The purpose of this policy is to maintain the privacy of and protect the personal information of customers, employees, vendors, and business partners of eNTrust Software & Services Private Limited and ensure compliance with laws and regulations applicable (refer annexure A ‘Data Privacy Annexures’ document) to eNTrust Software & Services Private Limited (hereafter referred to as “eNTrust” or “the organization”).
This policy is applicable to all eNTrust employees, vendors, customers, and business partners who may receive personal information, have access to personal information collected or processed, or who provide information to the organization regardless of geographic location.
1.4. Policy Compliance
In cases where non-compliance is identified, the Data Privacy officer shall review the reasons for such non-compliance along with a plan for remediation and report them to the Information Security forum. Depending on the conclusions of the review, the need for a revision to the policy may be identified. In instances of persistent non-compliance by the individuals concerned, they shall be subject to action in accordance with the eNTrust Disciplinary Policy.
1.5. Data Privacy Principles
This Policy describes generally acceptable privacy principles (GAPP) for the protection and appropriate use of personal information at eNTrust. These principles shall govern the use, collection, disposal and transfer of personal information, except as specifically provided by this Policy or as required by applicable laws:
- Notice: eNTrust shall provide data subjects (or the PII Controller who handles contractual obligations with data subjects) with notice about how it collects, uses, retains, and discloses personal information about them.
- Choice and Consent: eNTrust shall give data subjects (or the PII Controller who handles contractual obligations with data subjects) the choices and obtain their consent regarding how it collects, uses, retains and discloses their personal information.
- Rights of Data subject: eNTrust shall provide individuals with the right to control their personal information, which includes the right to access, modify, retain, erase, restrict, transmit, or object to certain uses of their information and for withdrawal of earlier given consent to the notice.
- Collection: eNTrust shall collect personal information from data subjects (or the PII Controller who handles contractual obligations with data subjects) only for the purposes identified in the contract agreements / SoW / Consent Form / Legally binding requirements / privacy notice and only to provide the requested product or service.
- Use, Retention and Disposal: eNTrust shall only use personal information that has been collected for the purposes identified in the contract agreements / SoW / Consent Form / Legally binding requirements / privacy notice and in accordance with the consent that the data subject (or the PII Controller who handles contractual obligations with data subjects) shall provide. eNTrust shall not retain personal information longer than is necessary to fulfil the purposes for which it was collected and to maintain reasonable business records. Each department shall document the retention period of the privacy data in accordance with contract agreements / SoW / Consent Form / Legally binding requirements / privacy notice in their respective configuration management plans. eNTrust shall dispose of the personal information once it has served its intended purpose, as per the retention period documented in configuration management plans or as specified by the data subject (contractual agreements such as Project Engagement Notes, Consent Form, etc.).
- Access: eNTrust shall allow data subjects (or the PII Controller who handles contractual obligations with data subjects) to make inquiries regarding the personal information that eNTrust holds about them and, when appropriate, shall provide access to their personal information for review and/or update.
- Disclosure to Third Parties: eNTrust shall disclose personal information to Third Parties / partner firms only for purposes identified in the contract agreements / SoW / privacy notice with prior intimation and after obtaining necessary consent from Data Subjects (or the PII Controller who handles contractual obligations with data subject). eNTrust shall disclose personal information in a secure manner, with assurances of protection by those parties, according to the contracts, laws and other segments, and, where needed, with consent of the data subject (or the PII Controller who handles contractual obligations with data subjects).
- Obligations for Sub-processor: Where a processor (vendor or 3rd party acting on behalf of eNTrust) engages another processor (Sub-processor) for carrying out specific processing activities on behalf of eNTrust, the same data protection obligations as set out in the contract or other legally binding regulations between eNTrust and the processor shall be imposed on the Sub-processor by way of a contract or other legally binding mechanism, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements stipulated by eNTrust. Where the Sub-processor fails to fulfil its data protection obligations, the initial processor (relevant vendor or 3rd party acting on behalf of eNTrust) shall remain fully liable to eNTrust for the performance of that Sub-processor's obligations.
- Security for Privacy: eNTrust shall protect personal information from unauthorized access, data leakage and misuse.
- Quality: eNTrust shall take steps to ensure that personal information in its records is accurate and relevant to the purposes for which it was collected.
- Monitoring and Enforcement: eNTrust shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints and disputes.
Notice shall be made readily accessible and available to data subjects (or the PII Controller who handles contractual obligations with data subjects) before or at the time of collection of personal information; otherwise, notice shall be provided as soon as practical thereafter. Notice shall be displayed clearly and conspicuously and shall be provided through online (e.g. by posting it on the intranet portal, website, sending mails, newsletters, etc.) and / or offline methods (e.g. through posts, couriers, etc.). All websites (including Intranet portals), and any product or service that collects personal information internally, shall have a privacy notice.
In case of any cross-border transfer of personal information, the data subjects (or the PII Controller who handles contractual obligations with data subjects) shall be informed by a notice sufficiently prior to the transfer.
Privacy notices may include:
- The organization's operating jurisdictions; Third Parties involved; business segments and affiliates; lines of business; locations;
- Types of personal information collected; sources of information; who is collecting the personal information, including contact information;
- The purpose of collecting the personal information;
- Assurance that the personal information will be used only for the purpose identified in the notice and only if the implicit and / or explicit consent is provided unless a law or regulation specifically requires otherwise;
- Any choices the data subject (or the PII Controller who handles contractual obligations with data subjects) has regarding the use or disclosure of the information; the process a data subject shall follow to exercise the choices;
- The process for a data subject (or the PII Controller who handles contractual obligations with data subjects) to change contact preferences and ways in which the consent is obtained.
- Collection process and how the information is collected; how the information is used including any onward transfer to Third-Parties;
- Retention and disposal process for personal information; assurance that the personal information will be retained only as long as necessary to fulfil the stated purposes, or for a period specifically required by law or regulation, and will be disposed of securely or made anonymous once the identified purpose is completed; process of accessing personal information; the costs associated with accessing personal information (if any); process to update / correct the personal information; the resolution of disagreements related to personal information; how the information is protected from unauthorized access or use;
- How users will be notified of any changes made to privacy notice;
- Disclosure process for Third Parties; the assurance that the personal information is disclosed to Third Parties only for the purpose identified; the remedial actions in place for any misuse of personal information by the Third Parties;
- Security measures in place to protect the personal information; ways of maintaining quality of personal information;
- Monitoring and enforcement mechanisms in place; description of the complaint channels available to data subjects; how the internal personnel, key stakeholders and the customers can contact the Company related to any privacy complaints or breaches; relevant contact information and / or other reporting methods through which the complaints and/or breaches could be registered;
- Consequences of not providing the requested information.
1.7. Choice and consent
Choice refers to the options that data subjects (or the PII Controller who handles contractual obligations with data subjects) are offered regarding the collection and use of their personal information. Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.
- eNTrust shall establish systems for the collection and documentation of data subject (or the PII Controller who handles contractual obligations with data subject) consents to the collection, processing, and/or transfer of personal data.
- Data subjects (or the PII Controller who handles contractual obligations with data subjects) shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.
- Consent shall be obtained (in writing or electronically) from the data subjects (or the PII Controller who handles contractual obligations with data subjects) before or at the time of collecting personal information or as soon as practical thereafter.
- The changes to a data subject’s (or the PII Controller who handles contractual obligations with data subjects) preferences shall be managed and documented. Consent or withdrawal of consent shall be documented appropriately.
- The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the contract agreements / SoW / notice at the time of collection, the new purpose shall be documented, the data subject (or the PII Controller who handles contractual obligations with data subjects) shall be notified, and consent shall be obtained prior to such new use or purpose. The data subject (or the PII Controller who handles contractual obligations with data subject) shall be notified if the data collected is used for marketing purposes, advertisements, etc.
- eNTrust shall review the privacy policies of the Third Parties and types of consent of Third Parties before accepting personal information from Third-Party data sources.
1.8. Collection of Personal Information
Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.
- Personal information shall not be collected unless at least one of the following is fulfilled:
  - Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  - The data subject (or the PII Controller who handles contractual obligations with data subjects) has provided a valid, informed and free consent;
  - Processing is necessary for compliance with the organization's legally binding obligations;
  - Processing is necessary in order to protect the vital interests of the data subject; or
  - Processing is necessary for the performance of a task carried out in the public interest.
- Data subjects (or the PII Controller who handles contractual obligations with data subjects) shall not be required to provide more personal information than is necessary for the provision of the product or service that data subject (or the PII Controller who handles contractual obligations with data subjects) has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of personal information shall be avoided or limited when reasonably possible.
- Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
- When using vendors to collect personal information on its behalf, eNTrust shall ensure that the vendors comply with the privacy requirements of eNTrust as defined in this Policy.
- eNTrust shall, at minimum annually, review and monitor the information collected, the consent obtained and the contract agreement / SoW / notice identifying the purpose.
- The project team/support function shall obtain approval from the Chief Information Security Officer before adopting new methods for collecting personal information electronically.
- eNTrust shall review the privacy policies and collection methods of Third-Parties before accepting personal information from Third-Party data sources.
1.9. Use, Retention and Disposal
Personal information may only be used for the purposes identified in the contract agreements / SoW / notice and only if the data subject has given consent.
- Personal information shall be retained for as long as necessary for business purposes identified in the contract agreements / SoW / notice at the time of collection or subsequently authorized by the data subjects (or the PII Controller who handles contractual obligations with data subjects).
- When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
- eNTrust shall communicate changes in retention periods of personal information required by the business to the data subjects (or the PII Controller who handles contractual obligations with data subjects) and who are authorized to request those changes.
- Personal information shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by eNTrust or for the benefit of the data subject (or the PII Controller who handles contractual obligations with data subject). Additionally, eNTrust has the right to retain the personal information for legally binding requirements and as per applicable data privacy laws.
eNTrust shall establish a mechanism to enable and facilitate exercise of data subject’s (or the PII Controller who handles contractual obligations with data subjects) rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of personal information.
- Data subjects (or the PII Controller who handles contractual obligations with data subjects) shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing to the Data Privacy Officer. eNTrust shall provide its response to a request within 72 hours of receipt of written request.
- The data subjects (or the PII Controller who handles contractual obligations with data subjects) shall have the right to require eNTrust to correct or supplement erroneous, misleading, outdated, or incomplete personal information.
- Requests for access to or rectification of personal information shall be directed, at the data subject’s (or the PII Controller who handles contractual obligations with data subjects) option, to the manager of the projects team or support function responsible for the personal information.
- The Data Privacy officer or privacy coordinators to whom the responsibility is delegated shall record and document each access request as it is received and the corresponding action taken.
1.11. Disclosure to Third Parties
Data Subject (or the PII Controller who handles contractual obligations with data subjects) shall be informed as per contractual agreements / SoW / Consent Forms / Legally binding obligations, if personal information shall be disclosed to Third Parties / partner firms, and it shall be disclosed only for the purposes described in the contractual agreements / SoW / Consent Forms / Legally binding obligations and for which the data subject has provided consent.
- Personal information of data subjects may be disclosed to the Third Parties / partner firms only for reasons consistent with the purposes identified in the contractual agreements / SoW / Consent Forms/ Legally binding obligations with due notification to the Data Subject (or the PII Controller who handles contractual obligations with data subjects) unless legally obligated to not disclose the same.
- All requests for disclosure of privacy information that are not legally shall be rejected and privacy information shall not be shared.
- eNTrust shall notify the data subjects prior to disclosing personal information to Third Parties / partner firms for purposes not previously identified in the contractual agreements / SoW / Consent Forms.
- eNTrust shall communicate the privacy practices, procedures and the requirements for data privacy and protection to the Third Parties / partner firms.
- The Third Parties shall sign an NDA (Non-Disclosure Agreement) with eNTrust before any personal information is disclosed to the Third Parties / partner firms. The NDA shall include the terms on non-disclosure of personal information.
Information systems, Information security policies and procedures shall be designed, documented and implemented to ensure privacy by design and privacy by default for personal information collected, stored, used, transferred and disposed of by eNTrust.
- All new Information systems shall be designed and developed with data privacy protection as one of the key aspects.
- Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
- Management shall establish procedures that maintain the logical and physical security of personal information.
- Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
- Incident response protocols are established and maintained in order to deal with incidents concerning personal data or privacy practices.
- Individuals (including employees, suppliers, third parties, customers, data subjects) noticing or becoming aware of any breach of personal data shall notify the DPO (by emailing email@example.com) within 2 hours. It shall be the DPO’s responsibility to analyse and act on the intimation within 12 hours, in accordance with the Breach Management Policy (wherever applicable).
eNTrust shall maintain data integrity and quality, as appropriate for the intended purpose of personal data collection and use and ensure data is reliable, accurate, complete and current.
- For this purpose, the data privacy officer and privacy coordinators shall have systems and procedures in place to ensure that personal information collected is accurate and complete for the business purposes for which it is to be used.
1.14. Monitoring and enforcement
1.14.1. Dispute Resolution and Recourse
eNTrust shall define and document an Incident and Breach Management policy which addresses the privacy related incidents and breaches.
- The incident and breach management program includes a clear escalation path up to the executive management based on type and/or severity of the privacy incident/breach. It shall define a process to register all the incidents/complaints and queries related to data privacy.
- eNTrust shall perform a periodic review of all the complaints related to data privacy to ensure that all the complaints are resolved in a timely manner and resolutions are documented and communicated to the data subjects.
- An escalation process for unresolved complaints and disputes shall be designed and documented.
- Communication of privacy incident / breach reporting channels and the escalation matrix shall be provided to all the data subjects.
1.14.2. Dispute Resolution and Escalation Process for Employees
Employees with inquiries or complaints about the processing of their personal information shall first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the DPO (by emailing firstname.lastname@example.org).
1.14.3. Dispute Resolution and Escalation Process for Customer / Third Party
Customers / Third Party with inquiries or complaints about the processing of their personal information shall bring the matter to the attention of the DPO in writing. Any disputes concerning the processing of the personal information of non-employees shall be resolved through arbitration.
1.14.4. Compliance Review
The Privacy Review Team shall conduct an internal audit once every six months to ensure compliance with the established privacy policies and applicable laws. The internal audit shall consist of the review of the following:
- Personal information collected from data subjects;
- The purposes of the data collection and processing;
- The actual uses of the data;
- Disclosures made about the purposes of the collection and use of such data;
- The existence and scope of any data subject consents to such activities;
- Any legally binding obligations regarding the collection and processing of such data, and
- The scope, sufficiency, and implementation status of security measures.
- The Privacy Review team shall document all the instances of non-compliance with privacy policies and procedures and report the same to the Privacy Management committee.
- The Data Privacy Officer along with Privacy Coordinators shall take actions on the findings from the internal audit and work on the recommendations for improvement of the privacy posture.
- Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers.
A data subject who is the subject of personal and sensitive personal data.

Personal data or Personally Identifiable Information (PII): PII is any information about an individual (the data subject) which can
Examples include, but are not limited to: Name, Address, Date of birth, etc.
- Any information that can be used to distinguish or trace an individual's identity;
- Any other information that is linked or linkable to an individual.

Sensitive Personal Information (SPI): Sensitive personal data means personal data consisting of information including, but not limited to, the following attributes of the data subject:
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Genetic or biometric information;
- Racial and ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Any detail relating to the above clauses as provided to body corporate for providing service; and
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

All external parties – contractors, interns, trainees, vendors – who have access to eNTrust information assets or information systems.

Data protection and security: Anyone collecting personal and customer information must fairly and lawfully process it, process it only for limited, specifically stated purposes, use the information in a way that is adequate, relevant and not excessive, use the information accurately, keep the information on file no longer than absolutely necessary, process the information in accordance with your legal rights, keep the information secure, and never transfer the information outside the country without adequate protection.

Data Privacy Officer