Data Security And Privacy Policy

Spherion Mid Ohio Employment Services Inc.

Last updated 9/1/2024  |  Revision 1.0

Data Security and Privacy Policy

Introduction

At Spherion Mid Ohio Employment Services Inc. ("Spherion"), we are committed to protecting the privacy of our employees and applicants (“Individuals"). This Data Security and Privacy Policy ("Policy") outlines the steps we take to safeguard personal data and ensure that our practices comply with all applicable laws. This Policy is a key part of building and maintaining trust with our clients and employees, creating a secure environment where everyone can feel confident that their information is handled with care and respect.

Purpose

The purpose of this Policy is to:

• Protect the confidentiality, integrity, and availability of all personal data processed by Spherion and Individuals.

• Ensure compliance with applicable data protection laws and regulations.

• Provide transparency about how personal data is collected, used, stored, and shared by Spherion.

Scope

This Policy applies to all personal data processed by Spherion, whether in electronic or physical form. It covers all employees, contractors, and any third parties engaged by Spherion who have access to or entered personal data through our website, in person at our office, or at a job eve

Data Collection

Types of Data Collected:
Spherion collects the following types of personal data:

• Employee Data: Includes name, address, Social Security number, date of birth, employment history, and other identifying information

• Communication Data: Includes phone numbers, email addresses, and other contact information

Methods of Collection:

Personal data is collected through:

• Forms: Both online and paper forms completed by Individuals.

• Direct Interactions: Phone conversations, meetings, and other forms of direct communication

Data Usage:
Personal data collected by Spherion is used for the following purposes

• Employment Processing: To verify eligibility for employment, process payroll, and manage employment records.

• Communication: To send job opportunities, reminders, and service updates to Individuals.

• Compliance: To meet legal and regulatory obligations, including tax reporting and adherence to labor laws.

Example Use Cases:
These are some of the ways in which we use Individuals information

• Text Reminders: We use your phone number to send reminders about upcoming shifts, reward programs, call-offs, interviews, onboarding steps, and orientation instructions.

• Job Opportunities: We may send you job alerts based on your preferences and qualifications.

Data Sharing

Personal data is shared with third parties only under agreement to ensure the security and confidentiality of the information. Third parties include service providers for background checks, payroll processing, and IT services, as well as legal entities as required by law.

Third-Party Sharing:
In instances where shared data includes specific Individual details, we ensure these are protected by our agreements with third parties. We may share data with the following types of third parties:

• Service Providers: Data is entered or shared with our applicant tracking software systems, consumer reports and background checks providers, information technology providers, CTI WOTC, and payroll processors. For a listing or disclosure of current or historical providers of these services, please contact one of our representatives for more details.

• Legal Entities: Government agencies or legal entities as required by law.

Legal Requirements:
We may also share data to comply with legal obligations such as subpoenas, tax reporting, or other legal processes.

Data Security Measures

Spherion, in partnership with its Managed Services Provider, implements multiple layers of security to ensure the highest levels of protection of personal data. Access to personal data is restricted to authorized personnel based on the principle of least privilege.

Data Access Controls:
Strict user permission policies are enforced, with regular audits to ensure compliance.

• Multi-Factor Authentication (MFA): MFA is required for accessing sensitive data and systems, adding an additional layer of security by requiring users to provide two or more verification factors to gain access.

• Privileged Access Management (PAM): Access to sensitive systems and data is restricted to authorized personnel only, using PAM to enforce the principle of least privilege and manage administrative rights securely.

• Phishing Campaigns and Security Awareness Training: Regular training and simulated phishing campaigns are conducted to educate employees on recognizing and responding to phishing attempts.

• Encryption: All data managed by Spherion is encrypted in transit, using industry-standard encryption protocols to protect sensitive information from unauthorized access.

Data File and Loss Management
Advanced threat detection and technology-based tools are utilized to monitor and manage access to data files, as well as prevent unauthorized access and mitigating the risk of data loss.

• Data Replication and Cloud Backups: All data is encrypted and regularly backed up to local and secure cloud storage to ensure availability and integrity in the event of data loss or system failure. These backups are encrypted and stored in compliance with current best practices for data protection and continuity. Data Replication and Cloud Backups: All data is encrypted and regularly backed up to local and secure cloud storage to ensure availability and integrity in the event of data loss or system failure. These backups are encrypted and stored in compliance with current best practices for data protection and continuity.

• Endpoint Detection and Response (EDR): Spherion utilizes next-generation anti-virus solutions with EDR capabilities to detect, respond to, and mitigate threats at the endpoint level, ensuring comprehensive protection against malware and other malicious activities.

• Domain Filtration and Protection: DNS filtration is implemented to block access to malicious domains, preventing threats from reaching Spherion’s network and protecting against DNS-based attacks.

• Managed Threat Detection and Response (MDR): Spherion utilizes MDR services to ensure continuous monitoring, rapid threat detection, and swift incident response across our environment. MDR enhances our security by providing 24/7 surveillance, leveraging advanced threat intelligence, and delivering quick containment and resolution of security incidents, thereby safeguarding our data and systems from evolving cyber threats.

• Dark Web Monitoring: Continuous monitoring of the dark web for potential data breaches involving Spherion's data.

• Penetration Testing and Vulnerability Testing: Regular penetration testing and vulnerability assessments are performed to identify and remediate potential security weaknesses and ensure our data security systems are working as expected.

Data Retention

Retention Period
Spherion retains personal data for as long as necessary to achieve the purposes for which it was collected or as required by law. Employee data is maintained in Spherion's Applicant Tracking System (ATS) and other systems permanently unless deletion is requested by the Data Subject and is permissible under applicable laws.

Data Deletion
Upon the termination of employment or other relationships with Spherion, personal data will be reviewed and, if no longer needed, securely deleted or anonymized, unless retention is required by law or contractual obligation.

User Rights

Access and Correction
Individuals have the right to access their personal data held by Spherion and request corrections to any inaccurate or incomplete information. Requests for access or correction can be made by contacting the HR department or through the Spherion website.

Opt-Out
Individuals may opt out of receiving non-essential communications (e.g., text message notifications) by following the opt-out instructions provided in the communication or by contacting Spherion directly.

Data Portability
Individuals have the right to request the transfer of their personal data to another entity, where technically feasible, in a structured, commonly used, and machine-readable format.

Compliance and Legal Obligations

Compliance
Spherion is committed to complying with all applicable data protection laws, including the Ohio Data Protection Act and any other relevant state or federal regulations. Regular audits and reviews are conducted to ensure ongoing compliance.

Legal Requirements
Spherion may disclose personal data to legal authorities or other third parties if required to do so by law or in response to valid legal processes.

Updates to Policy

Spherion reserves the right to modify or update this Policy at any time. Any changes will be communicated to Individuals through appropriate channels, such as email or postings on the Spherion website. Continued use of Spherion's services after any such modifications shall constitute acceptance of the revised Policy.

Enforcement and Accountability

Adherence
Adhering to this policy is essential not only for legal compliance but also to uphold the trust and security of our employees, clients, and business operations.

Acknowledgment
All employees and contractors are required to read, understand, and comply with this Policy. Acknowledgment of this Policy is a condition of employment or engagement with Spherion.

Disciplinary Actions
Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or contract. Legal action may also be taken against individuals who breach data protection laws or this Policy.

Contact Information

For any questions or concerns regarding this Policy or the handling of personal data, please contact:

Aaron Starr
Director of Continuous Improvement
Email: astarr@spherionohio.com
Phone: 419-775-4235
Address: 2282 Village Mall Drive, Ontario, Ohio 44906