The purpose of this Insperity Data Privacy Statement (“Statement”) is to provide the recipient with an understanding of how the Insperity Data Privacy Team seeks to address a myriad of data privacy requirements. The information contained in this Statement is intended as a summary of our data privacy measures for existing and prospective clients and is for informational purposes only. This Statement does not and is not intended to create, supplement or change any binding terms or obligations contained in written agreements between Insperity and any client for Insperity products and/or services. Insperity reserves the right to make changes to this Statement and any of its published privacy notices at any time without prior notice to existing or prospective clients.
Insperity Privacy Statement
Introduction
1. Overview
1.1 Scope
The Insperity Data Privacy Team is responsible for data privacy, third-party risk management (TPRM), software compliance, and incident response. The inclusion of these four areas provides a broad view of Insperity’s data and protection requirements.
1.2 Team Overview
The Insperity Data Privacy Team is led by a Managing Director who reports directly to the Senior Vice President of Innovative Technology Solutions, who serves as Insperity’s chief technology officer. The team maintains relevant professional designations and actively participates in professional organizations and training opportunities relevant to the areas of the team’s responsibilities. The team implements practices in coordination with the Insperity Information Security Team.
2. Privacy By Design Principles
Insperity is committed to lawful and ethical privacy practices. We have embedded the seven foundational principles of Privacy by Design into the way privacy is operationalized:
- Proactive not Reactive: There is clear and sustained executive support for the data privacy function within Insperity. As mentioned above, the function reports directly to the Senior Vice President of Innovative Technology Solutions, who is a member of the Insperity Management Team. The Senior Vice President of Innovative Technology Solutions provides updates to the Insperity Board of Directors on matters related to data privacy and data protection multiple times a year. The Insperity Data Privacy Team is part of an Information Governance Committee comprised of key individuals within the company whose job functions oversee the handling of sensitive data, and regularly collaborates to discuss data-related issues and how to effectively resolve them.
The Insperity Data Privacy Team also participates in an enterprise-wide Data Governance Working Group to discuss potentially disruptive technology and enhancements that shape business operations. The Insperity Data Privacy Team also participates in technology product and service design sessions to review and discuss projects that will impact multiple areas of the business.
On an annual basis, the Insperity Data Privacy Team reviews and updates, as necessary, the privacy module included in the corporate compliance training that all corporate employees must complete annually.
The Insperity Data Privacy Team engages an independent third party on a periodic basis to assess the maturity of Insperity’s data privacy practices and to identify opportunities for improvement.
- Privacy as the Default: Insperity’s privacy notice, discussed in further detail below, describes the categories of personal information collected and its usage. The Insperity Data Privacy Team focuses on identifying where sensitive data is collected, used and stored, and what additional mechanisms may be needed to either protect the data or obtain consent for its usage. Key to this effort is the processing inventory that the Insperity Data Privacy Team maintains. This inventory provides a mapping of business systems and data elements to key business processes. The Data Privacy Team routinely works with product development teams and other stakeholders to support our goal of attaining and retaining only the minimal dataset required to accomplish objectives. Additionally, the Insperity Data Privacy Team conducts detailed assessments of new functionality to determine if there are risks or impacts to what a user should expect in terms of how their data is managed or used by Insperity.
- Privacy Embedded into Design: The Insperity Data Privacy Team is embedded in strategic processes that support product development. The Insperity Data Privacy Team participates in design sessions where requirements for new features and products are first surfaced and also attends weekly release management meetings to keep abreast of any anticipated changes in the production environment. Additionally, the Insperity Data Privacy Team participates in recurring product roadmap meetings to anticipate where new privacy requirements should be implemented and embedded into a product offering.
- Full Functionality: The Insperity Data Privacy Team collaborates with the Insperity Information Security Team, product development teams, and business stakeholders to align privacy objectives, business requirements, design objectives, and technical capabilities. The focus is on implementing privacy best practices to enable market-leading HR products and services by viewing good privacy practices as a means of optimization and as an accelerator to these endeavors, in a manner that does not impair the full functionality of our technology, processes or systems.
- End-to-End Security: Insperity maintains a robust security and network infrastructure program with an end-to-end secure lifecycle management focus for stored data. The Insperity security strategy is generally modeled after the CIS Critical Security Controls framework. Security infrastructure, processes and procedures are implemented and maintained to meet each objective of the framework. The security controls are frequently evaluated for gaps or advances in technology that could be addressed. For additional details, please see our Insperity Technology Security Statement.
- Visibility and Transparency: The Insperity Data Privacy Team reviews Insperity’s privacy practices and notices on an annual and/or as-needed basis to ensure Insperity is effectively communicating the way data is collected and used. Individuals have the ability to raise privacy questions and concerns directly to the Insperity Data Privacy Team. When transferring data to third parties in the manners disclosed within our published privacy notices, we seek to limit the use of transferred data in a manner consistent with our privacy notice.
- Respect for User Privacy: Insperity provides mechanisms for users to receive access to data they provide and to utilize resources that allow them to modify their personal information that we maintain in our records and systems. Many of our technology systems have a self-service component for users. The Data Privacy Team also evaluates new functionality to determine if there are impacts to what a user should expect in terms of how their data is managed or used by Insperity. To the extent that any user consents or opt-outs are required by law, Insperity creates measures for collection of such consents and management of applicable opt-outs.
3. Privacy Notices
Insperity currently communicates its privacy practices through two privacy notices:
- Insperity Privacy Notice: this notice is our public statement regarding our enterprise-wide privacy practices. It covers data collected from Insperity.com website visitors as well as clients and users of our Insperity Premier™ human capital management platform and Insperity mobile applications.
- Insperity, Inc. California Privacy Notice: this supplement to Insperity’s Privacy Notice covers the collection, use, and disclosure of Consumer and Personal Information as both Consumer and Personal Information are defined by the California Consumer Privacy Act (CCPA).
4. Data Subject Rights
Individuals seeking to exercise their data privacy rights are able to submit requests to Insperity through three main channels:
- Submitting an online form through the Insperity Privacy Center website
- Contacting one of Insperity’s client support functions (such as the Insperity Contact Center) which results in an internal ticket being created and forwarded to the Insperity Data Privacy Team for review.
- Contacting the Data Privacy Team directly at [email protected] or 1-866-824-0505.
Individuals are able to submit requests related to the following rights:
- Right to Know: Ability to request information regarding what Personal Information Insperity has collected and how it has been used and disclosed.
- Right to Delete: Ability to request that Insperity delete Personal Information about the individual that Insperity has collected from them.
- Do Not Sell: Ability to request that Insperity not sell Personal Information to a third party (“sale” as defined by the CCPA); however, as stated in our Privacy Notice, we do not sell data as defined in the CCPA.
- Opt-Out of Email Communications: Ability to request Insperity to block any non-essential communications.
- File a Complaint: Ability to escalate privacy issues to the Insperity Data Privacy Team.
After confirming the identity of the requestor, the Insperity Data Privacy Team evaluates the request in relation to applicable privacy laws and regulations to determine the appropriate response.
5. Notes on Specific Regulations
5.1 California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. This landmark regulation provides California Consumers with greater control over their Personal Information. Our current understanding of how the regulation applies to Insperity’s product and service offerings includes the following:
- In relation to our Professional Employer Organization (PEO) clients, we are considered a co-employer and thus HR data managed by Insperity as an employer within the context of a PEO relationship is excluded until a future date based on the CCPA carve-out provided for employers. There are some cloud-based service offerings made available to PEO clients that require Insperity to operate as a service provider for those offerings, but those scenarios are detailed accordingly in our service agreements.
- For traditional HR clients who use our business performance products and services outside of the PEO relationship, we are considered a Service Provider as defined by the CCPA.
- Insperity does not sell data as defined by the CCPA.
- We continue to actively monitor California privacy legislation, including the passage of the California Privacy Rights Act (CPRA) and associated rule making, and are prepared to modify our practices as needed.
5.2 General Data Protection Regulation (GDPR)
The GDPR requires processors and controllers of the personal data of individuals located within the European Economic Area (EEA) and the United Kingdom (UK) to enter into data processing agreements that state the rights and obligations related to the protection and processing of such personal data.
Insperity’s requirements for GDPR compliance depend on the nature of the relationship with our clients. We will evaluate the need to enter into additional agreements on a case-by-case basis with our clients. Insperity will collaborate with clients to assess data processing needs as applicable for privacy compliance and will make good faith efforts to enter into any new contractual terms that may be required for cross-border data transfers.
Within the framework of our PEO co-employment model, Insperity serves as co-employer and a controller of data received from its U.S. employees and is not considered a processing vendor or hosting service provider with respect to client-provided employee data stored on Insperity servers. Because personal data of employees is stored within Insperity’s environment as Insperity’s employee records and not as our client’s records, Insperity is not processing such employee records on any client’s behalf and therefore does not enter into data processing agreements with clients as a processor.
With respect to some of our Insperity BPS solutions that are offered to clients, Insperity continues to maintain its commitment to the protection of data received by BPS users in accordance with the EU-US and Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. Insperity continues its self-certification with the US Department of Commerce and continues to appear on its published Data Privacy Framework List. Insperity and clients will assess data processing needs as applicable for privacy compliance and will make good faith efforts to enter into any new contractual terms that may be required for cross-border data transfers. For more information regarding the Data Privacy Framework, please refer to this section in the Insperity Privacy Notice.
6. Privacy Regulation Monitoring
The Insperity Data Privacy Team maintains an awareness of evolving privacy legislation through the following means:
- Subscriptions to news-gathering sources focused on privacy matters;
- Active participation in relevant professional associations;
- Ongoing dialog with business stakeholders to identify changes in operations that could result in new privacy requirements.
7. Privacy Incident Response
Insperity has assigned specific individuals to an Incident Response Team. This formal Insperity Incident Response Team (IRT) follows a detailed process and has documented procedures for dealing with various data security events. The response plan addresses intruders, detection, communications, legal issues, containment strategies, remediation efforts, and documenting lessons learned from activities. Employees are trained to report incidents to the IRT when encountered. Response processes are tested, reviewed at least annually and updated as appropriate through a series of hands-on tabletop exercises.
8. Third-Party Risk Management
Third parties who will access, produce, manage, or otherwise consume Insperity data are evaluated to determine what risks they may present to the enterprise. These risks are documented, summarized in a risk assessment, and reviewed with the respective business owner, and the third parties are given a risk rating. Results of the risk assessment are also used to evaluate and propose revisions to any relevant agreements. Third parties are re-assessed periodically based on the services provided and overall risk rating.
