Last revised 30/01/2020
Interact Learning Pty Ltd ABN 20 095 674 28 & Flexible Learning Network Limited NZBN 9429034435434 trading as Kineo (Sitepass a product created by Interact Learning (Sitepass)) and all other subsidiaries, business units and entities associated with The City and Guilds of London Institute (City & Guilds Group) (we, us, our) are part of the City & Guilds Group (C&GG) and are committed to data security and the fair and transparent processing of Personal Information or Personal Data (herein Personal Information) when providing services to corporate and government Clients across Australia, New Zealand, the United Kingdom and the United States of America.
Interact Learning Pty Ltd ABN 20 095 674 28 & Flexible Learning Network Limited NZBN 9429034435434 trading as Kineo (Sitepass a product created by Interact Learning (Sitepass)) (we, us, our) are part of the City & Guilds Group and are committed to data security and the fair and transparent retention and use of “personal information”, “personally identifiable information” or similar terms or words with similar meaning or effect (hereinafter, collectively “personal information”) relative to residents in the United States of America (“U.S.”) who are afforded legal protections under U.S. federal law or any individual U.S. state laws. Among other protections for personal information of U.S. residents received or maintained by Sitepass, Sitepass will:
- Take reasonable measures to protect the personal information that we hold, including maintaining industry standard electronic protections (such as encryption, firewalls, anti-virus software, access controls and both login and password protection), using secure credit, debit and payment processing facilities, retaining any paper documentation in secure on-site or archived off-site facilities, and ensuring and complying with secure office access, personnel security and training and workplace policies;
- Maintain and regularly update on not less than an annual basis a confidential written information security plan (“WISP”) that identifies such protections and annually updates the foregoing processes;
- Promptly destroy or permanently de-identify personal information that is no longer needed for any purpose by City and Guilds Group in compliance with applicable US federal and state laws; and
- Promptly identify any unauthorized access to and/or breaches of personal information and promptly comply with any US laws relative to security breach reporting or other obligations applicable to Sitepass users and client companies.
Please read this Policy carefully as it contains important information on who we are, how and why we collect, store, use and share Personal Information, your rights in relation to your Personal Data, how to contact us and supervisory authorities in the event that you would like to report a concern about the way in which we process your Personal Information.
We are required to comply with all privacy laws applicable in the jurisdiction in which you reside (including, but not limited to, the Australian Privacy Principles (APPs), the Privacy Act 1988 (Cth) in Australia, the Privacy Act 1993 in New Zealand, Data Protection Act 2018 in UK, General Data Protection Regulation (EU) 2016/679 (GDPR) and all applicable US legislation). The APPs regulate the way Personal Information is handled. We are also required to comply with more specific privacy legislation in some circumstances, such as applicable State and Territory health privacy legislation, the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
For the purposes of the GDPR, ‘we, us, our’ refers to the ‘processor’ of the Personal Information you provide to any entity within the City & Guilds Group.
Kineo, & City & Guilds (“we”, “our” or “us”) has subscribed to the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Kineo, & City & Guilds adheres to the Privacy Shield Principles including the Supplemental Principles, (collectively, the “Privacy Shield Principles”) for Personal Information received from entities in the European Economic Area (the “EEA”) and the United States of America.
If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles as concerns the Personal Information received under the Privacy Shield, the Privacy Shield Principles shall govern to the extent of the conflict. To learn more about the Privacy Shield program visit www.privacyshield.gov, and to view our certification, please visit https://www.privacyshield.gov/list.
For the purposes of this Privacy Shield Policy:
“Personal Information” means personal or sensitive information (as those terms (or similar terms) are defined in the jurisdiction in which the Client resides including, but not limited to the Australian Privacy Principles (APPs), the Privacy Act 1988 (Cth) in Australia, the Privacy Act 1993 in New Zealand, Data Protection Act 1998 in UK, General Data Protection Regulation (EU) 2016/679 (GDPR) and all applicable US legislation) or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.
What types of information and Personal Information/Personal Data do we collect?
We may collect and process the following Personal Information/Personal Data, which is reasonably necessary for, or directly related to, one or more of our functions or activities:
Information you provide to us:
- complete a form on one of our Websites;
- answer questions on one of our Websites;
- complete a survey;
- correspond with us by phone, e-mail, or in writing;
- report a problem;
- sign up to receive our communications;
- create an account with us;
- enter into a contract with us to receive products and/or services,
we may collect your name, gender, e-mail address, postal address, telephone number, job role, driver’s licence and/or passport details, student ID number username, password, security question and answer, work site details such as name, and address. If we need to communicate with you, we may collect your email, residential and postal addresses and telephone numbers if a work site we may collect your work site phone number and your worksite contact email. If you apply to enrol in a training course or otherwise access our services, we may collect details of your employment and employer (or, if you are a contractor, your head contractor), training and compliance history, qualifications, banking and payment details.
Other information we collect about you
If you visit any of our Websites, we may automatically collect the following information:
- technical information, including the internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit to our Websites such as the products and/or services you searched for and view, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
How we collect information and Personal Information about you
We will collect information about you, and when we collect Personal Information about you it will be by lawful and fair means, as follows:
- directly from you in person, over the phone, through written communications (either on paper or electronic) or by you completing forms or answering questions on our Websites;
- from third parties if it is unreasonable and impracticable for us to collect it from you, including your employer, (or, if you are a contractor, your head contractor), direct marketing database providers, government agencies, our related companies and your authorised representatives;
- from our own records of your use of our services which we have collected from you.
Information and Personal Information we receive from other sources
We may also receive information about you, and Personal Information about you that is collected from you, if you use any of the other websites we operate or the other services we provide.
If it is unreasonable and impracticable for us to collect any Personal Information from you and you are a tutor, apprentice, learner, contractor or supplier we may also receive Personal Information or other information about you from your centre, training provider, or employer when they register to receive products and/or services from us, or a supplier or contractor when you register to receive products and/or services from us.
We use this information to help us improve our services. We may aggregate this information for our own statistical purposes. Provided that it remains anonymous, we may disclose that aggregated information to third parties or publish it for marketing or research purposes.
Information about other people
If you provide information to us about any person other than yourself, such as your relatives, next of kin, your advisers, your suppliers or contractors, you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.
Sensitive personal information
In certain limited cases, we may collect certain sensitive personal information from you (that is, information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or activities, physical or mental health, sexual life or orientation, or genetic or biometric data for the purpose of uniquely identifying a natural person) in one of the relevant ways described above. However, we will only do so on the basis of your explicit consent (being a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of your agreement to the processing.
Site visit information
We may record your server address, the date, time and duration of your visit, search terms you used, the pages you viewed, any documents you downloaded and the type of device, browser and operating system you used.
How do we use your Personal Information?
When we ask you to supply us with Personal Information we will make it clear whether the Personal Information we are asking for must be supplied so that we can provide the products and services to you, or whether the supply of any Personal Information we ask for is optional.
Contract performance: we may use your Personal Information to fulfil a contract, or take steps linked to a contract:
- to provide the products and/or services to you;
- to communicate with you in relation to the provision of the contracted products and services;
- to provide you with administrative support such as account creation, security, and responding to issues; and
- provide you with industry information, surveys, information about our awards and events, offers and promotions, related to the products and/or services.
Legitimate interests: where this is necessary for purposes which are in our, or third parties, legitimate interests. These interests are:
- providing you with newsletters, surveys, information about our awards and events, offers, and promotions, related to products and services offered by a member of the City & Guilds Group which may be of interest to you;
- communicating with you in relation to any issues, complaints, or disputes;
- mproving the quality of experience when you interact with our products and/or services, including testing the performance and customer experience of our Websites;
- performing analytics on sales/marketing data, determining the effectiveness of promotional campaigns.
- send you newsletters, surveys, information about our awards and events, offers, and promotions, related to products and services offered by a member of the City & Guilds Group which may be of interest to you;
- developing, improving, and delivering marketing and advertising for products and services offered by a member of the City & Guilds Group.
The main purposes for which we collect, hold, use and disclose Personal Information are:
- to identify you and verify your identity;
- to communicate with you about our services;
- to provide our services to you, including:
- facilitating your enrolment in online training; facilitating your access to online training materials;
- verifying and validating your compliance history;
- facilitating your communications with others via our Websites; and
- obtaining payment for our services;
- for purposes required or authorised by or under law;
- to help us improve our services;
- for any other purposes that you have consented to.
NOTE: you have the right to object to the processing of your Personal Information on the basis of legitimate interests as set out below, under the heading Your rights.
Where required by law: we may also process your Personal Information if required by law, including responding to requests by government or law enforcement authorities, or for the prevention of crime or fraud.
Who do we share your personal data with?
We may share your personal data with members/entities forming part of the City & Guilds Group. You can read more about our group companies at www.cityandguildsgroup.com
We take all reasonable steps to ensure that our staff protect your personal data and are aware of their information security obligations. We limit access to your personal data to those who have a genuine business need to know it.
We may also share your personal data with trusted third parties including:
- legal and other professional advisers, consultants, and professional experts;
- service providers contracted to us in connection with provision of the products and services such as providers of IT services and customer relationship management services; and
- analytics and search engine providers that assist us in the improvement and optimisation of our Websites.
We will ensure there is a contract in place with the categories of recipients listed above which include obligations in relation to the confidentiality, security, and lawful processing of any personal data shared with them.
We may disclose your Personal Information to any of the organisations that we deal with in the ordinary administration of our business for the purposes set out above, including:
- your employer, (or, if you are a contractor, your head contractor);
- financial institutions;
- our service delivery partners, including:
- information technology service providers (including cloud services providers);
- mailing houses, postal, freight and courier service providers;
- printers and distributors of client communications;
- external business advisers (such as recruitment advisers, auditors and lawyers).
In each case, we may disclose Personal Information or data to the service provider and the service provider may in turn provide us with Personal Information collected from you.
We may de-identify and aggregate the Personal Information of you and others for our own statistical purposes. Provided that it remains permanently de-identified, we may disclose that aggregated information to third parties or publish it for marketing or research purposes.
If you apply for a job with us, we may discuss your application with your nominated referees.
If you have an online account via any one of our Websites, and you need to change your privacy settings of your account, you will need to contact us, some of the Personal Information in your user profile may be disclosed to other users.
If you post comments or otherwise communicate publicly with other users via any of our Websites, any information about yourself that you include in the communication may be stored on that Website and accessed by other users. For this reason, we encourage you to use discretion when deciding whether to post any information that can be used to identify you.
Australia / New Zealand / United States / South Africa
Where a third-party recipient is located outside Australia, New Zealand, the United States of America and/or South Africa, we will ensure that the transfer of Personal Information will be protected by appropriate safeguards, to comply with the requirements of applicable privacy laws in the relevant jurisdiction and any provisions of the Privacy Act and the Australian Privacy Principles, the requirements of the Privacy Act 1993 in New Zealand and any applicable privacy laws in the United States and South Africa that apply to cross border disclosures.
European Economic Area
Where a third-party recipient is located outside the European Economic Area, we will ensure that the transfer of Personal Information will be protected by appropriate safeguards (including but not limited to compliance with the Data Protection Act 2018 in UK and General Data Protection Regulation (EU) 2016/679 (GDPR)), namely the use of standard data protection clauses adopted or approved by the European Commission where the data protection authority does not believe that the third country has adequate data protection laws.
We will share personal data with law enforcement or other authorities if required by applicable law.
How long will we keep your personal data?
Where there is a contract between us, we will retain your personal data for the duration of the contract, and for a period of six years following its termination or expiry, to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements, or any orders from competent courts or authorities.
Direct marketing Where we have your express or implied consent, or where we are otherwise permitted by law, we may use your Personal Information to send you information about the services we offer, as well as other information. We may send this information by mail, email, SMS and telephone.
Marketing and events-related communications We may send you email marketing communications about City and Guilds Business, Kineo, Oxford Group products and services, invite you to participate in our events or surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with the consent requirements that are imposed by applicable law. When we collect your business contract details through our participation at trade shows or other events, we may use the information to follow- up with you regarding an event, send you information that you have requested on our products and services and, with your permission, include you on our marketing information campaigns.
Interest-based advertising when you visit our Sites or online services, both we and certain third parties collect information about your online activities over time and across different sites to provide you with advertising about products and services tailored to your individual interests (this type of advertising is called “interested-based advertising”). These third parties may place or recognise a unique cookie or other technology on your browser (including the use of pixel tags). Where required by applicable law, we will obtain your consent prior to processing of your information for the purpose of interest-based advertising.
You may see our ads on other websites or mobile apps because we participate in advertising networks. Ad networks allow us to target our messaging to users based on a range of actors including demographic data, users’ inferred interests and browsing context (for example, the time and date of your visit to our Sites, the pages that you viewed, and the links that you clicked on). This technology also helps us track the effectiveness of our marketing efforts and understand if you have seen one of our advertisements.
We work with Google Ads, Google Display Network, LinkedIn & Twitter and other advertising networks.
Opting out You can opt out of receiving these communications at any time, in the following ways:
- if you have an online account via one of our Websites, you can update your communications preferences by logging in to your account and following the instructions on the relevant Website;
- contact us and tell us;
- Where you receive marketing communications from us, you may change your preferences or unsubscribe from marketing communications at any time by clicking the unsubscribe link in an email from us.
To Learn how to opt out of behavioural advertising delivered by Network Advertising Initiative member companies, please visit the Network Advertising Initiative and Digital Advertising Alliance. You may download the AppChoices app to opt out in mobile apps. At present there is no industry standard for recognising Do Not Track browser signals, so we don’t respond to them.
Where do we store your personal data and how it is protected?
Australia / New Zealand / UK / European Union
We store your personal information (including if you reside in the UK or the European Union) in secure data centres in Australia although we may use third parties to store your data outside of Australia, whenever this happens we take reasonable steps to protect your personal data/information from loss or destruction. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data/information security breach where we are legally required to do so.
Where you have a username or password (or other identification information) which enables you to access certain services or parts of any one of our Websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data/information, we cannot guarantee the security of your personal data/information transmitted to any one of our Websites; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
Your rights in respect of Personal Information collected
Under this Policy, you have various rights with respect to our use of your Personal Information:
Right to Access
You have the right to request a copy of the Personal Information that we hold about you by contacting us at the email or postal address given below. Please include with your request information that will enable us to verify your identity. We will respond within 30 days of request. Please note that there are exceptions to this right. We may be unable to make all information available to you if, for example, making the information available to you would reveal Personal Information about another person, if we are legally prevented from disclosing such information. Or if your request is manifestly unfounded or excessive.
Right to rectification
We aim to keep your Personal Information accurate and complete. We encourage you to contact us using the contact details provided below to let us know if any of your Personal Information is not accurate or changes, so that we can keep your Personal Information up to date.
Right to erasure
You have the right to request the deletion of your Personal Information where, for example, the Personal Information are no longer necessary for the purposes for which they were collected, where you withdraw your consent to processing, where there is no overriding legitimate interest for us to continue to process your Personal Information, or your Personal Information has been unlawfully processed. If you would like to request that your Personal Information is erased, please contact us using the contact details provided below.
Right to object
In certain circumstances, you have the right to object to the processing of your Personal Information where, for example, your Personal Information is being processed on the basis of legitimate interests and there is no overriding legitimate interest for us to continue to process your Personal Information, or if your data is being processed for direct marketing purposes. If you would like to object to the pressing of your Personal Information, please contact us using the contact details provided below.
Right to restrict processing
In certain circumstances, you have the right to request that we restrict the further processing of your Personal Information. This right arises where, for example, you have contested the accuracy of the Personal Information we hold about you and we are verifying the information, you have objected to processing based on legitimate interests and we are considering whether there are any overriding legitimate interests, or the processing is unlawful and you elect that processing is restricted rather than deleted. Please contact us using the contact details provided below.
Right to data portability
In certain circumstances, you have the right to request that some of your Personal Information is provided to you, or to another data controller, in a commonly used, machine-readable format. This right arises where you have provided your Personal Information to us, the processing is based on consent or the performance of a contract, and processing is carried out by automated means.
While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third-party organisation’s systems. We are also unable to comply with requests that relate to Personal Information of others without their consent.
If you would like to exercise any of the above rights and request that your Personal Information is ported to you, please contact us using the contact details provided below.
Please note that the GDPR sets out exceptions to these rights and that most of the above rights are subject to limitations and exception. If we are unable to comply with your request due to an exception, we will explain this to you in our response.
To the extent that we are processing your Personal Information based on your consent, you have the right to withdraw your consent at any time. You can do this by contacting us using the details in the Contact section below.
Cross border disclosure of Personal Information
Processing Outside of the European Economic Area (“EEA”), Australia (AUS), New Zealand (NZ), United States of America, South Africa
To the extent that any Personal Information is provided to third parties outside the EEA, AUS, NZ, USA, South Africa or who will access the information from outside the EEA, AUS, NZ, USA, South Africa we will ensure that approved safeguards are in place to ensure that we comply with Privacy and GDPR, such as the standard contractual clauses approved by the European Commission or the EU/US Privacy Shield or the Australian Privacy Principles or NZ Privacy Act.
We process/collect Data and Personal Information on our server with the application located in Australia, however we may process your Personal Information on a server located outside the country where you live, including outside the EEA, AUS or NZ. The primary location of user data and data uploaded to our Platform is a datacentre in the AUS operated by our third-party cloud hosting provider, Amazon Web Services (“AWS”). AWS is an ISO 27001 and Data Protection certified and participant in the EU/US Privacy Shield, under which transfers of Personal Information to the U.S. are authorised.
Third Party Service Providers
As mentioned above, we will share your Personal Information with trusted third parties (with whom we have a contractual relationship) where we have retained them to provide services that you or our clients have requested, and to perform maintenance or respond to technical incidents affecting our services.
Where we disclose Personal Information to third parties, we require minimum standards of confidentiality and data protection from such third parties and the Information Security Handbook applies.
Automated decision-making takes place when an electronic system uses Personal Information to make a decision without human intervention. It is specifically regulated under GDPR where such decisions are taken which have legal or other significant effects on individuals. It is permitted in the following circumstances:
- Where it is necessary to enter into or perform our contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
- You will not be subject to decisions that will have a significant impact on you based solely on automated processing, unless we have a lawful basis for doing so, we have notified you and given you a right to challenge the decision or to require that the decision be taken by a person.
Data quality and security
We hold Personal Information in a number of ways, including in electronic databases, email contact lists, and in paper files held in secure premises. Paper files may also be archived offsite in secure facilities. We take reasonable steps to:
- make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete and (in the case of use and disclosure) relevant;
- protect the Personal Information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure;
- destroy or permanently de-identify Personal Information that is no longer needed for any purpose that is permitted by the APPs.
The steps we take to secure the Personal Information we hold include ICT security (such as encryption, firewalls, anti-virus software and login and password protection), secure office access, personnel security and training and workplace policies.
We process payments using PayPal/Stripe and online technologies. All transactions processed by us meet industry security standards to ensure payment details are protected.
While we strive to protect the Personal Information and privacy of users of our Websites, we cannot guarantee the security of any information that you disclose online, and you disclose that information at your own risk. If you are concerned about sending your information over the internet, you can contact us by telephone or post
You can also help to protect the privacy of your Personal Information by maintaining the confidentiality of your account (including your password), and by ensuring that you log out of your account on the relevant Website when you have finished using it. In addition, if you become aware of any security breach, please let us know as soon as possible.
How can you access and correct your Personal Information?
You can request access to the Personal Information that we hold about you and request corrections by contacting our Privacy Officer (see section below).
If you have an online account via any of our Websites, you can access and change some of your Personal Information by logging in to your account and following the instructions on the relevant Website.
If you have a complaint about how we have handled your Personal Information, please contact our Privacy Officer who will endeavour in the first instance to deal with your complaint and take any steps necessary to resolve the matter within a week.
If your complaint can’t be resolved at first instance, we will ask you to complete a Privacy Complaint Form.
We will endeavour to acknowledge receipt of the Privacy Complaint Form within 5 business days of receiving it and to complete our investigation into your complaint in a timely manner.
In most cases, we expect that complaints will be investigated, and a response provided within 30 days of receipt of the Privacy Complaint Form. If our investigation may take longer, we will let you know.
If you are unhappy with our response, you can refer your complaint to the Office of the Australian Information Commissioner or, in some instances, other regulatory bodies, such as the Australian Communications and Media Authority.
If you are unhappy with our response, you can refer your complaint to the Office of the Privacy Commissioner Please visit https://www.privacy.org.nz/your-rights/making-a-complaint/ for more information on how to report a concern
United Kingdom / European Union
If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint to the applicable supervisory authority or to seek a remedy through the courts. Please visit https://ico.org.uk/concerns/ for more information on how to report a concern to the UK Information Commissioner’s Office.
If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint to the applicable supervisory authority or to seek a remedy through the courts. E-mail us at email@example.com or Contact us
If you have any queries about this Policy, the way in which Kineo, Sitepass or City & Guilds Group processes Personal Information, or about exercising any of your rights, please send an email to us, our contact details for Privacy queries are set out below.
Data Protection Officer
or Mail: write to Data Protection Officer,
City & Guilds,
5-6 Giltspur Street,
London EC1A 9DD.
Australia & New Zealand
Interact Learning Pty Ltd (Kineo)
Mail: P.O. Box 6815 Halifax Street,
Adelaide, SA 5000, Australia
Email: For online enquiries you can contact us or email to firstname.lastname@example.org
Telephone: +61 1300 89 89 76
For New Zealand:
Changes to this Policy