Roles and Responsibility

Following Roles and Responsibilities have been carried out in PolicyGhar:

Roles	Responsibilities
Board of Directors and Senior Management (Managing Partner and Partners)	Overall responsibility for ensuring that PolicyGhar complies with its legal obligations for data privacy.
Information Security Group /Committee/ CISO	Briefing the board on data protection responsibilities. Reviewing data protection and related policies. Advising other staff on data protection issues. Ensuring that data protection and information security induction and training takes place periodically. Handling subject access requests. Approving unusual or controversial disclosures of personal data. Approving contracts with data processors, if any.
Department Head	Each Team or Department where personal data is handled should be responsible for drawing up its own operational procedures (including, induction and training) to ensure that a standard data protection practice is established and followed. Also, Managers must ensure that the Information Security Group is informed for any changes in their use of personal data that might affect PolicyGhar notification.
Staff / Team	All staff and engaged employees should be required to read, understand, and accept any policies and procedures which is related to personal data that they may handle in the course of their work.

Sensitive Personal Data

Sensitive personal data or information of a person means such personal information which consists of information related to:

• Password.

• Financial information such as bank account, credit card/ debit card or other payment instrument details.
• Physical, physiological and mental health condition.
• Sexual orientation.
• Medical records and history.
• Biometric information.
• Social Security / Unique Identification Numbers.
• Location Information.
• Political Affiliation.

Data Protection Principles

PolicyGhar will discharge its responsibilities in accordance with the requisite legal compliances (law of the land) and the following data protection principles contained therein:

• Obtain and process information fairly.
• Keep it only for one or more specified, explicit and lawful purposes.
• Use and disclose it only in ways as mentioned in this document.
• Keep it safe and secure.
• Keep it accurate, complete and up- to- date.
• Ensure it is adequate, relevant and not excessive.
• Retain for no longer than is necessary.
• Give a copy of personal data to the individual upon request.

Processing of Sensitive Data

Personal data of customers/ employees will be securely stored in electronic or manual form and in accordance with the requisite legal compliances (law of the land). In addition, data collected for a specific purpose, product or service may be stored at PolicyGhar with other information relating to an individual and only in accordance with the data protection principles mentioned above.

Data Transfer

PolicyGhar shall not disclose an individual's personal data outside their office except:

• When PolicyGhar has express consent to do so or in circumstances as agreed between PolicyGhar and an individual.
• When necessary to regulatory bodies and auditors.

• When PolicyGhar is required or permitted to do so by Law.
• To fraud prevention agencies where required.

Procedures and guidelines for Data Privacy>

• PolicyGhar shall maintain physical, technological and procedural safeguards and securities that comply with the requisite legal compliances (law of the land). PolicyGhar to ensure high standards in relation to data protection.
• Below are some of the steps that PolicyGhar shall take to ensure customers’/ employees’ data privacy:

• Access to sensitive data should be provided strictly on the basis of need to know;
• Backup should be kept in a safe and secure environment;
• Sensitive personal data should be shared with proper authorization as required;
• Data kept in file servers or shared servers should have proper access controls;
• Logs of the systems should be taken periodically and reviewed to identify the user access for the applications and servers containing sensitive personal data;
• Strict disciplinary actions should be taken if any breach of data protection standard is identified as per this policy;
• Data privacy should be ensured in using the company’s resources such as laptops, online applications, external storage devices, file servers, records and documents.

Data Migration

• Data migration plan shall include methods for verification of completeness, consistency, and integrity of migration activity, pre and post- migration activities along with responsibilities and timelines for completion of the same.
• The key aspects that are required to be consider must include:

• Integrity of data: indicating that the data is not altered manually or electronically by a person, program and substitution or overwriting in the new system. Integrity thus, includes error creep due to factors like transposition, transcription, etc.
• Completeness: ensuring that the total number of records from the source database is transferred to the new database (assuming the number of fields is the same).
• Confidentiality of data under conversion: ensuring that data is backed up before migration for future reference or any emergency that might arise out of the data migration process.

• Consistency of data: field/ record called from the new application should be consistent with that of the original application. This should enable consistency in repeatability of the testing exercise.
• Continuity: new application should be able to continue with newer records as an addition (or appendage) and help in ensuring seamless business continuity.

Procedures and Guidelines for Data Migration

• IT data migration activity must ensure the key aspects which are mentioned above.
• Explicit sign- offs from users/ application owners need to be obtained after each stage of migration and after the completion of migration process.
• Each migration phase must include documentation of audit trails, error logs, root cause analysis, etc. for easy recovery from migration failure.

Data Privacy Incident Management

Any incident of data privacy violation must be reported immediately to the group ID at admin@PolicyGhar.com.