Mindmill Privacy Notice

MindMill (HR) Software Ltd Privacy Notice


To comply with the requirements of the General Data Protection Regulation (GDPR), this document covers the specific requirements and business practices around privacy and data processing for MindMill (HR) Software Ltd.

This Privacy Notice aims to give you information on how we collect and process your personal data in a variety of circumstances including when using our website www.mindmill.co.uk or any associated mindmill domain and any data you may provide through these websites when you use any interactive features such as our Contact forms, Recruitment Systems, Assessments or otherwise. It is important that you read this privacy policy so that you are fully aware of how and why we are using your data. Our website is not intended for children and we do not knowingly collect data relating to children. This version was last updated on the 1st of November 2018.

Standard Statement Aim:

This policy aims to protect the individual as well as provide reassurance regarding the confidential treatment of information relating to Mindmill (HR) Software Ltd employees /clients and candidates.

Data protection compliance should be seen as an integral part of employment practises in order to develop a culture in which respect for security and confidentiality of personal/ client data is recognised.


As an HR Technology company MindMill takes our responsibility to safeguard our client data very seriously. Even though user data via our Assessment Platform is almost immediately anonymised and retained only in accordance to the data policies of our clients, we take utmost care to ensure compliance to Data Protection legislation.

Basic Principles

Data Protection Principles

Central to the Act are eight data protection principles which all data controllers must follow to ensure that personal data is:

These principles protect the individual and also make sound business sense (for example, if we send out mailing based upon incorrect or out of date records not only may we be in breach of the act and could annoy clients/ candidates, but we could ultimately waste our own time and money).

Overall Principles

The Right of Subject Access

Under the GDPR, MindMill respects the right of data subjects to access and control their personal data and has provisions in place for:

Mindmill (HR) Software Ltd will endeavour to provide:

Goals for this Notice

This document should ensure the governance framework and implicitly ensure that the Information Security Program implements adequate:

Management commitment to Information Security

The Board of Directors, the CEO and the other approvers (Head of Operations / Client Service Executive) realize how important Information Security is to Mindmill, and have the responsibility for:

What information may be collected?

Personal Information is stored separately on two core systems at MindMill. The Assessment System and the Recruitment system. A list of Key Information that may be stored on each system is as listed below. Not all fields are applicable in every deployment, and the list lists data fields irrespective of the length of time that data is stored on our systems.

Assessment System

Recruitment System

Data Controller

Users can get in touch if they have questions or concerns about your privacy practices, their personal information, or if they wish to file a complaint. The MindMill data controller can be reached via info@mindmill.co.uk

How is personal information used/shared?

NO personal or personally identifiable information is used/shared within MindMill’s internal processes. Personal and identifiable data is only used or shared by the commissioning client and that information protection falls under the scope and responsibility of the commissioning client, their Privacy Policies and Data Protection process.

MindMill may use anonymized data to create/update Psychometric norms but no identifiable data is kept or used for this purpose.


If you are a customer of ours, we may contact you from time to time by call or email to provide some information about our products or services. You can ask us or third parties to stop sending you marketing messages at any by contacting us, as appropriate, at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service experience or other transactions.

MindMill does not provide users’ personal data to third parties for marketing purposes. However, should this need arise we will get your express opt-in consent before we share your personal data with any company outside of our own for marketing unrelated to our company.

What legal basis do we have for processing your personal data?

Mindmill provides a means of capturing and analysing data. The data we collect from you may include personal data as defined by the Data Protection Act 1998 as amended. By providing any data to us through your use of Mindmill (any such data, End User Data), you acknowledge and consent to the End User data being transferred or stored within or outside the EEA. Please note that some places outside the EEA may offer lower levels of data protection than the UK. By submitting End User Data, you agree to this transfer, storing or processing.

Where do we store and process personal data?

All MindMill services are cloud-based and servers and databased are hosted in London (UK) with www.webhosting.co.uk. Their specific terms of service can be found and reviewed at https://www.webhosting.uk.com/terms-of-service/

How do we secure personal data?

Enterprise Threat Modelling

Enterprise threat modelling means the exercise of identifying who could be a threat to your organization, what their motives might be and how they would go about accomplishing these motives. It is important to note that threat modelling isn’t something you only do for applications, but something you do for the entire enterprise, hence “enterprise threat modelling”

This threat modelling should include all of the three aspects of the CIA triad and include also for example system failure and manual error. It should model expected or unexpected attackers against the company, their likely TTP (tools, tactics and procedures), their motivation and intent and what they might be likely to do if they breach the company. Using the threat modelling proactively can be used for budgeting investments and for prioritizing tasks in the day to day work by IT and Security personnel.

Based upon risk assessments and risk/consequence estimations preventive, discovering and corrective security controls should be implemented to iteratively until residual risks are within acceptable thresholds i.e. within the risk appetite. The areas to be included in risk assessment are:

Application Security

All business applications shall be developed using the OWASP SAMM framework for application security.

Data Classification

Different classification levels for assets/systems should be defined, for example:

System/Business Application/Infrastructure Prioritization

All systems/business applications/infrastructure should be assigned a business criticality between 1 and 3 where 1 means business critical and 3 means a not very critical system /application /infrastructure element. Example of a criticality rating of 3 could be a test system.

Only the business part of the company can prioritize these appropriately, so it’s a project that Information Security can lead but needs also the approvers and relevant business stakeholders. A list of all relevant systems/business applications/infrastructure with a given priority is required and should be updated annually.

Business Continuity & Business Recovery Planning

To re-establish a business as usual condition following a disaster or a major incident, the company must maintain a Business Continuity Plan and a Business Recovery Plan. The plans must ensure that the company can re-establish systems and data within a predefined time frame. The plans must contain detailed emergency plans for all infrastructure within scope. To accomplish this a scope must be established and approved by the approvers.

The BCP and BRP must be tested at least once per year by for example moving the active systems to the disaster recovery site or by conducting a similar simulation.

The CEO and/or approvers are responsible for defining acceptable downtime. IT responsible and Information Security responsible are responsible for creating plans that can implement the requirements and testing them.

Continuous improvement

All policies, risk assessments, and controls should be periodically re-evaluated/audited at least annually and whenever appropriate to ensure a continuous improvement of Information Security.

Outsourcing and Vendor Management

The overall goal of defining the rules of outsourcing and vendor management is to:

The purpose of this notice is also to satisfy legal and regulatory requirements and to manage the risks involved with outsourcing of significant activities.

Outsourcing should be used:

How long do we keep your personal data for?

MindMill complies to and operates as an extension to the Data Retention Policies of its clients and project initiators. As all data entering the Mindmill system belongs to the commissioning client, MindMill operates as an outsourced provider or 3rd party to the commissioning client. MindMill thus only processes data, provides packaged data to the customer and destroy or anonymize the data in accordance the applicable data retention policy.

Use of automated decision-making and profiling

In certain instances, MindMill makes use of Automated Decision making in order to streamline workflow and the processing of information.

By submitting your End User Data:

Definitions and abbreviations

Significant outsourcing activity: Outsourcing of an activity that has a significant size either in financial terms or in impact on the company’s operations and/or clients.

Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, and printers. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.

Incident: Any event that does or could have caused an unintentional effect on the company’s IR with regards to the CIA triad Confidentiality, Integrity and Availability. Covers also security incidents.

SLA: Service Level Agreement. An agreement with a third party.

OLA: Operational Level Agreement. A company-internal SLA.

BCP: Business Continuity Planning.

DR: Disaster Recovery