
Data Sharing and Dissemination

Updated: 1 June 2022


Introduction to the Policy Statement

This Data Sharing and Dissemination Policy represents the importance placed on all aspects related to sourcing and managing data by all entities within the JVR Africa Group. Data, in all its forms, is core to the strategic viability and competitiveness of our businesses, essential in our business operations, and central to our GRC responsibilities (Governance, Risk Management, and Compliance).

Purpose of the Policy

This policy intends to clarify the business rules and rules of engagement for the sharing and dissemination of information to various stakeholders based on various scenarios through which access to information that is hosted by JVR may be requested.

The scenarios defined in this policy may not be exhaustive, in which case JVR reserves the right to formulate the necessary rules of engagement to address the specific scenario or request.

Definitions and Terminology

‘Data’ refers to qualitative and quantitative information that is collected, calculated/processed, and analysed, using specific methods for a specific purpose of studying, referencing, or analysing the information.

‘Data dissemination’ is the process of transferring data between stakeholders for the purpose of further processing, analytics (including research), and/or decision-making.

‘Personal Information’ according to the POPI Act is data that can be used to identify a person. It is defined as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  1. The name of the person, if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
  2. Any identifying number, symbol, email address, telephone number, location information, online identifier, or other assignment to the person.
  3. Information relating to the age, race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, physical or mental health, well-being, disability, religion, conscience, belief, political affiliation, culture, language, and birth of the person.
  4. Personal information relating to the education or the medical, psychological, financial, criminal, or employment history of the person.
  5. The biometric information of the person.
  6. The individual opinions, views, or preferences of the person.
  7. Correspondence sent by the person that would reveal the contents of the original correspondence.
  8. The views or opinions of another individual about the person.

 

“Personally Identifiable Information” means any unique information that can be used to identify an individual person and that is linked or linkable to an individual. Some examples are names and surnames, date of birth, contact details, Government IDs (including but not limited to passport numbers, tax numbers, driver’s license, and identity numbers), employment information, bank details, cookies, and IP (Internet Protocol) addresses.

“Pseudonymisation” or “Anonymised data” refers to types of information sanitisation whose intent is privacy protection. These are de-identification procedures by which personally identifiable information fields within a data record are removed or replaced by one or more artificial identifiers or pseudonyms. This is to ensure that the people whom the data describe remain anonymous.

Structure of the Policy

This policy includes reference to:

  1. Governance, risk management, and compliance
  2. Sources and usage of JVR data
  3. Principles of data sourcing, sharing, and destruction
  4. Managing requests for data sharing

 

Governance, Risk Management, and Compliance

Given the psychological and business nature of much of the professional work done at JVR, and the use of technical and electronic methodology as a vehicle for such services, it is essential to comply with the relevant legislation and best practice.

Legislation

Compliance with legislation such as the following is non-negotiable:

  1. Protection of Personal Information Act No. 4 of 2013 (POPIA).
  2. General Data Protection Regulation (GDPR, EU 2016/679) also as it relates to South African legislation, and the rules, regulations, and ethical principles of the Health Professions Council of South Africa (HPCSA).
  3. National Health Act No. 61 of 2003 and the Employment Equity Act No. 55 of 1998.
  4. Promotion of Access to Information Act (PAIA) No. 2 of 2000.
  5. Employment Equity Act No. 55 of 1988.
  6. Electronic Communications and Transactions Act No. 25 of 2002

Standards and Best Practice

JVR continuously strives to meet the standards set by:

  1. ISO 27001, an international standard addressing Information Security, including the data protection of personal information.
  2. ISO 20614:2017 – Information and Documentation, defines the five transactions (Transfer, Deliver, Dispose, Modify, and Restitute), which the partners can use to exchange Data Objects.

Consent

Wherever personal information is collected, appropriate and relevant information is provided on a Consent Form for acceptance by the data subject.

A typical and generic JVR consent form includes clarification on the purpose of the data collection, the recipient of the information (responsible party), the voluntary nature of the request, the right to feedback, the possibility of cross-border processing, the security measures used, the fact that only relevant and essential information is collected, and the fact that anonymised data can be used for statistical, qualitative processing, and research purposes.

JVR Policies

This JVR Policy should be read with all the other JVR Policies regarding the management of data and information. Examples of such policies are:

  1. Access Control Policy
  2. Data Retention Policy
  3. General Processing of Personal Information Policy
  4. Data Destruction Policy
  5. Information Classification Policy
  6. Information Life Cycle Management Policy
  7. JVR Africa Group Data Security Policy
  8. JVR Africa Group Privacy Policy

Further information on the above policies and JVR’s compliance regarding the confidential and secure management of data can also be obtained from: informationofficer@jvrafrica.co.za

The JVR Data Context/Data Sources at JVR

There are numerous sources of data in everyday JVR business activities. Some of the data may already be in the public domain; other data could be sensitive from a financial, contractual, personal, or strategic perspective. Given the nature of work done by JVR, personal, confidential information is managed with particular care and in compliance with legislation. Please also refer to the JVR POPIA Policy Statement, which clarifies how JVR works with personal information: https://jvrafricagroup.co.za/terms-and-conditions

General Sources of Data in JVR

JVR has access to numerous sources of data. These result from daily business and marketing activities, as well as from the professional products and services we offer to clients. Some sources of information could include:

  1. Financial and business data
  2. Marketing, sales, and client or CRM (Customer Relationship Management) data
  3. Website and technological progress data
  4. Efficiency of processes and JVR’s compliance to risk management
  5. Staff, performance, and compliance data
  6. Research and survey data
  7. Assessment scoring, professional services, and educational/training data
  8. Electronic platform usage/log data

Use of data for business intelligence

JVR’s focus on operational efficiency, customer service, sales, research, products, and service excellence relies on business intelligence sourced from objective data and metrics available from a variety of electronic and online systems used by the businesses. All data is managed in compliance with legislation, best practice, and negotiated contracts and agreements.

Data and the JVR professional services

JVR regularly incorporates psychological and other assessments in the services provided to clients. These assessments and the data they generate are diligently managed according to legislation.

Depending on the contractual agreements JVR has in place with the owners of such assessments, the management of data, intellectual property, and risks is also clearly stipulated in signed agreements. Strict adherence to signed contractual agreements is in place.

In the services provided by JVR, consent forms, signed by the recipients of reports and their clients, clearly stipulate the parameters within which the results/data from the assessments and services may be used.

This policy of Data Sharing acknowledges the rights of all stakeholders and stipulates the principles used by JVR in guiding access to the data to which we have custodian and other rights.

Specific Principles of Data Sharing and Dissemination

Data is not automatically available to anyone who requests access. Access is guided by legislation, contracts, agreements, principles of relevance, appropriateness, best practice, signed policies, and managerial controls. The access granted may also be subject to the sensitivity of the data requested.

Personal Data Collected within JVR

In addition to general HR information on employees, data is occasionally sourced from within JVR, where employees voluntarily participate in data collection and research projects. The information and data gained are held in confidentiality and used anonymously for research purposes. Individual or group feedback (where appropriate and ethically acceptable) is provided to the participating employees who use the information as an opportunity for individual and/or group feedback, learning, and development.

The opportunity to do research on the data sourced in this manner is restricted to the JVR researchers. They do statistical analysis with anonymised results to publish case studies and articles, give academic presentations, and expand on or author technical reports.

Anonymised JVR data sourced in this manner can only be published on by the JVR researchers and will not be made available to any other stakeholders.

Data Collected and Processed as Part of the JVR Services

JVR regards the scientific integrity of all assessments distributed and used in our services as of primary importance. The same is true of the scientific information used and relied on in our training, skills development, and the range of consulting services we provide. Science, research, and professional best practice is a core JVR value, a strategic priority, and a legal imperative.

As part of our responsibility to ensure the continued quality of all our assessments, the JVR researchers often acquire or request access to data sets for specific tests. These data sets are anonymised, and no personally identifiable information is shared. Some biographical data is, however, required in the JVR research/use of data to ensure compliance with the South African Employment Equity Act.

Data sourced in this manner can only be published on by the JVR researchers working with the owners of the assessments and services from which the data originates. It will not be made available to any other stakeholders.

Data Collected by JVR for/with Clients

Smaller and larger collections of data result from the products and services contracted for by JVR clients. As Responsible Party, clients may request insight into the data to provide descriptive and/or predictive analysis or an indication of the return on their investment (ROI). The provisos for doing work with the data obtained from the products and services used by the client company include:

  1. A signed Service Agreement or similar contract and JVR (or company specific) POPIA Operator Agreement must be in place.
  2. Signed consent forms from data subjects for gaining access to the data.
  3. Signed consent and agreement from third parties and/or service providers who may have been involved in facilitating or generating the data is required.
  4. Client organisations as responsible parties can only have access to their own data.
  5. Clients take full responsibility for the governance, safety, and security and compliance of personal and confidential information/data on their own premises.
  6. Understanding that psychological data, governed by health legislation, cannot be provided to untrained and unqualified people to do the analysis, research, and reporting on the psychological measurement per se.
  7. Clients can request JVR, through its researchers and data experts, to provide a proposal and/or quote on the costs of doing the statistical analysis, research, and reporting of the data.
  8. Should any specific norm (i.e., industry norm) or other industry comparison be required, this could be negotiated and costed by the product owners and JVR researchers. No guarantees are made regarding the availability of such additional norms or comparative information.
  9. Should the data (data set) of the client for which this data analysis is requested be under the custodianship of another party/stakeholder, it is the responsibility of the client to request the custodian to disseminate the data to JVR in its raw or analysable normed/transformed format for JVR to process the research and insights.

Anonymised data sourced in this manner from JVR by the JVR client can only be published on by the clients and/or the JVR researchers and will not be made available to any other stakeholders.

Data collected by JVR working with Contractual Business Partners as the owners of Products/Assessments and Services

The JVR contracts/agreements with Business Partners guide the way in which, amongst others, Intellectual Property (IP), research, and data are managed.

Data collected in this manner is sourced and managed in the following ways:

Data collected on the JVR and/or external processing platforms

JVR has access to numerous and diverse sets of data. Some data exists on the JVR-owned electronic and online systems. In some cases, an API (Application Programming Interface) exists between the JVR electronic systems and an external Business Partner, given that the scoring is done on the partner’s system. In other cases, external administration and scoring platforms are used without an API integration into the JVR systems.

With regard to the above alternatives, the following applies:

  1. JVR is committed to complying with all contractual requirements, including access to the services, the use of various electronic platforms, and the data collected.
  2. As per a signed partnership agreement, if the data lies on a platform external to the JVR systems, JVR can request anonymised data regarding the Sub-Saharan use of assessment(s) for research and validation purposes.
  3. The analysis and management of data is handled in a transparent and cooperative manner with the owner/distributor/publisher of the data.
  4. Data obtained from one distributor will only be shared with other distributor(s) once the aggregated data has been written up in technical reports, case studies, presentations, or articles, and discussed and accepted by the relevant owner/distributor of the assessment or service.
  5. Should diverse sources of data include vested interests of other assessment owners, the draft manuscript will be shared by JVR with the relevant contractual business partners before any publication is done. The publication will refer to the data in general terms and not use any identifiable names.
  6. Should there be an opportunity to negotiate a research partnership agreement amongst different contractual business partners, this will be done contractually with an addendum to the existing agreements.
  7. Data requests to external business owners may incur costs and must be accepted and signed off by the JVR CFO (Chief Financial Officer).
  8. Requests for, and management of, data can only be done by the designated JVR research team for purposes of statistical analysis, research, and reporting. The purpose of such research is to ensure that relevant data is used to ensure compliance, best practice, and the opportunity for scientific insight.
  9. JVR reserves the right to merge data across various sources of information, including the JVR-owned assessments, and provide only anonymised data sets for research purposes.

Anonymised JVR data sourced in this manner can therefore only be published on by the JVR researchers and the contract owners and will not be made available to any other stakeholders without contractual agreement.

Data collected by JVR client organisations who use JVR and/or external processing platforms

JVR Client organisations purchase assessments and services from JVR and collect data throughout the process. It is often advised that such data, once adequate numbers have been collected, be statistically analysed to determine trends, descriptive or predictive value, and ROI.

In this regard:

  1. The JVR clients can/will be supported by the JVR research team and quoted for any costs incurred in sourcing, analysing, or reporting on the data.
  2. Unless otherwise agreed in writing, only scored and aggregated data will be provided, not raw item responses.
  3. Where a JVR client organisation requests access to their own data collected and processed through the JVR systems, the request will be managed following a signed Services Agreement, defining the support and services provided by JVR, and a signed JVR POPIA Agreement clarifying legislation/compliance and best practice.
  4. Where a JVR client organisation requests access to their own data on assessments distributed by JVR, but accessed through other electronic and IT systems, written and signed permission from the external service provider/owners of the external systems needs to be obtained before JVR can source, analyse, or research the data. Once permission is obtained, the process will be guided by a negotiated and signed Service Agreement and JVR POPIA Operator Agreement.

Anonymised JVR data sourced in this manner can only be published on by the JVR client who purchased the assessments and services with support and advice from the JVR researchers. Such data will not be made available to other stakeholders.

Data Requested by Academic Institutions/Students for Research Purposes

JVR places a high value on the long-standing relationships we have with South African and African Universities. Signed agreements guide how academic institutions and JVR collaborate on working with data collected by them using JVR assessments and services. It must be noted that JVR does not make any archival data sets automatically available to students.

The exception to the above is when:

  1. Requests for/access to anonymised archived data is specified in the contractual agreement between JVR and the owner.
  2. Such research and use of the data is subject to ethical approval by a university research ethics committee.
  3. The appropriate consent forms, the POPIA Operator Agreements, and research agreements have all been signed by the relevant parties.

Students who use and collect their own research data on the JVR systems must do so within the ethical parameters set out for projects involving human subjects. The access to the data on the JVR Systems is subject to this policy, specifically 5.4, and the Terms of Business set out on the website (www.jvrafricagroup.co.za/terms-and-conditions). Anonymised data sourced from JVR in this manner by academics and/or students will be supported by the JVR researchers and will not be made available to any other stakeholders.

Requests for Data Access, Movement, and Interchange

All requests for the access, movement, and/or interchange of data as per the scope above must be submitted to JVR in writing, stating the scope, purpose, and motivation, as well as the agreement to compliance with the relevant legislation and commercial obligations.

JVR will assess and process the requests accordingly and duly engage with the requestor.

In Conclusion

JVR is committed to working with data according to national and international legislation and best practice. Our intention is to ensure that we work with accurate and clean data obtained from reliable sources, appropriately processed, safely, securely, and confidentially kept, and legally processed, whether the information is sourced in person, in written or printed form, or obtained on any of the JVR electronic platforms.

The data held in safekeeping by JVR will only be transferred to others on the proviso that it is transferred to equivalent safety. While we fully support access to data for research purposes and the continuous improvement of assessments, we do so with the expectation that the data is used responsibly, ethically, and legally.