This policy states how to protect personally identifiable information (PII) of customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored.
The purpose of this policy is to protect SLIC from data security risks, including:
Breaches of Confidentiality: For instance, information being given out inappropriately
Failing to offer choices: individuals should be free to choose how the company uses data relating to them
Reputational Damage: the company could suffer if hackers successfully gained access to sensitive data
This policy applies to all employees of SLIC and any third party that processes personally identifiable information.
SLIC is required to adhere to the following principles of data protection. In accordance with those principles, personal data shall be:
Processed fairly and lawfully
Processed for specified purposes only
Adequate, relevant and not excessive
Accurate and up to date
Not kept longer than necessary
Processed in accordance with data subjects' rights
Processed and held securely
Data Collection: SLIC collects personal data in a fair, transparent, and lawful manner. As such, we adhere to the following guidelines:
Collect the minimum personal data required to support business activity or as mandated by law
Collect personal data in a fair and non-deceptive manner
Collect personal data directly from the individual, when possible
Where required by local law, obtain explicit consent from individuals prior to the collection of sensitive personal information (e.g. race, ethnic origin, health details, sexual orientation etc.)
Verify that personal data collected from third parties is reliable and legally obtained.
Data Storage: All electronic files that contain Protected PII will reside within a protected SLIC DC information system location. All physical files that contain Protected PII will reside within a locked file cabinet or room when not being actively viewed or modified. Protected PII is not to be downloaded to employee or contractor workstations or mobile devices (such as laptops, personal digital assistants, mobile phones, tablets or removable media) or to systems outside the protection of the organisation. PII will also not be sent through any form of insecure electronic communication, e.g. e-mail or instant messaging systems. Significant security risks emerge when PII is transferred from a secure location to a less secure location or is disposed of improperly. When disposing of PII, the physical or electronic file should be shredded or securely deleted.
Data Retention: SLIC does not retain personal data any longer than is absolutely necessary. The retention period for personal data is determined by:
The purpose of the data collected
The fulfillment of that purpose
Retention periods, as mandated by any contractual and/or regulatory requirements
The mode of storage, archival and back up of personal data collected
Data Disposal: SLIC Data Disposal requires managerial approval for the disposal, destruction and deletion of any personal data. Our data disposal procedures prevent the recovery, theft, misuse or unauthorized access of personal data.