1. STATEMENT OF PRACTICE & POLICY:
SBICPSL respects the privacy rights and interests of each person and will observe the following principles when processing sensitive / personal data:
(i) Data will be processed fairly and lawfully.
(ii) Data will be collected for specified and legitimate purposes and not processed further in ways incompatible with those purposes, which have been duly explained and communicated to, and consented to by, each person concerned.
(iii) Data will be relevant to and not excessive for the purposes for which it is collected and used. For example, data may be rendered anonymous when feasible and appropriate, depending on the nature of the data and the risks associated with the intended uses.
(iv) Data will be kept only as long as it is necessary for the purposes for which it was collected and processed and in accordance with data storage requirements under various applicable local laws.
(v) Data will be processed with full regard to each person’s lawful rights (as described in these Standards or as provided by applicable law).
(vi) All appropriate technical, physical, and organizational measures will be taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data.
The scope of this policy includes the collecting, recording, organizing, storing, modifying, using, disclosing or deleting of Customer, Employee and Company related data. For the definitions of such terms, reference is drawn to the Information Technology Act, 2000, read with all statutory amendments thereto ("Act"), including all other relevant Laws, Rules, Bye Laws or Standing Orders passed by competent authorities within India and applicable to the Company. This includes personal information that is collected in India from individuals located outside of India and then transferred outside of India. Any treatment of such data, including its collection, storage and usage, will be carried out, and such data will be fully protected, in accordance with this policy and the Privacy Rules.
This policy applies to SBICPSL and all its Employees, Officers, Directors, Advisors, Consultants and other Personnel, and to all third party service providers who act on behalf of the Company and collect, process and use personal data, profile data, financial data and other data, within India and outside.
2.2. Effective Date
This Policy was issued on 10/24/11 and is effective from 10/24/11.
Provider of Information: The individual who provides the information (i.e., the data subject). The term "Person" is defined to mean and include natural persons as understood under the applicable Indian laws.
Personal information: Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Sensitive Personal Data or Information of a person: means such personal information which consists of information relating to –
(i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to the body corporate for providing service; and (viii) any of the information received under the above clauses by the body corporate for processing, stored or processed under lawful contract or otherwise.
Public Information: Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of this Policy.
Company or Body Corporate means a body corporate as defined in Section 43A of the IT Act 2000 and, for the purposes of this policy, means and refers to SBICPSL.
Password means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information.
4. REASONABLE SECURITY PRACTICES AND PROCEDURES
SBICPSL will ensure Reasonable Security Practices and Procedures including but not limited to the following:
(1) A comprehensive documented information security programme and information security policies, containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of the business, are maintained.
(2) In the event of an information security breach, SBICPSL, or a competent and duly authorized person having knowledge of and in possession of information relating to such security breach, shall be prepared to demonstrate, as and when called upon to do so by the regulatory agency created under the applicable law, that the Company has taken all bona fide measures and has implemented security control measures in accordance with the SBICPSL documented information security programme and information security policies, together with standards and codes of best practices, in letter and spirit.
(3) Such policies, standards or codes of best practices are certified or audited on a regular basis by an independent auditor.
5. RESPONSIBILITY & WIDE PUBLICITY:
SBICPSL will publish the policy on its website in an endeavor to make accessible through this policy the statement of practices & policies governing:
(i) Type of personal or sensitive personal data or information collected;
(ii) Purpose of collection and usage of such information;
(iii) Disclosure of information including sensitive personal data or information as provided in rule for Disclosure of Information; and
(iv) Reasonable security practices and procedures as provided under rule for Reasonable Security Practices and Procedures
The Company, while collecting information, data, sensitive personal data and other financial information from the Provider of Information, will ensure that, in addition to obtaining consent:
(i) The Provider of Information understands the purpose of the collection, the intended recipients of the information, and the contact details of the agency collecting or retaining the information.
(ii) The Provider of Information will also have the option not to provide the information, or to withdraw consent; in that case the Company may decline to provide the goods or services for which the information was sought.
(iii) Prior permission from the person is required for disclosure to any third party (except as may be required to be disclosed by law).
(iv) Providers of Information will be able to review, correct or amend the information they have provided.
(v) Data may be transferred, in line with the consent given (i.e., the Provider knew the purpose and intended recipients when providing the information), within India or to any other country, so long as the same level of data protection is ensured.
(vi) The consent obtained by the Company will be of a nature and extent sufficient to fulfill the requirements of a lawful contract between the Provider of Information and the Company.
(vii) If access or rectification is denied, the reason for the denial will be communicated, and a written record will be made of the request and the reason for denial. In such a case the person affected may make use of the dispute resolution processes provided by law.
(viii) If the person demonstrates that the purpose for which the data is being processed is no longer legal or appropriate, the data will be deleted, unless the law requires otherwise.
7. Common Obligations:
7.2 Collection and Use of Sensitive Data:
In addition to the general obligations, there are obligations specific to the collection, use, and disclosure of sensitive personal data. Sensitive personal data is broadly defined to include password; financial information (bank account, credit/debit card, or other payment instrument details); physical, physiological, and mental health conditions; sexual orientation; medical records and history; and biometric information. Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, is excepted from the definition.
Notwithstanding anything in Sections 5 and 6 above, sensitive personal data or information shall be disclosed to a third party where so required by an order under the law for the time being in force.
Any discrepancies or grievances will be addressed in a timely manner by the Company. A Grievance Officer, together with such other personnel as are designated to assist the Grievance Officer, shall be appointed, and his or her name and contact details shall at all times be published on the Company’s website. The Grievance Officer is solely responsible for redressing grievances expeditiously, and in any event within one month from the date of receipt of the grievance.
8. AUDIT PROCEDURES:
To further ensure enforcement of these Standards, the Privacy Leader, in consultation with the appropriate Legal Counsel, Regulatory Officer and Compliance Officer, will identify the Provider and Employment Data procedures that should be audited on a periodic basis.