This policy is applicable to all ClearTech employees, contractors, vendors, interns, customers, and business partners who may receive personal information from ClearTech, have access to personal information collected or processed by or on behalf of ClearTech, or who provide information to ClearTech.
This policy covers the treatment of personal information gathered and used by ClearTech for lawful business purposes.
ClearTech aims to meet leading standards for data protection and privacy. Data privacy rules must be followed in order to protect the privacy or personally identifiable information of ClearTech, its customers, employees, third parties and any other entities (if applicable), and whenever any action is performed with regard to personal data, whether in whole or in part, such as collecting, recording, organizing, storing, modifying, using, disclosing, transferring, monitoring or deleting.
4. Policy Statement
Personally Identifiable Information (PII)
- PII is any information about an individual maintained by an agency, including:
  - any information that can be used to distinguish or trace an individual’s identity, such as name, Aadhaar number, date and place of birth, mother’s maiden name, or biometric records.
  - any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- PII may be divided into two categories: linked information and linkable information.
- Linked information is any piece of personal information that can be used to identify an individual and includes, but is not limited to, the following:
  - Full name
  - Home address
  - Email address
  - Aadhaar number
  - Passport number
  - Driver’s license number
  - Credit card numbers
  - Date of birth
  - Telephone number
  - Biometric information (Fingerprint)
- Linkable information, on the other hand, is information that on its own may not be able to identify a person, but when combined with another piece of information could identify, trace, or locate a person.
Collection of Personal Data
- ClearTech may collect the personal data of employees, customers or third parties as per the relevant business operation policies and procedures and will limit its collection, use, storage, processing, transfer and disclosure of personal data to the minimum that ClearTech requires to carry out its business-specific purposes.
- Personal data or PII may only be collected, used, stored, processed, transferred or disclosed for reasonable, specific and lawful purposes.
- Departments shall be aware of the applicable data protection legislation or regulatory guidelines and comply with the same.
- ClearTech shall be responsible for identifying data which requires specific compliance requirements regarding data protection and privacy.
- Where data is collected directly from data subjects, ClearTech shall ensure that the privacy notice is visible and uses clear language.
- ClearTech should verify the accuracy and completeness of PII that an individual updates by means of a self-declaration form or supporting evidence provided at the time of making those changes.
ClearTech shall not collect, use or disclose any personal data without the consent of the data owner except where there is consent or where such collection, use or disclosure is required to meet the requirements of country-specific laws and regulations, if any.
Accuracy of Personal Data
Personal data shall be accurate and, wherever necessary, kept up to date. ClearTech shall take all reasonable steps to ensure the accuracy of any personal data it obtains and the authenticity of its source, as required by the ClearTech policies and related procedures.
Individuals shall be notified of the purposes for which ClearTech intends to collect, use or disclose personal data before or when such data is collected. In the event that any intended use of personal data will go beyond the purposes notified during collection, ClearTech employees will notify the relevant individual of the new purpose and seek that individual’s consent to use the data for such a purpose.
Adequacy of Personal Data
ClearTech shall ensure that personal data collected, stored, and processed by ClearTech is adequate, relevant and not excessive in relation to the business purpose or purposes for which the data is collected.
Protection of Personal Data
- Implementing security controls for personal data protection:
  - ClearTech shall determine and ensure the implementation of appropriate procedural (policies, procedures, guidelines, and standards), physical or technical security controls in order to protect personal data against risks such as loss, unauthorized access, modification, destruction, disclosure and misuse of its information processing facilities;
  - ClearTech shall have processes in place to ensure the integrity of PII through existing security controls;
  - ClearTech shall determine the specific privacy requirements and implement technical controls resulting from the identified privacy requirements; and
  - ClearTech shall define specific controls to ensure all data protection and privacy requirements are catered for.
- Handling of Personal Data and Employment Contracts:
  - Human Resource Policies shall define that any employment contracts/third-party agreements include the appropriate terms stating how ClearTech employees will handle employees’ personal data in the course of their employment with ClearTech and the actions to be taken if employees use this information for other than stated purposes.
- Privacy requirements for Contractors and Service Providers:
  - ClearTech shall establish privacy roles, responsibilities, and access requirements for contractors and service providers, and shall include privacy requirements in contracts and other acquisition-related documents.
- Processing Personal Data:
  - Personal data shall be processed by ClearTech in accordance with the rights of data subjects under the applicable national legislation.
- Personal Data Access & Correction:
  - ClearTech shall ensure that the information owner is given access to his/her personal data and allowed to make corrections if it is inaccurate, after seeking necessary approval/permission from the data owner to do so.
- Retention and Destruction of Personal Data:
  - Personal data collected shall be destroyed securely once the purpose is achieved or where the data is no longer required, subject to policies for retention of data.
  - Access to personal data shall be restricted, according to ClearTech’s business needs and the requirements of the tasks at hand, to the minimum number of persons required.
  - Personal data shall be used for approved purposes only. The printing, use, exchange, distribution or any other type of processing of personal data is permitted only in compliance with ClearTech policies.
- Disclosure of Personal Data:
  - Information (including information derived from the processing of personal data) that can be linked to an individual can be disclosed to third parties and ClearTech employees only if such disclosure is permissible as per the ClearTech policies.
  - Exposure of any personal data of any entity during incident resolution processes with external vendors shall not be considered a privacy breach by ClearTech or any of its teams performing any such activity.
  - ClearTech shall provide the relevant information to individuals who request information about the data ClearTech maintains on them.
- Prohibiting the Processing of Sensitive Data:
- Conducting Privacy Impact Assessments:
  - The ClearTech team shall document and implement a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information.
Privacy Monitoring and Review
- ClearTech shall have the right to monitor any computer system, network system and storage device, or personal data (stored or in transmission), if required and as per the applicable legislation. Such monitoring shall be carried out as a preventive measure to detect any fraudulent activity, shall not be a privacy violation to any employee, and shall be carried out with appropriate approvals.
- ClearTech shall document all the Personally Identifiable Information (PII) processing operations carried out under its responsibility.
- ClearTech shall review complaints/grievances to identify indications of any misuse of PII by third parties.
- ClearTech shall have a process in place to document and maintain the record of the PII hardcopy and media movements from the facilities.
- ClearTech shall conduct periodic self-assessment or reviews or due diligence of third parties to demonstrate compliance to privacy requirements.
- ClearTech shall provide effective notice to the public and to individuals regarding:
  - Its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII
  - Authority for collecting PII
  - The choices, if any, individuals may have regarding how ClearTech uses PII and the consequences of exercising or not exercising those choices
  - The ability to access and have PII amended or corrected if necessary
- ClearTech shall describe:
  - The PII the organisation collects and the purpose(s) for which it collects that information
  - How ClearTech uses PII internally
  - Whether ClearTech shares PII with external entities, the categories of those entities, and the purposes for such sharing
  - Whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent
  - How individuals may obtain access to PII
  - How the PII will be protected
- ClearTech shall revise its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
Disclosure to Third Parties:
- ClearTech shall share personally identifiable information externally only for purposes that are authorized and/or described in its notice(s), or for a purpose that is compatible with those purposes.
- ClearTech shall, where appropriate, enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used.
- If a third party, sub-contractor or vendor (support/enhancement/troubleshooting/administration) is engaged in a process involving PII, a non-disclosure agreement (NDA) shall be signed and the privacy requirements shall be stated in the contract.
- ClearTech shall monitor, audit, and train its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII.
- ClearTech shall evaluate any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
5. Review and Evaluation
- The reviews shall ensure that the policy is updated in line with any major changes within the operating and technical environment or with recommendations provided by internal/external auditors, legal counsel and/or regulations.
- In cases where non-compliance with the policy is identified, the Information Security or Management Team shall issue either general or specific notifications to relevant stakeholders regarding the established policy.
6. Policy Violation
Any employee found to be in violation of this policy shall be subject to disciplinary action, up to and including termination of employment, which may include but is not limited to revocation of computing privileges, suspension, dismissal, prosecution and restitution for damages, according to the severity of the offense. Involvement in the infraction shall include, but is not limited to, participating in, encouraging, aiding or failing to report known offenses. Third parties found in violation would be subject to a fine/termination and/or possible legal action.
7. Special Situations and Exceptions
ClearTech’s top management, regulatory body or norms thereof may override ClearTech’s policies / procedures at any time.