Information Security Management System - Employee Data Privacy Policy

1. Purpose

This policy outlines the principles and procedures regarding the collection, use, disclosure, and protection of the personal data of employees at InfraCloud Technologies

2. Scope

This policy applies to all employees, contractors, and temporary staff of InfraCloud Technologies

3. Definitions

Personal Data: Information relating to an identified or identifiable natural person (e.g., name, contact information, employment details).
Processing: Any operation performed on personal data, such as collection, storage, use, and disclosure.
Data Subject: The employee whose personal data is being processed.

4. Data Collection

Types of Data Collected: InfraCloud collects and maintains certain Personal Data and sensitive personal data as part of the business administration and records including but not limited to:
- Contact information (e.g., name, address, phone number, email address)
- Employment details (e.g., job title, department, employment history)
- Compensation and benefits information (e.g., pension benefits, insurance benefits, dependents for such benefits, bank account details)
- Performance and disciplinary records (e.g., working time records, leave records, performance review)
- Financial information (e.g., bank account details for payroll)
- Health and safety information (e.g., medical records, emergency contact details)
- Information collected as part of Surveillance and Monitoring and performance assessment (e.g., CCTV monitoring data, well as biometric and access control logs)
Purpose of Data Collection: Personal Data is collected for the following purposes:
- Managing employment relationships and business operations
- Payroll and benefits administration
- Performance management and professional development
- Compliance with legal and regulatory requirements
- Ensuring health and safety in the workplace
- Health insurance

5. Data Use

Usage: Personal data will be used solely for the purposes it was collected, as outlined above.

Consent: Employees must provide explicit consent for their data to be processed unless the processing is required by law.

6. Data Storage and Security

Data Storage: Personal data will be stored securely following industry standards and legal requirements.
Access Control: Access to personal data is restricted to authorized personnel only and is granted based on job responsibilities.
Backup and Recovery: Regular backups will be conducted to ensure data integrity and availability in case of data loss.

Internal Sharing: Personal data may be shared internally with departments requiring access to fulfil their responsibilities.
Third-Party Sharing: Personal data will not be shared with third parties without the employee’s consent, except where required by law or necessary for contractual purposes.
Data Processing Agreements: Third-party service providers must comply with InfraCloud’s data protection standards and sign data processing agreements.
Affiliates: Personal data may be provided to our affiliates to manage business operations.
Advisors: Personal data may be shared with InfraCloud’s advisors such as auditors, lawyers, insurers, bankers, and other professional advisors.
Merger or Acquisition: Personal data may be transferred if InfraCloud is acquired by another entity, merges with another company, or transfers a part of InfraCloud’s business to a third party. Any such third party or resultant entity shall have the right to continue to use the personal data in line with the purposes set out herein. In the event of such a sale or transfer, we may notify you.
Legal and Regulatory Authorities: Personal data may be disclosed to comply with legal obligations, court orders, or requests by government authorities.
Investigation and Grievance Redressal: Personal data may be used for investigation and grievance redressal purposes, ensuring fair and lawful processing of complaints and issues.

8. Data Subject Rights

Access: Employees have the right to access their data held by InfraCloud.
Rectification: Employees have the right to request correction of inaccurate personal data.
Erasure: Employees have the right to request the deletion of their personal data, subject to certain conditions.
Restriction: Employees have the right to request the restriction of processing of their personal data.
Portability: Employees have the right to request a copy of their personal data in a portable format.
Right of Grievance Redressal: Employees have the right to have readily available means of grievance redressal mechanisms provided by InfraCloud for any acts and omissions of InfraCloud.
Right to Nominate: Employees have the right to nominate any individual who will exercise these rights on their behalf in the event of the employee’s death or incapacity.
Withdraw: InfraCloud understands that employees may withdraw their consent by informing in writing to InfraCloud’s human resource department at talentserviceops@infracloud.io. Employees also consent and accept that if such withdrawal of consent affects the purpose for which personal data was sought, InfraCloud reserves the right to take steps as it deems appropriate, including termination of employment.

9. Data Subjects’ Responsibility

Accuracy: Employees are responsible for ensuring the accuracy, correctness, and truthfulness of their personal data.
Updates: Employees must inform the human resources department immediately in the event of changes to their personal data.
Dependent Information: Employees agree to inform their dependents about the contents of this Employee Privacy Policy and ensure that they have the right and have obtained adequate consent to provide dependent information to the Infracloud.
Compliance: Employees shall abide by the applicable laws and Infracloud’s policies when accessing personal data during their relationship with Infracloud.
Usage: Employees will not access or use any personal data for any purpose other than in connection with and to the extent necessary for the performance of their services
Post-Employment: Employees understand that these obligations continue and exist after termination of their employment with the Infracloud Technologies.

10. Data Breach Response

Incident Response Plan: InfraCloud has a data breach response plan under incident management to address breaches promptly and effectively.
Notification: Employees will be notified of any data breach affecting their personal data per legal and regulatory requirements.
Internal Breach Notification: Employees shall immediately notify security@infracloud.io the designated internal point of contact, upon becoming aware of any data breach within InfraCloud.

11. Compliance and Monitoring

Regular Audits: InfraCloud will conduct regular audits to ensure compliance with this policy and identify areas for improvement.
Training: Employees will receive regular training on data protection principles and the requirements of this policy.

12. Review and Updates

Policy Review: This policy will be reviewed annually and updated as necessary to remain current and effective.
Policy Updates: Employees will be notified of any significant changes to this policy.

13. Contact Information

Data Protection Officer (DPO)/ Chief Information Security Officer: Gaurav Chaware, gaurav@infracloud.io
Reporting Concerns: Employees can report concerns or complaints about data processing activities to the DPO.

Compliance Measures

The InfoSec team shall never use the access required to perform server audits for any other purpose. The Infosec Team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions
Any exception to the policy must be approved by the IT Director/Security in advance.
Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including termination of employment.

Appendix

Definitions and Terms used: https://www.sans.org/security-resources/glossary-of-terms/