Privacy Policy
We
In this document, ‘we’ means Cultural Infusion Pty Ltd, the company that supplies the Atlas and the Inclusive Employer Index. We are a Data Processor as defined by the European Union’s General Data Protection Regulation (GDPR).
Our Service(s)
‘Our service(s)’ or ‘the Atlas services’ refers to Cultural Infusion websites and platforms, including any Atlas survey, the Atlas administrator dashboard, and the Cultural Infusion membership program. Cultural Infusion websites are at culturalinfusion.com and may include subdomains, including membership.culturalinfusion.com. Cultural Infusion may support organisations with additional types of work, including but not limited to on-the-ground research, custom survey design, advice or project support. In such cases, unless other agreements are made following a privacy risk assessment, this privacy policy continues to apply.
Client Organisation
An entity to whom Cultural Infusion is providing services. This could be a private business, a government agency, an event organising body, or non-governmental organisation (NGO). A client organisation is a Data Controller as defined by GDPR.
Organisational Administrator
An employee or contractor of a client organisation designated by that organisation to have administrator access to Cultural Infusion services, particularly, the Atlas dashboard that allows that administrator to view and analyse results of a survey.
(Individual) User
An individual user refers to a person who uses Cultural Infusion services, whether by interacting with the websites (culturalinfusion.com and membership.culturalinfusion.com), participating in surveys, signing up for membership, or using any other services provided by Cultural Infusion. Individual users are considered among other applicable laws, Data Subjects under GDPR, meaning they have specific rights regarding their personal data, including the right to access, correct, delete, and restrict processing of their data.
(Survey) Respondent/Participant
A respondent is a person who provides their personal information as part of their participation in an Atlas survey. A respondent is a Data Subject as defined by the GDPR.
Table 1: Overview of GDPR roles
Third-Party Plugins and Embedded Content
Articles on our websites may include embedded content from other websites (e.g., videos posted from our YouTube account, images, or articles). These third-party websites may collect data about you, use cookies, and monitor your interaction with the embedded content. We advise reviewing the privacy policies of these external sites for more information.
User Rights and Data Management
Users who have accounts or have left comments on our websites can request to receive an exported file of the personal data we hold about them, including any data provided to us. Users can also request that we erase any personal data we hold about them, except for data we are obliged to retain for administrative, legal, or security purposes.
We retain user data collected through our websites for as long as necessary to provide our services and fulfil the purposes outlined in this privacy policy. Users can request deletion of their data at any time, subject to legal and operational requirements.
Security Measures
We implement robust security measures to protect personal data collected through our websites. This includes SSL encryption for data transmission, secure storage solutions, and regular security audits. Our WordPress installations and plugins are regularly updated to mitigate security vulnerabilities.
Membership
Our websites, atlas.culturalinfusion.com and membership.culturalinfusion.com, are built using WordPress. These websites utilise various plugins including GravityForms, Paid Membership Pro, Modern Events Calendar, Zoho SalesIQ, CloudFlare, and WPML. Additionally, we use Zoho CRM for customer relationship management.
Our website servers are based in Australia and the EU, and website content is distributed using Cloudflare per below.
What are cookies, and how do we use them?
Cookies are files with small amounts of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and are stored on your device. We do not use advertising cookies or share data with third parties, except for functional purposes as mentioned below.
We may collect information on how the Cultural Infusion websites are accessed and used, which is known as Usage Data. For survey participants, this Usage Data does not include your Internet Protocol address (IP Address) or any other Personal Identifiable Information (PII) but can give us information about browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, which type of device you are using, and other diagnostic data. This helps us to continuously improve the accessibility of our survey for use on different devices.
We use cookies and similar tracking technologies to monitor and hold certain information about your use of our websites including the membership program. We use beacons, tags, and scripts to collect and track information about how people use our website, and to improve our services. For example, these technologies allow us to understand if people are spending large amounts of time on one page, or whether things such as our contact forms are working correctly.
You can instruct your browser to refuse all non-essential cookies or to indicate when a cookie is being sent by a website. If you do not accept cookies, you may not be able to use some portions of our website. Note that if you select options like “do not allow cookies”, you will still have one cookie added to your device so that we remember your preferences the next time you visit the site.
Data Collection and Usage
We collect personal data through forms on our websites, which may include but are not limited to contact forms, registration forms, and membership sign-ups. This data is collected using WordPress’ inbuilt features and the GravityForms plugin, and is stored securely within our systems.
For users who sign up for our membership program via membership.diversityatlas.io, we collect additional data required for membership management. This data is handled through the Paid Membership Pro plugin and integrated with Zoho CRM for administrative purposes.
Cookies and Tracking Technologies
Our websites use cookies and similar tracking technologies to enhance user experience and collect information about user interactions. These cookies include essential cookies for login and session management, functionality cookies for user preferences, and analytics cookies for usage statistics.
As is standard, we use Google Analytics to collect and store information about how visitors interact with our websites (diversityatlas.io and membership.diversityatlas.io). This helps us analyse website traffic and improve our services. The information collected by Google Analytics may include your IP address, browser type, pages visited, and the time and date of your visit. This data is kept confidential and is used solely for internal analysis. We do not share this information with any third-party companies. You can opt-out of Google Analytics tracking by taking steps such as installing the Google Analytics opt-out browser add-on.
We use Zoho SalesIQ to chat with website visitors, as well as to track visitor interactions on our websites. Information you give us during a chat session may be stored in our CRM, Zoho CRM. These integrate so that we remember our past interactions and can follow up with you appropriately. For example, say you start a chat with us on the website, because you have a question about the Atlas survey. We’ll store that interaction in our CRM, and next time we connect, we’ll be able to refer back to our previous chat so you don’t need to repeat yourself.
We use Cloudflare to enhance the security and performance of our websites. In straight-forward terms, this service stores parts of our website around the world, so that when you visit us, the data gets to you more quickly. Cloudflare may place cookies on your browser to assist with content delivery and security measures. Data collected by Cloudflare is subject to their privacy policy.
Our websites also utilise WPML (WordPress Multilingual) to enable language translation switching. WPML may use cookies to remember your language preferences. The authoritative version of our website is in English.
Useful third-party privacy policies
Our membership program, available via membership.diversityatlas.io, is managed using the Paid Membership Pro plugin. This program allows users to sign up for different membership tiers, access exclusive content, and participate in member-only events. During the sign-up process, we collect various types of personal information necessary for membership management and service provision.
Types of Data Captured: When users sign up for our membership program, we collect the following information:
- Personal Information:This includes your name, email address, mailing address, and phone number. It may include organisational information, particularly for organisational memberships.
- Account Information:Username, password, and membership tier details.
- Payment Information:Credit card details or other payment method information, which are securely processed through our payment gateway and not stored on our servers. This information is necessary to process your payment.
- Demographic Information:Age, gender, and other optional information that helps us tailor the membership experience.
- Usage Data:Information about how you interact with the membership site, including login times, pages visited, and services used.
Use of Stripe for Payment Processing: We use Stripe as our payment processor to handle payments made for the membership program via our websites. Stripe is a secure and trusted payment gateway that complies with industry standards for payment processing and data protection. When you make a payment, your payment details are securely transmitted to Stripe for processing. We do not store your full credit card information on our services. Stripe handles all sensitive payment data in accordance with their strict security protocols and compliance requirements. To facilitate payment processing, we share relevant personal data with Stripe. This includes transaction details and the personal information required to authenticate and complete the payment. Stripe’s privacy policy governs the use and protection of this data, and that can be found on their website here:https://stripe.com/privacy
Integration with OpenLearning platform: Our membership website is integrated with the OpenLearning course platform to provide a seamless learning experience for our members. When you log in to the OpenLearning platform using your Diversity Atlas membership, we share basic information such as your name, email address, membership status, and course status between the two systems. Additionally, any information about badges or certificates you complete via OpenLearning will also be shared with the membership site to keep your records up to date. This integration allows us to offer you a cohesive and efficient learning journey. All data shared between Diversity Atlas and OpenLearning is handled securely and in compliance with our privacy policy and applicable data protection regulations.Similar data may also be shared with certification platforms (such as, but not necessarily, Badgr.io or Accredible) so that we can provide you with badges that can be shared on your social profiles. OpenLearning’s privacy policy may be found at: https://solutions.openlearning.com/privacy-policy
Data Storage and Security: All personal data collected through the membership program is stored securely on our servers, which are protected by industry-standard security measures. We use SSL encryption to safeguard data during transmission and implement robust security protocols to prevent unauthorized access to stored data. Payment information is handled by Stripe as described above.
Data Retention: We retain personal data for as long as necessary to provide our membership services and fulfill the purposes outlined in this privacy policy. This includes maintaining user profiles, processing payments, and managing membership subscriptions. Users can request to view, update, or delete their personal information at any time by contacting our support team. However, certain data may be retained for legal, administrative, or security purposes.
By participating in our membership program, you consent to the collection, storage, and use of your personal data as described in this privacy policy. We are committed to protecting your privacy and ensuring that your data is handled with the utmost care and respect.
Your participation in an Atlas survey involves the provision of cultural and demographic information—that is, information about you that a third party might be able to use to identify you if they gained access to it. For example, if you say that you are a white Australian woman aged 38 who works at ‘Organisation X’, and there is only person that meets that description at Organisation X, you would be identifiable from your responses. For this reason we have special rules in place around the data we collect, including the ‘Rule of 20’, which you can read about below.
As a survey respondent, you should understand that there are unavoidable risks involved in the provision of personal information to any entity, however we believe that we have taken every available measure to ensure this will not happen, including but not limited to full encryption, anonymity, ISO/IEC 27001:2022 certification, systems to ensure pseudonymisation, and a storing the platform in a secure cloud-based server.
We do not validate and verify participants’ input—so you will never hear from us saying that your response was wrong, as we do not know who has answered what in the survey, and we are not in a position to decide how other people describe themselves.
Anonymous method of surveying:
The beauty of the Atlas survey is that you are anonymous. Your answers form part of your organisation's diversity snapshot but cannot be attributed to any individual participant.
In its default configuration, the Atlas survey invites respondents to provide information about themselves which is considered ‘sensitive information’ under Section 6(1) of Australia’s Privacy Act and article 9 of the European Union GDPR. This includes information about:
- Ancestral and/or cultural heritage
- Sexual orientation
- Religion / Worldview
- Disability
Answering these, or any, of the survey questions is entirely voluntary. Respondents are under no obligation to answer these questions and can indicate in the Atlas survey that they prefer not to answer them.
Organisations may have custom questions added to the survey by the Cultural Infusion team, or have default questions removed from the survey, and they must ensure ongoing compliance with the principles of privacy and anonymity as described in this document.
How your information is used
Once an Atlas survey has been completed, the results are made available to the client organisation’s Organisational Admin via the Atlas online dashboard.
Using this dashboard, Organisational Administrators can undertake analysis and generate reports based on the results of the survey. Access to this Dashboard is limited to the designated Organisational Administrator(s) and is protected with SSL-encrypted passwords. Each page of the Atlas has an SSL certificate. Our web server is located in a highly secured domain. All website data is backed up on a daily, weekly and monthly basis.
The Atlas dashboard used by Organisational Administrators limits visibility of participants’ data to preserve their confidentiality. Organisational Administrators can see how many people in their organisation have completed the survey, but they cannot see who has completed the survey, or any participant’s specific answers.
What admins can see:
- How many people responded to the survey
- Overall organisational results
- Diversity metrics at the level of teams or departments, as long as there are at least 20 participants (see the Rule of 20)
What admins can't see:
- Respondents’ individual answers
- The names of any respondents
- Results for any teams within the organisation (eg: a business unit, or region) in which fewer than 20 people have responded
Atlas has this same level of access, only if the Client Organisation requests it and enables ‘view’ consent. This is typically granted so that we can provide technical, administrative, or expert support. Otherwise, Atlas team members cannot view a Client Organisation’s survey data. Atlas team members cannot view or modify respondents’ survey answers.
Your individual data is never, under any circumstances, disclosed, shared, or sold to a third party. Aggregated anonymised data where you as an individual are not identifiable may be used for research projects, whether by the Atlas directly, or affiliated researchers, but only with consent by your administrator.
Rule of 20
No survey results are shown unless 20 people have submitted a survey. This applies not just at the level of an organisation, but also to any sub-unit of that organisation such as department, or office, or business unit. For example, if you are part of a marketing department that has fewer than 20 people, in an organisation with 200 people, your Organisational Administrator would be able to view the overall diversity results for your organisation, but not for the marketing department. This is to protect your privacy, while still allowing your personal results to matter for the organisation.
Filter enquiries are also subject to the rule of 20. For example, the dashboard allows Organisational Administrators to filter results by gender or age. If the query is to show results for ‘women’ between the ages of 20 and 40, no results will be shown unless there are at least 20 women in that age range.
Sometimes organisations ask for different thresholds. For instance, for the DCA Inclusive Employer survey, the ‘all’ figure is even higher, at ‘36’, but the filter queries across diversity demographics is set at ‘10’. Where there are deviations from the Rule of 20, Client Organisations and/or their Organisational Administrators are responsible for telling their potential survey respondents, so that individuals can decide for themselves whether they take part or not.
Survey data storage and security
We store all users’ information on servers protected by world-leading standards of data integrity.
In Australia, all databases containing survey users’ data are stored on our Amazon Web Services (AWS) servers in Sydney, Australia. We have the capacity to make our services available to clients using other servers located anywhere in the world, pursuant to their needs and any legislative requirements for the storage of personal data. In EU jurisdictions, survey data is hosted at AWS servers in Berlin, Germany.
Encryption
The Atlas survey administrator dashboard is only accessible to Organisational Administrators with a password. These passwords are SSL encrypted using the Hash function, meaning nobody has access to them—including the Cultural Infusion team.
Cultural Infusion uses column-based encryption to offer additional protection to the information provided by respondents in an Atlas survey.
Retention of survey data
We will retain your Personal Data only for as long as it is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our website, or we are legally obligated to retain this data for longer periods.
To meet privacy requirements, upon completion of the Atlas survey participants are offered options to edit / delete data at any time in the future that the data is still held.
Shared responsibilities
Shared responsibility is collaboration between two parties performing their duties to maintain the secure environment. Cultural Infusion and its customers (Client Organisations/Organisational Administrators and individual users) share equal responsibility of security and compliance. This security model helps to establish secure environment with less operational overhead as Cultural Infusion operates, manages, and controls the facilities that they run.
As shown below, there are different responsibilities that refers to the security of the platform versus security in the platform.
Shared Controls: In a shared control, AWS gives the information of requirements for the infrastructure and the customer comes up with their own control implementation within their use of AWS services. For example:
- Patch management
- Configuration management
- Awareness and training
ISO Compliance
Information is an asset that Cultural Infusion has a duty and responsibility to protect. The availability of complete and accurate information is essential for the organisation to function in an efficient manner and provide products and services to customers and partners.
Cultural Infusion holds and processes confidential and personal information on private individuals, employees, partners, and suppliers, along with information relating to its own operations. The objective of this policy is to ensure the confidentiality, integrity, availability and accountability of Cultural Infusion’s information assets.
Scope
The company’s ISMS is applicable specifically to resources and equipment maintained by Cultural Infusion. Developing digital platforms for diversity and inclusion focused solutions. Information Security related to Application platform and DevOps platform for Cultural Infusion's Atlas and Application platform and DevOps platform for Sound Infusion.
Statement of Applicability
For over 30 years, our vision is to help create a world that is culturally harmonious. Our business and foundation's mission has been to build global harmony through intercultural action, from delivering a wide range of cultural programs for schools, businesses, governments and partners to running major events and programs that help people better understand and experience the value cultural diversity has in all our lives.
Our founder, Peter Mousaferiadis is an internationally recognised thought leader of culture as a driver of peace and innovation. From his early childhood, Peter’s own experiences of diversified cultures created a lifelong interest and passion to learn from and teach others about culture in many varied forms. This led to founding Cultural Infusion in 2002 to deliver broad cultural experiences that help others understand the value of diversity.
Our ISMS Journey
- Analysis of Security measures
- Developing our ISMS framework
- Developing policies and procedures
- Training and awareness program
- Engaging with JAS-ANZ cert body
- Internal \ External audit
- Achieving ISO/IEC 27001:2022
- Monitor, review and annual surveillance
Our information security practices
As outlined, we will handle personal data with the utmost respect for the privacy and confidentiality of users. But strong privacy values, as reflected in our Code of Conduct aren’t enough. We also take all available technical steps to safeguard user data from unauthorised access.
The information security management system of Cultural Infusion’s Atlas is based on the three pillars of confidentiality, integrity and availability of user data.
Confidentiality
The Diversity Atlas online platform is SSL certified. All passwords are encrypted using the Hash function—this means that the passwords cannot be decrypted by any intruder, and or by the Cultural Infusion’s Atlas technical team.
Integrity
The Cultural Infusion’s Atlas dashboard is designed so that only organisational administrators have the ability to see the data set generated by a survey and to remove any respondents’ data. We also ensure that all encrypted files are backed up daily.
Availability
We ensure that the tool and client assets are always available to all authorised parties. As our platform is hosted on world-leading Amazon Web Services, this guarantees that there is never any down time for the project and that the Cultural Infusion’s Atlas service will always be speedy and available for clients' use.