Data Use Policy
Date effective from: 30 December 2020
This Data Use Policy is designed to help you understand everything you need to know about how non-personal confidential data is processed and used in RJC.
What kind of data do we collect?
An overview of the types of data we collect is outlined in the RJC Confidentiality Policy under Business Information and Confidential information.
Where did we obtain your data from?
Members: other than collecting data directly from you via application forms and surveys and events you participated in, we may gather data from other sources including:
- from third party organisations, such as accredited auditors, via audit reports and supporting documentation
- independent researchers contracted by RJC to undertake research to evaluate the impact of its work in the industry
Audit firms: other than collecting data directly from you via application forms, audit logs, surveys and training completed, we may gather data from other sources including third party organisations, such as oversight bodies, via oversight reports, emails, and supporting documentation.
Why do we collect data?
Members: Confidential data is collected from members for the primary purpose of membership and certification. However, this data is also used for the purpose of assurance to monitor the audit quality, and monitoring and evaluation to enable RJC to measure the impact of its work in the industry.
Accredited audit firms: Confidential data is collected from audit firms for the primary purpose of accreditation and assurance. However, this data is also used for the purpose of monitoring and evaluation to enable RJC to measure the impact of its work in the industry.
Data obtained from members and audit firms are subject to compilation, analysis and shared in an aggregated and anonymised format both internally and externally via reports.
Who will we share your data with?
RJC will not disclose any confidential information to any third-party without the consent of the relevant member company. RJC will however disclose such information when there is a clear, legitimate reason for doing so (e.g. required by law or court order).
All RJC Members consent, at the point of joining (through the membership agreement), to their company name, forum, date of joining and applicable certification status, including a copy of the certificate being listed on the RJC website. Members understand that this information is in the public domain and can be viewed by various stakeholders including the general public. The following data is made publicly available on the RJC website:
- Member name
- Head office location
- RJC membership forum
- Extensions to membership granted
- Information on current and previous certifications including:
- Certificate number
- Certification period
- Materials in scope (Chain of custody certification only)
- Eligible material declarations issued (Chain of custody certification only)
- Certification scope
- Audit dates
- Audit type
- Number of previous certifications
- Applicable RJC standard
- Accredited audit firm and audit team
- Applicable provisions of the standards
- Provenance Claims (Code of Practices certification only)
- Auditor statement of conformance
- Mid-term review recommendation (Code of Practices certification only)
Accredited audit firms:
All accredited audit firms consent, at the point of accreditation (through the contract), to the following accreditation information being listed on the RJC website. Audit firms understand that this information is in the public domain and can be viewed by various stakeholders including the general public. The following data are made publicly available on the RJC website:
- Company name
- Company website
- RJC audit programme manager name and contact details
- Status and period validity of accreditation
- Standards within scope of accreditation
- Sectors within scope of accreditation
- Countries within scope of accreditation
Rules on the distribution of publicly available membership data
RJC may, if it is considered to be in the best interest of the membership, share publicly available membership data in a more accessible format (e.g. Excel) with a partner. Circumstances that may warrant this discretionary action may include:
- Supporting “supplier/customer expectation” checks for RJC membership amongst their supplier/customer lists.
- Where a trading/business opportunity has been identified to benefit the membership or forum being requested.
- Such a list must be accurate and reflect only what is already publicly available on the RJC website.
- Under no circumstances should additional information beyond what is already public be added.
- Additional consent from the membership need not be sought as consent to have the information publicly accessible has already been granted ab initio.
How can stakeholders use publicly available data?
Concerning data made publicly available on RJCs website, stakeholders are free to:
- copy, publish, distribute and transmit the data;
- adapt the data;
- use the data for non-commercial purposes only or those in the interest of the membership.
Where stakeholders do any of the above, they must acknowledge RJC as the source of the data and attribute accordingly and specify the date when the data was taken from the RJC website.