The Institute of Internal Auditors (IIA) Privacy Policy

Revised November 2016

Introduction

The Institute of Internal Auditors values the privacy of its members, affiliates, and visitors to its websites and is strongly committed to each visitor's right to privacy. This privacy policy has been developed as a codification of The IIA's commitment in this area. The privacy policy explains The IIA's information gathering and handling practices. If you have any questions regarding The IIA's privacy policy or do not feel that your concerns have been otherwise addressed, please contact the chief privacy officer by sending an email to privacy@theiia.org.

Consent

By using The IIA's websites, you signify your acceptance of our privacy policy. If you, as a visitor, choose to log on as a member, register for courses or events, purchase products, apply for membership or certification, or otherwise submit personally identifiable information, you are consenting to The IIA's use of such data in accordance with its privacy policy.

Scope

It is the intent of The IIA to be in compliance with the principles of the Personal Information Protection and Electronic Documents Act of Canada, the European Union Safe Harbour Act, the Data Protection Act of the United Kingdom, and selected legislation worldwide regarding privacy of data. If any provision of this policy is in conflict with such legislation, the provisions of this policy shall apply, except when otherwise required by law. This policy guides how The IIA stores and uses personal information that is collected by The IIA or provided to The IIA, whether through our websites or by other methods such as an application, enrollment, registration or order form, or other means. This policy covers all of The IIA's websites. However, this policy does not cover affiliate websites whether or not linked to The IIA's sites.

Membership Identity Number and Password

All individual IIA members (not corporations) are entered into the global membership database and are assigned a unique membership number. When members log on to the website, they will be asked to enter their e-mail address and to create a unique password to authenticate their membership. Membership numbers are delivered to members together with basic information about membership benefits and services either directly from global IIA or via their IIA Institute.

Collection and Use of Information

Even if you do nothing during your visit other than navigate an IIA website, read pages, or download information, we will automatically gather and store certain information about your visit. In order to ensure our websites are as useful and effective an information source as they can be, we analyze information that identifies visitors by categories such as the location of visitors (by domain, not by personal email address) and browser types. We also measure, in the aggregate, indicators such as number of visits, average time spent on the sites, and pages viewed. The IIA uses these statistics to improve site content and usability; this information does not identify visitors personally. However, when a visitor enters an email address and password obtained by the means described above on an IIA website for the purpose of logging in to restricted pages, a "temporary cookie" is deployed. This cookie — a small text file stored temporarily on the visitor's browser — enables the website to "remember" this authentication information during movement from one page to another. This makes it unnecessary to log in again on each page. The cookie will expire when the visitor leaves and no personal data is retained. In addition, to help prevent unauthorized users from using your identifying information, the cookie will expire if your session is idle for approximately 20 minutes. If you have set your Internet browser to reject cookies, access may be denied to secured areas of The IIA's websites. With the exception of specific secured pages, visitors are not required to be IIA members in order to gain access to The IIA's websites, although non-members may be required to register to receive all benefits available to users of the sites. The IIA may use personally identifiable information you have voluntarily provided on our websites or by other means to notify you via e-mail or printed material of IIA events or other relevant products and services offered by The IIA. If you are a member of an IIA committee or a CIA exam candidates the IIA may directly contact you. If you are a member of an IIA specialty section, The IIA may produce a directory of such participants for networking purposes. If you do not want to receive notice of such events or be included in specialty directories, you may choose to opt out by the means detailed in the "Opting Out" section of this policy.

Collection of Personal Data from IIA Institutes

The IIA collects, at a minimum, the names of IIA members who join IIA Institutes worldwide and records these in the global membership database in order to issue unique membership numbers. Members who wish to access the website will also have to provide e-mail addresses. Transfer and update of data between IIA and its Institutes is allowed through an explicit consent of its members, or through adherence of IIA Institutes to the Safe Harbour Act in Europe, Data Protection Act in the UK, or other privacy policies worldwide. The amount of personal information recorded in the database depends on the services selected by each Institute or the member and the preferred method of delivery. Members who do not wish to be contacted by global IIA may choose so, while members who wish to access additional services may provide additional personal data either directly on The IIAs website or via their IIA Institute. The IIA collects limited personal data from IIA affiliates worldwide in order to provide limited membership services to individuals who belong jointly to these affiliates and to The IIA. Members of IIA Institutes who do not wish their personal data to be transferred should request exclusion through their Institute or through the "Opting Out" section of this policy.

Disclosure of Information to Third Parties

If you voluntarily provide The IIA with personally identifiable information, The IIA may share personal information with companies, organizations or individuals outside of The IIA when we have your consent to do so. The IIA requires opt-in consent for the sharing of any sensitive personal information. The IIA may release information on a selective basis to outside organizations whose products and services are of perceived benefit. These organizations include, but are not limited to:

• For purchase of educational products, PBD Inc., which is The IIA's distribution/fulfillment house in Alpharetta, Ga.
• Various companies that authenticate credit cards on behalf of The IIA if you provide a credit card for the purchase of products or services.
• If you register as a certification candidate, to the examination site. Registrant's information may be released to providers of CIA exam preparation products, who subsequently may send you information concerning their products and services.
• IIA Institutes or chapters, which may solicit you for local participation or membership. In the case of IIA members, The IIA Institute or chapter may publish your name in a directory or use your data to mail or e-mail local materials, unless you contact the Institute or chapter and opt out of such disclosure.
• For some North American members, The IIA may provide mailing information to other organizations whose products and services are of perceived benefit. If you do not want The IIA to provide your personally identifiable information to third parties other than IIA chapters or as noted above, please see "Opting Out" section of this policy.

Disclosure of Information for Legal Reasons

The IIA will share personal information with companies, organizations or individuals outside of The IIA if The IIA has a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

• Meet any applicable law, regulation, legal process or enforceable governmental request.
• Enforce applicable Terms of Service, including investigation of potential violations.
• Detect, prevent, or otherwise address fraud, security or technical issues.
• Protect against harm to the rights, property or safety of The IIA, our members or the public as required or permitted by law.

Right of Access

The IIA is dedicated to providing reasonable access to North American members and others who want to review their personal information maintained by The IIA and correct any inaccuracies therein. North American Members may view and update their data by accessing their Member Profile, available upon logging in to www.theiia.org. Institute members and non-members may verify and/or change their data by emailing customerrelations@theiia.org or by writing Customer Relations, The IIA, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA. The IIA, however, is not responsible for verifying the continued accuracy of either member or non-member information.

Security

Although The IIA does not monitor the websites, The IIA has reasonable policies in place to protect from misuse the personally identifiable information provided by its users.

Links

The IIA's websites contain "links" to other sites, including sites operated by IIA Institutes and chapters. The IIA does not control, and is not responsible for, the accuracy, timeliness, security, or even the continued availability or existence of this outside information. Opinions expressed on other sites linked from The IIA's websites are not necessarily those of The IIA, nor does The IIA endorse, warrant, or guarantee products or services described or offered on those other sites. Neither is The IIA responsible for the contents of any websites that choose to link to The IIA's websites with or without The IIA's consent. Other organizations linked to The IIA's websites may collect information about you when you view or click on these sites. The IIA cannot control this collection of information. You should contact these organizations directly if you have any questions about their use of the information they collect.

Changes to Privacy Policy

The IIA’s Privacy Policy may change from time to time. The IIA will not reduce your rights under this Privacy Policy without your explicit consent. The IIA will post any privacy policy changes on this page and, if the changes are significant, The IIA will provide a more prominent notice (including, for certain services, email notification of privacy policy changes). The users of The IIA's websites should reference this policy periodically to ensure that they have knowledge of the current provisions of The IIA's privacy policy.

DISCLAIMERS

THIS WEBSITE AND ITS CONTENT ARE PROVIDED "AS IS" AND THE IIA EXCLUDES TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE. THE FUNCTIONS EMBODIED ON, OR IN THE MATERIALS OF, THIS WEBSITE ARE NOT WARRANTED TO BE UNINTERRUPTED OR WITHOUT ERROR. YOU, NOT THE IIA, ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION DUE TO YOUR USE OF THIS WEBSITE. Except as specifically stated in this Policy, or elsewhere on this website, or as otherwise required by applicable law, neither The IIA nor its directors, employees, content providers, affiliates or other representatives will be liable for damages of any kind (including, without limitation, lost profits, direct, indirect, compensatory, consequential, exemplary, special, incidental, or punitive damages) arising out of your use of, your inability to use, or the performance of this website or the Content whether or not we have been advised of the possibility of such damages. The IIA uses reasonable efforts to ensure the accuracy, correctness and reliability of the Content, but we make no representations or warranties as to the Content's accuracy, correctness or reliability. Some US states and foreign countries do not permit the exclusion or limitation of implied warranties or liability for certain categories of damages. Therefore, some or all of the limitations above may not apply to you to the extent they are prohibited or superseded by state or national provisions.

Opting In and Opting out of the Release of Personal Information

Members in North America are entered into the global membership database and given the choice to opt-out of receiving communications from The IIA or their chapter. To opt out, please complete the appropriate mailing and email option fields on the Member Profile form on The IIA's website, or send your request via email to: customerrelations@theiia.org. Members reported via their IIA Institute are entered in the global membership database and given the choice to opt-in to receiving communications and additional services from global IIA. IIA Institute members will not be contacted by global IIA unless they opt-in either by instructing their IIA Institute or by logging into their profile on the global IIA website and selecting to receive optional services and communications. However, if you choose to provide The IIA with personally identifiable information by purchasing a product, registering for an event, or requesting other services, The IIA may use that information to provide you with the purchased products or services, for billing purposes, to send immediately relevant information to you, and for other purposes related to the reason you provided the information even if you opt out of the use of your information by the means detailed in this privacy policy.

The Institute of Internal Auditors
1035 Greenwood Blvd., Suite 401, Lake Mary, Florida, 32746 USA
Tel. 1+407-937-1100, Fax. 1+407-937-1101
Email: privacy@theiia.org