Privacy Policy

 

Purpose of Policy

This policy presents CareHealth's commitment to the privacy of user information and sensitive commercial/financial data.

Scope of Policy

This policy applies to all data that is either owned or managed by CareHealth.

Supporting Documents

List of documents supporting this policy:
1. Information Security Policy

Responsibilities

1. The Chief Information Security Officer is responsible for development, implementation, maintenance and enforcement of the policy
2. CareHealth’s Internal Audit Team is responsible for conducting regular audits to ensure compliance with this policy
3. Employees and non-employees of CareHealth are responsible and/or accountable for ensuring adherence to the terms of this policy in the course of their job duties

Policy Statements


The privacy policy displayed to the user must clearly communicate, at a minimum, the following information:
1. Purpose for collection of personal information
2. Manner in which the information will be processed
3. Controls for protection of personal information
4. Usage of tools such as cookies to collect personal information online
5. Details of information captured about the user, such as IP address and domain information
6. Sharing of information with third parties
7. User rights of access to personal information
8. Details to contact CareHealth for queries on processing personal information
9. CareHealth commitment to privacy and security
10. Period for which the terms and conditions are valid
11. CareHealth information security standards and practices
12. Policy on external links

    • CareHealth will not use information about user activities on the Internet together with any information that would result in the user being identified without the user's consent.
    • CareHealth will not associate the information collected by software utilities (cookies, single-pixel GIF images) with a username or email address at the time the user visits the sites.
    • CareHealth will implement policy guidelines to safeguard the privacy of user identifiable information from unauthorised access or improper use, and will continue to enhance security procedures as new technology becomes available.
    • CareHealth will honour requests from users to review all personally identifiable information maintained in reasonably retrievable form, which currently consists of the user's name, address, e-mail address and telephone number, and will correct any such information which may be inaccurate. Users may verify that appropriate corrections have been made.
    • CareHealth may use user identifiable information to investigate and help prevent potentially unlawful activity or activity that threatens the network or otherwise violates the user agreement for that service.
    • All kinds of data such as personally identifiable information shared by users shall be:
      • Processed fairly, lawfully and securely
      • Processed in relation to the purpose for which it is collected
      • Maintained up to date and accurate as necessary
      • Retained for no longer than is necessary for the purpose for which it is collected
    • Users shall be provided with at least the following information before personally identifiable information is collected:
      • Purposes of processing the information
      • Any further information regarding the specific circumstances in which personal information is collected, such as:
        • The recipients of the information
        • Whether submission of information is obligatory or voluntary, as well as the impact of failure to submit such information
        • The existence of the right to access, update or remove personal information
        • Whether personal information will be used for marketing purposes

Enforcement

Policy Violations

Violation of the policy will result in corrective action from the management. Disciplinary action will be consistent with the severity of the incident, as determined by the investigation, and may include, but is not limited to:

  • Loss of access privileges to information assets
  • Termination of employment or contract
  • Other actions deemed appropriate by management, HR division, Legal division and their relevant policies

Any violation of or deviation from the policy shall be reported to the service desk, and a security incident record has to be created for further investigation of the incident.

Policy Exceptions

Any exceptions to this policy have to be formally approved by the Chief Information Security Officer. All exceptions shall be formally documented in the standard IT exceptions request form.

The exception request shall follow the approval matrix below.

First Level: Unit Manager/Reporting Manager
Second Level: Chief Information Security Officer

After approval by the Chief Information Security Officer, the exception request form should be forwarded to the relevant IT unit for execution.