Handling Private and Sensitive Data Operating Policy
|
STATEMENT of POLICY and PROCEDURE | |||
|---|---|---|---|
| Department | Information Systems | Policy No. (or n/a) |
001.01 |
| Name | Handling Private and Sensitive Data Operating Policy |
Review Frequency | 3 yr |
| Approved by |
Department | Replaces | n/a |
| Effective date | May 27, 2024 | Dated | n/a |
1 PURPOSE
1.01 At MakeWay Foundation (“MakeWay”) we recognize the critical importance of safeguarding private and sensitive data entrusted to us by our users, partners, and clients. As members of the Information Systems (IS) department, we play a crucial role in maintaining the security and integrity of this data and the trust that we will manage and protect this information. This policy outlines the guidelines and controls for IS staff regarding access to and use of private and sensitive data to ensure compliance with relevant regulations and best practices.
The purpose of this policy is to:
- Establish guidelines for accessing private and sensitive data.
- Define the responsibilities of IS staff in handling such data.
- Ensure transparency and accountability in data access and usage.
- Mitigate the risk of unauthorized access or use and data breaches.
2 SCOPE
2.01 This policy applies to all staff members and temporary-full-time and full-time contractors of the Information Systems department who have access to private and sensitive data in the course of their duties (“IS Staff”)
3 DEFINITION
3.01 Private and Sensitive Data (also referred to below as “Data”) is any data that is not publicly available on MakeWay’s system. It includes personal information and communications, meeting data, passwords and authentication information, employment information, financial information, legal information, and any other personally sensitive information, whether it is stored as a document, email, text message, instant message, image, video, voice recording, note, transcript, agreement, or in any other form. Private and Sensitive Data includes information stored in personal files and on private departmental storage spaces.
This list is not exhaustive. IS Staff should treat all data on MakeWay’s system as private and sensitive unless it is patently clear that it is not and should ask a supervisor or manager if there is any doubt. The reference to “personal” information includes information about an individual whether or not that information is related to the activities of MakeWay.
4 POLICY
4.01 Access Control
IS Staff must only access, or grant access, to Private and Sensitive Data on a need-to-know basis and according to the principle of least privilege. Least privilege maintains that a designated user or entity should only have access to the specific data, resources and applications needed to complete a required task.IS Staff should access Data only when necessary to perform their job duties and only within the guidelines outlined in Section 4.04 below. Any access needs outside of these guidelines must be requested and authorized in advance through the CFO and/or Privacy Officer.
4.02 Data Handling
Private and Sensitive Data should be handled with the utmost care and confidentiality. Data should not be accessed, copied, or modified unless it is required for legitimate IS support or operational purposes.IS staff must adhere to MakeWay Records Retention Policy (SPP No. 010.02) and securely dispose of Data when it is no longer needed.
4.03 Monitoring & Auditing
Regular monitoring and auditing will be conducted to ensure compliance with this policy with the goal to identify any unauthorized access or suspicious activities. Regular monitoring reports and any unauthorized access reports will be sent to the CFO and Privacy Officer. For clarity, IS staff should have no expectation of privacy with respect to their activities carried out using the IT systems of MakeWay as the monitoring and auditing will involve all aspects of the system. However, the personal information of IS staff that is not relevant to the monitoring and auditing process will be afforded the same protection as other Data under this policy
4.04 Access Guidelines
All access to Private and Sensitive Data must be logged and monitored in accordance with the following guidelines:
- Technical Support: IS staff may need to access Data to troubleshoot technical issues, resolve problems, or investigate suspected security incidents. These require tracking through the support ticketing system.
- Compliance and Legal Requirements: In cases where there is a legal or regulatory obligation to review Data (e.g., in response to a subpoena or court order), IS staff may be required to access Data under the supervision of legal counsel. This requires approval from the CFO or Privacy Officer.
- Employee Departure or Investigation: If an employee leaves the organization or is under investigation, accessing Data may be necessary for business continuity, security, or compliance reasons. Access regarding departures requires approval from Human Resources (PEL). Access regarding investigations requires approval from the Privacy Officer and Human Resources (PEL).
- Consent: In some cases, employees may voluntarily grant consent for IS staff or administrators to access Data for specific purposes, such as setting up email forwarding during a leave or accessing archived emails or files for a project. These require tracking through the support ticketing system.
IS Staff may receive approval for the activities set out in this policy from the CEO or the chair of the board of MakeWay in the event of a conflict with the designated individuals providing approval.
The following employee Data should never be accessed by IS Staff unless with express and tracked consent from the CFO and/or the Privacy Officer:
- Personnel files
- Payroll information
- Staff salary and compensation information
- Performance evaluations
- Disciplinary records
4.05 Responsibility to Report
Any IS Staff, who has, or may have, intentionally, accidentally or inadvertently accessed Private and Sensitive Data outside of these guidelines, must immediately self-report to their supervisor.
If any IS Staff are aware of a breach of this policy by another IS Staff member, or a vulnerability in MakeWay’s information security systems that could result inunauthorized access to MakeWay’s Data, they must immediately report this to their supervisor.
4.06 Awareness
All IS Staff must be aware of data privacy and security best practices and be familiar with the laws regarding privacy and security.
IS Staff members must be aware of the potential risks associated with accessing Private and Sensitive Data and the consequences of non-compliance with this policy
5 COMPLIANCE
5.01 Failure to comply with this policy is a serious employment offence and may result in disciplinary action, up to and including termination of employment. An intentional material breach of this policy will result in termination of employment for cause, subject to an assessment of the circumstances. Violations of this policy may also subject individuals to other civil legal action and financial consequences. IS Staff may be suspended and have their access to the system removed pending any investigation under this policy involving the IS Staff
6 REVIEW & SIGN-OFF
6.01 This policy will be reviewed and signed by IS Staff during onboarding and then will be reviewed and signed yearly at the start of the performance management or contractor review cycle.
7 CHANGES TO THIS POLICY
MakeWay expressly reserves the right to change, modify, or delete portions of this policy without notice. IS Staff are responsible for periodically reviewing this policy to ensure they are aware of and comply with its terms.
8 REFERENCES and RELATED STATEMENTS of POLICY and PROCEDURE
8.01 Records Retention Policy (SPP No. 010.02)
Acknowledgement of Receipt and Review
I ____________________ (employee or contractor name) acknowledge that I have read and understood the IS Operating Policy for Handling Private and Sensitive Data. I agree to comply with the guidelines and controls outlined in this policy and understand the consequences of non-compliance.
| Date | Signature |