Protecting your privacy is paramount to OnGuard. This privacy statement provides information about the data that OnGuard collects and manages, the ways in which this data is used to deliver these services, and the security practices we follow to keep it secure. The first level of our security to ensure your privacy is 2048-bit encryption of data delivered securely between mobile devices carried by users with the OnGuard mobile application and OnGuard Services hosted by OnGuard and Google.
Collection of Data
The OnGuard Smartphone application is a user “opt-in” product, which means users give express permission to OnGuard to collect certain types of information directly from their mobile devices for the purpose of delivering our service. To deliver the highest levels of service possible, we regularly collect location information via the GPS on your mobile device. When GPS location is unavailable, such as inside buildings, we use other means to estimate the location of your mobile device.
Service delivery requires your mobile device to be connected wirelessly to a mobile network, or Wi-Fi, and the quality of this connection determines whether the wireless service available will support OnGuard service delivery.
OnGuard has partnered with MyMobileCoverage.com (MMC) to provide visibility into the wireless availability/coverage for our users. MMC is implemented in the OnGuard client (Android only) as a library. It regularly and anonymously gathers mobile network performance data from your mobile device and contributes it to a database to which other anonymous users also contribute such data. This aggregated data is then used to determine when your device may soon enter, or may already be in, an area where wireless connectivity is insufficient for service delivery.
Examples of aggregated data gathered from a compilation of many users are: general RF coverage details, when and where dropped calls or lost data connections occur, and other RF anomalies that may contribute to poor wireless connection conditions.
Data that is collected relating to the operation of your mobile device and its location:
- Dropped calls, failed calls, no coverage events
- RSCP, PSC, Bit Error Rate
- Ec/Io, signal strength, cell ID, LAC, timestamp, event type, duration, battery charge
- GPS measurements: latitude/longitude, speed, heading, uncertainty, altitude
- Data speed rate (upload and download speeds), MCC, MNC, IMSI, IMEI, phone number, handset manufacturer and model.
Examples of personal data gathered that is unique to each user and their device are: mobile number, network IMSI, device IMEI, location information and the email address given by the user at the time of registration. OnGuard makes no effort to identify a user beyond what is required to deliver our service. OnGuard makes no effort in any way to use personal data provided other than for the purpose of uniquely recognizing the user for the purposes of delivering the service. OnGuard provides each user a dedicated area within the mobile client to enter personal medical information that may be essential in the event of an emergency. This data may (optionally) be presented in the foreground of the OnGuard mobile client on screen in the event of an Emergency Alert. This data is not available to dispatchers or admins of the Command Portal.
OnGuard will take reasonable technical and organizational precautions to prevent the loss, misuse or alteration of your personal data. OnGuard will store all the personal data you provide on its secure servers and take all reasonable precautions to ensure that this data cannot be accessed by third parties.
Corporate Data Retention and Compliance Requirements
Every end user of the OnGuard Service may have their personal information, including location updates and associated lone worker status updates, downloaded by their employer. The amount of data being retained may vary based on the data retention and compliance requirements that may apply in the jurisdiction where the end user works or where the employer is based, or may be governed by the lone worker compliance laws in the jurisdiction where the OnGuard service is or was being used.
Sharing information with third parties
OnGuard does not share personal data with unrelated third parties. Aggregated anonymous data may be shared with third parties, such as mobile operators, or may be used commercially for the purposes of improving the service those operators deliver. OnGuard accepts no responsibility for any data that a user should choose to share with any third party not related to the delivery of OnGuard services.
Cross-border data transfers
Information Requests and Data Removal
Any user on the OnGuard system can request a copy of their data by sending an email to firstname.lastname@example.org. To qualify for these requests you may have to prove your identity and/or rights to the data. Data that may have been shared with your employer for compliance and regulatory purposes must be requested directly from your employer and is outside the scope of this agreement.
Updating this statement
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
OnGuard has industry-leading technical and organisational controls in place to assure the highest level of security and compliance.
Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-U.S. Privacy Shield. We contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU as required by the Data Protection Directive, and will offer a corresponding commitment from 25 May 2018, when the GDPR comes into force.
- OnGuard employs a dedicated security expert who implements all security controls.
- We conducted Data Protection Impact Assessments (DPIA). Based on the results, we have put in place appropriate controls on data processing and management.
- We do not collect or process credit card information.
- Based on a legitimate need to help workers get the assistance they need in an emergency, we do optionally collect personal medical information. This information is provided to first responders to assist them in providing proper care during an emergency, such as if the worker has allergies to a medication.
- Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest using AES-256. We have developed in-house tools for better governance and discovery of data plus aggregation of all system logs to identify any potential intrusions or anomalies.
- All data synchronized or transferred between mobile clients and servers is secured using 2048-bit encryption.
- Access to our Command Portal is secured using strong password rules.
- Data accessed via our web dispatch portal is secured using ECDSA 384.
- Access to our servers by administrators is based on legitimate need for access and is secured by way of strong/multi-factor, non-shared authentication secrets at every login.
- When needed, breach notifications will be done according to our internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after OnGuard becomes aware of it. For general incidents, we will notify users through our website and/or system notifications. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address).
- Users who want a copy of the data we store in our system can contact our support directly to request a copy of that data or have it purged from our system altogether.