1. Purpose of Data Protection Policy
The purpose of the Data Protection Policy is to ensure Cimigo and our clients are protected against data privacy breaches.
2. The 5 Data Protection Principles
Principle 1 — Purpose and manner of collection
This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.
Principle 2 — Use of personal data
This provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose.
Principle 3 — Security of personal data
This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).
Principle 4 — Information to be generally available
This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
Principle 5 — Access to personal data
This provides for data subjects to have rights of access to and correction of their personal data.
3.1. Personal Data
“personal data” means any data
(a) relating directly or indirectly to a living individual; and
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable;
Examples of personal data include name, address, identity card number, telephone number, email, gender, date of birth, age, occupation, salary, nationality and photos.
However, a nationality on its own is not personal data. It becomes ‘personal data’ when it is, or can be, associated with a living individual by name, ID or any other reference.
3.2. Confidential Data
“Confidential data” includes but is not limited to:
- all Cimigo and Clients’ information and trade secrets, including:
- financial, marketing and technical information, ideas, concepts, technology, processes and knowledge together with lists or details of customers, suppliers, prices, discounts, margins and information relating to research and development, current trading performance and future business strategy and any information derived from them.
3.3. Data Privacy
Data Privacy relates to which data is collected, how the data is used and whom the data can be shared with.
3.4. Data Security
Data Security covers the security measures we put in place to ensure personal data and confidential information is secure and not improperly accessed.
4. Policy maintenance
The policy is reviewed once a year, and at additional times should there be amendments to the Law on Network Information Security No. 86/2015/QH13 (Nov. 19, 2015).
5. Review & Audits
Annual internal security audits are carried out to ensure company policies are being observed and applied across all departments.
The audit will include assessment of the following areas:
- Who has access to each system.
- User access levels.
- How access is logged.
- Compliance with security procedures.
6. Data Privacy
At all times Cimigo will be bound by and will comply with all privacy policies, guidelines and practices as required and instructed by the client.
- The client must warrant that it has all necessary consents to allow Cimigo to use their customers’ data solely for the purpose of providing Services to the client. Cimigo must not disclose the data to any third party without the consent of the client.
- Cimigo and the client shall comply with their obligations under the Law on Network Information Security No. 86/2015/QH13 (Nov. 19, 2015) and any other obligation in relation to personal data, and shall provide each other such confirmation as may reasonably be required to satisfy the other party that it has complied with such obligations.
- The client shall retain title to and full and complete ownership rights to customer data, and Cimigo understands and agrees that such data constitutes the client’s proprietary and confidential information. Any customer data supplied by the client to Cimigo, and any and all copies thereof, are to be used by Cimigo solely for the purpose of providing services to the client.
7.1. Server security
- All internal servers deployed at Cimigo must be registered with the IT department.
- The server room is a restricted access room fitted with smoke, fire and intrusion alarms. Servers are clearly marked with labels.
- The database and applications are protected from hostile sources through their location within Cimigo’s network environment.
- Only authorized persons are allowed to enter the data centre and server equipment room.
- Furthermore, data exchange between applications and the external web interface is conducted over a secure, SSL-encrypted channel, together with a username and password login facility.
- The most recent security patches will be installed on the system on the regularly scheduled server maintenance day. The only exception is when immediate application would interfere with business requirements.
- The root account / administrator account will be used only by the Cimigo IT infrastructure team and the authorized vendor; other users will be provided with non-privileged accounts where feasible.
- Security audits are performed on a regular basis by authorized personnel.
7.2. Passwords and Access Control
- Passwords to the Cimigo Network and applications must be changed every three months.
- Passwords must contain letters in upper and lower cases, numbers and special keys, and are 8 or more characters in length.
- Employees must not write down or share passwords.
- Access to all systems is revoked as soon as a person leaves the business.
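The complexity and rotation rules in 7.2 can be checked mechanically before a password is accepted. The following is an added example, not part of the policy or Cimigo's own tooling: the function names, the interpretation of “special keys” as ASCII punctuation, and the reading of “three months” as a 90-day maximum age are all assumptions made here.

```python
import string
from datetime import date

# Assumed interpretation of "special keys" in 7.2: ASCII punctuation characters.
SPECIAL_CHARS = set(string.punctuation)
MIN_LENGTH = 8            # "8 or more characters in length"
MAX_AGE_DAYS = 90         # assumed reading of "changed every three months"


def password_policy_failures(password: str) -> list[str]:
    """Return the 7.2 complexity rules the password violates (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    return failures


def is_policy_compliant(password: str) -> bool:
    """True when the password satisfies every 7.2 complexity rule."""
    return not password_policy_failures(password)


def rotation_overdue(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password has not been changed within the maximum age window."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # Constructed sample inputs for a quick self-check.
    for candidate in ["password", "Abc1!", "Tr0ub4dor&3"]:
        print(candidate, "->", password_policy_failures(candidate) or "compliant")
    print("overdue:", rotation_overdue(date(2024, 1, 1), date(2024, 4, 15)))
```

The check is enforced at the point where a password is set (account creation, reset, or scheduled change); the rotation check runs against the stored last-change date so that expired passwords are flagged on login rather than relying on users to remember the three-month cycle.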
7.3. Backup
A detailed backup plan is devised and maintained by IT. In summary, the procedures include:
- Daily backup of live data.
- Backup off site using cloud services.
7.4. Secure disposal of equipment
- Backup tapes which have held personal data will be degaussed or physically destroyed when no longer required.
- Computer hard disks which have held personal data will be degaussed or physically destroyed when no longer required.
- USB Keys (memory sticks) and CD/DVDs which have held personal data will be reformatted using low level formatting or physically destroyed when no longer required.
7.5. Vulnerability management
- An inventory of all information technology assets is in place, and the IT department continuously monitors for vulnerabilities and threats and tracks their remediation.
- The IT department will prioritize patch application and use phased deployments as appropriate. Patches will be tested before deployment and, whenever appropriate, applications will be updated automatically.
- All credit card information and account passwords are stored in the databases in encrypted form.
7.7. Wireless communication
All wireless infrastructure devices that reside at the office and connect to the office network, or provide access to information classified as Confidential / Restricted must:
- be installed, supported, and maintained by an approved person.
- use Cimigo approved authentication protocols and infrastructure.
- use Cimigo approved encryption protocols.
- maintain a hardware address (MAC address) that can be registered and tracked.
- not interfere with wireless access deployments maintained by other support organizations.
7.8. Personal communication device
Personal Communication Devices (PCDs) will be issued only to Cimigo personnel with duties that require them to be in immediate and frequent contact when they are away from their normal work locations.
For the purpose of this policy, PCDs are defined to include handheld wireless devices, cellular telephones, laptop wireless cards and pagers.
Confidential or sensitive data shall never be stored on a PCD, and lost or stolen equipment must immediately be reported to the department head and the IT department.
7.9. Mobile computing and removable media
Mobile computing and storage devices include, but are not limited to: laptop computers, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device that may connect to or access the Cimigo network.
A risk analysis for each new media type shall be conducted prior to its use or connection to the network at Cimigo unless the media type has already been approved by the Cimigo management team and IT department.
Mobile computing and storage devices containing or accessing Cimigo information resources must be approved prior to connecting to the Cimigo network. The IT department will maintain a list of approved mobile computing and storage devices.
- Employees must not use non-Cimigo email accounts (e.g., Gmail, Hotmail, Yahoo, AOL) or other external resources to send emails on behalf of Cimigo, thereby ensuring that official business is never confused with personal business.
- Cimigo client emails must not be forwarded to personal email accounts.
7.11. Remote access
- Secure remote access (SSL VPN) must be strictly controlled. Control will be enforced via password authentication. VPN access is only available to authorised employees.
- Employees must only access the network using Cimigo approved equipment.
- Network connections from another company to the Cimigo network for business needs must be approved by the Cimigo management team and the IT department.
7.12. Physical access
- Part-time employees must wear ID badges at all times and are allowed access to designated areas only. In HCMC that is the 1st and 2nd floors only.
- Deliveries and messengers are handled by Cimigo reception and do not gain access to Cimigo’s
- All visitors must report to reception. Authorised visitors are accompanied at all times whilst on Cimigo
7.13. Security incident management
A security incident is any event that can damage or compromise the confidentiality, integrity or availability of confidential information, personal data or systems.
Security Incidents can include:
- strange phone requests, especially for information
- unusual visitors
- strange patterns of computer activity
- unusual appearance of computer screens
- computers taking longer than usual to perform routine tasks
Employees must notify their supervisor of anything which may be a sign of a Security Incident.
7.14. Clean desk
- Personal computers, computer terminals and printers should be logged out or the screen should be locked when not in use and should be protected by locks, passwords and the like.
- Computer media (disks, tapes, CDs) and paper and paper files must be stored and locked away, including in lockable pedestals, filing cabinets and cupboards.
- No paperwork containing confidential or personal information should be left on desks overnight. Any such information must be stored and locked away.
- Laptops must be locked away overnight.
- Everyone is required to use a password-protected screen saver that activates automatically after 4 minutes of inactivity.
- All printers and fax machines must be cleared of papers as soon as they are printed.
8. Data handling
8.1. Receiving and Sending Data Files with clients
- Via email – the client should be advised to provide encrypted or password-protected files.
- Via Google Drive, Dropbox or another file sharing platform – the client must be provided with a dedicated username and password.
- Via physical storage media – the client is to be advised to provide encrypted or password-protected files.
- All passwords should be provided by phone (and not left on voicemail), or through a separate
8.2. Storing of Data File
- All data files should be stored in network folders (Project Folder) that are protected by password or access control. Access to those folders is provided to specific employees on a project basis.
- With the exception of authorised staff in IT, no data file should be stored on employee desktop PCs.
- Under no circumstances may data be stored on laptop/notebook computers. If a data file containing client’s data must be stored locally, it must be stored in a desktop PC with either file encryption or password protection.
- Physical devices containing customer data must be delivered to a dedicated employee, and the materials received must be kept in a locked cabinet at all times.
8.3. Removal/Return of Data File
- Where data is received by responsible staff via email, they should save the data to the client Network Folder / system and delete the attachment from the email immediately.
- If the data file is provided via Google Drive, Dropbox or another file sharing platform, responsible staff must remove the data file from the Google Drive, Dropbox or other file sharing platform server (this also applies to files stored on FTP) within 1 working day of receipt.
- If the data file is provided via CDs or another physical format, the original data medium should be returned to the client upon the client’s request by our responsible staff within 5 working days after completion of the project. If Cimigo is not requested to return the CDs or other physical devices, responsible staff should pass the devices to the IT department together with an IT request form requesting their destruction. A written request for destruction of the devices should be provided by the client.
9. Data & document retention
Generally, documents and data should not be kept longer than the timeline defined in Appendix 1 requires for business, legal or regulatory purposes. Unless specified by clients, Cimigo will adhere to the following procedures. See Appendix 1 for further details.
9.1. Databases containing personal data
- The period of retention is client dependent. However, data files and databases will be deleted within a maximum of 12 months after the end of the contract for the project, application or system.
- For Cimigo owned respondent or panel data, this may be kept indefinitely and reviewed periodically.
9.2. Email records
- Emails and attachments containing confidential or personal data will be deleted within a maximum of seven years after the termination of project, application or system.
9.3. Paper records
- Paper records containing personal or confidential information will be stored in locked rooms or cabinets. These documents will be destroyed within a maximum of 12 months after the end of contract for the project, application or system.
- Confidential data about clients will be destroyed within a maximum of seven years after the termination of the project, application or system.
9.4. Credit Card details
- Captured credit card details should be encrypted, with only the last 4 digits visible to operators. Physical authorisation forms containing credit card details, along with transaction records, should be retained in a secure location for 7 years.
9.5. Audio recordings
- Audio recordings of customer calls will be stored on a secure server with no accessibility from public networks or the internet. These audio recordings will be deleted within a maximum of 12 months after the end of contract for the project, application or system.
10. Document disposal
Paper documents containing personal or confidential information must be destroyed in a secure manner. Documents can be shredded or disposed of in the confidential waste bin.
The confidential waste bin is collected and destroyed regularly by a confidential material destruction company.
Subcontractors will not be used without written approval from the client.
12. Confidentiality and non-disclosure agreements
All suppliers, contractors and third parties who are to receive or have access to data must sign an NDA.
13. Employee contracts, training and education
- Confidentiality and secrecy agreement must be signed by all Cimigo employees at time of employment.
- All employees must attend yearly data protection training and the date should be referenced in their personnel file.
- New employees should be trained in data protection and shown a copy of this policy document.
- Team leaders, supervisors, managers are responsible for conducting additional team briefings and monitoring the staff compliance with the data protection policy.
- Any breach of the data protection policy can result in disciplinary action.
14. Protection of confidential Information
- All employees have a contractual obligation to protect confidential company or client information, regardless of where it is stored.
- Employees must not attempt to access any data or programs contained on company systems for which they do not have authorisation or the explicit consent of the owner of the information or application.
- Confidential client information must not be disclosed to non-employees, or anyone else who is not authorised to view the information.
- Employees must not share their company employee account(s) with anyone else. This includes sharing the password to the account, providing access via a remote access entry, or any other means of sharing.
- All employees have an obligation to protect company assets, including intellectual property, personal and proprietary information, and confidential client data. Such information should be:
- only disclosed to those with a business need to know
- not disclosed outside the company, except as part of a contractual obligation
- not discussed or left visible or unsecured in public places
- secured when online, when on removable computer media, and when in printed form
- not left unattended on desks, faxes or printers
- Data which includes Payment Card Account Numbers must only be stored in an encrypted or otherwise unreadable form. You must not copy, store, transmit, or email Payment Card Account Numbers in a clear text form.
- Paper documents or copies of confidential information must be shredded when no longer required. There are specially marked bins provided on company premises for documents to be shredded.
- Confidential customer information may NOT be copied to, or stored on, removable storage media (such as memory sticks, DVDs, CDs, etc.) unless the storage media is protected by encryption (e.g. PGP).
- It is not permitted to copy company or client data onto your personally owned computer, phone, PDA, disk, or removable media (CD, USB key, etc.).
- It is not permitted for you to send company or client data to your personally owned email account, instant messenger (IM) account, Skype account, Google Drive, or via any other file sharing service outside the company.
- Do not send company confidential, proprietary, or client information over the Internet without explicit authorisation. Where the transmission is necessary, encryption should be used.
- Any paper, fax or other hardcopy of company confidential, proprietary, or client information must be physically secured, and not left unattended on desks, printers, faxes, or in any public location.
- Paper documents or copies of confidential information must be shredded when no longer required.
*** In this context, “encryption” means strong encryption such as PGP, SSL, SSH, or SFTP. Merely password-protecting or zipping a document is insufficient, as these levels of protection are trivial to circumvent.