Data Protection & Privacy Policy

Policy Standards

Principle of Data Protection

    • Data should be obtained for specific and lawful purposes

    • Data should be processed fairly and lawfully only for the specific purpose

    • Data should be adequate, relevant and not excessive in relation to the purpose for which it is held

    • Data should be accurate and, where necessary, kept up to date

    • Data should be kept only for as long as necessary

    • Data should be processed in accordance with the rights of data subjects

    • Data should be securely maintained to avoid loss or destruction

    • Data should not be shared with / transferred to a place where there is no or an inadequate level of protection.

 

All customer data that is not Open Source or Public and is classified as equal to “SENSITIVE” or “RESTRICTED” by clients will be treated as SENSITIVE when it is received by REGIME TAX SOLUTIONS PRIVATE LIMITED. Access to this information is restricted to a limited number of personnel in a group on a “NEED TO KNOW” basis.

REGIME TAX SOLUTIONS PRIVATE LIMITED is committed to ensuring that SENSITIVE DATA is not disclosed to unauthorized third parties, including family & friends of employees. All employees of REGIME TAX SOLUTIONS PRIVATE LIMITED should always maintain the secrecy of the information they are handling or come into contact with.

However, there will be certain circumstances where REGIME TAX SOLUTIONS PRIVATE LIMITED will have to disclose the data.

    • Legitimate Disclosure (with prior consent taken by REGIME TAX SOLUTIONS PRIVATE LIMITED)

    • Disclosure of Information required in performance of contract

    • Disclosure in the legitimate interest of the concerned / REGIME TAX SOLUTIONS PRIVATE LIMITED

    • Disclosure without consent

        • When required by a Court of Law

        • When required by a Regulatory Body

        • To safeguard national security

Unless otherwise directed by a specific non-disclosure agreement, customer data is treated as per this procedure.

Roles & Responsibilities

  • Department Head: Protection of data, Obligation to protect data, Determining Right to access
  • Project Manager / Department Head: Identifying and defining the confidentiality of data / assets; Protection of data, Determining Right to access, Disclosure of data
  • System Administrator: Protection of data, Implement the control
  • Individual Employees: Protection of data and complying with this procedure

Identification of Classified Data

Any data which is received from clients or business partners and already classified by the clients or business partners as the REGIME TAX SOLUTIONS PRIVATE LIMITED equivalent of “RESTRICTED” would be treated as Classified Data. Such data would be handled as per the protection & privacy procedure defined in this document.

Protection of Data

  • The Product Owner/Engineering Manager should be responsible for protection of customer’s data in his/her project.
  • The Product Owner/Engineering Manager should identify the confidentiality levels of the data.
  • Based on the level of confidentiality required, the Product Owner/Engineering Manager should define the access matrix for data and he/she should also define the protection level in coordination with Department Head-IT or CISO or Security Head.
  • REGIME TAX SOLUTIONS PRIVATE LIMITED reserves the right to use any technology or measures which it feels are required / adequate / feasible in protecting the data available in its custody, wherever necessary.
  • If there are any Legal / Client specific requirements, REGIME TAX SOLUTIONS PRIVATE LIMITED will implement the appropriate technology / measures.

Obligation to Protect Data

  • The Management of REGIME TAX SOLUTIONS PRIVATE LIMITED is obliged to ensure the protection of data collected, taken or received during its normal course of business engagements with various data subjects to fulfil the Principles of Data Protection. However, this is limited only to Classified Data which is the equivalent of “SENSITIVE” or “RESTRICTED” as per REGIME TAX SOLUTIONS PRIVATE LIMITED’s classification policies.
  • The necessary technical, procedure-oriented and organizational measures would be implemented across all the activities of REGIME TAX SOLUTIONS PRIVATE LIMITED to ensure that the process of “DUE CARE” is always followed to protect the data.

Implementation of the Controls

Storage of Customer Data

Customer’s data in the form of feedback and client information is stored by TLs and Managers physically in folders on their respective machines or on servers, if required. Access to these folders / servers should be limited and given only to those users who are working for that specific customer and have a specific “Need to Use”.

Backup of Customer’s Data

Customer data is backed up wherever necessary.

Retention & Disposal of Customer’s Data

  • All data collected / received from various sources as part of Business engagements should not be retained beyond the agreed / required period in the custody of REGIME TAX SOLUTIONS PRIVATE LIMITED.
  • On completion of the contract / term, the data should be removed from the work area. However, REGIME TAX SOLUTIONS PRIVATE LIMITED should be entitled to take a backup of the data for its own reference, which should be preserved at onsite and offsite locations with the highest classification possible, such as “SENSITIVE” or “RESTRICTED”.
  • All other copies, either manual or electronic, should be destroyed in a manner commensurate with their classification.

Right to Access

Clients, Partners and other individuals (within the scope of this policy) may audit REGIME TAX SOLUTIONS PRIVATE LIMITED to ascertain the level of protection accorded to their own data with prior permission and due notice to the management of REGIME TAX SOLUTIONS PRIVATE LIMITED.