Privacy Notice for BroadShield Customers using Myrus
Introduction
Welcome to BroadShield's privacy notice. We are committed to protecting your privacy and personal data. As a provider of workforce development solutions, using Myrus, BroadShield acts as a data processor on behalf of our Customers. This means we process personal data according to our Customers’ instructions to deliver and manage our services effectively.
Data protection is a shared responsibility between BroadShield (as the data processor) and our Customers (as the data controllers). Whilst BroadShield ensures that technical and organisational measures are in place to protect personal data processed through Myrus, our Customers are responsible for defining the purposes and legal bases for processing personal data, as well as responding to individual’s rights regarding their data.
This policy explains how we collect, use, and protect personal information when our Customers use our Myrus platform, which includes eLearning, Performance Management, and Competence Management and Apprenticeship modules. When delivering our services, we are the Data Processor of the personal data that you supply to Myrus under your contract with us.
Purpose of this Privacy Notice
This privacy notice aims to inform you about how BroadShield collects and processes personal data on behalf of our Customers through the use of the Myrus platform. This includes any data provided by the Customers about their employees, such as names, email addresses, information about learning and courses completed, and any other information uploaded in relation to the Performance Management and Competence Management modules.
Roles and Responsibilities
BroadShield: We act as the data processor for personal data processed through the Myrus platform on behalf of our Customers, who are the data controllers. This means we process personal data based on our Customers' instructions and assist them in meeting their obligations under data protection laws.
Customers (Employers): Our Customers are the data controllers responsible for determining the purposes and legal bases for processing personal data of their Delegated Users (employees). They are also responsible for managing Delegated Users' rights regarding their personal data. Delegated Users should refer to their employer's privacy notices/policies for comprehensive information on how their personal data is processed and protected.Â
Delegated Users:Â If you are a Delegated User whose personal data is processed through the Myrus platform by BroadShield on behalf of your employer (Customer), it is important to understand that your employer is responsible for managing and responding to your requests related to your personal data.
Â
Data Controller and Data Processor Information
For the purposes of the UK General Data Protection Regulation (UK GDPR), your employer (the Customer) is the data controller of your personal data. BroadShield acts as a data processor, processing your personal data on behalf of your employer.
Delegated Users
For questions regarding the handling of your personal data, please contact your employer directly as they are the data controller.
Personal Data We Collect
The type and frequency of any personal data collected will always depend on how our services are used.
When using the Myrus platform, we process various types of personal data on behalf of our Customers. The types of personal data collected and processed may include:
Identification Information
•         Name
•         Email address
Contact Information
•         Phone number (if provided)
Employment Details
•         Job title
•         Department
•         Manager/Supervisor
Personal Information
•         Date of birth
•         Gender
•         National insurance number
Learning and Course Information
•         Courses enrolled in and completed
•         Training schedules
•         Performance in assessments
•         Certifications achieved
Performance Management Data
•         Performance reviews and ratings
•         Feedback from managers and peers
•         Goals and objectives
•         Development plans
Competence Management Data
•         Skills assessments
•         Competence ratings
•         Training needs analysis
Technical and Usage Data
•         IP address
•         Browser type and version
•         Time zone setting
•         Operating system and platform
•         Log-in data and User activity on the platform
Other Information
Any additional information uploaded by the User in relation to Delegated User development and performance.
We collect this data directly from our Customers who input and manage the data on the Myrus platform. As a processor, BroadShield only processes this data based on the instructions of our Customers, the data controllers.
How We Collect Personal Data
BroadShield collects personal data in the following ways:
Directly from Our Customers
•         Our Customers input and manage their employees' data on the Myrus platform. This includes registration details, employment information, learning and performance data, and other relevant information.
•         Customers may also provide data directly to us via secured shared locations (e.g. SharePoint) during onboarding.
Through Automated Technologies
•         As employees interact with the Myrus platform, we automatically collect technical data about their equipment, browsing actions, and usage patterns. We collect this data using cookies, server logs, and other similar technologies. This includes:
o     IP addresses
o     Browser type and version
o     Time zone setting
o     Operating system and platform
o     Log-in data
o     User activity on the platform
From Third-Party Integrations
•         If our Customers choose to integrate third-party services with the Myrus platform (such as HR systems, email services, or other software applications), we may receive data from these third parties as instructed by our Customers.
Purpose and Legal Basis for Processing Personal Data
BroadShield processes personal data on behalf of our Customers for the following purposes and based on the following legal bases:
Provision of Services
To deliver and manage the Myrus platform and its features, including eLearning, Performance Management, Competence Management and Apprenticeship modules.
Legal Basis: Performance of a contract with our Customers.
Customer and Delegated User Management
To maintain and administer accounts for our Customers and their Delegated Users, including setting up profiles and managing access permissions.
Legal Basis: Performance of a contract with our Customers.
Training and Development Tracking
To track and manage learning activities, course enrolments, and completions for Delegated Users.
Legal Basis: Performance of a contract with our Customers.
Performance Management
To assist Customers in managing performance reviews, setting goals, and providing feedback for Delegated Users.
Legal Basis: Performance of a contract with our Customers.
Competence Management
To evaluate skills, identify training needs, and manage development plans for Delegated Users.
Legal Basis: Performance of a contract with our Customers.
Customer Support
To provide technical support and respond to inquiries from our Customers and their Delegated Users.
Legal Basis: Performance of a contract with our Customers.
Service Improvement
To analyse usage data and feedback to improve the functionality and User experience of the Myrus platform.
Legal Basis: Legitimate interests in improving our services.
Security and Compliance
To ensure the security and integrity of the Myrus platform and to comply with legal obligations.
Legal Basis: Compliance with a legal obligation and legitimate interests in maintaining platform security.
Communication
To communicate with Customers and their Delegated Users about updates, features, and service-related information.
Legal Basis: Performance of a contract with our Customers and legitimate interests in keeping Customers informed.
BroadShield processes personal data based on the instructions of our Customers and in compliance with applicable data protection laws. Our Customers, as data controllers, are responsible for ensuring that they have a valid legal basis for the collection and processing of personal data of their Delegated Users.
Data Sharing and Disclosure
BroadShield only shares personal data with third parties in accordance with our Customers' instructions and as necessary to provide the Myrus platform services. The circumstances under which we may share personal data include:
With Service Providers
We may share personal data with third-party service providers who perform functions on our behalf, such as IT services and data hosting. These providers are contractually obligated to safeguard the data and use it only for the purposes for which it was provided.
With Third-Party Integrations:
If our Customers choose to integrate third-party services with the Myrus platform (e.g., HR systems, email services, other software applications), we may share data with these third parties as instructed by our Customers. The integration and data sharing are governed by agreements between our Customers and the third-party service providers.
For Legal and Compliance Reasons
We may disclose personal data to comply with legal obligations, respond to legal requests, or protect the rights, property, or safety of BroadShield, our Customers, Delegated Users, or others. This includes:
•         Complying with applicable laws and regulations.
•         Responding to court orders, or other legal processes.
•         Enforcing our agreements and policies.
•         Protecting the security and integrity of the Myrus platform.
In Business Transfers
If BroadShield undergoes a business transition such as a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify our Customers of any such change in ownership or control of personal data.
With Customer Consent
We may share personal data with other third parties when we have the Customer’s explicit consent to do so. The scope and purpose of such sharing will be specified at the time of obtaining consent.
International Transfers
BroadShield does not process personal data outside of the European Union. All personal data is stored and processed within the EU.
BroadShield does not sell personal data to third parties. We ensure that any third parties with whom we share data are subject to appropriate data protection and confidentiality obligations.
Data Security
BroadShield takes the security of personal data seriously and implements appropriate technical and organisational measures to protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Here are some of the security measures we employ:
1.       Encryption: We use encryption technologies to protect personal data during transmission and at rest.
2.       Access Control: Access to personal data is restricted to authorised personnel and strictly based on roles and responsibilities.
3.       Data Minimisation: We collect and process only the personal data that is necessary for the purposes outlined in this privacy notice.
4.       Security Monitoring: We regularly monitor our systems for vulnerabilities and attacks to ensure the ongoing security and availability of our services.
5.       Training: We provide regular training to our employees on data protection and security best practices.
6.       Incident Response: In the event of a data breach or security incident, we have procedures in place to respond promptly to mitigate any potential impact and notify affected Customers as required.
While we take robust measures to safeguard personal data, it is important to note that no method of transmission over the internet or electronic storage is entirely foolproof so while we implement stringent measures to protect personal data, absolute security cannot be guaranteed.
Data Retention
BroadShield retains personal data only for as long as necessary to fulfil the purposes for which it was collected and processed, including as required by legal, regulatory, accounting, or reporting obligations. As we are a processor, we cannot keep data longer that is necessary unless specified by the Customer. We do not retain copies of data once the Customer account has been shut down. When you become a Customer we will retain information relating to your contract terms and our mutual business relationship as per our legitimate interests for up to 7 years.
Customer Data
We retain personal data related to our Customers as long as they maintain an active account with BroadShield and for a reasonable period thereafter as necessary to fulfil contractual obligations and legal obligations.
Personal data of Delegated Users on Myrus is retained for 3 months from the payment of the last invoice or the contract end date, whichever is later. This retention allows us to manage service-related issues and provide adequate support to our Customers.
Legal and Regulatory Requirements
We may retain personal data for longer periods as necessary to comply with legal obligations, resolve disputes, enforce agreements, and protect our rights.
Data Deletion
When personal data is no longer necessary for the purposes for which it was collected and there are no legal or regulatory requirements to retain it, we securely delete or anonymise the data.
Customers are responsible for determining the appropriate retention periods for the personal data of their Delegated Users and for ensuring compliance with applicable data protection laws.
Your Data Protection Rights
Under data protection laws, you have certain rights regarding your personal data. If you are a Delegated User whose personal data is processed through the Myrus platform by BroadShield on behalf of your employer (Customer), you may have the following rights:
1.       Access: You have the right to request access to your personal data and information about how it is being processed. BroadShield can provide guidance on how to request this information from the Customer, how holds the detailed records.
2.       Rectification: You have the right to request correction of inaccurate or incomplete personal data. BroadShield can assist in directing the request to the Customer for necessary corrections.
3.       Erasure: You have the right to request deletion of your personal data when it is no longer needed for the purposes for which it was collected, or if you withdraw consent (where applicable) and there is no other legal ground for processing. BroadShield will facilitate this request by informing the Customer, who will manage the process.
4.       Restriction: You have the right to request restriction of processing of your personal data under certain circumstances, such as when the accuracy of the data is contested or processing is unlawful. BroadShield will refer such requests to the Customer for assessment and action.
5.       Portability: You have the right to receive the personal data concerning you, which you have provided to BroadShield, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller. BroadShield can facilitate this process by coordinating with the Customer to provide the data.
6.       Objection: You have the right to object to processing of your personal data, including profiling, unless BroadShield demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms. BroadShield will notify the Customer of the objection.
7.       Withdrawal of Consent: If you have provided consent to the processing of your personal data, you have the right to withdraw your consent at any time.  BroadShield will notify the Customer of a withdrawal request and will cease processing the Delegated User’[s personal data for the specified purposes as instructed by the Customer.
Exercising Your Rights
To exercise any of these rights, please contact your employer (the Customer) directly, as they are the data controller responsible for managing your personal data. The Customer is responsible for responding to your requests and taking appropriate actions regarding the personal data processed through the Myrus platform.
If you need assistance or have questions about how your personal data is processed through the Myrus platform, you can also contact BroadShield using the contact details provided below.
Contact Us
If you have any questions, concerns, or requests regarding this privacy notice or the processing of your personal data, you can contact us at:
BroadShield Ltd
Address: Â Â Â Â Â Â Â Â 1st Floor Bank House, Primett Road, Stevenage, Hertfordshire, SG1 3EE
Email: Â Â Â Â Â Â Â Â Â support@broadshield.co.uk
Phone: Â Â Â Â Â Â Â Â 0345 8801818
Â
Issue 1 June 2024