Privacy Policy
1. OBJECTIVE
To ensure compliance with the federal and provincial/state privacy and personal data protection laws and regulations in the jurisdictions where the Company operates.
2. SCOPE
This Policy applies to the board of directors, management, employees and consultants of the Company (“the Company’s Personnel”), as well as to vendors or service providers, customers, and business partners whose business relations with the Company involve the collection, processing or use of personal data (“the Company’s Business Collaborators”).
3. DEFINITIONS
3.1 “PERSONAL DATA”
Refers to a natural person’s name, date of birth, gender, sex at birth, personal identification card number, phone number, healthcare number, passport number, features, fingerprints, marital status, family information, education background, occupation, tribal affiliation, ethnicity, language information, disabilities, symptoms, medical records, healthcare data, genetic data, insurance information, data concerning a person’s sex life, records of physical examination, criminal records, financial conditions, data concerning a person’s social activities and any other information that may be used to directly or indirectly identify a natural person.
3.2 “PERSONAL DATA FILE”
A collection of personal data structured to facilitate data retrieval and management by automated or non-automated means.
3.3 “COLLECTION”
Refers to the act of collecting personal data in any way.
3.4 “PROCESSING”
The act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file.
3.5 “USE”
The act of using personal data by any method other than processing.
3.6 “PERSONAL DATA SOURCE”
The person who is the subject of the personal data.
3.7 DATA PROTECTION PRINCIPLES
All individuals who process personal data for the Company, whether manually or electronically, have an obligation to comply with this procedure.
3.8 COMPLIANCE OFFICER
A member of the Company’s Personnel who is authorized by the board of directors of the Company to oversee the compliance of this Policy.
4. PROCEDURES
4.1 FAIR AND PROPER COLLECTION AND PROCESSING
(i) When collecting Personal Data, the Company’s Personnel must have the legitimate grounds for collecting the Personal Data from the Personal Data Source.
(ii) Personal data obtained should not be processed and used in an unjustified manner which could cause adverse effects on the Personal Data Source.
(iii) The Personal Data Source should be sufficiently informed of the intended use of their Personal Data.
4.2 OBTAIN, PROCESS, AND USE FOR ONE OR MORE SPECIFIED LAWFUL PURPOSE(S) ONLY
(i) Before obtaining Personal Data, the Company’s Personnel must clearly understand why they are collecting and processing the data.
(ii) In case of doubt, they must seek direction from their manager before working on the Personal Data.
4.3 ADEQUATE, RELEVANT AND NOT EXCESSIVE IN RELATION TO THE PURPOSE(S) FOR WHICH THEY ARE PROCESSED
(i) The amount of Personal Data should not exceed the amount required for its purpose.
(ii) The Company should not continue to hold Personal Data on a Personal Data Source when it serves no purpose.
4.4 ACCURATE AND, WHERE NECESSARY, UPDATED
(i) The Company should take steps to ensure that the Personal Data it holds is accurate.
(ii) A record of the origin of the data, e.g. interviews, telesales, or website communications, should be kept properly.
(iii) The manager responsible for the function or business division should carefully review inaccurate data, make corrections accordingly, and update obsolete data as necessary.
4.5 HOLD FOR NO LONGER THAN IS NECESSARY
(i) A routine assessment should be done to review how long the records in each Personal Data File have been held by the Company.
(ii) Once a Personal Data File is no longer required, it must be destroyed appropriately and securely by authorized personnel.
(iii) When disposing of a Personal Data File, careful attention must be paid to preventing data leakage. All paper, notes, and printed copies being disposed of should be carefully checked and properly destroyed.
(iv) Destroying a Personal Data File earlier than necessary should be avoided. The Company’s Personnel must check the retention periods before destroying any Personal Data File.
4.6 DISPOSAL AND DESTRUCTION OF PERSONAL DATA
(i) The Company’s Personnel must check any paper waste that they throw away. Anything that contains personal or sensitive information must be treated as confidential waste.
(ii) Shredders should be provided in the workplace for the Company’s Personnel to dispose of confidential waste.
(iii) The Company’s Personnel must avoid leaving confidential waste bagged up in public places.
(iv) Sensitive personal data kept on USB drives, laptops, PCs and other electronic media must be destroyed properly as well.
(v) When an outside disposal service is used, items for disposal must only be passed to a disposal service provider with which the Company has a formal contractual agreement.
4.7 APPROPRIATE MEASURES AGAINST UNAUTHORISED OR UNLAWFUL PROCESSING AND USE OF PERSONAL DATA AND AGAINST ACCIDENTAL LOSS OR DESTRUCTION OF, OR DAMAGE TO, PERSONAL DATA
(i) Data security measures should be implemented by each personal data collector and processor, e.g., encryption of storage devices, to reduce the potential harm of any data security breach.
(ii) In all instances, personal data should never be stored on unprotected laptops, servers or cloud based platforms.
4.8 REGULAR DATA PROTECTION PROCEDURE ASSESSMENT AND ROLE OF COMPLIANCE OFFICER
(i) The Compliance Officer will assess the effectiveness of the Company’s data protection practice.
(ii) The Compliance Officer’s role shall include, among others:
(a) Ensuring that the Company’s Personnel who hold, control, or use personal data are aware of their obligations.
(b) Checking whether the Company’s Personnel demonstrate compliance with, and understanding of, the personal data protection procedures.
(c) Ensuring that computers and information systems used in the Company are secured with password access and are securely backed up.
(d) Determining the necessary changes or amendments to enhance the effectiveness of the procedure.
(e) Providing a report with a follow-up review every twelve months.
5. CODE OF PRACTICE
(i) All members of the Company’s Personnel should be aware that all Personal Data they collect and use, either manually or electronically, in the course of their functions and duties are subject to this Policy.
(ii) The Company shall procure that suppliers, contractors, service providers and agents undertaking work on behalf of the Company, and to whom Personal Data are made available, acknowledge and comply with this Policy.
(iii) Access to Personal Data by the Company’s Business Collaborators must be controlled and documented.
(iv) Access to Personal Data by any other external party must be governed and pre-approved by the Compliance Officer.
(v) Any member of the Company’s Personnel who suspects or has proof that there has been a breach of data security in the Company must notify the Compliance Officer immediately.
6. NON-COMPLIANCE
(i) In the event of non-compliance, the Compliance Officer should, within 24 hours of discovering the non-compliance, inform the concerned employee/party of the issue, both verbally and in writing, clearly outlining the non-compliance, and giving him/her a reasonable period to correct the issue.
(ii) If the non-compliance is serious in nature and a suitable resolution cannot be reached, as a last resort, disciplinary action may be imposed according to the Company’s human resource policies and/or contractual terms.
(iii) Where a breach of data has been deliberate, the Compliance Officer must discuss it with Management. Management may initiate disciplinary action against the employee/party who committed the breach according to the Company’s human resource policies and/or contractual terms.