Spherion Mid Ohio Employment Services Inc.
Last updated 12/5/2024 | Revision 1.0
Data Security and Privacy Policy
Introduction
At Spherion Mid Ohio Employment Services Inc. ("Spherion"), we are committed to protecting the privacy of our employees and applicants ("Individuals"). This Data Security and Privacy Policy ("Policy") outlines the steps we take to safeguard personal data and ensure that our practices comply with all applicable laws. This Policy is a key part of building and maintaining trust with our clients and employees, creating a secure environment where everyone can feel confident that their information is handled with care and respect.
Purpose
The purpose of Spherion’s Data Security and Privacy Policy is to:
• Build and Maintain Trust: Build trust with our clients, employees, and partners by demonstrating our commitment to protecting personal data and ensuring its ethical use.
• Protect Data: Safeguard the confidentiality, integrity, reliability, and availability of all personal data collected and processed by Spherion and its employees, protecting it from unauthorized access, breaches, or misuse.
• Ensure Legal and Regulatory Compliance: Ensure that Spherion adheres to all applicable data protection laws and regulations, maintaining compliance across all operations.
• Enhance Employee Understanding: Provide clarity and transparency regarding the collection, use, storage, and sharing of personal data by Spherion, while outlining the responsibilities of employees in maintaining data security.
• Manage Risks and Respond to Incidents: Establish a framework for identifying, assessing, and mitigating risks related to data security, and ensure a swift and effective response to any data breaches or security incidents.
Scope
This Policy applies to all personal data processed by Spherion, whether in electronic or physical form. It covers all employees, contractors, and any third parties engaged by Spherion who have access to, or have entered, personal data through our website, in person at our office, or at a job event.
Data Collection
Types of Data Collected:
Spherion collects the following types of personal data:
• Personally Identifiable Data: This data may include names, addresses, Social Security numbers, dates of birth, driver’s licenses or other government-issued IDs, educational history, background checks, and criminal history.
• Employment Information: Job titles, employment history, work locations, schedules and time records, leave or absences, evaluations, records, and compensation details.
• Financial Information: Direct deposit banking and account details, tax and withholdings, payroll records, retirement plan contributions (401k), reimbursements, payroll withholdings, or any other financial information standard for employment purposes.
• Health and Medical Information: Health insurance information, dependent and beneficiary information, coverages, health savings, disability accommodations, screenings or testing reports and status, drug testing results, or flexible spending accounts.
• Communication Data: Includes phone numbers, email addresses, communications, emergency contacts and their associated information, access logs, and other provided contact information.
Methods of Collection:
Personal data is collected through:
• Forms, Applications, or Resumes: Both online and paper forms completed by Individuals.
• Employee Onboarding: Human Resources collection of information and background checks.
• Electronic Communications: Emails, text messages, and other digital means.
• Direct Interactions: Phone conversations, meetings, and other forms of direct communication.
Data Usage:
Personal data collected by Spherion is used for the following purposes:
• Employment Processing: To verify eligibility for employment, process payroll, and manage employment records.
• Communication: To send job opportunities, reminders, and service updates to Individuals.
• Compliance: To meet legal and regulatory obligations, including tax reporting and adherence to labor laws.
• SMS Texts and Communication: Spherion, along with its affiliates and contracted partners, engages with candidates via calls, AI-generated calls, text messages, and emails to share job opportunities and employment updates. This communication aligns with our privacy standards, and no personal information will be shared with third parties or affiliates for marketing or promotional purposes.
Example Use Cases:
These are some of the ways in which we use Individuals' information:
• Onboarding New Employees: We collect identification, contact information, and employment details through online forms and in-person meetings. This data is used to set up payroll, enroll the employee in any applicable benefits, and create their employee profile in the company’s HR system.
• Text Reminders: We use your phone number to send reminders about upcoming shifts, reward programs, call-offs, interviews, onboarding steps, and orientation instructions.
• Job Opportunities: We may send you job alerts based on your preferences and qualifications.
Data Sharing
Personal data is shared with third parties only under agreement to ensure the security and confidentiality of the information. Third parties include service providers for background checks, payroll processing, and IT services, as well as legal entities as required by law.
Third-Party Sharing:
In instances where shared data includes specific Individual details, we ensure these are protected by our agreements with third parties. We may share data with the following types of third parties:
• Service Providers: Data is entered or shared with our applicant tracking software systems, consumer reports and background checks providers, information technology and cloud services providers, CTI WOTC, insurance providers, benefits providers and third party administrators, and payroll or related processors. For a listing or disclosure of current or historical providers of these services, please contact one of our representatives for more details.
• Limitations on Sharing: Consistent with Spherion’s privacy standards, information obtained through our communication channels, including AI-generated calls and text messages, will not be shared with third parties or affiliates for marketing or promotional purposes.
• Legal Entities: Government agencies or legal entities as required by law as well as auditors or compliance assessors for auditing or assessment purposes.
Text Messaging Terms:
By providing your phone number, you consent to receive text messages related to job opportunities, employment updates, and other services from Spherion Mid Ohio and its affiliates or contracted partners.
• Message Frequency: Frequency of messages may vary.
• Costs: Message and data rates may apply.
• Opt-Out: Reply STOP to cancel.
• Help: Reply HELP for assistance.
• Disclaimer: Carriers are not liable for delayed or undelivered messages.
Legal Requirements:
We may also share data to comply with legal obligations such as subpoenas, tax reporting, or other legal processes.
Data Security Measures
Spherion, in partnership with its Managed IT Services Provider, implements multiple layers of security to ensure the highest levels of protection of personal data. Access to personal data is restricted to authorized personnel based on the principle of least privilege.
Data Access Controls:
Training and strict user permission policies are enforced for access to data, with regular audits to ensure compliance.
• Multi-Factor Authentication (MFA): MFA is required for accessing sensitive data and systems, adding an additional layer of security by requiring users to provide two or more verification factors to gain access.
• Privileged Access Management (PAM): Access to sensitive systems and data is restricted to authorized personnel only, using PAM to enforce the principle of least privilege and manage administrative rights securely.
• Phishing Campaigns and Security Awareness Training: Regular training and simulated phishing campaigns are conducted to educate employees on recognizing and responding to phishing attempts.
• Password Management: Spherion enforces strict password management policies following the National Institute of Standards and Technology (NIST) guidelines for best practices. Passwords must be securely stored to safeguard against unauthorized access.
• Domain Filtration and Protection: DNS filtration is implemented to block internet access to malicious domains, preventing potential or known threats from reaching Spherion’s network and protecting against DNS-based attacks.
• Encryption: All data managed by Spherion is encrypted in transit, using industry-standard encryption protocols to protect sensitive information from unauthorized access.
Data File and Loss Management
Advanced threat detection and technology-based tools are utilized to monitor and manage access to data files, as well as to prevent unauthorized access and mitigate the risk of data loss.
• Data Replication and Cloud Backups: All data is encrypted and regularly backed up to local and secure cloud storage to ensure availability and integrity in the event of data loss or system failure. These backups are encrypted and stored in compliance with current best practices for data protection and continuity.
• Endpoint Detection and Response (EDR): Spherion utilizes next-generation anti-virus solutions with EDR capabilities to detect, respond to, and mitigate threats at the endpoint level, ensuring comprehensive protection against malware and other malicious activities.
• Managed Threat Detection and Response (MDR): Spherion utilizes MDR services to ensure continuous monitoring, rapid threat detection, and swift incident response across our environment. MDR enhances our security by providing 24/7 surveillance, leveraging advanced threat intelligence, and delivering quick containment and resolution of security incidents, thereby safeguarding our data and systems from evolving cyber threats.
• Dark Web Monitoring: Continuous monitoring of the dark web for potential data breaches involving Spherion's data.
• Penetration Testing and Vulnerability Testing: Regular penetration testing and vulnerability assessments are performed to identify and remediate potential security weaknesses and ensure our data security systems are working as expected.
Data Retention
Spherion retains personal data for as long as necessary to achieve the purposes for which it was collected or as required by law.
Retention Period: Employee data is maintained in Spherion's Applicant Tracking System (ATS) and other systems permanently unless deletion is requested by the Data Subject and is permissible under applicable laws.
Data Deletion: Upon the termination of employment or other relationships with Spherion, personal data will be reviewed and, if no longer needed, securely deleted or anonymized, unless retention is impossible, required by law, or under contractual obligation.
User Rights and Responsibilities
This section outlines the key rights and responsibilities of Spherion employees regarding data privacy, ethical conduct, and the use of company resources. It is designed to ensure that employees are aware of their rights to a safe, respectful, and secure working environment, while also emphasizing their responsibilities to protect confidential information, use resources appropriately, and adhere to company policies and legal requirements.
Data Privacy and Security
Employees must adhere to Spherion’s data security policies, including the use of strong passwords, safeguarding access credentials, and promptly reporting any suspected data breaches or unauthorized access. Employees have the right to be informed about how their personal data is collected, used, and shared, and can expect that their data will be handled securely and in compliance with applicable laws.
Social Media
Employees are encouraged to use social media responsibly, ensuring that no confidential or proprietary information about Spherion, its clients, or colleagues is disclosed. Any use of social media on behalf of Spherion requires prior approval. Inappropriate, defamatory, or harmful comments or posts related to Spherion, its employees, or clients may result in disciplinary action.
Confidentiality
Maintaining the confidentiality of sensitive information related to Spherion, its clients, and colleagues is a fundamental responsibility. Unauthorized disclosure of such information is strictly prohibited and may result in disciplinary action. Employees have the right to confidentiality regarding their personal data and assurances that it will not be shared externally without consent, except as required by law.
Use of Company Resources
Spherion’s resources, including internet access and email, must be used for work-related purposes and in a manner that aligns with company values. Misuse of these resources, such as accessing inappropriate content, may lead to disciplinary action. Employees have the right to a safe and respectful working environment, facilitated by the responsible use of company resources.
Compliance with Laws and Policies
Employees must comply with all applicable laws and Spherion policies, including those related to data protection, privacy, and ethical conduct. Failure to comply may result in disciplinary action. Employees have the right to clear communication of company policies and any changes to those policies to understand their obligations.
Reporting and Accountability
Employees are expected to conduct themselves ethically, in line with company policies, and to report any potential violations of this policy or related concerns through the appropriate authority or supervisor.
Access and Correction
Individuals have the right to access their personal data held by Spherion and request corrections to any inaccurate or incomplete information. Requests for access or correction can be made by contacting the HR department or through the Spherion website.
Opt-Out
Individuals may opt out of receiving non-essential communications (e.g., text message notifications) by following the opt-out instructions provided in the communication or by contacting Spherion directly.
Data Portability
Individuals have the right to request the transfer of their personal data to another entity, where technically feasible, in a structured, commonly used, and machine-readable format.
Compliance and Legal Obligations
Compliance
Spherion is committed to complying with all applicable data protection laws, including the Ohio Data Protection Act and any other relevant state or federal regulations. Regular audits and reviews are conducted to ensure ongoing compliance.
Legal Requirements
Spherion may disclose personal data to legal authorities or other third parties if required to do so by law or in response to valid legal processes.
Updates to Policy
Spherion reserves the right to modify or update this Policy at any time. Any changes will be communicated to Individuals through appropriate channels, such as email or postings on the Spherion website. Continued use of Spherion's services after any such modifications shall constitute acceptance of the revised Policy.
Enforcement and Accountability
Adherence
Adhering to this policy is essential not only for legal compliance but also to uphold the trust and security of our employees, clients, and business operations.
Acknowledgment
All employees, vendors, and third-party affiliates of Spherion are required to read, understand, and comply with this Policy, or have a similar policy in place that would ensure the privacy and security of personal data. Acknowledgment of this Policy is a condition of employment or engagement with Spherion.
Disciplinary Actions
Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or contract. Legal action may also be taken against individuals who breach data protection laws or this Policy.
Contact Information
For any questions or concerns regarding this Policy or the handling of personal data, please contact:
Aaron Starr
Director of Continuous Improvement
Email: astarr@spherionohio.com
Phone: 419-775-4235
Address: 2282 Village Mall Drive, Ontario, Ohio 44906