CORPORATE PRIVACY POLICY
Overview
Method3 is committed to protecting the privacy of our employees, our customers, and their employees.
As part of this commitment, Method3 has established a privacy program that demonstrates our due
diligence to privacy laws.
Scope
Method3’s global privacy policy governs the principles and the practices that Method3, Inc. follows with
respect to the collection, use, sharing and securing of personal information processed by Method3.
Definitions
- Customer – A company that has entered into a business relationship with Method3 for Method3 to perform a service.
- Individual – The person whose data Method3 has processed, for example, an employee of Method3, an employee of a customer, or a person using a Method3 website, service or tool.
- Personal Information – Any data element or combination of data elements that enables the identification of an individual, including, but not limited to, name, address, human resources data, personal health information, government identification such as social security number, biometric identifier, home address, driver’s license number, credit card number, or account number.
- Processed – Personal information that is in Method3’s possession or under its control.
Accountability
Method3, its employees, and contractors take responsibility for personal information in accordance with
Method3 policies and standards. Method3’s Compliance Officer is responsible for defining the
requirements of this policy and for ensuring compliance with its provisions. The Compliance Officer is
responsible for implementing and maintaining appropriate controls and measures to enable compliance.
Method3 is liable for personal information it processes and for personal information Method3 provides
to contractors for processing. With respect to personal information that has been transferred to
a contractor to be processed, contractual requirements are used to provide a comparable level of
protection. Method3’s liability for a third party’s performance of its obligations is set forth in each
agreement that Method3 signs with its Clients, and Method3 assumes liability for the performance of
the services and obligations subcontracted to such contractors, including those related to protection of
PHI.
Our services also involve the transfer of data to third parties (for example, banks, 401k providers and
tax agencies) as instructed by employers who are our clients. In these cases, Method3 does not have a
direct relationship with the third party and is not liable for the processing of data in their possession.
These third parties have their own independent obligations with respect to the data, usually by
operation of law or through contracts with employers.
Method3 trains its employees with respect to its privacy policies and practices.
Notice, Choice and Consent
Method3 provides notice as to the purposes for which personal information is collected, used, retained,
and disclosed.
In most cases, customers are responsible for notification of purpose and for obtaining appropriate
consent when they collect personal information. Personal information that is transferred to Method3
by our customers to be processed shall be deemed to have been collected with appropriate
notification. Method3 assumes no responsibility for obtaining or validating that appropriate consent has
been obtained in respect of data transferred to Method3 by organization(s)/customers.
In some cases, Method3 collects personal information directly from the individual, for example, when
individuals visit a Method3 website, or when individuals use certain confidential services. In these cases,
Method3 is responsible for obtaining appropriate consent, except where inappropriate or if the
collection is required/permitted by law without consent. Where appropriate, Method3 describes any
choices available within the services to individuals and obtains appropriate consent. Individuals who
seek to vary or withdraw consent that has been obtained by Method3 directly may do so in writing in the manner set out in the Enforcement Section of this policy. If you decide you do not want to receive
commercial emails from Method3 you can “opt-out” by clicking on the “unsubscribe” link provided at
the bottom of every commercial email. Subject to legal or contractual restrictions, Method3 shall abide
by the withdrawal or variation of consent, and shall advise the individual of the consequences of a
change in the scope of consent. In cases where consent has been obtained by the customer, the
individual will be referred to the customer.
Unless required by law, Method3 shall not use or disclose personal information for any purpose other
than the purpose for which it was originally collected without first identifying and documenting the new
purpose and obtaining the appropriate consent.
Once data has been de-identified, aggregated or summarized it shall no longer be considered personal
information, and individuals cannot seek to have their information removed from an aggregated data
set, nor is consent for further use required.
Collection and Use
Method3 does not collect data indiscriminately. Method3 collects personal information only for the
purposes of providing and promoting the services we offer and limits use to those purposes, including
initiating, maintaining, enhancing, and terminating the employee-employer relationship. Personal
information shall be collected by fair and lawful means, and not by misleading or deceiving individuals
about the purpose for which information is collected.
Method3 may also collect personal information from other sources, either with the consent of the
individual or where permitted or required by law. Examples of indirect sources of personal information
include background checks, employers or personal references.
Retention and Disposal
Method3 retains personal information only as long as necessary to fulfill the stated purposes or as
legally required and thereafter appropriately disposes of such information. Method3 will specify
minimum and maximum retention periods for the various records containing personal information.
When personal information is no longer necessary or relevant for the identified purpose or to fulfill a legal
or business requirement, it shall be securely destroyed. Method3 will either physically or electronically
erase the personal information or make it anonymous in a non-recoverable manner.
Access
Unless Method3 is permitted or required by law to prohibit access, Method3 makes personal
information available for review and updating, either directly through the self-service feature in its
products, by directing individuals to the employer for access, or through an access request made to
established contacts within Method3.
Where applicable, individuals may contact Method3 in the manner set out in the “Enforcement” section
of this policy. Method3 responds to requests within the time limit set out by the applicable privacy
legislation and, if applicable, provides the individual with an estimate of the cost associated with
administering and responding to the request. Method3 requires sufficient information to authenticate
requests for access.
Sharing
Method3 does not use or disclose personal information for purposes other than those for which it is
collected, unless required by law.
Method3 discloses personal information to the following third parties to fulfill the specified purposes:
- Corporate Entities – In the event that Method3, or any portion of our assets, is acquired, sold, or transferred, Method3 may disclose Personal Information to the company involved to complete the business transition.
- Service Providers and Subsidiaries, Affiliates and Contractors – Method3 may disclose Personal Information to service providers or to Method3’s subsidiaries, affiliates, and contractors to fulfill the services Method3 offers. These services may include, among other things, providing products or services to you or your employer on our behalf, creating or maintaining our databases, researching and analyzing the usage and performance of the application, preparing and distributing communications, responding to inquiries, or as part of our process.
- Employer Designated Third Parties – As part of the services Method3 delivers to employers, Method3 transfers data to third parties such as banks, tax agencies, and benefit providers.
- Legal Parties – In response to a legal inquiry, Method3 may disclose Personal Information to law enforcement or the applicable party involved in the inquiry to fulfill the request. When required to provide information in response to a legal inquiry, Method3 exercises reasonable caution to ensure that the order or request is valid and only legally required Personal Information is disclosed.
If Method3 has knowledge that a third party uses or discloses personal information in an unapproved
manner, Method3 takes reasonable steps to prevent or stop the use or disclosure.
Where applicable, to limit or opt out of the disclosure of personal information, individuals should contact
their employer or Method3 in the manner set out in the Enforcement Section.
Method3 does not sell any personal information to third parties for marketing or any other commercial
purposes.
Cross Border Transfer
Method3 transfers personal information outside of a local jurisdiction only with adequate protections in
place and in compliance with applicable laws and standards.
For data transfers to the U.S. from the E.U., Method3 complies with the U.S.-E.U. Privacy Shield
Framework regarding the collection, use, retention and disclosure of personal information from the E.U.
and E.E.A. to the U.S., and certifies its adherence to the Privacy Shield Privacy Principles of notice,
choice, onward transfer, security, data integrity, access, enforcement, and the applicable supplemental
principles. To learn more about the Privacy Shield Principles please visit https://www.privacyshield.gov.
Safeguards
Method3 has implemented policies, procedures and practices to protect personal information.
Method3 protects personal information using recognized industry standard security safeguards
appropriate to the sensitivity of the information. Method3 reviews its security policies and procedures on
a regular basis and updates them as needed to maintain their relevance. Method3 makes reasonable
security arrangements to protect personal information in its custody or under its control from and
against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying,
modification, disposal and destruction.
The methods of protection include physical measures, organizational measures and technological
measures.
Method3 requires all third parties to whom it may transfer personal information as required to perform
its services, to maintain adequate security safeguards in compliance with applicable laws and standards
to protect personal information.
Quality
In delivering services, Method3 relies on employers and employees to supply Method3 with accurate,
complete and up-to-date information that is relevant to Method3’s delivery of the services. Individuals
are asked to review their records on a regular basis and make the appropriate updates or notify their
employer of errors promptly. Method3 makes reasonable efforts to maintain the integrity of the data
within its products as necessary to fulfill the purposes for which the information is to be used.
Where Method3 collects information outside of service delivery, Method3 makes reasonable efforts to
keep personal information as accurate, complete and up-to-date as is necessary to fulfill the purposes
for which the information is to be used. Method3 provides a means for individuals to update or correct
the personal information Method3 possesses.
Monitoring and Enforcement
Where appropriate, individuals may request access and raise concerns or complaints regarding their
personal information with Method3 by completing Appendix A and submitting it via email
to: Privacy@Method3.com or by mailing it to the Compliance Officer at Method3, Inc., 415 St. Johns
Church Road, Suite 205, Camp Hill, PA 17011.
If an individual files a complaint, Method3 will investigate the matter or suspected failure to comply with
this notice or Method3’s Privacy Principles. It is Method3’s practice to respond to the individual within
45 days of receiving the complaint. Method3 will take all appropriate action to remedy any such issues.
If the matter cannot be settled, Method3 agrees to cooperate in a dispute resolution system/process.
Method3 will conduct periodic assessments to confirm the accuracy of this policy and verify its
adherence to Method3’s Privacy Principles. In addition, Method3 will deploy internal auditing measures
to monitor its compliance with the Principles and to address all questions or complaints.
Changes to this Policy
Method3 may update this privacy policy to reflect changes to our practices and reserves the right to
change its policies at its own discretion without notice.