Confidentiality Policy
Updated: November 1, 2021
The Company’s Policy is derived from our corporate values, ethical obligations, legal requirements and standards of practice concerning the confidential information that we maintain for our customers and their clients.
Scope
This policy applies to all Company associates, contractors and other persons working with confidential information that is within the possession, custody or control of Company (“Company Custodians”). For purposes of this Policy, “confidential information” means all customer data, Company data and application and systems software that is created, stored, accessed and distributed, regardless of whether such information is in physical or electronic form.
POLICY
Responsibilities
Governance
Overall responsibility for ensuring compliance with this Policy rests with the Human Resource Manager and the Chief Information Security Officer (CISO). All Company Custodians must comply with this Policy in connection with the day-to-day use, collection and processing of confidential information in the ordinary course of Company’s business.
Management
Each Company manager is responsible for ensuring that Company employees within such Company manager’s area(s) of responsibility are complying with this Policy. Company management is also responsible for making all external parties aware of any changes to this Policy.
Staff and Contractors
All Company Custodians are responsible for ensuring that appropriate steps are taken to protect client confidential information at all times. Company Custodians are encouraged to regularly review and consult this Policy to ensure that their own practices are in accordance with this Policy as it concerns the collection, access, use or disclosure of confidential information. Company Custodians are expected to report any issues, problems, questions and concerns about this Policy to the CISO. Company Custodians are encouraged to make suggestions to the CISO to help improve privacy and security procedures. In the event of any incident involving confidential information or privacy and data security, Company Custodians are expected to cooperate fully with any resulting investigation.
Acknowledgement of Confidentiality
In order to promote compliance with this Policy, Company requires that all Company Custodians be provided with a copy of this Policy. Company management must also regularly refresh and remind Company Custodians of this Policy and of the importance of maintaining the confidentiality of confidential information. As a condition of employment or affiliation with Company, all new employees and contractors are required to read and sign a Confidentiality Acknowledgement (included below) or non-disclosure agreement, which specifies that such employee or contractor understands the importance of maintaining the confidentiality of confidential information and will fully comply with this Policy. Company employees and Company Custodians are also required to maintain the confidentiality of confidential information after their affiliation with Company comes to an end.
Failure to Comply
Any failure by a Company employee or Company Custodian to comply with this Policy may result in disciplinary action including, but not limited to, the termination of employment or affiliation with Company.
Collection of Confidential Information
The collection of confidential information by Company is governed by applicable international, federal and state law. As a practical matter, the collection of confidential information should be limited to what is needed to fulfill a specific purpose identified to the client or other person from whom it is collected.
Accuracy of Confidential Information
All Company Custodians must take all reasonable steps to ensure the accuracy and completeness of any confidential information that they collect or record. Company Custodians must be diligent in guarding against errors due to carelessness or other oversights.
Access, Use, Disclosure or Sharing of Confidential Information
Company Custodians are authorized to access, use, disclose or share confidential information only for legitimate business purposes, and such access should be limited to those Company Custodians who have a “need to know” the information in order to perform their job functions and responsibilities.
Release of Information
Company Custodians are expected to comply with all Company policies, procedures and guidelines for the release of confidential information. Company Custodians must also ensure that any release of confidential information, including personally identifiable information, is done in accordance with applicable law.
Accessing or Sharing Confidential Information with Third Parties
Before confidential information that is within the possession, custody or control of Company is accessed by or shared with a contractor or other third-party organization, the third party must execute a Non-Disclosure Agreement (NDA) or information sharing agreement with Company. Senior Company management must approve the form of all such agreements.
All Company Custodians are required to take all reasonable steps to ensure that no unauthorized personnel or third parties are provided with access to records containing confidential information. In the event a third party requests access to confidential information, all of the following steps must be taken prior to granting access: (1) the third party must produce identification verifying their identity, (2) a Company manager must confirm that the third party has signed a non-disclosure or information sharing agreement with Company, (3) a Company manager must confirm that the applicable Company management has approved the third party for access to confidential information, and (4) the third party’s access to such confidential information must be limited to the information absolutely necessary for the third party to perform their job task or function.
The CISO must be consulted before any program is implemented in which confidential information will be transmitted outside the boundaries of the Company’s system.
Security of Information
Company is committed to maintaining the security of confidential information and other sensitive information and has implemented technical and organizational security mechanisms to help ensure the security and availability of physical and digital records and of computer and network systems. All Company Custodians are expected to comply with Company’s security requirements and policies for use of such systems, including without limitation Company’s Acceptable Use Policy.
Retention and Destruction of Confidential Information
Company Records will be retained in accordance with Company’s Record Retention Policy and all legal, regulatory and accreditation requirements. It is the responsibility of each Company Custodian in possession of a Company record to identify the applicable retention period for the particular record and to follow Company guidelines and procedures for the secure destruction of those records when the applicable retention period has expired and the information is no longer necessary to retain.
Personally Identifiable Information (PII) Risk Assessment
Company must complete a PII Risk Assessment at least annually, and before implementing or significantly changing any program or system that requires the collection, use, disclosure or sharing of confidential information.
Compliance Monitoring, Auditing & Consequences
Access, use and disclosure of confidential information will be monitored by Company. All suspected breaches of this Policy will be investigated by Company management. Any actions taken as a result of such a breach will be determined by Company management in consultation with representatives from Human Resources, Legal Services and/or other Company stakeholders, depending upon the nature of the breach, the circumstances and the parties involved. Each Company department and program must conduct appropriate reviews and audits of its systems and processes to ensure compliance with Company’s internal policies and standards.
Breach of Policy
All Company Custodians are expected to report any real or suspected breaches of this Policy to the CISO, including any actual or suspected data breach involving personal or confidential information belonging to or within the possession, custody or control of Company.
All incidents involving theft or loss of confidential information will be promptly addressed for containment, investigation, reporting and remedial actions.
PROCEDURES
General Inquiries or Requests to Amend Confidential Information
Questions or concerns about the collection, access, use or disclosure of confidential information, as well as reports of breaches or loss of information, should be directed to the CISO.
Confidentiality Acknowledgements
Human Resources is responsible for ensuring that each Company employee and Company Custodian has executed a Confidentiality Acknowledgement, and for maintaining the signed Confidentiality Acknowledgements on file.
Version 20190503v.1.2