Policy Statement
Personal Data Protection Policy
iTech Management is committed to complying with data protection legislation and good practice, including:
- Processing personal information only when it is strictly necessary for legal and regulatory purposes or for legitimate organizational purposes.
- Processing only the minimum personal information required for these purposes.
- Providing clear communication to data subjects about how their personal information may be used and by whom.
- Only processing relevant and adequate personal information.
- Processing personal information fairly and lawfully.
- Maintaining a documented inventory of the personal information processed by the organization.
- Keeping personal information accurate and, where necessary, up to date.
- Retaining personal information only for as long as necessary for legal or regulatory requirements or for legitimate organizational purposes, and ensuring timely and appropriate disposal.
- Respecting data subjects' rights in relation to their personal information.
- Keeping all personal information secure.
- Adequately protecting personally identifiable information (PII) when transferring it outside its country of origin, in line with contractual and security requirements.
- Applying only those exemptions allowed by data protection legislation.
- Identifying suitable employees with specific responsibility and accountability for personal data protection (PDP).
- Providing the necessary PDP awareness training to employees.
Privacy Notification and Statement Policy
- iTech shall provide clear, open and honest privacy notifications and statements, in accordance with applicable Data Protection Legislation, describing how iTech uses Personal Data.
- Where possible, privacy notifications shall be made available to the Individual at the time iTech collects Personal Data.
- Any significant change to the way iTech uses Personal Data shall be communicated to iTech employees, Customers and other stakeholders through iTech privacy notifications and other appropriate channels.
- iTech shall maintain its privacy notifications and review them at least annually to ensure that they accurately describe how iTech uses Personal Data.
- The ISSC shall maintain a centralized repository of all Privacy notifications.
Data Protection Impact Assessments (“DPIA”) Policy
- iTech shall perform a DPIA any time it starts a new Project that is likely to include, in any way, the use of Personal Data, using the appropriate DPIA Template in accordance with the DPIA Procedure.
- DPIAs shall identify, describe and assess the necessity and proportionality of, and the risk to Individuals resulting from, how iTech uses Personal Data, in accordance with the Risk Assessment procedure.
- DPIAs shall inform the design and implementation of appropriate controls to reduce the risks to Individuals.
- DPIAs shall be completed by the individual or team responsible for the new Project, who understands how Personal Data will be used.
- The DPO and the ISSC may assist individuals or project teams in completing the DPIA.
- All DPIAs shall be submitted to the ISSC for review and approval before Personal Data may be used.
- Where required, the ISSC shall consult with Individuals (or their representatives), applicable DPOs and/or Data Protection Authorities in respect of new Projects and ensure that any concerns, advice, or recommendations are communicated to the individual or team responsible for the new Project.
- The individual or team responsible for the new Project is responsible for ensuring that controls required to reduce the risk to Individuals, as recommended by the ISSC, are implemented.
- No new Projects shall be undertaken if there is a high risk to Individuals that cannot be mitigated, unless this has been approved by the Management.
- The ISSC shall, from time-to-time, review projects to ensure that appropriate controls have been implemented to reduce the risk to Individuals.
- The ISSC shall reassess DPIAs for projects at its discretion, following any significant change in the business environment, Data Protection Legislation, Authority guidelines, industry best practice, media coverage, public sentiment or recent judgements.
- The ISSC shall maintain a centralized repository of all DPIAs and supporting documentation.
- As and when required, iTech may assist its customers in completing their DPIAs by providing the relevant information to support their assessment of the risk to Individuals. The DPO and the ISSC may support Customer teams in responding to these requests.
Data Subject Rights and Requests Policy
- All Data Subject Requests shall be managed in accordance with iTech Data Subject Rights Policy and associated procedure.
- All Data Subject Requests shall be responded to in a timely manner, in line with the timeframes stipulated by applicable Data Protection Legislation.
- iTech shall design, implement and maintain appropriate measures to execute any Data Subject Requests.
- The ISSC shall maintain a centralized record of all Data Subject Requests.
Data Privacy and Protection Enquiries and Complaints Policy
- iTech shall establish a procedure to receive, recognize and respond to PDP enquiries and complaints from Individuals.
- All PDP enquiries and complaints shall be dealt with in a timely manner, in accordance with applicable Data Protection Legislation.
- All PDP complaints shall be reported immediately to the local DPO, who shall coordinate the response, inform the Management Team on a regular basis and escalate as appropriate.
- The DPOs (where relevant) and SPOCs (where appropriate) shall assist in responding to PDP enquiries from Individuals.
- The ISSC shall maintain a centralized record of all PDP complaints.
- The ISSC shall review and analyse all PDP complaints on a quarterly basis to identify trends, root causes and deficiencies in iTech PDP policies, frameworks, procedures and guidelines.
Data Protection by Design Policy
- Any time iTech uses Personal Data, it shall apply the iTech PDP Policy.
- iTech shall apply the PDP Policy and the associated PDP policies and procedures whenever it changes or builds applications, systems, infrastructure, Products, Services or Solutions that use Personal Data.
Data Landscape Policy
- iTech shall document, maintain and review at least annually, in the Data Management Plan, an accurate and complete record of what Personal Data iTech uses and how it is used.
- iTech shall identify and document its legal basis (e.g. Contract, Legitimate Interests, Vital Interests, compliance with a legal obligation, Consent) for using Personal Data.
- Where iTech's legal basis is Consent, iTech shall ensure that the Consent is freely given, specific, informed and unambiguous, and that Individuals can withdraw Consent at any time.
- The ISSC shall maintain a centralized repository of the Data Management Plan.
Information Lifecycle Management Policy
- iTech shall use Personal Data only for a legitimate business purpose.
- iTech shall not use Personal Data for any additional purposes unless this is compatible with the original purpose for which it was collected.
- iTech shall collect Personal Data directly from the Individual unless they are aware of and/or have Consented to the collection of Personal Data about them from other persons or third parties.
- iTech shall collect Special Category Personal Data only if it has a legitimate business purpose and it is permitted under law (including Data Protection Legislation).
- iTech shall collect Personal Data relating to Vulnerable Persons only if it has a legitimate business purpose.
- iTech shall collect the Personal Data of Children only if it has a legitimate business purpose and has obtained the informed Consent of their parent, guardian or other competent person.
- iTech shall implement mechanisms to ensure that Personal Data is accurate, complete and up to date.
- iTech shall keep Personal Data only for as long as it needs it to fulfil the business purpose, and in accordance with retention schedules.
- iTech shall securely destroy, dispose of, de-identify or anonymize Personal Data when it is no longer needed.
Cross-border Transfers of Personal Data Policy
- iTech shall transfer Personal Data outside of the country from where it was originally collected only in accordance with applicable laws and regulations (including Data Protection Legislation and data localization and data sovereignty requirements).
- When iTech transfers Personal Data outside the country where it was originally collected, including transfers within iTech, it shall ensure that an appropriate Transfer Mechanism (e.g. Standard Contractual Clauses or an Adequacy Decision) is in place.
Employee Personal Data Policy
- iTech shall respect the right to privacy of its Employees and uphold their rights in all that it does.
- iTech shall not use the Personal Data of its employees without their knowledge, or in a way that would be considered intrusive or invasive.
- iTech shall use the Personal Data of its employees only where it has a legitimate business reason to do so, and shall not collect more Personal Data than is needed.
- iTech shall treat the Personal Data of its employees as confidential at all times and shall not share it with others unless they have a legitimate need to know.
Customer Personal Data Policy
- Any time iTech processes Personal Data on behalf of its customers or potential Customers ("Customer Personal Data"), iTech shall do so only in accordance with a written agreement between iTech and the customer that describes iTech's role, the required terms and conditions, the type of Personal Data, the purpose for using the Customer Personal Data, and what iTech may or may not do with it.
- Any agreement that sets out PDP obligations with an iTech customer shall be negotiated and agreed in accordance with the applicable legal contracting playbooks, which include iTech's standard clauses and escalation processes.
- iTech shall maintain an accurate and complete record of how it uses Customer Personal Data in the Data Management Plan.
- The ISSC shall maintain a centralized repository of the PDP Customer record of Processing.
Marketing Policy on PDP
- iTech shall respect the right of an Individual not to be marketed to. iTech shall therefore provide Individuals with the option to opt in to iTech's marketing communications (including electronic, online, telephonic and postal), unless applicable laws and regulations permit otherwise.
- At any point in time, iTech shall provide Individuals with the option to opt out of its marketing communications and with information on how to do so.
- iTech shall not market to Individuals who have opted out of its marketing communications.
- When purchasing marketing lists or databases, iTech shall ensure that the list or database provider has obtained the required opt-in consent from Individuals to receive marketing communications from iTech. Where iTech buys a list, it shall review the list to ensure that any Individual who has withdrawn consent from iTech for marketing communications is removed.
- iTech shall not sell its marketing lists or databases to third parties.
- iTech shall receive marketing lists or databases from, or share them with, iTech Partners only if:
- a specific agreement is in place (including a Data Processing Agreement ("DPA")),
- there is a legitimate business reason for sharing the Personal Data,
- only the minimum amount of Personal Data necessary is shared,
- the Personal Data will not be used for a different purpose,
- the use would not be considered excessive, and
- Individuals are aware that iTech shares their Personal Data with its Partners.
- iTech shall obtain consent for the use of cookies and other technologies that target, profile and/or track Individuals for marketing purposes.
- Where possible, iTech shall ensure that Individuals are aware of its marketing practices at the time their Personal Data is collected.
- iTech shall maintain a record of Individual preferences regarding marketing communications, cookies and other technologies.
- iTech shall maintain a record of all marketing lists and databases that are purchased or received from, or shared with, other parties or its Partners.
Regulatory Policy
- The ISSC and senior management shall ensure that iTech Management is aware of and understands the requirements imposed by Data Protection Legislation.
- DPOs (and equivalent roles) may inform and advise the ISSC of requirements under Data Protection Legislation, when required.
- The ISSC and DPOs (and equivalent roles) shall keep abreast of changing legislative, regulatory and industry best practices and ensure that any changes are adopted and communicated.
- The ISSC shall define, document, assess, manage and monitor Risk Management Plans for high-risk Data Protection Legislation.
- All required statutory registrations and required authorizations (including DPOs or equivalent roles, databases, Special Category Personal Data, cross-border transfers, etc.) shall be performed/obtained and maintained in accordance with applicable Data Protection Legislation by the relevant business units. The ISSC shall assist in statutory registrations or authorizations, as required.
- All requests from Authorities (including complaints, questions, audits, investigations, etc.) shall be immediately reported to the DPO.
- The DPO, where required, shall assess, co-ordinate and respond to requests from Authorities in accordance with Data Protection Legislation, and any other applicable legislation.
- The DPO, where required, shall be consulted prior to disclosing Personal Data to any Authorities.
- The ISSC shall maintain a centralized register of all statutory registrations, authorizations, interactions with Authorities and data disclosures with necessary access control.
Third Party Management Policy
- All third parties shall be selected, on-boarded, managed and off-boarded in accordance with iTech supplier management policies, procedures and guidelines.
- Any time iTech engages a Third-Party Processor, iTech shall ensure that a written Data Processing Agreement (DPA) is in place.
- DPAs shall be negotiated and agreed in accordance with the appropriate legal contracting process.
- All Third-Party Processors shall only use Personal Data in accordance with the written agreements between iTech and them and shall not use Personal Data for any other purposes.
- Where Third Party Processors transfer Personal Data outside of the country from where it was originally collected or stored, iTech shall ensure that an adequate Transfer Mechanism is in place.
- Any time iTech engages a Third-Party Processor, iTech shall ensure that the Third-Party Processor has undergone the PDP Third Party Risk Assessment and the Information Security Vendor Risk Assessment.
- Any Third-Party Processor that does not meet iTech's PDP and/or information security requirements shall not be allowed to use Personal Data on iTech's behalf.
- All Third-Party Processors shall implement appropriate controls to ensure that Personal Data is protected against unauthorized use, access, disclosure, loss or damage.
- All Third-Party Processors shall immediately notify iTech of any actual or suspected Personal Data Breaches.
- From time-to-time, iTech may audit (or require assurance from) its Third-Party Processors to ensure that they comply with iTech PDP and information security requirements.
- The ISSC shall retain a record of all Third-Party Processors and the associated DPAs.
- All Third-Party Processors shall be made aware of and comply with iTech PDP Policy.
- iTech shall ensure that appropriate agreements (Data Processing Agreements and Data Sharing Agreements) are in place to support the use of Personal Data when it is processed by iTech and/or its subsidiaries.
Privacy Training and Awareness Policy
- iTech is committed to building a culture that promotes Personal Data Protection and the ethical use of Personal Data.
- All iTech employees shall be aware of, understand and be committed to ensuring that iTech uses Personal Data in a transparent, fair, ethical and lawful way.
- iTech shall ensure that all of its employees receive training on PDP policies, procedures and guidelines appropriate to their role, upon joining and at least annually thereafter.
- The ISSC shall be responsible for the design, implementation and maintenance of PDP training and awareness.
- Where local variations, additional requirements and/or exceptions to the PDP Policy exist, the relevant DPO shall ensure that appropriate additional training is provided to iTech employees so that they are aware of their additional responsibilities under that local variation, additional requirement and/or exception. Any such additional training shall be consistent with the PDP Policy and the associated PDP policies, frameworks, procedures and guidelines, and shall be reviewed and approved by the ISSC.
PDP Risk Management Policy
- PDP Risks shall be managed in accordance with the Risk Management Policy and Procedure (iTech-ISMS-POL 06 and iTech-ISMS-PR 02).
- Any possible PDP Risk identified within iTech shall be reported to the ISSC.
- The ISSC shall review, identify, and assess PDP Risks on at least a quarterly basis and capture these in the Risk Register.
- The ISSC shall design and implement controls and initiate activities to mitigate PDP Risks to an acceptable level of residual risk.
- The ISSC shall ensure that PDP Risks are managed within iTech’s risk appetite as given in the Risk Management procedure.
- The ISSC shall assess the effectiveness of the controls implemented to mitigate iTech’s PDP Risks, at least on an annual basis.
- The ISSC shall review and define key risk and control indicators to monitor the status of risks and risk management activities.
- The CISO shall report on the status of risk management activities to the Management team at least twice a year.
- As and when required, the ISSC shall perform a deep dive into PDP Risks and present a report to the CISO on the adequacy and effectiveness of the controls implemented to address those risks.
Breach Response and Notification Policy
- iTech shall manage information security incidents and provide Personal Data Breach notifications in accordance with the iTech Personal Data Breach Notification Policy.
- iTech shall identify, protect against, detect, respond to and recover from Personal Data Breaches in accordance with iTech's Incident Management procedure.
- All iTech employees shall immediately report any suspected or actual Personal Data Breach to their line manager and the local Data Protection Officer (DPO).
- iTech shall notify relevant Authorities, affected Individuals and Customers of Personal Data Breaches in accordance with Data Protection Legislation and iTech's contractual commitments.
- The ISSC shall maintain a record of all Personal Data Breaches and notifications.
Related Policies, Procedures and Guidelines
- Data Management Plan
- Website Data Privacy Consent Notice
- Third Party Data Privacy Consent Notice
- iTech Employee Data Privacy Consent Notice
Further help and advice
For any further queries or suggestions, please contact the Data Protection Officer at dpo@.com.
Annexures
Annexure1 – Regulatory Compliances
The applicable data protection laws for different regions are as follows:
- European Union – General Data Protection Regulation (GDPR).
- United States of America – Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Cable Communications Policy Act of 1984, the Children's Online Privacy Protection Act (COPPA), the Computer Fraud and Abuse Act of 1986 (CFAA), and the California Online Privacy Protection Act (CalOPPA).
- United Kingdom – Data Protection Act 2018.
- Australia – Privacy Act 1988.
- United Arab Emirates – Federal Law No. 5 of 2012 on Combating Cybercrimes, the Internet Access Management Policy of the United Arab Emirates, the UAE Penal Code and all applicable data protection law.
- Bahrain – Personal Data Protection Law No. 30 of 2018 (PDPL).
- Oman – Electronic Transactions Law 2008.
- Kuwait – Law No. 20 of 2014 Regarding Electronic Transactions.
- Singapore – Personal Data Protection Act 2012.
- Malaysia – Personal Data Protection Act 2010 (PDPA), in force since 2013.
- South Korea – Personal Information Protection Act (PIPA).
- Vietnam – Law on Information Technology, 2006.
- African Union – African Union Convention on Cyber Security and Personal Data Protection, 2014.
- South Africa – Protection of Personal Information Act 2013 (POPIA).
- India – Information Technology Act, 2000.
- Japan – Act on the Protection of Personal Information (APPI).
- China – PRC Cybersecurity Law (in force since 2017).
- Mauritius – Data Protection Act 2017.
The data retention periods under the different regulatory regimes are as follows:
- GDPR – No fixed period. Retention is set by the company at the time of collection and shall be strictly in line with the purpose of processing and with any legal or regulatory requirement to retain the data.
- HIPAA – 6 years from the date of creation or the date when it was last in effect, whichever is later.
- United States of America – 1 year.
- Australia – 2 years.
- European Union Data Retention Directive, 2006 – Minimum 6 months and maximum 24 months (the Directive was declared invalid by the Court of Justice of the EU in 2014 and no longer applies).
- South Africa – Section 14(1) of the Protection of Personal Information Act states that "records of personal information shall not be kept any longer than is necessary for achieving the purpose for which the information was collected."
- Singapore – The Personal Data Protection Act does not set a fixed period; a reasonable retention period is determined by the purpose of collection and the business and legal purposes for which the data may be retained.
- South Korea – 3 years.
- United Kingdom – 24 months.
- India – Section 69 of the IT Act, 2000 allows the interception, monitoring and decryption of information; the related records are kept for a limited period of 2 months.
- Malaysia – The Personal Data Protection Act requires that personal data collection forms be disposed of within 14 days unless they have "legal value" in connection with the commercial transaction for which the personal data was collected.
- Vietnam – 36 months.
- Mauritius – No general time period specified but sector specific.
- China – Comply with the purpose limitations and maximum data retention periods stipulated in the contract.
- Japan – 7 years to 10 years.
- South Africa – 12 months.
Annexure2 – GDPR Personal Data Principles
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
- It shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- Shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Responsibility and Authority
This policy is reviewed for suitability by the ISSC and approved by the CEO.
This review shall take place at least once a year, or as needed, after the initial review and approval.
The CISO is responsible for communicating the policy
- to all the employees of iTech.
- to all stakeholders and interested parties, on need basis.
All relevant employees are responsible for complying with this policy at all times.
Internal audit is authorized to assess compliance with this policy at any time.
Policy Awareness
- This Policy shall be made available to all current staff on the iTech Intranet portal.
- Individual sections of the policy will be updated as required and will be available on the iTech Intranet site.
Applicability and Enforcement
This policy applies to all iTech stakeholders.
CISO of iTech shall be responsible for all decisions regarding the enforcement of this policy, utilizing the disciplinary procedures at his or her disposal as appropriate.
Exception Process
Information Security shall consider exceptions on an individual basis. Any exception to this policy shall be recorded in the Risk Acceptance Form, approved by the Head of the Department, and submitted to Information Security for review and agreement. The approval shall be reported in the Risk Assessment Report.
A policy waiver is valid for a maximum of 4 months and may be reassessed and re-approved, if necessary, for at most three consecutive terms. No policy waiver shall be granted for more than three consecutive terms.