Privacy & Data Protection

Everything you need to know about Privacy & Data Protection in Acorn PLMS.

Data Ownership & AI Data Usage

Your organisation's data is your own. Acorn PLMS is built on the fundamental principle that you retain complete ownership of all data stored within the system. This commitment extends to how your data is used, particularly regarding artificial intelligence and machine learning applications.

Your Data Ownership Rights

When you use Acorn PLMS, all learning data, performance metrics, user information, and organisational content remain your exclusive property. Acorn does not claim ownership over any data you input, generate, or store within the platform. This clear separation ensures that your organisation maintains full control over its learning management assets, intellectual property, and sensitive employee or learner information.

Your data ownership is absolute regardless of the volume of information stored, the duration of your subscription, or the features you utilise within the system. Whether you're managing a small training programme or enterprise-wide learning initiatives, the ownership principle remains constant and inviolable.

Restrictions on AI Data Usage

Acorn PLMS enforces strict restrictions preventing the use of your client data to train artificial intelligence models. Your data will not be used to develop, improve, or refine any AI systems—whether proprietary to Acorn or provided by third-party vendors. This restriction is a core operational policy, not a negotiable option.

These restrictions apply comprehensively across all data types within your system:

  • Learner performance data cannot be used for AI model training
  • User interaction patterns are protected from AI training applications
  • Course content and learning materials remain isolated from model development
  • Organisational metadata will not contribute to machine learning initiatives

By maintaining these boundaries, Acorn ensures your data serves only the purposes for which you authorised its collection and storage.

Security Leadership & Governance

Acorn's commitment to data ownership and AI restrictions is upheld by dedicated security leadership. The Chief Technology Officer (CTO) oversees the organisation's entire security operations programme, ensuring that data protection policies are consistently implemented and monitored.

This leadership structure includes:

Security Operations Management: Acorn's CTO is responsible for managing the organisation's security operations, ensuring that all systems, processes, and personnel follow established data protection protocols. This oversight guarantees that data ownership principles are maintained in day-to-day operations.

Security Initiatives: New security initiatives—including those related to data usage policies and AI restrictions—are developed and implemented under CTO direction. Any evolution in how your data is protected or governed flows through this dedicated leadership pathway.

Dedicated Information Security Team: Acorn maintains a dedicated Information Security team that works under CTO supervision. This team provides the technical and operational expertise necessary to enforce data ownership restrictions and prevent unauthorised AI training applications.

Incident Response Oversight: The Incident Response Team operates under CTO responsibility, ensuring that any security concerns—including potential data misuse—are addressed promptly and comprehensively.

Practical Implications for Your Organisation

Understanding data ownership and AI restrictions has several practical implications for how you use Acorn PLMS:

Data Confidence: You can confidently deploy Acorn PLMS knowing your organisational learning data will not be absorbed into external AI training datasets. Your competitive advantages, proprietary training methodologies, and sensitive performance information remain secure within your system.

Compliance Assurance: If your organisation operates under regulatory frameworks requiring data isolation (such as GDPR, HIPAA, or industry-specific standards), Acorn's restrictions on AI training use help support your compliance obligations.

Long-Term Data Strategy: Your organisation can develop long-term learning strategies without concern that accumulated data will be repurposed for AI model development. The data you generate today through Acorn PLMS remains under your control indefinitely.

Vendor Transparency: Acorn's clear governance structure and dedicated security leadership provide transparency regarding who is responsible for enforcing your data rights. You know the CTO and Information Security team are accountable for maintaining these protections.

Questions About Your Data

If your organisation has specific questions about how your data is used, stored, or protected within Acorn PLMS, contact your account manager or Acorn's support team. The dedicated Information Security team can provide detailed information about data handling practices specific to your deployment.

Your data ownership rights and the restrictions on AI training use are non-negotiable commitments from Acorn PLMS. These protections form the foundation of the trust relationship between your organisation and the platform.

Data Retention & Deletion

Effective data management is fundamental to privacy compliance and operational efficiency. Acorn PLMS provides comprehensive data retention and deletion capabilities to help your organisation meet regulatory requirements, manage storage costs, and respect individual privacy rights.

Understanding Data Retention in Acorn PLMS

Data retention refers to how long your organisation maintains learning records, performance data, and related information within Acorn PLMS. Your retention policies should align with regulatory requirements specific to your industry, jurisdiction, and contractual obligations.

When establishing retention periods for your organisation, consider:

  • Regulatory compliance requirements in your operating jurisdictions
  • Business necessity for maintaining historical performance and learning data
  • Individual privacy expectations and statutory rights
  • Contractual obligations with employees, contractors, and third parties
  • Audit and reporting needs for governance and risk management

Your organisation retains full control over defining retention schedules within Acorn PLMS. Work with your compliance and legal teams to establish data retention policies that reflect your specific obligations and business requirements.

Data Deletion and Scrubbing Capabilities

Acorn PLMS supports systematic data deletion and scrubbing to help you comply with retention policies and privacy regulations. Your organisation can configure automated or manual deletion processes based on defined criteria such as record age, user status, or contract termination.

Data scrubbing within Acorn PLMS involves:

  • Identifying records that have reached their retention expiration date
  • Classifying data by sensitivity level and retention requirement
  • Removing or archiving records according to your organisation's policies
  • Documenting deletions for audit and compliance purposes

When data is deleted from Acorn PLMS, associated records are permanently removed from active systems. Your organisation should document all deletion activities to demonstrate compliance with data protection regulations and internal governance policies.

Right to Be Forgotten

Data protection regulations in many jurisdictions—including GDPR, CCPA, and similar frameworks—grant individuals the right to request deletion of personal data held about them. This right, commonly referred to as the "right to be forgotten," requires organisations to erase personal information upon valid request, subject to limited exceptions.

When an individual exercises their right to be forgotten:

  1. Your organisation receives and validates the deletion request
  2. You identify all data held in Acorn PLMS relating to that individual
  3. You initiate deletion processes within Acorn PLMS to remove or anonymise their records
  4. Acorn PLMS executes the deletion according to your configured policies
  5. You document the completion of the request for compliance records

Exceptions to the right to be forgotten may apply where:

  • Data retention is required by law or regulation
  • Data is necessary for legal claims or dispute resolution
  • Contractual or employment obligations require retention
  • Public interest considerations override the deletion request

Your organisation remains responsible for evaluating deletion requests against applicable exceptions and determining what data can be safely removed from Acorn PLMS.

Archive Policies and Long-Term Data Management

Archiving provides an alternative to permanent deletion when your organisation must retain data for compliance, audit, or historical purposes but no longer requires active system access.

Archive policies in Acorn PLMS allow you to:

  • Transition inactive records to archive status, reducing active system load
  • Maintain historical data for regulatory compliance and dispute resolution
  • Preserve audit trails demonstrating learning and performance decisions
  • Segregate archived data from active learning and performance systems
  • Control access to archived records through restricted permissions

Archived data remains secure and auditable but is typically excluded from routine searches, reports, and active system operations. Your organisation should clearly document which data categories are archived versus deleted, and maintain records of archival dates for compliance verification.

Consider archiving rather than deletion when:

  • Legal holds or litigation potential exists
  • Regulatory requirements demand long-term record preservation
  • Organisational policy requires retention for historical reference
  • Data relates to completed contracts or employment relationships

Post-Contract Data Handling

When your organisation's contract with Acorn PLMS terminates, data handling procedures ensure a smooth transition and compliance with data protection obligations.

Post-contract data management typically includes:

  • Data export capabilities allowing you to retrieve and download your data from Acorn PLMS
  • Transition support to facilitate movement of data to successor systems or storage
  • Secure deletion procedures to permanently remove data from Acorn infrastructure upon your request
  • Verification and attestation confirming data deletion completion
  • Timeline alignment with your organisation's wind-down and knowledge transfer requirements

Following contract termination, your organisation remains responsible for:

  • Determining post-contract retention periods based on applicable regulations
  • Retrieving necessary data before access is revoked
  • Directing Acorn PLMS regarding final deletion or return of data
  • Maintaining compliance with data protection regulations during transition
  • Documenting all data handling actions for audit purposes

Work with Acorn PLMS account management and compliance teams well in advance of contract expiration to establish clear post-contract data handling procedures aligned with your retention obligations and privacy commitments.

Compliance and Documentation

Regardless of which data management approach—deletion, archiving, or long-term retention—your organisation employs, maintain comprehensive documentation including:

  • Retention policy decisions and business justifications
  • Deletion requests and completion confirmations
  • Archive and transition procedures
  • Post-contract data handling directives
  • Audit logs and system-generated records of all data management actions

This documentation demonstrates your organisation's commitment to compliant, transparent data stewardship and supports regulatory inquiries, audits, and privacy impact assessments.

For detailed guidance on incident response procedures that may affect data handling, please refer to the incident management documentation. Your data retention policies should coordinate with breach response procedures to ensure appropriate handling of potentially compromised records.

Data Subject Rights in Acorn PLMS

Data subjects—individuals whose personal data is processed—have specific legal rights under modern data protection regulations such as GDPR, CCPA, and similar frameworks. Acorn PLMS is designed to support your organisation in recognising, managing, and fulfilling these rights effectively.

Understanding Data Subject Rights

The Right to Access

Individuals have the right to access their personal data held within your systems. When a data subject submits an access request, your organisation must provide them with a copy of their personal data in a clear, accessible format. Acorn PLMS enables you to locate, retrieve, and compile personal data efficiently, helping you meet statutory response timeframes—typically 30 days, extendable to 90 days in complex cases.

When processing access requests through Acorn PLMS, ensure that you verify the identity of the requester before disclosure and provide all relevant personal data collected and processed about them.

The Right to Rectification

Data subjects can request correction of inaccurate or incomplete personal data. If you receive such a request, you must assess whether the data is indeed inaccurate and, if so, correct it promptly. Acorn PLMS allows you to update personal data records while maintaining an audit trail of changes for compliance documentation.

Rectification requests should be processed without undue delay. Your organisation should inform the data subject of any corrections made and, where applicable, notify third parties to whom the data has been disclosed—unless doing so proves impossible or disproportionate.

The Right to Data Portability

Individuals have the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance. This right applies when processing is based on consent or contract, and when processing is carried out by automated means.

Acorn PLMS supports your organisation in exporting personal data in standard formats, enabling data subjects to move their information between service providers seamlessly. This capability is particularly important for learning records, performance data, and other structured information maintained within your system.

The Right to Erasure ("Right to be Forgotten")

Under certain circumstances, data subjects can request deletion of their personal data. These circumstances include:

  • The data is no longer necessary for the original purpose
  • The data subject withdraws consent and no other legal basis exists
  • The data subject objects to processing and no legitimate interest overrides their request
  • The data has been processed unlawfully
  • Legal obligations require deletion

When processing erasure requests through Acorn PLMS, distinguish between deletion and anonymisation. Deletion removes identifiable data, while anonymisation renders data permanently unable to identify the individual. Your organisation must determine which approach applies based on your legal obligations and business requirements.

Acorn PLMS Security and Incident Management

Commitment to Data Protection

Acorn PLMS maintains robust security practices to protect personal data throughout its lifecycle. Your organisation can be assured that the platform has not suffered any reportable information security incidents requiring notification to clients, regulators, or government entities within the last three years. This track record reflects Acorn's commitment to maintaining secure systems that safeguard data subject information.

Incident Register and Response

Acorn PLMS maintains a comprehensive incident register that documents any outages or security incidents affecting the platform. This register captures critical details including:

  • Incident identification and classification
  • Root causes of failures or breaches
  • Outcomes and impact assessment
  • Remediation actions taken
  • Timeline and resolution status

Maintaining detailed incident records enables Acorn to demonstrate accountability and continuous improvement in data protection practices.

Root Cause Analysis

Following any critical incident, Acorn PLMS performs thorough root cause analysis to identify underlying issues and prevent recurrence. This process involves:

Detailed Examination: Comprehensive review of system logs, infrastructure records, and workflow processes to understand what occurred and why.

Identification of Underlying Issues: Analysis goes beyond immediate symptoms to identify systemic weaknesses or process gaps that contributed to the incident.

Corrective Actions: Implementation of specific measures to address identified root causes and strengthen controls.

Prevention of Recurrence: Deployment of technical and procedural safeguards to prevent similar incidents from occurring in the future.

System Enhancement: Integration of lessons learned into platform improvements, ensuring incidents drive genuine system reliability enhancements and inform future development priorities.

This rigorous approach to incident management protects your organisation and the data subjects whose information is processed through Acorn PLMS.

Fulfilling Data Subject Rights in Your Organisation

While Acorn PLMS provides the technical infrastructure and security practices necessary to support data subject rights, your organisation remains responsible for:

  • Establishing clear procedures for receiving and logging data subject requests
  • Verifying requester identity before responding
  • Meeting statutory response timeframes
  • Documenting all actions taken to fulfil requests
  • Maintaining records of compliance efforts
  • Training staff on data subject rights procedures

By combining Acorn PLMS capabilities with robust organisational processes, you can effectively manage data subject rights while maintaining the security and integrity of personal data.

Next Steps

Review your current data subject rights procedures and ensure they align with Acorn PLMS functionality. Document your processes for handling access, rectification, portability, and erasure requests. Train relevant staff members on the platform's data management features and your organisation's specific protocols for fulfilling data subject rights.

Third-Party & Subcontractor Data Access

Managing third-party and subcontractor access to your organization's client data requires robust controls, clear security obligations, and comprehensive risk oversight. Acorn PLMS implements formal change management and verification processes to ensure that any access granted to external parties—whether subcontractors, vendors, or integrated service providers—is authorized, documented, and continuously monitored.

Understanding Third-Party Risk in Your System

Third-party and subcontractor data access represents a critical control point in your data protection strategy. When external parties interact with your platform or access client information, your organization remains responsible for ensuring compliance with data protection regulations and contractual obligations. This is why Acorn PLMS implements multi-layered governance around any changes that affect third-party integrations, library dependencies, or subcontractor permissions.

Why Change Management Matters for Third-Party Access

A mature change management process is foundational to controlling third-party risk. Your organization should be able to document procedures for tracking third-party-maintained libraries, dependencies, and vendor integrations. This includes understanding which external components your system relies upon and verifying them with each major change. By maintaining visibility into your supply chain, you can identify vulnerabilities before they impact your data security posture.

Acorn PLMS tracks all changes internally with peer review, testing, and quality assurance completed before any updates go live. This means that before subcontractors gain new access rights or before third-party integrations are enabled, those changes are subject to formal authorization, impact analysis, testing, and validation.

Controlling Subcontractor Access

Authorization and Documentation

Your organization should establish clear criteria for which subcontractors can access client data. All access decisions must be formally authorized and documented. This includes:

  • Explicit approval: Each subcontractor's access must be approved by authorized personnel before activation.
  • Scope definition: Document exactly which data, systems, or features the subcontractor can access.
  • Duration limits: Specify whether access is permanent or time-limited (for example, access valid for a specific project period).
  • Audit trail: Maintain records of who approved the access, when it was granted, and any subsequent modifications.

Acorn PLMS supports this through formal change control workflows where access grants are treated as system changes requiring authorization before implementation.

Third-Party Library and Dependency Verification

Your organization must verify third-party libraries and dependencies with each major change. This is a supply chain security best practice that ensures you are not inadvertently introducing vulnerable or unauthorized external code into your environment.

Accounting for third-party components means:

  • Inventory: Maintain a current list of all third-party libraries your system uses.
  • Version tracking: Document the version of each external component in use.
  • Verification on updates: When upgrading your system or implementing changes, verify that third-party components remain approved and current.
  • Vulnerability monitoring: Stay informed of known vulnerabilities in third-party libraries and plan updates accordingly.

Acorn's approach to change management includes internal tracking and peer review specifically to catch supply chain risks before they reach production.

Security Obligations for Subcontractors

Clear Terms and Accountability

Your organization should establish documented security obligations for every subcontractor with access to client data. These obligations should address:

  • Data handling requirements: Rules for how client data must be stored, processed, and transmitted.
  • Access restrictions: Subcontractors should access only the minimum data necessary for their role.
  • Incident reporting: Subcontractors must report any security incidents or suspected breaches immediately.
  • Compliance obligations: Reference applicable regulations (GDPR, HIPAA, industry-specific requirements, etc.).
  • Audit rights: Your organization retains the right to audit subcontractor compliance.

Emergency Changes and Accountability

In rare cases, emergency changes may be required to address critical security issues. However, even emergency access or configuration changes must be documented and authorized. Your organization should:

  • Define emergency procedures: Establish clear criteria for what qualifies as an emergency requiring immediate action.
  • Require authorization: Even in emergencies, changes should be approved by authorized personnel or escalated through a defined chain of command.
  • Document post-action: After the emergency is resolved, conduct a post-action review to ensure accountability and identify lessons learned.
  • Maintain records: Keep detailed logs of who made the change, when, why, and what the outcome was.

This focus on system integrity ensures that only authorized users can execute system changes—including those affecting subcontractor access—and that accountability is maintained even under time pressure.

Maintenance Windows and System Stability

Scheduling Changes During Off-Peak Hours

Your organization should restrict system updates and configuration changes to standard maintenance timeframes, typically during off-peak hours. This practice ensures that:

  • Operations are not disrupted: Changes to production systems do not impact your organization's normal business operations or client access.
  • Troubleshooting is simplified: If problems occur after a change, the controlled maintenance window makes it easier to isolate and diagnose issues.
  • User impact is minimized: Scheduling changes outside business hours reduces the number of users affected.

This is particularly important when changes involve subcontractor access or third-party integrations, as issues in these areas can cascade across your entire system.

Implementing Maturity in Your Change Process

A weak or undocumented change management process is a red flag for third-party risk. Your organization's responses about how changes are controlled, how third-party components are tracked, and how subcontractor access is authorized should reflect genuine, mature processes—not aspirational claims.

Access to Acorn PLMS resources can support your organization's maturity in this area:

  • Dedicated implementation support helps you establish formal change procedures aligned with your organization's risk tolerance.
  • Administrator and user training ensures that everyone involved in granting or managing subcontractor access understands the governance requirements.
  • Technical Account Managers work with your team to design phased rollouts and communicate changes effectively across your organization.
  • Acorn Help Centre provides ongoing guidance on managing access, reviewing audit logs, and maintaining compliance.

Key Takeaways

Managing third-party and subcontractor data access is not a one-time configuration—it is an ongoing governance responsibility. Your organization should maintain formal, documented processes for authorizing access, verifying third-party components, documenting security obligations, and monitoring compliance. Acorn PLMS provides the change management infrastructure and support needed to implement these controls effectively, ensuring that your organization remains accountable for all external access to client data.