The purpose of this policy is to govern how our organization uses the personal data we collect. Personal data we collect may come from various sources and may include, among other information, Personal Identification Information (PII) provided directly from our users or through our partner organizations.
This policy applies to each person involved in developing, designing, selecting, auditing, and using applications, services and products that are based on the processing of personal data or processing personal data to fulfill their task. This includes data that is provided directly to us by a user, or indirectly to us through a third party or partner organization.
The Human Managed ISMS Council must approve exceptions to this policy in advance through the Information Security Policy Exception Management Process.
You are responsible for ensuring our users' data protection rights are upheld, that our users are made aware of their data protection rights, and that they have given consent before any data is collected or stored from them.
You are responsible for the data protection rights of every element of a task, technology, or service that is under your control. You must ensure that considered effort is given, at every stage, to maintaining a user's right of data privacy, including:
The right to access – A user has the right to request copies of their personal data.
The right to rectification – A user has the right to request that we correct any information they believe is inaccurate. They also have the right to request that we complete the information they believe is incomplete.
The right to erasure – A user has the right to request that we erase their personal data, under certain conditions.
The right to restrict processing – A user has the right to request that we restrict the processing of their personal data, under certain conditions.
The right to object to processing – A user has the right to object to our processing of their personal data, under certain conditions.
The right to data portability – A user has the right to request that we transfer the data that we have collected to another organization, or directly to the user, under certain conditions.
Users have the right to see what personal data we have about them, and you must only use user data to the minimum extent required to deliver the applicable product, service, or feature to them.
You must obtain consent from the user or partner organization before data is collected and stored, through a clear and transparent privacy policy that is easy to understand and accessible from the moment a user provides data to us.
You must be transparent with users about how long their data will be kept before it is deleted and where their data will be stored, including a reference to the data privacy policy of any third party we use to securely store their data.
You must take a user's data protection into account at all times, from the moment you begin developing a product, to each time you process data.
You must implement appropriate technical and organizational measures to protect data, including to encrypt, pseudonymize, or anonymize personal data wherever possible, in accordance with the Encryption Policy.
You must notify the authorities and our data subjects in the event of a data breach, in accordance with the Data Breach Policy.
Information Security Council: approves policy and makes decisions on policy waiver and violations.
ServiceOps: monitors compliance and reports violations based on defined thresholds to the respective parties.
Data Protection Officer: maintains all data protection and privacy policies and ensures adequate measures are in place to protect users' data privacy rights.
Chief Architect: supports and advises on Security Policy creation and review, and implements an enterprise-wide roll-out of policy-based awareness and training programs.
HM Life: ensures that employees of the organization and, where relevant, contractors receive appropriate awareness education, training, and regular updates on organizational policies and procedures relevant to their job function.
The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner. Each business function must be able to demonstrate that it has a written Response Plan in place, that the plan is under version control, and that it is available via the web. Human Managed measures and verifies compliance with this policy through continuous monitoring measures, such as:
• Continuous control testing/Annual ISMS internal compliance audits
• ISMS Council (annual management review)
• Monthly incident response checklist
• Quarterly tabletop exercises & simulations
• Annual Incident Response Exercise
• Planned: External audits (SOC 2 Type 2, SOC 3, customer security assessments)
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The policy is updated and reviewed as part of the continual improvement process.
i. Information Security Policy Exception Management Process
ii. Encryption Policy
iii. Monitoring Policy
iv. Security Incident Response Plan
v. Breach Response Plan