Summary of Policy Topic
A full assessment of data collected and processed is to be conducted annually.
Sensitive Data Provided by Clients
It is the policy of Phenomenon to not receive Personally Identifiable Information from its clients' constituents. The generation of Scoped Work (Marketing and Advertising) should not require the delivery of such Client Sensitive Data.
Inadvertent Data Collected by Clients
Data may inadvertently be collected and generated through the course of day-to-day business and contacts with Customer Representatives.
In regard to such data, we shall:
- limit access to the Information collected strictly to employees and representatives (such as attorneys and consultants) who have a need to know the information in order to analyze or consummate the transaction (provided that such employees and representatives are bound by confidentiality provisions at least as restrictive as those contained in the Phenomenon “Non-Disclosure Agreement”)
- not authorize any third party to disclose such Information to others without the prior written approval of said client
- use the same degree of care in protecting clients' Information as we use to protect our own information, but in no event less than a reasonable degree of care
- promptly notify the client in writing of any unauthorized use or disclosure of the information, which shall describe the nature of the disclosure
Phenomenon focuses on having a consistent level of data protection and security across the organization.
Our standards and preparation include:
- Information Audit – a company-wide information audit to identify and assess what personal information is held, where it came from, how and why it is processed and if and to whom it is disclosed.
- Policies & Procedures – our user access policies and procedures were updated to meet the requirements and standards set in the DPA, the GDPR and any relevant state-level data protection laws, including:
  - Data Governance – our main policy and procedure document for data governance has been overhauled to meet the standards and requirements of the GDPR.
  - Data Storage Retention & Erasure – we have updated our retention periods to ensure that we meet the “data minimization” and “storage limitation” principles and that personal information is stored, archived and destroyed compliantly and ethically.
  - Data Breaches – our staff is acutely aware of the need to report any data breach to a member of the management team, who will act upon this appropriately. In the event of a breach or suspected inadvertent disclosure of private information, the Director of IT is to be notified immediately and the “Incident Response Procedure” is to be enacted.
  - Access Management Request (AMR) – we have revised our AMR procedures to include, on user termination, notification that all access to any and all Phenomenon Systems has been removed. Our new procedures detail the steps to be taken when processing an AMR.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information via our website on an individual's right to access any personal information that Phenomenon processes about them and to request information on:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and who to contact
In such instances, documentation and evidence of compliance with the DPA and associated GDPR requests are stored in the Phenomenon IT Ticketing Platform.