Data Privacy and Protection Policy pertaining to Integriti Group Pvt. Ltd., Pakistan & Integriti Group Inc., Canada.
SECTION 1: Employer and Employee Privacy Responsibilities
1.1) Employer Rights
- Any work or product created or derived from the employer's assets is the exclusive Intellectual Property (IP) of the employer.
- Employees must follow and comply with all protocols and policies established on the company's intranet.
- Employees shall not offload the company's data to a personal network or device, including, but not limited to, USB flash drives, external hard drives, solid-state drives, personal Google Drive, personal Dropbox, or any other type of personal physical storage or personal cloud storage. The employer has the autonomy to put in place all lawful technical measures to counteract such actions.
- The employer has the right to pursue all necessary litigation and prosecution in case of evident malfeasance committed by employee(s).
- All physical and intangible assets granted by the employer must be returned by the employee at the time of resignation.
- The rightful owner of data can request a correction or update to the data should any inaccuracy be found.
- For security reasons, CCTV cameras are installed throughout the office, and employees should know that the employer reserves the right to refer to the recordings in matters demanding such action.
- The office premises are integrated with biometric verification. The employer may ask new hires for their fingerprints to enable their access.
1.2) Employee Rights
- The employer cannot monitor employees' chats unless there is a discrepancy to be investigated. In such a case, the employer can revoke the privacy of the employee and notify the person concerned.
- The employer must protect the Personally Identifiable Information (PII) of all its employees. This includes, but is not limited to, email address, mailing address, social security number, phone number and pictures. Also included are technological identifiers such as IP address, login ID, social media posts, biometric, geolocation and behavioural data.
- Data relating to employer-offered benefits such as medical insurance should be strictly guarded by the insurance company and the employer. Under no circumstances should this data be used or shared in any way without the consent of the employee.
- Performance records of an employee can only be accessed by authorized personnel. Employees may ask to see their performance summary.
- Financial records and payslips are managed by the employer's finance department and should not be disclosed to anyone unless there is a legal requirement to report such information to the government.
- Employees have the right to access their data, and the data controller must comply with such a request within 30 days of the time the request was made.
- Any data breach should be reported to all concerned entities within 72 hours of the breach.
- Any data that the employer collects from employees, for example fingerprints for office access or a picture for the employee card, is the sole property of the employee and is not shared with anyone. When an employee leaves the company, such data is permanently deleted.
- Any media (e.g., pictures, videos) taken at company events should not be taken, posted or shared without the consent of the employee(s).
- If employees believe that their privacy has been encroached upon, they have the right to lodge a complaint with the company's Privacy Official.
SECTION 2: Business Data Privacy
The business scope of Integriti Group Pvt. Ltd., Pakistan & Integriti Group Inc., Canada is as follows:
2.1) Talent Acquisition Services (TAS)
Under this scope, the company works in partnership with vendors that help facilitate talent acquisition operations.
All employees using the services of these vendors fall:
- under the vendors' respective data privacy and protection policies as outlined in the table below
- under the clauses of 1.1 (Section 1)
| Vendor | Purpose |
|---|---|
| Sterling | Required for background checks of candidates. The Corporate Services department of Integriti Group Pvt. Ltd. shares candidate information for the purpose of validation. Such information comprises the candidate's name, address, date of birth and work visa/immigration details. |
| Manatal | Provides the applicant tracking system (ATS) and stores all information on present and past candidates, whether they were offered a job or rejected by the clientele of Integriti Group Pvt. Ltd. and Integriti Group Inc. Integrated with Secured Signing to apply signatures to official documents; the signed documents automatically become part of the candidate's profile on the ATS. |
2.2) eCommerce Solutions
Working as a service provider, the company will follow strict privacy rules (see Section 4) regarding website hosting and any data/information exchanged between the company and the client in the process of platform development.
However, the client itself is responsible for implementing a specific data privacy and protection policy for its store according to its scope of operation and geolocation. This may include maintaining user privacy online, information collection methods, unauthorized access resulting from data breaches, intellectual property re-selling, auditing and log files, etc. For information on these or any other matter, the client should be contacted.
Integriti Group Pvt. Ltd. & Integriti Group Inc. shall not be held liable or responsible for any issue, problem, accident or complaint originating from or caused by the client's data privacy and protection policy.
SECTION 3: Data Protection Safeguards
Financial data is managed in the following ways and falls under the privacy and protection policies mentioned in this document:
- Wagepoint is used for the salary history and tax records of people on Integriti's payroll and for the transfer of wages, including salaries and funds to contractors placed at clients. Only the company's Finance department, the company Partners and the Corporate Services department have access to Wagepoint.
- QuickBooks is used for accounting and bookkeeping, and financial statements are generated through it. Only the company's Finance department, the company Partners and the Corporate Services department have access to QuickBooks.
- For incorporated contractors and referral vendors, funds are transferred through the bank.
- For payments made in Canada, all funds transferred and received appear automatically in QuickBooks and must be matched with the corresponding bills and invoices.
- For payments made in Pakistan to internal employees and vendors, the transfer is made through a local bank. The accounting is done in QuickBooks as well, but the funds transferred and received do not appear automatically in QuickBooks; they must be recorded manually and reconciled with the bank statement at the end of every month.
- SharePoint stores the records of the various internal financial transactions (invoices/PDFs).
Various technical safeguards are put in place, including but not limited to the following:
- The company has deployed automatic software patches and updates for all devices connected to its network.
- All users are required to create complex passwords conforming to the strong security standards set by the administrator. Passwords must also be changed periodically.
- All user devices are encrypted using BitLocker.
- Windows Defender Antivirus is installed and fully integrated to detect and remediate threats or anomalies.
- Two-factor authentication is in place using Microsoft Authenticator to stop unauthorized sign-ins.
- A Fortinet firewall is deployed to safeguard the company's network from external threats and infiltration.
- Malware such as spyware, ransomware and trojans, and attacks such as DDoS, are dealt with by placing various policies on user devices and the firewall.
- An SPF record helps prevent spoofing and phishing by letting receiving mail servers verify that mail claiming to come from the company's domain was sent from a server the domain has authorized.
- DKIM records help receivers authenticate email through cryptographic signatures, verified against the public key published in DNS for the domain.
- A baseline spam configuration restricts activity from unidentified domains or email IDs.
- Cybersecurity training for all employees helps users identify safe practices against threats via email and the internet.
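The SPF and DKIM items above state the control but not how to check that the published records actually enforce it. The following Python script is an added example (not part of this policy document or any Integriti tooling) that audits SPF and DKIM TXT record strings offline: it flags an SPF record that ends in `+all` or `?all` (which lets any sender pass), one with no `all` mechanism, or one that exceeds the 10-DNS-lookup limit of RFC 7208, and a DKIM record whose `p=` tag is empty (key revoked) or that carries the `t=y` testing flag. The record strings in the block are constructed sample data, not the company's real DNS records; in practice the same functions would be fed records fetched from DNS.

```python
"""Offline audit of SPF and DKIM TXT records (added example, constructed data)."""
import re

# RFC 7208 section 4.6.4: at most 10 terms that cause DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def audit_spf(record: str) -> dict:
    """Return findings for one SPF TXT record string."""
    findings = {"valid": False, "all_qualifier": None, "lookups": 0, "issues": []}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        findings["issues"].append("missing v=spf1 version tag")
        return findings
    findings["valid"] = True
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is everything before ':' '=' or '/' (e.g. include:example.com)
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            findings["lookups"] += 1
        if name == "all":
            findings["all_qualifier"] = qualifier
    if findings["all_qualifier"] is None:
        findings["issues"].append("no 'all' mechanism: unlisted senders get a neutral result")
    elif findings["all_qualifier"] in "+?":
        findings["issues"].append(f"'{findings['all_qualifier']}all' permits any sender")
    if findings["lookups"] > SPF_LOOKUP_LIMIT:
        findings["issues"].append("more than 10 DNS lookups: receivers return permerror")
    return findings


def audit_dkim(record: str) -> dict:
    """Return findings for one DKIM selector TXT record (tag=value; tag=value ...)."""
    findings = {"valid": False, "issues": []}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DKIM1":
        findings["issues"].append("missing v=DKIM1 version tag")
    if not tags.get("p"):
        findings["issues"].append("empty p= tag: signing key is revoked or missing")
    if "y" in tags.get("t", "").split(":"):
        findings["issues"].append("t=y testing flag set: receivers may ignore failures")
    findings["valid"] = not findings["issues"]
    return findings


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_SPF_STRICT = "v=spf1 include:_spf.example.com -all"
SAMPLE_SPF_WEAK = "v=spf1 a mx include:mail.example.net +all"
SAMPLE_DKIM_OK = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructed"
SAMPLE_DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, rec in [("strict SPF", SAMPLE_SPF_STRICT), ("weak SPF", SAMPLE_SPF_WEAK)]:
        print(label, audit_spf(rec))
    for label, rec in [("DKIM ok", SAMPLE_DKIM_OK), ("DKIM revoked", SAMPLE_DKIM_REVOKED)]:
        print(label, audit_dkim(rec))
```

The check deliberately treats `?all` the same as `+all`: both leave the receiving side without a reason to reject forged mail, so neither satisfies the anti-spoofing intent stated in the policy. A `~all` (softfail) record passes the check but is weaker than `-all`; whether that is acceptable is a policy decision the script does not make for you.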
SECTION 4: Compliance to Data Laws
All business done by Integriti Group Pvt. Ltd. in Pakistan shall fall under the rules and regulations of Pakistan's data privacy and protection laws. The law in effect comprises, but is not limited to, the data protection provisions of the Prevention of Electronic Crimes Act 2016. Any actions not addressed under this law may derive their meaning from the Pakistan Penal Code, 1860 (Act XLV of 1860), the Code of Criminal Procedure, 1898 (Act V of 1898) and the Qanoon-e-Shahadat Order, 1984 (P.O. No. X of 1984), as the case may be.
Any applicable entity, employer or employee, may not:
- gain unauthorized access to data or information
- commit unauthorized transmission or copying of data
- interfere with information or data with dishonest or harmful motive
Other clauses include:
- Any electronic forgery or fraud would be treated with zero tolerance by the employer.
- There should be no illegal possession or usage of identity information.
- There should be no data interception by wrongful means, for example obtaining data illicitly from the electromagnetic emissions of an information system.
- Sabotaging infrastructure or systems using malicious code is punishable under the law applicable to it.
- There should be no attempt at spamming or spoofing, and the employer has the right to enforce all system checks and revoke privacy privileges to address these issues.
All Integriti Group Inc. and Integriti Group Pvt. Ltd. employees assent to the following terms:
- Any data or information obtained or derived from the client shall be considered the sole property of the client. Concerned employees may use it only within the scope of the agreement signed between Integriti Group Pvt. Ltd. and the client or between Integriti Group Inc. and the client.
- All second-party and third-party vendors engaged with Integriti Group Inc. and Integriti Group Pvt. Ltd. for business services, and with whom data is shared, must adhere to the data privacy and information disclosure policies mentioned in this document.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Integriti Group Inc. and Integriti Group Pvt. Ltd. must obtain an individual's consent before they collect, use or disclose their personal data.
Personal information or data, under PIPEDA, includes:
- Age, name, ID numbers, income, ethnic origin, blood type
- Opinions, evaluations, comments, social status or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (to acquire goods or services, change jobs, etc.)
Integriti Group Inc. and Integriti Group Pvt. Ltd. follow and abide by the 10 fair information principles listed under the PIPEDA legislation.
- The company will assign and declare a privacy official for a term of at least one year, every year.
- The privacy official's contact information will be available in the company's portfolio and communications.
- A privacy management program will be constituted under the privacy official.
- Privacy assessment and threat analysis (covered in Section 6) will be accounted for and shared by the company.
- All information collected under TAS falls under the policies of the vendors mentioned in 2.1 of Section 2.
- Candidates who are screened and contacted are made aware that their information will be shared to match them with employers. Their consent is acquired before any sharing happens.
- All data remains indefinitely on the servers of Manatal and is subject to its privacy policies.
- All data that TAS personnel handle is strictly confined to the purpose of hiring, and no disclosure is made outside this scope.
- The company shall implement policies and procedures to respond to complaints, inquiries and requests to access personal information.
- The company shall design, document and implement breach and incident-management protocols.
- The company shall document and implement risk assessments.
- If the company shares data with third parties, it shall develop, document and implement appropriate practices to be used by third-party service providers.
- Privacy training for employees should occur from time to time to keep them updated on all changes and requirements.
- The privacy management program should be reviewed often, with solutions to any shortcomings.
- The company shall always be prepared to demonstrate that it has specific policies and procedures in place to protect personal information.
- Privacy policies and procedures should be available to customers and employees (e.g., in brochures and on websites).
- All information holdings (such as names, tax file numbers, dates of birth, proof of immigration status, bank account information, identity information, etc.) should be specified and collected for a reason. No unnecessary information should be acquired.
- When personal information is taken from someone, there should be a verbal or written explanation so the person giving the information knows the purpose of the data collection.
- Keep a record of all purposes of data collection and of the consents obtained from the data owners.
- It should be ensured that the purposes are limited to what a reasonable person would consider appropriate under the circumstances.
- While obtaining consent, the company should relay these four points to the owner of the data:
  - What personal information is being collected and for what purpose
  - With whom the information is being shared or disclosed
  - If there are any risks or consequences related to sharing a person's data, they should be made aware beforehand
  - Provide the information in manageable and easily accessible ways
- Consent may be implied or express. The company must ensure that the consumer knows where consent is implied and where express consent needs to be obtained.
- The company shall provide a consent form (for implied and express consent) that is easy to understand and is signed by the consumer.
- Express consent is generally required when:
  - the information being collected, used or disclosed is sensitive;
  - the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or
  - the collection, use or disclosure creates a meaningful residual risk of significant harm.
- The company should allow individuals to withdraw consent at any time, albeit subject to legal or contractual restrictions.
- The company shall obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves, such as a minor. Different regions may have different laws defining the age of majority, so check with local authorities.
- The company should document what kind of personal information was collected in its information-handling policies and practices.
- The company must limit the data collected to the scope of the purpose.
- Company staff should be able to explain why certain information was acquired and for what purpose.
Limiting Use, Disclosure and Retention
- The company should monitor employee access to personal information and take appropriate action when information is accessed without authorization.
- All data that is no longer of use or does not serve an official objective should be disposed of safely. Disposal may be an effective deletion of the electronic record or shredding of the paper record.
- If information is to be kept for analytical or statistical purposes, anonymize the data and place it under the retention policy and rules.
- The company should ensure that all user information is deleted before disposing of electronic equipment or reassigning it to a new user.
- There should be a training program on data protection, and all employees should have standard knowledge of the subject. This helps mitigate attacks targeted at inexperienced users and the non-technical workforce.
- All data that is kept should be accurate, complete and updated from time to time as needed.
- When updating, it should be determined who updates the data, and protocols should be followed, as this can be a confidential process.
- The company will implement ways of protecting personal information (see Section 3).
- Security is provided by the company in multifaceted ways, including but not limited to:
  - physical security (e.g., locked filing cabinets, restricting access to offices, and alarm systems)
  - up-to-date technological tools (e.g., passwords, encryption, firewalls and security patches)
  - organizational controls (e.g., security clearances, limiting access, staff training and agreements)
- Data will be given additional layers of security depending on factors such as:
  - the sensitivity of the information and the risk of harm to the individual
  - health and financial information
  - the extent of distribution
  - the format of the information (e.g., electronic or paper)
  - the type of storage
  - the types and levels of potential risk the organization faces
- Security protocols will be reviewed and monitored by the company regularly to confirm that they are working as intended.
- Reviews must address any known vulnerabilities through regular security audits and/or testing.
- The company will make employees aware of the importance of maintaining the security and confidentiality of personal information, and hold regular staff training on security safeguards.
- The company should deploy clear guidelines on obtaining consent.
- It should be ensured that the company's front-line staff are familiar with the organization's procedures for responding to people's inquiries about their personal information.
- The company should have the following assigned:
  - the name/title and contact information of the person to whom requests for access should be sent
  - the procedure by which individuals can gain access to their personal information
  - the procedure by which an individual can complain to the company
  - documents that provide the organization's policies, standards or codes
  - a description of what personal information the company discloses to other organizations or third parties
- The company shall help people prepare their request for access to personal information in case they are unsure how to initiate the process.
- Requests should be taken up with priority. The response to the query should be no later than 30 days after receiving it.
- The normal 30-day response time limit for access requests can be extended if:
  - responding to the request within the original 30 days would unreasonably interfere with the company's activities
  - the company needs additional time to conduct consultations with respect to the query
  - the company needs additional time to convert personal information to an alternate readable format; data may be heavily encrypted and may require time for decryption
- If the processing time is extended, the company shall notify the individual and advise them of their right to reach out to the company's privacy official for further detail.
- Data retrieval should be at minimal or no cost to the individual. If there is a cost under a given company policy, the company shall notify the requestor of the approximate cost before processing the request and confirm that the individual still wants to proceed.
- An average person may not be familiar with acronyms, abbreviations and codes. The company shall ensure that they understand everything.
- If any data amendments are made, the updated parts should be relayed to any third parties that have access to the information, where doing so is appropriate.
- If the company refuses to grant access to personal information, it shall explain the reasons in writing and inform the requestor of any recourse available to them. Recourse includes the option to complain to the company's privacy official.
- If the company holds no personal information on the requestor, it shall tell them so.
- The company should be open to receiving complaints or disputes. The date and nature of each complaint should be recorded.
- An acknowledgement of receipt should be sent to the person concerned, and any questions or clarifications should be addressed by both sides.
- The company should assign a person in charge who can review the dispute fairly and impartially. There should be no conflict of interest.
- The person in charge will have the authority to access all relevant records and to consult employees or others who handled the personal information.
- The outcome of disputes/complaints should be relayed at the earliest opportunity.
- Certain cases may expose loopholes in the system or elsewhere. If so, all necessary changes should be implemented promptly, and the workforce should be made aware of official changes.
Canada’s Anti-Spam Legislation (CASL)
- The employee's device is not to be left unattended or lent to anyone for any amount of time. Physical security of the device is the responsibility of the employee at all times.
- Security tools for identity theft protection are to be deployed by the employer.
- The employee must keep the device up to date (see the software patches item in Section 3).
- The employee is required to change password(s) periodically.
- No remote connectivity to the device should be set up unless doing so fulfils job obligations and it is configured securely by the company's IT department.
- Encryption should be present on all media to render any data indecipherable to external threats.
- Joining a company device to any public network should always be done with proper precautions, comprising but not limited to the following:
  - Use only sites that begin with “https://”.
  - Do not conduct any sensitive work on a public network (such as shopping, banking, etc.).
  - Only connect to the network after confirming its name and login procedure with the appropriate staff providing the network.
- All data should be used per the accord signed between Integriti Group Inc. and the vendor or Integriti Group Pvt. Ltd. and the vendor.
- Permission to use data in a way not mentioned in the accord must be obtained in the form of a written approval from the concerned party.
- Under no circumstances should there be a disclosure or transfer of the data. If such an action is needed for business operations or to adhere to a law, written approval should be obtained and a discussion held to ensure all parties are aware and in agreement. The whole procedure is to be documented.
- In case of an enquiry where a rightful owner of the data requests a change, issues a complaint or brings forth misuse of data, such a request should be forwarded to the issuer from whom the data was legally obtained.
- Integriti Group Inc. and Integriti Group Pvt. Ltd. shall have information security guidelines to implement strict physical, technical and organizational measures to safeguard the data. Such measures are outlined under Section 3.
- A written set of security policies should be deployed by Integriti Group Inc. and Integriti Group Pvt. Ltd.
- Implemented security measures shall protect against data loss, data damage, unauthorized access, data theft, data leaks and any other damage thereto.
- Policies governing access rights should be in place to curb any misuse by internal users.
- There should be systematic oversight of data transmission: how data was changed, by whom and when, and what was deleted, if anything.
- Either party should have full access to obtain records for auditing, examination and inspection as long as it concerns the scope of business between them.
- Confidentiality should be maintained for any electronic or paper communication that holds personal, private or sensitive information.
- All devices connected to the company network should be secured and have all safety measures in place.
- All data storage media, such as servers, operating systems, computers and so forth, should comply with industry-grade security protocols.
- No subcontract or sublease should be made without the consent of the other party.
- All data is the exclusive property of the rightful owner and cannot be shared, sold, leased, saved or configured in any way by the second- or third-party vendor.
- Confidential Information, where appropriate and lawful, applies to employees, customers, contractors, clients, vendors and any entity involved in business with Integriti Group Inc. and Integriti Group Pvt. Ltd.
- Confidential Information pertains to any or all data, applications, operating systems, databases, communications and software, whether now or hereafter existing, derived or developed.
- Financial information, disclosure procedures, any research and development, technical equipment and operations shall all fall under Confidential Information where deemed appropriate.
SECTION 6: Security Policy
- System Failure / Backup
  - Power backup has been deployed for the entire office.
  - Two ISPs (including a backup ISP) ensure smooth running of business operations.
  - If a user's device is affected, spare devices are kept so that work can continue.
  - Device data backup is done on Microsoft OneDrive.
  - A retention policy is in place that stores all emails for 63 years in the cloud. Similarly, all SharePoint data and Teams data (attachments/documents/PDFs) is saved to OneDrive.
- Securing devices connected to the company network
  - The Fortinet firewall monitors incoming and outgoing network traffic and blocks malicious activity based on the configured security policies. Firewall firmware updates keep the network defence current against the latest threats.
  - WPA2 is enabled on the network router.
  - A VPN is used where needed (e.g., Zoom Phone).
  - File sharing is enabled on file servers only.
- Physical Security
  - Fingerprint scanners allow only authorized personnel into the office premises.
  - CCTV cameras are installed throughout the office for security purposes.
  - The server room is always locked, and only the IT Department has access to it.
SECTION 7: Penetration Testing
- Integriti Group Inc. and Integriti Group Pvt. Ltd. shall have a security penetration test performed at least once every year by a professional vendor.
- The vendor should be an endorsed industry provider of penetration tests and an independent one, to ensure that there is no conflict of interest.
- The penetration test should conform to the latest standards of the time, and a security report should be generated detailing any vulnerabilities or risks found and the remedies for them.
- The security report should be presented, with full transparency and honesty, to the company's clients and discussed in general terms.
- Integriti Group Inc. and Integriti Group Pvt. Ltd. reserve the right to redact any sensitive information or to limit broader disclosure of content deemed proprietary to the company.
- The vendor should not engage a third party, nor should any data be hosted on a third-party server, unless the third party is compliant with the testing obligations.
- The vendor should permanently delete the data from its servers or hand it back to the rightful owner once the test has been completed and delivered. Such action may also be unilaterally demanded by the rightful owner at any time should there be any reason or risk involved. The vendor should confirm completion of these tasks in writing when asked.
© 2021 All Rights Reserved Worldwide