Data Security & Privacy Policy | ValueLabs

Data Security and Privacy Policy
1. Overview
ValueLabs’s intention behind publishing this Data Security and Privacy Policy is to ensure that we are compliant with the privacy and data security requirements. Herein, ValueLabs would like to provide detailed information regarding the data we collect and process, and the controls we have implemented to safeguard the information provided to us by Data Subjects.
2. Objective
The purpose of this policy is to outline the practices that we adhere to with respect to:
  • Data Security and Privacy Regulations including European Union General Data Protection Regulation (EU GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), Malaysia Personal Data Protection Act and any other such data privacy regulations
  • Statutory and Regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act)
  • Data Security, Confidentiality and Privacy requirements specified as part of Master Services Agreement (MSA), Statement of Work (SOW) etc. by customers
  • Intellectual Property Rights of Data Subjects and customers
2.1 Terms & Definitions
Term: Definition
MSA: Master Service Agreements
SOW: Statement of Work
HIPAA: Health Insurance Portability and Accountability Act
Personally Identifiable Information (PII): Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that is created or collected and can be linked to a specific individual
Processing of PHI / PII: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
EU GDPR: European Union General Data Protection Regulation
Data Controller: Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Data Processor: Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Data Subject: Any natural or legal person providing its PII
ISMG: Information Security Management Group
PIMS: Personal Information Management System
IPS: Intrusion Prevention System
IDS: Intrusion Detection System
DLP: Data Loss Prevention
SOC: Security Operations Center
HRIS: Human Resources Information System
3. Policy Description
Many countries have introduced legislation placing controls on collection, processing and transmission of PII. We ensure that we perform our services in compliance with such laws, ensuring data security, privacy and confidentiality.
4. What data / information we collect
4.1 Prospective Customers
i. Prospective customers may provide their information while contacting us through our website for business opportunities
  a. We collect name, company details, email id (professional email id), and phone number
  b. Access to such PII is provided only on a need-to-know basis and is restricted to those individuals, affiliates or subcontractors who are subjected to ValueLabs’s strict confidentiality obligations and disciplinary policies
  c. Adequate controls are implemented to safeguard the PII, which include physical, technical and administrative controls
ii. ValueLabs is a leading business technology and consulting services firm catering to over 180 customers through 30 offices globally. Our services span Digital Enablement and Product Development for leading organizations across sectors. We would like to connect to organizations such as yours to explore partnership opportunities.
  a. We receive information including name, email id, phone number, role and associated organization from professional service providers such as LinkedIn premium service, marketing databases, prospective customer websites and references from our existing clients
  b. We assume that the data subjects have provided consent to such professional service providers to share the PII with ValueLabs
4.2 Customers Information
i. To provide effective services to our customers we collect PII which includes name, professional email id, phone number and company address
ii. The respective customer provides us with the information during the contract phase in order to perform services effectively (billing, invoicing, program management etc.)
iii. ValueLabs assumes that the customer organization has already obtained consent from the data subject and would exclude ValueLabs from any additional consent to be acquired
4.3 Prospective Employees
i. In the process of recruitment and talent management, ValueLabs’ HR may receive PII from Job Boards, Social Networking sites & other referral channels
ii. ValueLabs receives name, email ID, mobile number, address and other information provided by the data subject in the respective job portals
iii. ValueLabs assumes that the job posting portals have already obtained consent from the data subjects to share such information and would exclude ValueLabs from any of the obligations related to additional consent management
4.4 ValueLabs Employees PII
i. HR at ValueLabs collects PII of employees while issuing the offer letters and during onboarding
ii. Information includes name, address, email id, phone number and emergency contact details
iii. By accepting the offer, the employee by default consents to allow ValueLabs to share PII with customers, affiliates and third parties as may be required in relation to employment
iv. Access to PII is provided only on a need-to-know basis and is restricted to those individuals, affiliates or subcontractors who are subjected to ValueLabs’ strict confidentiality obligations and disciplinary policies
4.5 Customer (Data Controller) provided information
i. PII / PHI data is collected by ValueLabs’ Customers and is shared with ValueLabs for access / processing / storage during the services provided to them
ii. Data subjects’ consent will be obtained for such collection by the customers
iii. ValueLabs employees always ensure that they access such data only after written consent from the Customer (SOW / MSA / meeting minutes shared with Customer)
iv. Project owners reach out to ISMG to understand the regulatory and compliance requirements prior to any such processing and thoroughly read the MSA
v. Customers are to inform ValueLabs in case the data subject has withdrawn the consent, so that ValueLabs would erase such data as appropriate
4.6 Vendors/Business partners
i. To provide & initiate effective NDA, MSA & Purchase Order, we collect vendor’s data such as Name, Address, Email, Contact details, GST, PAN, Company registration details, Client list & Bank Details etc. by sending email for onboarding Vendors in SAP.
ii. Access to PII is provided only on a need-to-know basis and is restricted to those individuals from the Admin & Finance team who are subjected to ValueLabs’ strict confidentiality obligations and disciplinary policies
4.7 Consultant / Interns
i. We collect PII related data through the Personal History Record (PHR form) and while calling the candidate for a job opportunity.
ii. Data collected by HR-Tag (to name a few): Name, Contact number, Email id, Address, blood group, DOB, Passport number, CTC details, Nationality, country, Place of birth.
4.8 Website data and the user behavior
i. The marketing team uses Google Tag Manager and Google Analytics to track user behavior on the website.
ii. The process given below is usually followed for every page on the website:
  a. Creation of tags for all the clickable actions on a webpage.
  b. Complete user behavior for all the tags is stored in Google Analytics.
  c. The team also uses GA to get the number of conversions for any form on the website.
  d. Monitoring of user behavior data like number of visits, time spent, bounce rate, source, geo, etc. through Google Analytics.
iii. The data filled by a visitor on any form present on the website is transferred to the Marketing team. The team categorizes this data into different buckets and assigns respective owners for the same. Qualified contacts are moved into the central CRM database.
iv. The cookie settings on our websites are set to “allow cookies” for the best browsing experience possible. The user’s consent is obtained by them clicking on “Accept” in the notification pop-up about cookies, which appears at the bottom right-hand corner of the page as soon as they visit our websites.
5. Data processing
5.1 Prospective Customers
i. In order to establish this connection, we would like to reach out to prospective customers with technological / digital propositions and solutions relevant to their business, invitations for our sales reach events, white papers, publications, industry newsletters and any relevant technology related content
5.2 Prospective employees
i. PII data of prospective employees is collected through job portals for recruitment, and the talent acquisition team will process/use the collected data to reach out to prospective employees for job openings and careers at ValueLabs
5.3 Employees
i. PII collected from employees would be processed as per our HRIS practices and to fulfil the obligation of our people policy.
5.4 Customer (Data Controller) provided information
i. PII / PHI shared by the Customers for providing the relevant services will be processed by ValueLabs as per the Statement of Work and / or Master Services Agreement, approved business requirement and / or written instruction only.
ii. ValueLabs would ensure the integrity of the personal data while processing by applying the required controls.
iii. ValueLabs would implement appropriate security controls in the application developed to ensure the confidentiality and privacy of the PII / PHI to avoid unauthorized access or disclosure of such PII / PHI.
iv. Project owners, with the help of the IT and SOC teams at ValueLabs, would ensure adequate security controls (including the controls defined in MSA/SOW) are deployed in the project environment. The controls shall include but are not limited to:
  a. Authentication and authorization
  b. Encryption of data while transmitting over a network and storage
  c. Provision for emergency access
  d. Data anonymization
  e. Log management where application / database should maintain logs of all processing etc.
5.5 Vendor/Business Partners
i. PII / PHI shared by the vendors for providing the relevant services will be processed by ValueLabs as per the Non-Disclosure Agreement, Purchase Order and Master Service Agreement, approved business requirement and / or written instruction only.
ii. ValueLabs would ensure the integrity of the personal data while processing.
5.6 Consultant / Interns
i. After collection of data, if the Consultant / Intern is joining ValueLabs, we transfer the data to the HR Operations team.
6. Data Storage
6.1 Prospective Customers
i. PII provided by the prospect on the website or gathered through a marketing database shall be stored on a well-established CRM tool.
ii. Appropriate technical controls, including but not limited to access control mechanism, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information.
6.2 Prospective employees
i. PII provided by the prospective employees on the website or job portals shall be stored on a well-established HRIS Tool.
ii. Appropriate technical controls, including but not limited to access control mechanism, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information.
6.3 Employees
i. PII provided by the employees during on-boarding would be stored on a well-established HRIS Tool
ii. Appropriate technical controls, including but not limited to access control mechanism, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information.
6.4 Customer (Data Controller) provided information
i. Project owners should ensure that the PII / PHI data storage is limited to the Customer environment only.
ii. Project owners should refrain from copying the data into the ValueLabs environment and educate the project resources on the legal / compliance obligations if such actions are performed.
iii. Most of the data protection and privacy regulatory requirements restrict transmitting of PII and PHI data beyond the specified geographical regions. Project owners should ensure such restrictions are addressed (e.g. securing a virtual environment, storage in that geographical location etc.) and restrict transmission of such data into the ValueLabs environment.
iv. In case storage of PII / PHI data is one of the project / service requirements, project owners or resources should ensure written consent from the Customer (in MSA or SOW or email approval from Customer) is obtained prior to transmission.
v. Project owners should reach out to the security operations center to implement technical controls like DLP, Web content filtering etc. to safeguard data if storage is done within ValueLabs.
6.5 Vendor/Business Partner
i. PII provided by vendors during on-boarding would be stored on a SAP Tool.
ii. Appropriate technical controls, including but not limited to access control mechanism, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information.
6.6 Consultant / Interns
i. Data is stored in Excel sheets and PHR forms (hard / soft copy), which are transferred to the HR Operations team.
7. Data Retention & disposal
i. ValueLabs shall retain the data of its employees in order to verify re-hire cases.
ii. Customers’ and their end users’ data (which may include PII or PHI data) shall not be retained and shall be disposed of as soon as it is no longer required for processing by ValueLabs.
iii. PII / PHI of data subjects shall not be retained by ValueLabs for a duration longer than necessary. Such requirements shall be identified during the data collection process based on regulatory or legal requirements prevailing during that period.
iv. PII / PHI data will be securely disposed of once it is no longer in use, according to the Data Retention and Disposal procedure.
8. Data Disclosure
i. ValueLabs ensures that PII / PHI data is not disclosed to unauthorized users without proper consent.
ii. Any such request for access to the data from third parties including law enforcement and government agencies would be notified to the Data Subject where applicable.
iii. Disciplinary actions would be initiated as per the disciplinary policy defined for any unauthorized disclosure of PII / PHI.
9. Data Subject rights
9.1 Right of Access, Modify
9.2 Prospective Clients and Employees
i. Data subjects at all times can reach out to ValueLabs through “datadataprivacy@valuelabs.com” for access to the personal data to review, modify and correct any inaccuracies.
ii. For Customer provided information, we request the Customer to inform ValueLabs in case the data subject has withdrawn the consent so ValueLabs can take actions on such PII as appropriate.
9.3 Employees
i. Employees can reach out to the relevant HR business partner for access, review, modification and correction of such data
9.4 Vendor/Business Partner
i. Vendors at all times can reach out to the ValueLabs Procurement team through email: “procurement@ValueLabs.com” for modification and correction of any inaccuracies in such data.
9.5 Consultant / Interns
i. The respective candidate can reach out to the concerned recruiter through email for any modifications or corrections of inaccuracies in the data provided by them.
9.6 Right to consent / opt out consent
9.7 Prospective Clients
i. In case of data obtained through Premium services, ValueLabs will reach out to all such prospective clients with an email to obtain their consent, providing a link to this policy.
ii. In case the data subject would like to opt out, they can reply to the email or use the web link option provided. In case we do not receive the information within one week, it would be deemed that consent is not provided.
iii. ValueLabs would maintain the name, LinkedIn ID, or marketing database ID of opted out data subjects in a do-not-contact (DNC) list to ensure that no future contacts are made by our sales team.
9.8 Prospective Employees
i. ValueLabs will reach out to all such prospective employees with an email to obtain their consent, providing a link to this policy.
ii. In case the data subject would like to opt out, they can reply to the email or use the web link option provided. In case we do not receive the information within one week, it would be deemed that consent is not provided.
iii. ValueLabs would maintain the name, LinkedIn ID and job portal ID of opted out data subjects in a do-not-contact (DNC) list to ensure that no future contacts are made by our HR team.
9.9 Right to Erase
i. Data subjects at all times can reach out to ValueLabs through email id: “pdataprivacy@valuelabs.com” to erase a part of the data or the complete data
ii. For Customer provided information, we request the customer to inform ValueLabs in case the data subject has made such a request.
10. Breach Notification
i. ValueLabs would intimate the data subjects and customers of any instance of data breach which could potentially impact the privacy of the data subject.
ii. Such notifications, wherever feasible, would be within 72 hours or as per the contracts established.
iii. ValueLabs would further take all reasonable steps to prevent such an instance from repeating and take all corrective measures to minimize the impact of such a data breach.
11. Data Processing and Data Controlling
11.1 ValueLabs will be acting as a data controller & processor
i. If they are determining the purpose and the means of collecting PII data from internal employees & prospective candidates and processing it.
ii. If they are determining the purpose and the means of collecting PII data from other regions where GDPR applies and processing it (Ex: Marketing team collecting details on any company events).
iii. If the contractual agreement states that ValueLabs will be acting as data controller and as a data processor.
11.2 ValueLabs will be acting as a data controller
i. If they are determining the purpose of and by which means the data is processed when collecting PII data from internal employees & prospective candidates.
ii. If they are determining the purpose of and by which means the data is processed when collecting PII data from other regions where GDPR applies (Ex: Marketing team collecting details on any company events).
iii. If the contractual agreement states that ValueLabs will be acting as data controller.
11.3 ValueLabs will be acting as a data processor
i. If they are processing the PII data collected from internal employees & prospective candidates.
ii. If they are processing the PII data collected from other regions where GDPR applies.
iii. If the contractual agreement states that ValueLabs will be acting as data processor.
12. Organization Controls
i. ValueLabs has ensured that there is a Data Protection Officer (DPO) nominated for data security and privacy.
ii. Appropriate controls such as DLP, Web Control Filtering, IDS, IPS etc. are implemented to ensure there is no data leakage.
iii. ValueLabs has mandated project owners to thoroughly understand the compliance requirements in the MSA and educate the project resources on the same.
iv. The Legal and ISMG teams would prepare the MSA trackers and share them with the project owners / resources upon request.
v. ValueLabs has mandated that all compliance requirements related to any statutory, regulatory and / or contractual requirements are explicitly captured in the MSA / SOW.
vi. ValueLabs ensures that awareness sessions w.r.t. data privacy and security are conducted for all relevant employees.
13. Intellectual property
i. All work products developed for ValueLabs and / or its customers including but not limited to code, test cases, test data, presentations, proof of concepts, marketing collaterals etc. are intellectual property of ValueLabs and / or its customers (and / or as defined in the MSA).
ii. Employees and contractors working on behalf of ValueLabs are strictly prohibited from sharing these work products over the internet with unauthorized users or transferring them into personal folders, drives etc.
iii. In case users have been given access to the customers’ work product, users are restricted from transferring such work products into the ValueLabs environment without written consent from the customers.
iv. Project owners should ensure that they read out the Intellectual Property clause in the MSA and educate resources in the projects to provide their services accordingly.
14. Enforcement
Legal and ISMG would ensure that the policy is enforced and implemented thoroughly. Any employee found to have violated this policy shall be subject to disciplinary action.
15. Review
This policy shall be reviewed once in a year, or in case of compulsive changes, whichever is earlier.
