Data Privacy & Security Policy

Purpose:

OIT’s Data Privacy & Security Policy aims to maintain the privacy of data and protect personal information of all its stakeholders’ including Employees of SPVs and Project Manager(s), Customers, and Business Associates.

Scope

This policy is applicable to the employees of SPVs and Project Manager(s). All OIT employees are required to handle sensitive information with utmost privacy and adhere to principles set in this Policy. It also covers any third party, who may have access to personal information in possession of OIT and its SPVs, will be required to enter into confidentiality agreement and follow guidelines set up here.

Policy Statement:

As per the Data Privacy and Security Policy:

• All business heads, business partners, employees, SPVs, project managers, board of directors, financial stakeholders, customers, and value chain partners are responsible to safeguard our information and that relates to individuals. Our employees shall understand and value information and its sensitivity and exercise their individual responsibility to protect it
• OIT shall determine information assets and classify them based on the value they create in the business operations. It shall also identify potential risks associated with the information and placing appropriate policies, procedures, and system in place to mitigate these risks.
• OIT shall update the data privacy procedures as per the changes within the organization’s operating environment
• OIT shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
• OIT shall have procedures in place to assure that the personal information is retained only if it is necessary (to fulfill the stated purpose) and obligatory under any law.
• OIT shall conduct capacity building and training sessions on information privacy and security for employees to ensure compliance with OIT’s information security principles.

OIT’s Data Privacy Principles

The policy is governed as per the following principles:

• Notify: OIT shall provide data subjects (individuals who owns the information asset) with notice about how it collects, uses, retains, and discloses personal information about them.
• Seeking choice & consent: OIT shall give data subjects the choices and obtain their consent regarding how it collects, uses, and discloses their personal information.
• Collection of information: OIT shall obtain information with proper disclosure of its intent to be used – privacy notice, SoW, contract agreement etc.
• Use, Retention and Disposal of information – OIT shall only use personal information that has been collected for the purposes identified in the privacy notice / SoW / contract agreements and in accordance with the consent that the data subject shall provide. OIT shall not retain personal information longer than is necessary to fulfil the purposes for which it was collected and to maintain reasonable business records. OIT shall securely destroy the personal information once it has served its intended purpose or as specified by the data subject.
• Access: OIT shall allow data subjects to make inquiries regarding the personal information about them, that OIT shall hold and, when appropriate, shall provide access to their personal information for review, and/or update.
• Disclosure of information to Third Parties – OIT shall disclose personal information to Third Parties / partner firms only for purposes identified in the privacy notice / SoW / contract agreements. OIT shall disclose personal information in a secure manner, with assurances of protection by those parties, according to the contracts, laws and other segments, and, where needed, with consent of the data subject.
• Security for privacy – OIT shall protect personal information from unauthorized access, data leakage and misuse shall protect personal information from unauthorized access, data leakage and misuse.
• Monitoring and Enforcement: OIT shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints and disputes.

Dispute Resolution and Escalation Process for Employees

Employees with inquiries or complaints about the processing of their personal information shall first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the Grievance Committee.

Dispute Resolution and Escalation Process for Customer / Third Party

Customers / Third Party with inquiries or complaints about the processing of their personal information shall bring the matter to the attention of the Grievance Officer in writing. Any disputes concerning the processing of the personal information of non-employees shall be resolved through arbitration.

Compliance Review

• The IT Team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.
• The internal audit shall consist of the review of the following:
  • personal information collected from data subjects.
  • the purposes of the data collection and processing.
  • the actual uses of the data.
  • disclosures made about the purposes of the collection and use of such data.
  • the existence and scope of any data subject consents to such activities
  • any legal obligations regarding the collection and processing of such data, and
  • the scope, sufficiency, and implementation status of security measures.
•  The IT Team shall document all the instances of non-compliance with privacy policies and procedures and report the same with the Key Leadership Team (KLT).
• The KLT shall take actions on the findings from the internal audit and work on the recommendations for improvement of the privacy posture.
•  Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.

Dissemination

This Policy will be disclosed on the company’s website.

Review

The Data Privacy and Security Policy at OIT shall be reviewed as may be deemed necessary as per any regulatory amendments or decisions by KMT and the Board.