Privacy Notice

WorkingWell have been processing Assessment Tools for over 25 years and recognise your right to privacy. Not only do we have a legal duty, but we strongly believe in our ethical obligations too. We take all necessary security precautions to make sure any information we collect about you remains private and is held in accordance with applicable data protection and privacy laws. Our ICO Data Protection registration number is ZA026672. We are Cyber Essentials Certified and proud to be JOSCAR and FSQS Accredited.

This notice applies across all websites that we own and operate and all services we provide, including our online workplace wellbeing services, and any other services or products we may offer (for example, webinars training, coaching, counselling services, etc).

Contact

Questions, comments and requests regarding this privacy policy should be addressed to team@workingwell.co.uk or mail WorkingWell Ltd, 1-2 Bolt Court, London, EC4A 3DQ, United Kingdom.

How we collect your information

When you visit our websites or use our services, we collect certain information about you. The ways we collect it can be broadly categorised into the following:

Information you provide to us directly through our company website: When you visit or use some parts of our website we might ask you to provide personal data to us. For example, we ask for your contact information when you sign up for a free download, join us on social media, take part in events, contact us with questions or request support. If you don’t want to provide us with personal data, you don’t have to, but it might mean you can’t use some parts of our websites or services.

Information you provide to us directly through our online platform(s): We use our online platform (called Unity), to collect and process your responses to our online questionnaires. We will provide an introduction to each questionnaire so that you know what purpose it is being used for. You will be asked to confirm your consent at the start of each questionnaire which will set out what will happen to your data and whether it will be shared with your organisation.

Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible (e.g., by personalising the content you see).

Some of this information is collected using cookies and similar tracking technologies.

Information we get from third parties: The majority of information we collect, we collect directly from you. Sometimes however we might be provided with additional information about you from your organisation such as department, grade, job function, etc. We use this information to supplement the personal data you provide us with, in order to better inform, personalise and improve our personal profile to you and the anonymised group reports to your organisation.

What type of information we collect and what we do with it

Where we collect personal data, we’ll only process it:

  • to perform a contract with you, or you and your organisation, or

  • where we have legitimate interests to process the personal data and they’re not overridden by your rights, or

  • in accordance with a legal obligation, or

  • where we have your consent.

If we don’t collect your personal data, we may be unable to provide you with all our services, and some functions and features on our websites may not be available to you.

Contact information such as name and email address

WorkingWell uses contact information to:

  • Provide services where an email account is required in order to sign up. We consider this to be a contractual obligation.

  • Improve our services by requesting feedback from users. We consider this to be a legitimate interest but you still have the right to object.

  • Support and troubleshooting, if required. We consider this to be a contractual obligation.

  • Update and inform e.g. to send email reminders, provide release updates and support communications. We consider this to be a contractual obligation.

Demographic information such as department, grade, age, gender

  • If you are part of an organisation account, data may be presented to your organisation for the purpose of identifying patterns and trends across different groups. Data will always be anonymous and not personally identifiable unless you have specifically given your consent by clicking through an Informed Consent at the start of the questionnaire.

Device information and technical characteristics such as operating system, time zone, IP address and HTTP codes

WorkingWell uses device information and technical characteristics to:

  • Improve the product by understanding what operating systems and devices we should support as well as the uptake and impact of new product releases. We consider this to be a legitimate interest but you still have the right to object.

  • Support and troubleshooting, if required. We consider this to be a contractual obligation.

  • Keep your data safe and secure. We consider this to be a legitimate interest but you still have the right to object.

Questionnaire data such as your answers to questionnaires in the platform about energy, resilience and wellbeing 

WorkingWell uses your questionnaire answers to:

  • To provide you with a score for the online questionnaires you complete. They are also used to recommend personal goals and details of your company employee assistance contact details if required. We consider this to be a contractual obligation.

  • In order to use our platform, you must give consent to process this data. Not providing your consent will prevent you from continuing with the questionnaire.

  • Support and troubleshooting, if required. We consider this to be a contractual obligation, but still require consent.

  • If you are part of an organisation account, data may be presented to your organisation for the purpose of identifying patterns and trends across different groups and provide insights into overall company wellbeing. Data will always be anonymous and not personally identifiable unless you have specifically given your consent by clicking through an Informed Consent at the start of the questionnaire.

Usage such as last login, when you start/finish a questionnaire and error reporting

WorkingWell uses usage data and error reporting and logs data to:

  • Support and troubleshooting if required. We consider this to be a contractual obligation.

  • Create a more reliable and stable product for our users. We consider this to be a legitimate interest but you still have the right to object.

  • Keep our servers secure and your data protected. We consider this to be a legitimate interest but you still have the right to object.

Information we share with third parties

Information in relation to an organisation account

WorkingWell platform(s) are designed for companies, organisations and workplaces, who make the platform(s) available to their employees or members of their organisation. If you have registered to use the platform(s) through a code or other registration credential provided by a company or organisation (“organisation account”) the organisation will have access to aggregated usage information. We go to great lengths to make sure that the information shared with your employer or organisation is not personally identifiable unless you have specifically given your consent by clicking through an Informed Consent at the start of the questionnaire.

Groups with fewer than 6 members will not be aggregated into a group level report without prior consent from everyone in the group to protect the identity of individuals in that group. Their responses will be counted in any overall aggregations.

The data is used by your employer to inform their wellbeing strategy and understand the uptake of the platform(s)across the organisation. This will help your employer create a better working environment for you, and all of their staff. We require your consent to process your information for this purpose.

Our Duty of Care

We do, however, have a duty to ensure that you, and others, are safe from serious harm. As a result of this, there may be very exceptional circumstances when, if we believe that you or someone else is at immediate and significant risk, or if the law requires us to do so, that the normal limits of confidentiality are required to be overridden. In these circumstances we would be required to inform relevant parties of such risk and any decision will always be made in your best interest and with your knowledge and consent as far as possible. Where this applies, you will be notified within the informed consent prior to completing the questionnaire. If you don’t want to provide us with this consent, you don’t have to, but it might mean you can’t use some parts of our websites or services.

Third party data controllers and processors outside the EEA

We do not share data with any third party recipients who may collect and/or process the data. We will not disclose any data to government agencies except where required by law.

Data Storage

How we keep your personal information safe and secure

WorkingWell understands that it is a privilege to have you as a user of our systems and is committed to protecting your personal information. Our security standards are in line with industry "best practices" to protect our systems and the information stored on our servers against loss, unauthorised access and misuse.

  • We maintain appropriate physical, electronic and procedural safeguards to protect an individual’s data. This includes firewalls, individual passwords and encryption. We take all appropriate measures to safeguard an individual’s data against unauthorised or unlawful processing and use, accidental loss, destruction, damage, theft, disclosure or modification and to ensure its integrity.

  • We do not share sensitive information to any third party without an individual’s specific consent or unless required by law.

  • Our security practices are reviewed on a regular basis and we routinely update our security technologies to ensure that your data is protected.

Any information users provide to us through our questionnaire platform is hosted by https://www.voltadatacentres.com who use state-of-the-art, multi-layered security methods, and in accordance with applicable privacy laws. Their accreditations which include ISO27001 can be found here https://www.voltadatacentres.com/about-volta/accreditations-and-certifications/

In addition, we use the following controls to safeguard your personal information:

1.     Use of security controls to restrict access to databases housing personal information,

2.     Use of encryption for sensitive personal information, such as user names and questionnaire responses and personal identifiers,

3.     Restrict employee access to databases containing personal information and impose confidentiality requirements upon employees who do.

4.     Use of a hardware firewall appliance which blocks access to unauthorised ports on the server. Stateful packet inspection, Application layer gateways and advanced DOS protection provide best of class network security protection from potentially malicious traffic.

5.     Administrative access is restricted to authorised management work stations based on IP address. Remote Desktop is used providing an encrypted administrative session to protect against man-in-the-middle or sniffing attacks.

Personal, Group and Aggregate Reporting

Anonymised group and aggregate data is available to the client organisation and WorkingWell for group analysis and generation of management reports. The following measures are used as a means to protect the privacy of individual data within a group selected for analysis:

1.     Exporting personal data for group analysis removes all identifiers required to access individual data.

2.     The number of users in a selected group report must meet the minimum group size of at least 6.

Please note that by completing any of our online questionnaires, you are granting us permission to use the anonymised data for statistical analysis and general reporting of group data as outlined in the informed consent you are asked to complete at the start of each questionnaire. However, please be assured that your personal data is completely private and confidential. Nobody within the client organisation will ever see your individual answers or results unless you have specifically given your consent by clicking through an Informed Consent at the start of the questionnaire. WorkingWell will not share any personally identifiable or private information submitted online with any third party unless stated. You have a right to withdraw this consent at any time by emailing team@workingwell.co.uk.

Access to report generation is restricted to administrators designated by the client organisation and who have been granted express permissions to generate group reports within certain designated parameters as assigned by WorkingWell.

Passing information between your computer and the server

When you login to any WorkingWell web based solution, you start a private session between your browser and the server hosting your application. For the period of time that you are actively involved in your session, you will be issued an application and language cookie. All personal information contained in HTTP headers sent between your browser and the server will be encrypted.

We treat any personal information that may be contained in cookies with the same level of confidentiality as other information you provide to us.

Passing information from your profile to other parties

The whole process is strictly confidential and nobody within the client organisation will see your completed questionnaire or your individual responses unless you have specifically given your consent by clicking through an Informed Consent at the start of your questionnaire.

Individual data cannot be accessed directly by the client organisation and unless specified, the only information they will receive will be the aggregate group reports and any suggestions for improvement that you have provided. WorkingWell will not share any personally identifiable or private information submitted online unless stated in the consent notice.

The profile data from your assessment sessions is stored on the server hosting our application. It is not provided to any other external party for any reason. There are no advertisers or other external commercial interests on any WorkingWell site, other than the client organisation offering this service to you.

All communications with the database server are via Secure Sockets (HTTPS).

Links to other sites

WorkingWell sites may be linked from and linked back to a site maintained by your employer who has made the assessment systems available for your use. Your employer may have security systems in place to prevent access to other internet sites available to the public. It is the responsibility of your employer to control access to other sites on the Internet.

WorkingWell is not responsible or liable for the practices of such other sites, including the privacy practices of such sites. You should read the privacy policies of each site you visit to determine what information that site may be collecting, using or disclosing about you.

Optional Services

In some implementations of our products, the client organisation may offer incentives, external services or professional resources to support you in making positive changes that can reduce your risks and improve your health.

These offers may be based on your profile data and will be presented to you for your consideration in connection with your WorkingWell experience. Where such offers require you to provide your e-mail or other contact information, you can choose to accept or decline participation. Such offers are the sole responsibility of the client and are not provided by WorkingWell.

Retention

The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it.

We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices. Following that period, we’ll make sure it’s deleted or anonymised.

Your data protection rights

It’s your personal data and you have certain rights relating to it. 

As outlined earlier, we have a lawful basis for processing your data, but you also have the right to:

  • know what personal data we hold about you, and to make sure it’s correct and up to date

  • restrict the processing of your personal data where you have a particular reason for wanting the restriction e.g. while you wait for your data to be corrected. Please let us know by emailing us.

  • withdraw from our products and services or wish to remove the information which we hold about you, Please let us know by emailing us.

  • request a copy of your personal data, or ask us to restrict processing your personal data or delete it

  • object to our continued processing of your personal data

You can exercise these rights at any time by sending an email to team@workingwell.co.uk.

When it comes to marketing communications, you can ask us at any time not to send you these – just send your request to team@workingwell.co.uk

If you’re not happy with how we are processing your personal data, please let us know by sending an email to team@workingwell.co.uk. We will review and investigate your complaint and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint. You are not required to pay any charge for exercising your rights.