2. Data Privacy Policy
2.1 Introduction
Ducis Services Ltd is committed to providing its employees, clients, customers, and partners with exceptional service. We collect, use and disclose Personal Information (PI) about our employees, clients, customers, and partners, which makes protecting their PI a key priority.
In the course of its business, it is necessary for Ducis Services Ltd to record, store, process, transmit, and otherwise handle Confidential and/or PI (generally referred to as ‘Processed’).
Ducis Services Ltd takes these activities seriously and provides fair and secure systems for the appropriate handling of Information. All such activities at Ducis Services Ltd are intended to be consistent with generally accepted privacy ethics, standard business practices, and the relevant legal and regulatory requirements, i.e., the General Data Protection Regulation (GDPR).
2.2 Privacy by Design and by Default
The principles of Privacy by Design and by Default shall be applied as governing principles:
The principles of privacy by design are:
Limit collection – The system or process collects only the minimum amount of PI that is relevant, proportional, and necessary for the identified purpose.
Limit processing – The system or process limits the processing of PI to that which is adequate, relevant and necessary for the identified purpose.
Maintain accuracy and quality – The PI used is accurate, complete and up to date.
Minimize PII – PI that does not need to be used in full or is no longer necessary is reduced through methods such as deletion, pseudonymization, and de-identification.
Privacy by default dictates that Ducis Services Ltd does not process more PI than is strictly necessary, even where the PI principal might, for instance, be able to increase the scope of the processing. This applies equally to the amount of personal data collected, the extent of the processing, and the period of storage.
2.3 Data Privacy Principles
The following Data Privacy principles shall be applied:
Management shall take reasonable efforts to ensure that all Personal Information processed and maintained by Ducis Services Ltd is accurate, timely, relevant, and complete.
Management shall establish appropriate controls to ensure that Sensitive Information (i.e. Confidential, internal and PI) is disclosed only to those who are authorized and have a legitimate business need for such access.
Management also shall make reasonable efforts to ensure that all Sensitive Information is used only as intended, and that precautions preventing misuse are both effective and appropriate.
Data Privacy Impact Assessments (DPIA) shall be performed where new projects/contracts result in PI processing activities.
Management shall establish and maintain sufficient controls aiming to ensure that all Ducis Services Ltd Information is free from unauthorized alteration that may affect the integrity of the Information.
Information Owners shall classify all relevant Information in line with the Information Management and Classification policy and ensure controls are designed in line with the classification.
Ducis Services Ltd is committed to ensuring the security of client, customer, and member PI to protect it from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
Ducis Services Ltd shall use appropriate security measures when destroying clients’, customers’ and Staff’s PI.
Ducis Services Ltd shall continually review and update our security policies and controls as technology changes to ensure ongoing PI Security.
All Employees/Staff shall be provided with training to ensure that they understand Ducis Services Ltd policy and the procedures it has put into place to implement this policy.
2.4 Collecting PI
Unless the purposes for collecting PI are obvious and the employee, client, customer and/or partner voluntarily provides his or her PI for those purposes, we will communicate the purposes for which PI is being collected, either orally or in writing, before or at the time of collection.
Ducis Services Ltd shall obtain client, customer, and member consent to collect, use or disclose PI where required.
Ducis Services Ltd shall retain client, customer, and member PI only if necessary to fulfill the identified purposes or a legal or business purpose.
External parties to Ducis Services Ltd should request correction to their PI by forwarding a request to the Information Officer.
Ducis Services Ltd employees who seek to correct PI must inform their line manager and HR department.
2.5 Disclosure of Information
All requests for Sensitive Information coming from a person or organization outside Ducis Services Ltd shall be forwarded to the Information Officer.
All requests for PI that fall outside normal business procedures and that come from a Ducis Services Ltd employee must be forwarded to the Information Officer.
The Data Protection Officer will decide whether the requests will be granted.
2.6 Appropriate Handling of Information
In general, Ducis Services Ltd may collect, process, store, transmit, and disseminate only Sensitive Information that is necessary for the proper functioning of its business.
When information is no longer needed, it must be destroyed, considering applicable legal requirements.
Before Ducis Services Ltd Information is removed, Staff shall take due care to ensure that the necessary security controls are applied as per the Information Security policies.
Where Sensitive Information is to be moved to another country to conduct business activities, Staff shall consult with their departmental manager or the Information Owner to ensure compliance with applicable legislation.
The display screens for all personal computers, workstations, and dumb terminals used to process Sensitive Information must, where possible, be positioned such that they cannot be readily viewed internally or in public areas.
Sensitive Information shall not be disclosed to anyone except those people who have a genuine need to know.
The collection of Sensitive Information on prospects, customers, and others with whom Ducis Services Ltd does business is required. However, Staff shall not collect such Information from prospects or customers without having obtained their consent.