Effective: 1st April 2020
This policy is designed to provide a global baseline across the Company with regard to the protection of Personal Information. It sets out the Company’s commitment to ensuring that the processing of all Personal Information is carried out with integrity and in accordance with all relevant data protection law. While it seeks to define our core purpose and principles without reference to any specific personal information protection regime, the Company recognizes that in certain jurisdictions the applicable regulations may impose additional, specific requirements. Where this is so, we manage the processing and storage of Personal Information in accordance with all such applicable laws.
This corporate policy applies globally, to all employees, consultants, contractors, and vendors of Amplity Health, or of any of its current or future subsidiaries, affiliates, successors or assigns (collectively, the “Company”). All company workers are expected to comply with the policy. Failure to do so may lead to disciplinary action for misconduct, including dismissal or termination of contract.
The Policy covers:
The Company has defined this and other related policies to ensure the delivery of good privacy and data protection practices. These are:
Policies are supported by Standard Operating Procedures (SOP) and Guidelines.
The Company is committed to the principle of ‘Privacy by Design’ and seeks to ensure that good data protection practice is embedded in our culture and processes.
The Company complies with the fundamental principles of Personal Information protection set out below:
We are clear, open, and honest about our use of Personal Information:
Personal Information is only collected when necessary, and for specified, explicit, and lawful purposes. It is not processed in a manner that is incompatible with those purposes, unless subsequently authorized by the Data Subject.
Only Personal Information that is adequate, relevant, and limited to what is necessary in relation to the stated purpose is collected.
Personal Information that we hold is accurate and, where necessary, kept up to date. Reasonable steps are taken to ensure that inaccurate Personal Information is recognized and erased or rectified without delay, having regard to the purposes for which it is processed.
Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary to fulfill the legitimate purpose, or to comply with legal obligations.
Personal Information is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
The Company takes full responsibility for complying with all relevant legislation by adopting this Policy and the other supporting Policies mentioned. Appropriate technical, organizational, and administrative measures are implemented and maintained, and records are kept to monitor and demonstrate compliance. Where relevant, the Company utilizes voluntary codes of conduct and certification schemes to maintain and improve the quality of delivery.
The rights of Data Subjects vary across the globe and depend on the relevant data privacy legislation. The Company commits to ensuring that Data Subjects understand their rights under any applicable regime, to providing access to allow those rights to be exercised, and to responding to all legitimate requests in full compliance with the relevant laws. These may include:
Data Subjects are not discriminated against as a result of their choice to exercise their data protection rights.
The Company has put in place, and maintains, SOPs and training programs to ensure adherence to this policy and to support the exercise of the rights of Data Subjects.
Data privacy legislation typically identifies special categories of Personal Information, which are of greater sensitivity, and enforces additional legal obligations for processing. Sensitive Personal Information may include (depending on the applicable legislation) information regarding:
Where the Processing of Sensitive Personal Information is required, we review risk, establish and record the required lawful conditions for processing (typically explicit consent, employment-related obligation, or other legal obligations) and employ necessary measures to ensure privacy and security.
The Company puts in place appropriate administrative, technical and physical information security measures to support the delivery of this policy and to protect the Personal Information in our care against threats such as loss or theft; unauthorized or inappropriate access, use or disclosure; tampering; loss of data integrity; and improper retention or deletion.
Employees are appropriately trained and expected to take steps to recognize and prevent such threats to Personal Information and to report any suspected or known threat or incident.
It is sometimes necessary to share Personal Information and to transfer it between companies within Amplity Health or to our partners, clients, service providers, and agents. This may also mean the transfer of Personal Information between locations and jurisdictions. In all cases, we apply the guiding principles above and ensure that the Personal Information for which we are responsible is adequately protected.
The retention period for Personal Information is determined according to the principle of “storage limitation” as described above. Accordingly, in general, Personal Information is held only as long as necessary for a specified purpose, and the Company takes reasonable steps to minimize the length of time for which that Personal Information is held.
The Company has a “Document Retention and Destruction Use Policy” to define retention periods for certain classes of document in line with statutory requirements. Personal Information contained within these specified document categories is retained on the basis of legal obligation for the stated retention periods. The Company has defined and maintains processes to ensure that Personal Information is anonymized (de-identified) or safely deleted in line with the principle of storage limitation and the Document Retention and Destruction Use Policy.
The Company does not typically engage in marketing and promotional activities targeted at individuals or consumers for its own purposes, but may do so on behalf of our clients. In all cases, the Company complies with applicable law and ensures that the rules of consent are implemented and that the rights of the individual or consumer are upheld.
The Company maintains a Data Privacy Management System to ensure robust governance of data privacy. This includes:
The Company appoints a Data Privacy Officer (DPO) to advise on data protection obligations and the implementation of necessary compliance measures, to monitor internal compliance and to act as a first point of contact for data subjects and the relevant supervisory authorities. The DPO is independent and reports to the top level of management, and is adequately supported and resourced.
The protection of Personal Information and compliance is the responsibility of all employees and others working on our behalf.
The Company ensures appropriate training to support its employees in the delivery of this policy.
|Term|Description|
|---|---|
|Data Subject|An identified or identifiable individual (otherwise described in different legislation as a “natural person,” “consumer” or similar term) whose Personal Information we Control or Process.|
|Personal Information (or Personal Data)|Information that relates to, is capable of being associated with, or can be linked to a Data Subject, whether directly or indirectly. Personal Information is to be considered as belonging to the Data Subject.|
|Controller|A Controller determines the purpose and means of processing Personal Information.|
|Processor|A Processor is responsible for Processing Personal Information.|
|Processing (of Personal Information)|Any operation performed on Personal Information, such as collection, storage, organization, adaptation or alteration, retrieval, use, transmission or transfer of Personal Information for a lawful purpose.|