IIR PRIVACY NOTICE

The Institute for Intergovernmental Research (IIR) is committed to protecting your information. Please read this Privacy Notice (“Notice”) carefully, as it sets out important information relating to how we handle your personally identifiable information (PII).

IIR Issuing the Notice

In this Notice, references to “we,” “our,” “us,” or “IIR” are references to the Institute for Intergovernmental Research, Inc., operating on behalf of federal agency clients and partners with whom we work on behalf of federal agency clients. References to “websites,” “social media sites,” or “applications” (“apps”) refer to websites, social media sites or pages, or applications that we have developed, maintain, or operate for our federal clients, including those owned or controlled by those clients, and through which we may obtain PII.

How to Contact Us

Questions, comments, and requests regarding this Privacy Notice should be addressed to our Data Protection Office through the following means:

Data Protection Office
Institute for Intergovernmental Research
Post Office Box 12729
Tallahassee, FL 32317-2719
USA
Email Address: dpo@iir.com


Introduction


This Notice sets out how we may collect and use personal information and the choices and rights available to you in connection with our use of your personal information.

PII—As used in this Notice, PII refers to “personally identifiable information,” “your information,” and any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

PII that you have provided ceases to be PII if we anonymize and/or aggregate it. “Anonymizing” means that we have stripped your PII from the data you have provided. Data aggregation is a type of data and information processing in which information you have provided is searched, gathered, and utilized in summary form as part of a grouping of data, usually for purposes of statistical analysis, without your personal identity being attached to it. This policy does not apply to information in an anonymized and/or aggregated form. Data aggregation is utilized by IIR for purposes such as preparing reports or providing statistics to examine trends, make comparisons, or reveal information and insights that would not otherwise be observable when the data is viewed in isolation. For example, IIR might produce a report for its client indicating the percentage of participants in a webinar having work experience exceeding ten years. Participants matching that category are not identified by name or other PII.

This Notice describes our practices when using your PII after you:

  • Express an interest in or have signed up for our events or products, including newsletters, apps, and webinars;
  • Attend an IIR event; or
  • Visit our websites (including our public website and member-based websites) or our social media sites or utilize our applications.


IIR performs services on behalf of federal agencies or other third parties (“clients”). Events, products, apps, webinars, and websites developed or managed by IIR may be on behalf of these clients.

This Notice also applies to PII that we may collect from you via any assessment or diagnostic tools. Should the terms of any such assessment or diagnostic tool’s confidentiality notice utilize your PII in a manner not described in this Notice, the assessment- or diagnostic- specific confidentiality terms will take precedence over the terms in this Notice and you will be asked to approve the additional use.

This Notice will apply whether you have provided the PII directly to us or we have obtained it from a different source, such as a third party.


1. INFORMATION THAT WE COLLECT ABOUT YOU


1.1 Data Collection and Usage


Information that we collect directly from you or from the following sources:
  • Third-party referrals
  • Information that you have provided in using our social media sites, applications, and Internet sites
Categories of information that we collect about you may include:
  • Personal information, such as name and title, contact details, employing agency or organization name, and email address.
  • Communications with you.
  • Information that you provide when posting content on social media sites.
We use this information for certain activities, including:
  • Facilitating the efforts of IIR through communication with contacts (e.g., to communicate details of events or webinars).
  • Internal analysis and research to help us improve our services.
  • Administering our websites, investigating any complaints, and providing customer service.
  • Monitoring social media content to manage relations with our clients and to conduct our services.
We use this information because:
  • It is necessary for performing our obligations and efforts under our contracts (including grants and cooperative agreements) and grant obligations with our clients.
  • It is necessary for compliance with any legal or regulatory obligations.
  • We have a legitimate business interest to:
    • Manage and promote our services and offered products, events, information, etc.
    • Provide and improve our services.
    • Ensure compliance with laws and regulations.
  • We have obtained your consent to collect and use your information. When you have consented to the collection of your PII, you have the right to withdraw your consent by notifying IIR’s Data Protection Officer.
Information that we collect when you attend one of our events:
Categories of information that we may collect about you include:
  • Information that you provide us when registering your attendance, such as name, email address, profile information, job title, and any requested individual accommodation.
  • Information collected when we record one of our events.
We use this information for certain activities, including:
  • Enabling you to attend or access online our events.
  • Facilitating the smooth running of events.
  • Analyzing attendee interests in and interactions with the event through voluntarily authorized and provided geo-location data (such as “Find an event near me”).
  • Marketing our events through the use of video.
  • Providing access to audio and/or video recordings (e.g., “replays”) of certain event sessions to attendees and online through our websites or social media sites.
We use this information because:
  • It is necessary for performing our obligations and efforts under our contracts (including grants and cooperative agreements) and grant obligations with our clients.
  • It is necessary for compliance with any legal or regulatory obligations.
  • We have a legitimate business interest to:
    • Manage and promote our services, programs, etc., being offered.
    • Operate, manage, monitor, and evaluate our events.
    • Provide and improve our services.
    • Collect relevant information for hospitality and health and safety purposes.
    • Manage attendance or participation in events or programs available to limited audiences (such as “open to sworn law enforcement personnel only”).
Information that we collect from users of:
  • Our websites (member-based, restricted-access, and public)
  • Our applications (“apps”)
  • IIR-managed Web pages or client pages on social media sites
Categories of information that we may collect about you include:
  • Information that you provide when you enter information on our website, an IIR-managed client website, social media sites, or through our apps, such as when you provide contact details or answer online questionnaires or feedback forms.
  • Information that you provide when you subscribe to email newsletters or event announcements, such as name, email address, and job title.
  • Information that you provide when registering for an online or user account, including name, organization or personal email address, job title, organization, organization’s physical address, direct telephone number, photograph, and biographical details.
  • When you have an online or user account, information such as login and similar credentials and information about use and preferences for these services.
We use this information for certain activities, including:
  • Enabling you to access your online accounts across devices.
  • Personalizing the experience of our websites, IIR Web pages, IIR-managed client pages, and apps.
  • Administering our websites and/or apps, including enforcing audience or user access restrictions.
  • Enabling peer networking opportunities based on your background and experience.
  • Providing better, more customized client service.
  • Investigating any complaints.
  • Monitoring social media content to meet client expectations.
We use this information because:
  • It is necessary for performing our obligations or exercising our efforts under our contracts (including grants and cooperative agreements) with our clients.
  • It is necessary for compliance with any legal or regulatory obligations.
  • We have a legitimate interest to:
    • Promote our services through our websites and through social media tools.
    • Monitor, investigate, and report any attempts to breach the security of our websites, social media sites, or apps.
    • Provide and improve our services, including, but not limited to, our apps.
    • Operate our services and business.
  • We have your consent (where required) to use your information. After you have consented to the collection of your PII, you have the right to withdraw your consent by notifying IIR’s Data Protection Officer.
Information that we collect about the use of our managed websites, social media sites, and apps from users:
Categories of information that we collect about you include:
  • Information captured in our Web logs—such as device information (e.g., device brand and model, screen dimensions), unique identification numbers (e.g., IP address and device ID), and browser information (e.g., URL, browser type, pages visited, date/time of access)—geo-location and other device-specific information, and Internet connection information.
  • Information captured through IIR’s use of cookies, which may be utilized to enhance resources. In general, IIR websites do not utilize cookies or other methods other than to analyze usage patterns to improve our services and users’ experiences. If we are using cookies or any other methods for any other purpose, you will be asked to consent to that use.
We use this information for certain activities, including:
  • Personalizing the experience of our managed websites, social media pages, and apps.
  • Administering our managed websites, social media pages, and apps.
  • Performing statistical, usage, and trend analyses to improve the user experience and the performance of our managed websites, social media pages, and apps.
  • Providing better, more customized client service.
  • Investigating any complaints.
We use this information because:
  • It is necessary for compliance with any legal or regulatory obligations.
  • It is necessary for performing our obligations or managing our efforts under our contracts (including grants and cooperative agreements) with our clients.
  • We have a legitimate interest to:
    • Monitor, investigate, and report any attempts to breach the security of our websites.
    • Improve the performance and user experience of our websites.
    • Customize our clients’ experience.


1.2. Special Categories of Information


Certain types of PII are more sensitive than others. For example, your request for an accommodation of a personal condition while attending a training session could reveal sensitive information beyond general information such as your employer or contact information. Should IIR seek to collect more sensitive information from you, we will identify the type of information being sought, why we seek it, and how it will be used. The disclosure of such information remains voluntary on your part.


Information that we collect when you attend one of our events:
Categories of information that we may collect about you include:
  • Your data could be destroyed, but you ask us to restrict use of the data instead of deleting it and provide specifics supporting the reason for your request.
  • Any physical or mental disability or impairment that you may disclose to us in the course of requesting a reasonable accommodation of your needs.
We use this information for certain activities, including:
  • Providing venue sites that are suitable for attendees of our events.
  • Ensuring that websites are reasonably accessible to persons with disabilities.
We use this information because:
  • You have consented by providing us with the information. Where we rely on your consent, you have the right to withdraw your consent by contacting the IIR Data Protection Officer.

1.3. Further Information


Occasionally, legitimate interests mentioned in this policy may take precedence over the routine protection of your personal data. If you have any question about how or when such an interest affects how your personal information is treated, you may contact our Data Protection Officer. Our websites and online services are normally designed for individuals who are at least 18 years of age.


Note: In certain circumstances, if you do not consent to the collection of information as described in this Notice or otherwise do not provide personal information that is required by us, we will not be able to provide you with access to our products and services. It remains your decision whether to provide the required information in order to gain access to the products or services. Withdrawing your previously provided consent or failing to consent to a modification of this Notice may result in us not being able to provide you with continued access to our products or services.


2. WHEN WE DISCLOSE YOUR INFORMATION


IIR does not regularly provide your PII to third parties. We do not “sell” or “rent” your PII as provided to us. We may disclose your PII to third parties as follows:

  • To process the data for the purposes disclosed in this policy
  • When we have your specific consent or authorization to do so
  • To third parties who work on our behalf to provide technical services or operations (e.g., printing materials for an event or seminar)
  • To third parties providing services to us who have a need to access your information, such as professional service providers (e.g., auditors and lawyers) or those providing venues for our events
  • To comply with applicable laws; protect rights, safety, and property; and respond to lawful requests from public authorities (such as disclosing data in appropriate situations for national security or law enforcement purposes)

Utilization Information
We may share information with our organizational participants about how their employees use the sites and the resources available to them through the sites (e.g., how employees used certain features of the sites, utilization trends, which features were most popular with the member’s employees). If any information is shared, IIR will require the third party to provide the same or equal protection of your information, as is required by this policy.


3. RETENTION PERIODS


We will retain your PII for as long as required to perform the purposes for which the data was collected, depending on the legal basis for which that data was obtained and/or whether additional legal/regulatory obligations mandate that we retain your personal information. We may also retain personal information for the period during which a claim may be made in relation to our dealings with you.

In general terms, this will mean that your personal data will be kept for the duration of our relationship with you or a time period required by our clients and:

  • The period required by laws, regulations, or audit requirements.
  • As long as it is necessary for you to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under applicable laws.


Any information that has been anonymized or aggregated, as well as raw data, also may be kept for such time as the information is of value to IIR.


4. CHOICES ABOUT YOUR INFORMATION


We believe it is important to give you choices about the use of your PII. We will use your PII as described in this Notice (or any other event- or service-specific privacy notice). If we want to use your information for a purpose not described in this Notice and not previously consented to, we will first get your consent to do so. As previously noted, anonymized or aggregated information does not constitute PII.

Marketing Communications

We will respect your wishes not to receive marketing communications from us. (“Marketing communications,” as used by IIR, means advising you of upcoming events, webinars, new apps related to our ongoing operations, and similar communications.) Marketing communications are done primarily through email.

If you have previously given us your email address to receive marketing communications, you can withdraw your permission at any time by using the “unsubscribe” links or instructions included at the bottom of our emails. If you receive marketing communications through a method other than email, you can withdraw your permission by following the instructions provided with that method.

Please note that as long as you continue to use our managed apps, access our managed websites or social media pages, or otherwise utilize our IIR services, we will continue to send you service-related communications regardless of any withdraw request.

As a nonprofit company, we will not sell your personal information. We will not share your personal information with third parties (other than our clients or subcontractors working on our behalf) unless you give us specific consent to do so and where sharing is permitted by applicable law or we are otherwise required to do so by law or regulation.


5. DATA SUBJECT RIGHTS


You have certain rights, in certain circumstances, in relation to your PII. A summary of each right and how an individual can take steps to exercise it is set out below. If you wish to exercise any of these rights, please contact us using the contact details specified on page one for the Data Protection Officer. Such requests should include appropriate identity verification information (such as your name, address, email address, or other information reasonably required).

Where we receive a request to exercise one of these rights, we shall provide information on the action we take on the request without undue delay and usually within one month of receipt of the request. This may be extended in certain circumstances, e.g., where requests are complex or numerous.

The information may be provided free of charge, except where requests are manifestly unfounded or excessive, in particular, because of their repetitive character. In these circumstances, we may charge a reasonable fee or refuse to act on the request. We will advise you of any fees prior to proceeding with a request.

We may ask for additional information to verify your identity before carrying out a request.

Where we do not carry out a request, we shall inform you without delay and within one month of receipt of the request, providing our reasons for not taking the action requested.

Right How You Can Exercise the Right:
Right to access and/or correct your personal information You have the right to access PII that we hold about you, as well as to be provided with a copy of the PII (in most circumstances). You also have the right to correct any information that we may hold about you that is inaccurate.
Right to restrict use of your personal information
You have the right to ask us to restrict the processing of your personal data where one of the following applies:
  • Your data could be destroyed, but you ask us to restrict use of the data instead of deleting it and provide specifics supporting the reason for your request.
  • You are contesting the accuracy of your personal data. Where you contest the accuracy of your personal data, the restriction will apply until we have verified the accuracy or corrected your personal data or have anonymized the data.
  • We no longer require the personal data for the purposes of processing, but you have requested in writing that we keep it in connection with a specified legal claim.
  • If you maintain that we have no basis to process your data, you have a right to object to the processing of your data by providing us a legitimate specific basis for your objection. The restriction will apply until we have taken steps to verify whether we have legitimate grounds to continue processing.
Right to request deletion of your personal information You have the right to ask us to delete your personal information. However, in certain circumstances, there are certain exceptions where we may refuse your request for deletion (e.g., where the personal data is required to comply with an active legal obligation or for the establishment, exercise, or defense of legal claims).
Right to object to processing of your personal information You may object to the processing of your personal data in cases where we have used legitimate interests as the basis for processing. In such cases, we will stop processing your personal data until we verify that we have legitimate grounds for processing that outweigh your interests, rights, and freedoms in asking us to stop processing the data, or in limited cases where we need to continue processing the data for the establishment, exercise, or defense of legal claims.
Right to data portability In most cases, you have the right to receive all personal data that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another data controller, where technically feasible.
Right to lodge a complaint with a supervisory authority In some jurisdictions, if you object to our processing of your personal data, you have a right to complain to the data protection authority in the jurisdiction where you reside and/or work or where an alleged infringement of data protection laws has taken place. We request that you first attempt to resolve your issue with us if at all possible.

6. SECURITY


We have implemented administrative, technical, and physical security measures to help prevent unauthorized access or attempts to harm the information system(s). IIR complies with generally accepted industry or other applicable standards for security. IIR operates in a secure facility protected from external intrusion and utilizes secure internal and external safeguards against network intrusions. IIR has in place privacy and security safeguards/controls to protect the security and confidentiality of PII and records. Despite these measures, no data transmission over the Internet can be entirely secure, and we cannot and do not guarantee or warrant the security of any information you transmit via our websites or apps. Please note that you are responsible for maintaining the security of your credentials used to access any IIR service or account, and we request that you immediately report to us any suspected or confirmed unauthorized activity involving IIR services or accounts. We make efforts to restrict access to information to only those employees, contractors, and agents who need such access to operate, develop, improve, or deliver our programs, products, and services.


7. COOKIES AND SIMILAR TECHNOLOGIES


A cookie is a small text file that includes a unique identifier that is sent by a Web server to the browser on your computer, mobile phone, or any other Internet-enabled device when you visit an online site. Cookies and similar technologies are widely used to make websites work efficiently and to collect information about your online preferences. For simplicity, we refer to all of these technologies as “cookies.” IIR collects session-related cookies. By collecting this information, we learn how to best tailor our sites for our users and to analyze how our managed sites are being used. We will advise you should we utilize cookies at IIR-managed sites for any purpose not related to improving services provided to our users or otherwise in a manner not discussed in this Notice.


8. MISCELLANEOUS


8.1. Links


To provide increased value to you, we may provide links to other websites or resources that are not part of the products, programs, or services run or controlled by IIR. We do not control these websites or their privacy practices, and any information you provide to these sites is subject to the privacy policies of those sites, which may or may not conform with the practices detailed in this Notice.


8.2. Changes to This Notice


From time to time, we may revise this Notice. If this Notice changes, we will post an updated version with the date of posting in its title. You will be asked again to consent to the practices outlined in the newly posted Notice. Your use of IIR services and products after you make an affirmative consent when asked means that you agree to IIR’s privacy policies as posted in IIR’s Notice. If you do not agree with our policies, you should refrain from using our services or products and withdraw your consent. We suggest that you occasionally review this Notice to remain aware of our current information policies and practices. Any changes to this Notice will go into effect upon posting.