This policy states how to protect the personally identifiable information (PII) of customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact. It describes how this personal data must be collected, handled and stored.
The purpose of this policy is to provide direction to SLIC employees, stakeholders and responsible personnel on protecting SLIC from data security risks, including:
Breaches of Confidentiality: For instance, information being given out inappropriately
Failing to offer choices: individuals should be free to choose how the company uses data relating to them
Reputational Damage: the company could suffer if hackers successfully gained access to sensitive data
This policy applies to all employees of SLIC and to any third party that processes personally identifiable information (PII) on its behalf.
SLIC is required to adhere to the following principles of data protection. In accordance with those principles, personal data shall be:
Processed fairly and lawfully
Processed for specified purposes only
Adequate, relevant and not excessive
Collected only with consent where the data is sensitive PII, e.g. Unique Identification Number (UIN), biometric data, PAN, etc.
Accurate and kept up to date
Not kept longer than necessary
Processed in accordance with data subjects' rights
Processed and held securely
Processed in accordance with the governance guidelines
Data Collection: SLIC collects personal data in a fair, transparent, and lawful manner. As such, we adhere to the following guidelines:
Collect the minimum PII personal data required to support business activity or as mandated by law
Collect PII personal data in a fair and non-deceptive manner
Collect PII personal data directly from the individual, when possible
Where required by local law, obtain explicit consent from individuals prior to the collection of sensitive personal information (e.g. race, ethnic origin, health details, Unique Identification Number (UIN), biometric information, etc.)
Collect Aadhaar data only as permitted by the Aadhaar Act 2016, its amendment regulations and the circulars released by IRDAI and UIDAI from time to time
Verify that PII personal data collected from third parties is reliable and was legally obtained, as mandated by law
Data Storage: All electronic files that contain Protected PII (e.g. UIN, biometric information, PAN number, health details, etc.) will reside within a protected SLIC DC information system location. All physical files that contain Protected PII will reside within a locked file cabinet or room when not being actively viewed or modified. Protected PII is not to be downloaded to employee or contractor workstations or mobile devices (such as laptops, personal digital assistants, mobile phones, tablets or removable media), or to systems outside the protection of the organisation. Protected PII will also not be sent through any form of insecure electronic communication, e.g. e-mail or instant messaging systems. Significant security risks emerge when PII is transferred from a secure location to a less secure one, or is disposed of improperly. When disposing of PII, the physical file should be shredded or the electronic file securely deleted.
Data Retention: SLIC does not retain PII personal data any longer than is absolutely necessary. The retention period for PII personal data is determined by:
The purpose of the data collected
The fulfillment of that purpose
Retention periods, as mandated by any contractual and/or regulatory requirements
The mode of storage, archival and back up of personal data collected
Data retention will follow the applicable IRDAI and UIDAI guidelines, cyber security requirements and ISO standards.
Data Disposal: SLIC requires managerial approval for the disposal, destruction and deletion of any personal data. Our data disposal procedures prevent the recovery, theft, misuse or unauthorized access of personal data. All PII data will be disposed of when no longer required, in accordance with the governance guidelines, amendment regulations and other circulars released by IRDAI and UIDAI from time to time.
Information Handling Policy.
Media Disposal Policy.
All PII data such as UIN, PAN number, biometric information, health details and other required details will be collected with proper consent from the data owners, SLIC employees, any third party and other stakeholders, for processing as required by SLIC.
The UIN, along with the demographic or biometric information of an individual, is submitted to the Central Identities Data Repository for verification, and the Repository verifies the correctness, or the lack thereof, on the basis of the information available with it.
If required, biometric information will be collected using the registered devices specified by UIDAI. The demographic details of the individual received from UIDAI as a response shall be used to identify the individual only for the specific purpose of providing the specific services, and only for the duration of those services. e-KYC will be carried out through the authentication facility provided by the Authority (UIDAI) or by trained SLIC employees at SLIC offices.
The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act 2016 and its amendments and regulations issued from time to time. The identity information shall not be used beyond the stated purpose without consent from the UIN holder, and even with consent, any other use must fall within the permissible purposes in compliance with the Aadhaar Act 2016.
Processes shall be implemented to ensure that identity information is not used beyond the purposes mentioned in the notice/consent form provided to the UIN holder.
No financial information, such as bank account, credit card, debit card or other payment instrument details, will be collected by SLIC employees at the time of providing the services.
All PII personal data collected will be stored securely and its confidentiality will be maintained. The UIN will be masked in all online applications used by SLIC while the service is being provided to the client. PII personal data shall not be shared in contravention of the Aadhaar Act 2016, its amendments, regulations and other circulars released by UIDAI from time to time.
Any exception to this policy shall be approved by the Chief Information Security Officer (CISO) or the IT Team of Shriram Life Insurance Company Ltd.
Note: Data privacy guidelines will be followed as per cyber security requirements, ISO standards, IRDAI, UIDAI and the Aadhaar Act 2016.