TREE, in its day-to-day operations, handles and transacts with a large amount of personally identifiable information (PII) belonging to customers, employees and third parties. It is integral to the organization that this information, along with all customers' confidential data, is safeguarded and protected against all risks to the highest extent possible. The organization needs to keep certain information on its employees to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights Personal or individual data protection procedures within the organization.
This policy applies across the entire organization, including all infrastructure, processes and people responsible for processing personal information (including customer information) within the organization. Its purpose is to secure and safeguard the Personally Identifiable Information (PII), or data relating to persons (Data Subjects), that may be collected during our service offerings, interactions and processing.
The executive owner of this policy is the Information Security Manager. This policy must be reviewed once a year.
The organization shall protect all personal information which it is responsible to maintain, including but not limited to data belonging to its customers, employees and third parties. Individuals’ data privacy shall be given highest importance; personal data shall be strictly used only for its intended purpose and kept up to date as relevant. Such information shall be stored in a secure manner and protected with appropriate levels of security controls. The organization shall adhere to applicable data privacy laws and regulations that govern it.
6.1 It shall be clearly defined which personnel have access to personal and customer data and under what circumstances.
6.2 Customer support representatives shall only view or access the customer data needed for the requested support, and only upon customer request or with customer consent.
6.3 The procedures to collate, process and store/dispose personal information shall be controlled and in adherence to applicable laws.
6.4 Cross border data transfer shall be restricted and controlled as required by applicable laws.
6.5 The organization shall identify cross border data transfer laws prior to starting business within a region to ensure compliance.
6.6 The organization shall process customer data within the defined data boundaries thereby adhering to cross border data transfer laws of the country.
6.7 Security incidents involving personal data shall follow the incident management process.
6.8 Data masking and obfuscation tools and methods shall be used when personal data is used in testing environments and, in some cases, in production environments as well, depending on the sensitivity of the data and the applicable data security permissions.
6.9 Role-based access controls shall govern who may view or edit personal data, and shall be followed in both applications and data processing.
6.10 The organization shall develop and regularly deliver training and awareness programs to make all users aware of the protection of customer data.
The Data (Privacy) Protection procedure addresses the following principles.
1. The management of the organization will ensure that:
a. Everyone managing and handling personal information is trained to do so.
b. Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do.
c. Any disclosure of personal data will be in line with the procedures of the organization.
d. Queries about handling personal information will be dealt with swiftly and politely.
2. To meet these responsibilities, the organization staff will:
a. Ensure any personal data is collected in a fair and lawful way.
b. Explain why it is needed at the start.
c. Ensure that only the minimum information needed is collected and used.
d. Ensure the information used is up to date and accurate.
e. Review the length of time information is held.
f. Ensure it is kept safely.
g. Ensure the rights people have in relation to their personal data can be exercised.
3. Training and awareness about Data Protection and how it is followed in the organization will be delivered in the form of a general training/awareness training once a year.
The organization provides notice about the policies and procedures in all contract agreements and individual quotations.
b. Address, phone and email addresses for communication
c. Date of Birth
d. Physical characteristics
e. Personal insurance documentation
f. Bank account number
g. Copy of passport
h. Iqama No. or Social Security Number
i. Source IP Address
j. Geographical Location
1. Personal information will / may be kept in the following forms:
a. Physical form (In hard copy)
b. Digital form