your name and work email address, psychometric data about you (including a unique profile) relating to your behaviour, experience, judgement and decisions at work, which is generated by the Diagnostic using the diagnostics data you submit, plus your reflections on the report, IF you choose to submit any.
• Support request data: information contained in any request for support or communications between you and our support team such as your name and email address, date and time of your request or communication and details of your support request.
Information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation or genetic or biometric data is known as ‘special category personal data’. The Diagnostic questions do not specifically ask for this type of information, but you may choose to provide it in the free-text questions within the Diagnostic.
Below we describe the purposes we use the personal data for, the types of personal data we use for those purposes and our legal bases for doing so.
| Purpose | Type of personal data used | Legal basis |
|---|---|---|
| Enabling, monitoring and controlling user access to the Diagnostic. | Technical user data, User login data | Legitimate interests – enabling our clients’ users to access and use the Diagnostic and ensuring the security and integrity of the Diagnostic and information stored within the Diagnostic. |
| Compiling a personalised report for you, which you will be able to view and print via your Diagnostics user account. | Technical user data, User login data, Job role data Diagnostics data, 360° reviewer data (if you request this), Personalised report data | Legitimate interests – our interests in providing our products and services to our clients. Explicit consent in respect of any special category personal data included in diagnostics data via free text questions. |
| Producing an aggregate report for your employer with a breakdown of the overall results, derived from data obtained from you and from your colleagues. | Job role data, Diagnostics data, 360° reviewer data Support request data (in each case anonymised and aggregated so that individual users cannot be identified) | Legitimate interests – reporting to our clients to enable them to assess the success and value of the Diagnostic and have oversight of their employees’ engagement, progress and attainment. |
| Running statistical analyses to evaluate trends for different industries, job roles/levels and employer types and to compile and improve accuracy of the Diagnostic benchmarking data which we may provide to your employer and our other clients as part of our service offering. | Job role data, Diagnostics data,360° reviewer data (in each case anonymised and aggregated so that individual users cannot be identified) | Legitimate interests – our interests in providing our products and services to our clients. |
| Analysing users’ use of and feedback on the Diagnostic and producing other anonymised aggregate reports to inform improvement and development of the Diagnostic and other/new Mind Gym products and services. | Technical user data, User login data, Job role data, Diagnostics data, 360° reviewer data, Support request data (in each case anonymised and aggregated so that individual users cannot be identified) | Legitimate interests – our interests in improving and developing our products and services. |
| Helping users to use the Diagnostic and resolving any problems with accessing and using the Diagnostic. | Support request data | Legitimate interests – our interests in providing a convenient platform for our clients’ employees to access the Diagnostic and our clients’ interests in their employees having a convenient platform to access the Diagnostic. |
Who does Mind Gym share the personal data with?
Service providers
We use a number of service providers to provide the Diagnostic. We have set out below the service providers we use, the services they provide and the types of personal data they might process. These service providers only process personal data in accordance with our instructions and only to the extent necessary to provide their services, and their processing is subject to contracts with us to ensure they process personal data in accordance with data protection laws in the UK.
| Service provider | Service provided | Types of personal data used |
|---|---|---|
| Seven49.net AG | HTML-PDF conversion (to provide downloadable/printable personalised reports) | Personalised report data |
| Jira Service Desk | Support desk ticketing | Support request data |
If you contact our support team for help with using the Diagnostic, they will receive your support request data and, depending on the nature of your support request, might access data within your Diagnostic account with your permission to help resolve problems, for example using a remote connection to your device.
Your employer will not have access to your personalised report or any of the information stored within your Diagnostic user account, and we will not share any of this information with your employer.
However, we will derive anonymous statistical data from technical user data, job role data, diagnostics data, 360° reviewer data and support request data for the purposes of reporting to your employer in respect of its employees’ engagement, progress and attainment (as a cohort rather than as individuals). The data we use for this purpose is anonymised so that it is no longer possible to identify the individuals to whom it relates. Analysis data shared with your employer will always meet a minimum group size of participants in order to retain anonymity. It will not be possible to combine multiple groups to isolate an individual participant.
Our use of the service providers referred to above involves transfers outside the UK, as some are based outside the UK and their service infrastructure involves processing of data by them and their subcontractors in various countries outside the UK. We ensure that any transfers we make to our service providers comply with the conditions for transfers stipulated by data protection law, including making transfers subject to Standard Contractual Clauses or Adequacy Decisions. If you would like to know what that means in respect of your personal data collected via the Diagnostic, please contact us by emailing dpo@themindgym.com.
We will retain the data we obtain via the Diagnostic only for so long as is necessary for the purposes described in this notice. The applicable retention periods are set out in our Data Retention Policy. If you would like to know what that means in respect of your personal data collected via the Diagnostic, please contact us by emailing dpo@themindgym.com.
You have various rights under data protection law in respect of our processing of your personal data. Please see our website privacy notice for detail about these rights and how to exercise them. Please contact dpo@themindgym.com with any requests, questions or concerns relating our use of your personal data.
Any changes we make to this privacy notice in the future will be posted on the Diagnostic and, where appropriate, notified to you by e-mail or other suitable method.
Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to dpo@themindgym.com.