Last Updated: December 2016
Mercer | Sirota recognizes and respects the legitimate interest of individuals to protect the privacy of information about them that may be collected or processed in the ordinary course of our business. Mercer | Sirota has therefore adopted a privacy and data protection policy that is applicable to information relating to our employees, as well as to information relating to other individuals collected or processed in the general course of our survey research business, including but not limited to Personal Data received from locations within the European Union. It is the goal of Mercer | Sirota to set forth the rights of Data Subjects (defined below) in clear and unambiguous terms.
For the purposes of this policy, we use the terms “Personal Data” and “Personal Information” (abbreviated as “PI”) interchangeably to refer to any information, recorded in any form, relating to a living person who can be identified, directly or indirectly, by reference to that information and which is in Mercer | Sirota’s possession. An individual with respect to whom PI may be collected or processed will be generically referred to as a “Data Subject”, or more specifically, as employee or survey respondent, as the context requires. Through this policy, it is Mercer | Sirota’s intention to protect the privacy interests of individuals and for Mercer | Sirota to be in compliance with all applicable laws, rules and regulations relating to data privacy. References to “we” and “Mercer | Sirota” refer to Mercer (US) Inc. and its subsidiaries and affiliated companies.
Mercer | Sirota takes reasonable and appropriate measures to protect the privacy of Data Subjects by appropriately safeguarding PI from loss, misuse, unauthorized access, disclosure, alteration or destruction, taking into account the risks involved in the processing and the nature of the Personal Data.
Mercer | Sirota does not process personal data other than to the extent such processing is necessary to achieve the legitimate business purposes of Mercer | Sirota. Mercer | Sirota does not share, transfer to third parties, assign, sell, permit the viewing of or access to any PI, except as set forth in this policy. Examples of these precautions include physical and logical separations, encryption and security, password protections for online information systems and restricted access to PII. In addition, any third party inquiries to Mercer | Sirota, either written or verbal, concerning the identity, employment record, or performance of a current or terminated employee, or of any Data Subject, are referred to Mercer | Sirota’s Certified Information Privacy Manager (CIPM) who has oversight responsibility for data privacy. If the request is from a government agency, our legal department will verify the credentials of the agency representative and take appropriate steps to safeguard confidentiality and privacy.
In collecting, processing and otherwise handling Personal Information, it is the policy of Mercer | Sirota, and all employees of Mercer | Sirota shall act in accordance with these policies, to:
- Ensure that personal data is processed fairly, securely, accurately and only to the extent reasonably necessary to carry out the business of Mercer | Sirota. For Employees of Mercer | Sirota, that means that the use of PI will be limited to what Mercer | Sirota must do to process business critical information, such as payroll, benefits, other pension and related filings and as otherwise required by national or local ordinances. For survey respondents, this means that Mercer | Sirota will process demographic information regarding individuals participating in surveys only for the purposes and to the extent necessary to analyze the data and for related scientific and professional research purposes.
- Ensure that Data Subjects know for whom the data is being obtained or processed and for what purposes it will be used. This may be set out in documents or may be explained to the individual. To the extent possible, PI will be pseudonymized so that the names and identities of the Data Subjects are not known by data processors within Mercer | Sirota or by Mercer | Sirota’s clients for which the surveys are commissioned.
- Ensure that the Data Subject has been advised in clear and unambiguous terms as to what use the data is going to be put and ensure that the individual has consented to the data being used for that purpose. Requesting consent will likewise be in clear and unambiguous terms, and we will seek consent, but it will be explicit for any information that is sensitive (see below for further details on Sensitive Personal Information). However, consent will not be necessary if:
  - The information is required to perform contractual obligations to that individual or to take steps at their request with a view to entering into a contract with them.
  - We are required by legal process, statute or applicable regulation to supply the information or it is necessary to obtain the information in order to comply with any legal obligation.
  - It is necessary to use the information to protect that individual’s vital interests.
- Notwithstanding the foregoing, we will not collect, process or otherwise deal with any PI in any manner incompatible with that purpose stated and we will not go beyond or act in contravention of any confidentiality or privacy undertakings given to any such Data Subjects.
- We will collect or process PI only to the extent that it is relevant and not excessive in relation to the purpose for which it is collected or processed.
- When seeking information, we will only ask for what is needed for the particular purpose and no more.
- When legitimately disclosing information to another party we will only reveal the information that is strictly relevant to that purpose.
- We will ensure that the information is accurate and kept up-to-date (as relevant and appropriate).
- Where feasible, the information should be obtained directly from the Data Subject or the accuracy checked with them. Data Subjects will have the right to review the accuracy of any PI relating to them in our possession and to correct any erroneous information.
- However, not all information that relates to an individual has to be disclosed to them if requested. Disclosure should not occur if:
  - It would involve identifying another person.
  - It would involve Mercer | Sirota breaching a duty of confidentiality owed to another.
  - The information is subject to legal privilege.
  - It is a reference given by Mercer | Sirota.
  - It relates to management forecasting or planning.
  - It relates to matters over which Mercer | Sirota is negotiating with that individual and the disclosure of the information would prejudice those negotiations.
- We will not retain personal data for longer than is necessary except to the extent that we are able to aggregate the same to the point that it is anonymized for statistical research. How long is appropriate will depend on the type of data and the use to which it has been put. In general, and subject to our clients’ lawful instructions, PII relating to survey responses is retained for five (5) years to enable continued data analysis by way of providing trend and normative data. However, survey respondents may request that their PII be removed from Mercer | Sirota’s active systems (see policy #15 below). Mercer | Sirota also retains employee PII for not less than seven (7) years to comply with local tax reporting and employment regulations and good business practice. Mercer | Sirota’s legal department may direct that such information be retained for a longer period of time in the event of a litigation hold or as it deems necessary to protect the interests of Mercer | Sirota or as otherwise required by law.
- Individuals have the right to review personal data about them that Mercer | Sirota holds and to correct any inaccuracies in such information.
- Most clients and employees will be aware of what information we hold relating to them but there may be some exceptions. Any queries should be referred to the Certified Information Privacy Manager of Mercer | Sirota and should not be addressed by employees directly unless authorized to do so.
- We will ensure that appropriate technical and organizational measures are in place to prevent unauthorized or unlawful processing of personal data and accidental loss of, damage to or destruction of personal data.
- We will take appropriate steps and will be implementing procedures and providing training to staff as appropriate for the information they handle. This will be subject to an ongoing review.
- We will not disclose or otherwise transfer PI, except:
  - If requested by an employee, Mercer | Sirota will transfer information relating to that employee (e.g., in order to verify employment in connection with that employee’s application for credit); or
  - To a third party acting as agent for Mercer | Sirota or a client of Mercer | Sirota with respect to such clients’ processed information, such as an outside benefits administrator or a third-party professional service organization retained by a client, provided that the third-party processor contractually undertakes that such data may only be processed for limited and specified purposes consistent with the consent provided by the Data Subject and that the recipient will provide the same level of protection as Mercer | Sirota provided.
  - When it is necessary to comply with legal obligations, such as providing government authorities appropriate tax and social security information, or if required under court order or subpoena; and
  - When necessary to protect and defend our legal and property rights, or meet national security, the public interest, or law enforcement requirements; and
  - In providing statistical reporting in the ordinary course to Mercer | Sirota’s clients, provided the PI is suitably anonymized through either technical procedures or the implementation of minimum aggregation rules; and
  - If the request is from a government agency, or the result of legal process, our legal department will verify the credentials of the agency or other legal representative and take appropriate steps to safeguard confidentiality and privacy, including but not limited to seeking judicial review of the request and seeking protective relief before releasing any information.
- In those situations in which Mercer | Sirota does onward transfer personal information to third parties acting as an agent on its behalf, Mercer | Sirota shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
- Mercer | Sirota is part of a financial services company and is, therefore, excluded from the jurisdiction of the EU-U.S. Privacy Shield Framework. Mercer | Sirota uses other mechanisms to enable the transfer of EU personal data. These mechanisms include Data Transfer Agreements (DTAs) based on the EU Model Clauses and Model Contracts as approved by the European Commission.
- With respect to sensitive personal data, the following shall apply:
  - Sensitive personal data is personal data which relates to:
    - The racial or ethnic origin of the individual.
    - His/her political opinions.
    - His/her religious beliefs or other beliefs of a similar nature.
    - Whether he/she is a member of a trade union.
    - His/her physical or mental health or condition.
    - His/her sex life.
    - The alleged commission by him/her of any offence or anything related to any criminal proceedings against him/her.
  - In addition to the above principles, and except with reference to sensitive personal data relating to US-based employees or survey respondents, the following conditions also apply to the processing of sensitive personal data:
    - The individual must give their specific consent to the processing of the personal data.
    - The processing must be necessary for the purposes of exercising or performing any right or obligation conferred or imposed by law on Mercer | Sirota in connection with employment.
    - Processing of information relating to racial or ethnic origin that is necessary for the purposes of reviewing policy of opportunity or treatment is permissible.
    - Processing is necessary for medical purposes by a health professional or similar.
- The Certified Information Privacy Manager (CIPM) at Mercer | Sirota is responsible for overall compliance of Mercer | Sirota privacy issues and the principles and policies set forth herein. All enquiries should be addressed to the CIPM at email@example.com.
- While Mercer | Sirota takes reasonable steps to ensure that Personal Data is accurate, complete, and current, it is a responsibility of all employees to immediately inform Mercer | Sirota in the event of changes in Personal Information. Upon request, Data Subjects may access Personal Information about them and are able to have inaccurate information corrected by request to Mercer | Sirota’s Certified Information Privacy Manager (CIPM) at firstname.lastname@example.org.
- In the event that a survey respondent wishes to have his or her PI deleted from Mercer | Sirota’s active servers after the conclusion of a survey, or if any individuals wish to otherwise limit the use or disclosure of their personal data, they may do so in a written request to Mercer | Sirota’s Certified Information Privacy Manager (CIPM) at email@example.com and the request will be honored in the ordinary course of business. The deletion of information will be on the active servers only and not the back-up media (tapes) maintained by Mercer | Sirota for emergency planning purposes. However, a log is maintained of any PI that is deleted and in the event a back-up tape is required to be restored, Mercer | Sirota will delete the PI from the restored database.
- In the event of a dispute relating to Mercer | Sirota’s handling of PII, Data Subjects should be directed to contact Mercer | Sirota’s Certified Information Privacy Manager (CIPM) at Four Manhattanville Road, Purchase, New York 10577 or by email to firstname.lastname@example.org in order to register complaints, to submit access requests, or to address any other issues arising under these privacy policies. The CIPM is authorized to expeditiously investigate any such dispute or disagreement and will generally respond by mail or email (using the same method of communication as the initial inquiry unless otherwise requested) within thirty days of receipt of the communication. The CIPM is authorized to take all appropriate steps to respond to and resolve the matters raised.
- Mercer | Sirota is subject to the investigatory and enforcement powers of the FTC, and any other US authorized statutory body. With respect to human resources data transferred from the EU in the context of the employment relationship, Mercer | Sirota commits to cooperate with the EU data protection authorities (DPAs).