INTRODUCTION

Meridian is committed to protecting the privacy and security of personal data. As such, this policy is adopted to ensure compliance with applicable federal and international data protection legislation (examples of data protection laws include GDPR, HIPAA, GLBA, or CCPA). The term data protection refers to laws and regulations imposed by countries and other jurisdictions to ensure personal data (or information relating to a natural person) is collected, made available, and otherwise processed in a fair and lawful way. The purpose of this policy is to provide Meridian employees with a basic understanding of personal data, which is typically governed by data protection laws, and thereby enable Meridian employees to comply with those laws.

This policy applies to everyone at Meridian – all employees, interns and members of the Board of Trustees (the “employees”).

KEY TERMS

Asset
Is a digital or physical solution through which Meridian processes data (e.g., software, applications, physical filing systems).

Assessment
Identifies the types of data security risks that an organization is exposed to through third parties.

Consent
Refers to any freely given, specific, informed indication of will, whereby the individual agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means.

Data Breach
Is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Data Controller
Is the person or organization responsible for determining the purposes and means of processing personal data.

Data Processing Agreement (DPA)
Is an agreement between the organization and third parties (e.g., vendors, subrecipients, asset providers, etc.) that binds the third parties to specific data protection standards and retention policies when processing data transferred to them by Meridian.

Data Processor
Is the person or organization (a third party) who processes personal data on behalf of the data controller.

Data Subject (“Individual”)
Is the identified or identifiable person to whom the personal data relates.

General Data Protection Regulation (GDPR)
A high standard for data protection providing one set of rules that “applies to the processing of personal data of data subjects who are in the Union”. The 99 articles of the GDPR set forth several fundamental rights of data protection, including the right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling.

Personal Data
Is any information that relates to an identified or identifiable living individual. This includes where living individuals can be directly or indirectly identified using information such as a name as well as other identifiers such as unique personal identifiers (e.g., address, phone number); location data or other online identifiers; and physical, physiological, genetic, mental, economic, cultural or social identity.

Personally Identifiable Information (PII)
Is any data that can be used to identify a specific individual. Social Security numbers, mailing or email address, and phone numbers have most commonly been considered PII.

Processing
Is defined very broadly and encompasses any action performed on or with personal data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction (that is, the marking of stored data with the aim of limiting its processing in the future), erasure and destruction. In effect, it is any activity involving personal data. A discrete operational process that involves personal data (e.g., conducting a background check, booking hotel reservations, etc.) is referred to as a Data Processing Activity.

Retention
Is the idea that organizations should only retain information as long as it is pertinent or justifiably necessary.

Special Category Data
Personal data that reveals an individual’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic, biometric and health data; and information relating to sex life or sexual orientation. Special Category Data requires consent prior to processing.

Third Party
A legal body, an agency, or an authority other than the data subject, data controller, or data processor who is authorized to process personal data under the data controller.

PERSONAL DATA

Personal data is any information that, directly or indirectly, relates to an identified or identifiable natural person. Personal data may only be collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes. Unless a legitimate purpose can be established in accordance with data protection regulations, personal data may not be collected.

Processing of personal data is any operation or set of operations that is performed upon personal data, whether or not by automatic means, including but not limited to collection, organization, storage, adaptation, disclosure, blocking, or erasure. It is only legitimate to process personal data if:

· The individual to whom the personal data relates has given explicit consent;

· The processing is necessary for the performance of a contract to which the individual is party, or in order to take steps at the request of the individual prior to entering into a contract;

· The processing is necessary for compliance with a legal obligation to which Meridian is subject;

· The processing is necessary to protect the vital interests of the individual;

· The processing is necessary for Meridian, or a third party to whom the data are disclosed, to perform tasks carried out in the public interest on behalf of official authorities; or

· The processing is necessary for a legitimate interest pursued by Meridian or by the third party or parties to whom the data are disclosed, except where such interest is overridden by the privacy interest of the individual to whom the personal data relates.

Where required by applicable law or otherwise deemed reasonably practical and appropriate, collection of personal data should be executed with the consent of the individual. Consent from individuals whose personal data are being processed should be unambiguous, explicit, and revocable by the individual concerned.

When collecting personal data, the need for transparency should be considered. Accordingly, personal data collected should be adequate, relevant, and not excessive in relation to the purposes for which the data are collected and/or further processed.

Special Category Data

Special category data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation. Special category data should not be collected unless it is deemed necessary and lawful under applicable law, in which case the individual’s explicit consent to the processing, and particularly to the transfer of such special category data to third parties, will be obtained.

Other Categories of Personal Data

Other categories of personal data that do not constitute sensitive personal data, but nevertheless are given particular protection under applicable data protection laws, should be processed in consideration of the need for particular protection. Examples of such categories of personal data include, but are not limited to data relating to offenses, criminal convictions, or security measures that may be carried out only under the control of an official authority.

Consent from Minors

Article 8 of GDPR specifically deals with the issue of consent and processing data from children. The processing of personal data of a child can be lawful if the child is at least 16 years old. If a child is younger than 16 years, the processing can be considered lawful only when consent is given and authorized by the parent or legal guardian of the child. However, personal data must not be collected from children under the age of 13 years.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) must be rigorously protected. PII can be labeled sensitive or non-sensitive. Non-sensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Non-sensitive PII can be easily gathered from public records, phone books, corporate directories, and websites. This might include information such as zip code, race, gender, and date of birth – information that, by itself, could not be used to discern an individual's identity.

Sensitive PII is information that, when disclosed, could result in harm to the individual when a data breach occurs. This type of sensitive data often has legal, contractual, or ethical requirements for restricted disclosure. Sensitive PII should therefore be encrypted in transit and when data is at rest. Such information includes personally identifiable financial information and unique identifiers, such as passport or Social Security numbers. Examples include employee personnel records; tax information, including Social Security numbers and Employer Identification Numbers (EINs); password information; credit card numbers; bank accounts; and electronic and digital account information, such as personal email addresses and internet account numbers.

PROCESSING NOTICE

When required by applicable law or where reasonably practical and appropriate, individuals should be provided with notice of the processing of their personal data. Such notice must, at a minimum, contain the following information:

· Reference and URL link to Meridian’s Privacy Policy;

· The purposes for which the personal data will be processed; and

· Any further information that is necessary in order for the individuals to be able to exercise their rights in connection with the processing, such as the types of personal data, the recipients or categories of recipients of the data, and the nature of any access rights under applicable law.

DATA REQUESTS

If an individual makes a request to 1) obtain information regarding Meridian’s processing of personal data, 2) object to the processing of personal data, or 3) rectify or erase personal data, Meridian must respond in the manner required by applicable law. All requests received by Meridian must be referred to IT Support for resolution. Employees should not respond to these requests on their own. See Data Protection Guidance for Data Request Form.

DATA QUALITY AND ACCESS

Processed personal data must be accurate and, to the extent necessary, up to date. Personal data that is inaccurate or incomplete should be erased or corrected. An employee who has access to personal data must only process the data in accordance with the purpose of the processing, and may not share, distribute, or otherwise disclose the personal data to a third party unless authorized to do so.

Appropriate technical and organizational measures should be implemented to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and any other unlawful forms of processing. Security breaches that jeopardize the confidentiality or security of personal data processed by Meridian should be reported immediately to the Chief Talent & Administrative Officer (CTAO) or IT Support. This includes security breaches that may have occurred to a third party impacting personal data transferred to them by Meridian.

DATA STORAGE

Personal data should only be stored for as long as is necessary, considering the purposes for which it was collected and applicable legal storing periods. When the storing period of personal data has expired, it should be erased in a permanent and secure way.

Historical Data

Meridian has a defensible legitimate interest in or legal obligation to retain permanent records documenting certain historical activity. Examples include records of program participation or employee engagement. There should be a standard established in each department as to what personal data and documents constitute the permanent record. This defined data set can be preserved appropriately, but all other personal data must be expunged or anonymized per Meridian’s data retention policy. All impacted individuals must be apprised that certain personal data will be retained by Meridian as a permanent record. See Data Protection Guidance for retention schedule.

DATA DISCLOSURE

Personal data may only be disclosed to third parties, such as Meridian’s vendors, subrecipients, partners, and affiliates, when there is a legitimate basis for doing so. When disclosing personal data to a third party, a determination should be made as to whether the third party is considered a data controller or a data processor of the personal data disclosed. The term “data processor” refers to a legal entity that processes personal data on behalf of the data controller. The term “data controller” refers to a legal entity that alone or jointly with others determines the purposes and means of processing personal data. Where required by applicable law, a data processing agreement must be entered into with each data processor, for example, in connection with the use of cloud services or providing support services to program participants. Such agreements should require the data processor to protect the personal data from further disclosure and only process personal data in accordance with Meridian’s instructions. A data processing agreement should also require the data processor to implement appropriate security measures to protect the personal data, keep it confidential, and include procedures for data breach notifications. See Data Protection Guidance for data disclosure procedures.

DATA SECURITY BREACH

A personal data breach means a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. When an employee discovers a data breach, they must report this to IT Support within 24 hours. Meridian takes all data breaches seriously and will investigate all potential and actual data security breaches. Some breaches may be minor and not lead to risks beyond an inconvenience; however, some breaches, such as theft of a personal database or system hacking, are much more serious. Before deciding what steps to take beyond immediate containment, there will be an assessment performed by IT Support and the CTAO (“response team”).

The response team will assess:

· What type of data is involved?

· How sensitive is the data?

· Has the data been lost or stolen?

· Are there any protections in place, such as encryption?

· Could the personal data be used for purposes harmful to individuals?

· How many individuals’ personal data are affected by the breach?

· Who are the individuals whose personal data has been breached?

Within 72 hours, the response team will investigate causes and implement security processes. They will assess which individuals must be notified depending on the type of data breached and potential exposure to harm. The response team, in consultation with the insurance broker/carrier, shall also establish whether there is anything that can be done to recover losses and limit the damage the breach has caused, as well as, if necessary, the physical recovery of equipment. Where appropriate, law enforcement authorities shall be notified.

Breach Evaluation

It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of the organization’s response to it and the measures in place to prevent its recurrence. The response team shall convene an evaluative body of relevant employees to ensure procedures, policies and equipment meet sufficient security standards to avoid future breaches.

ASSESSMENT

All third parties with which Meridian shares or transfers personal data must undergo a risk assessment to determine that they can credibly secure and protect the personal data entrusted to them. The procurement of any new asset will require a formal assessment protocol before a contract is finalized. Employees must contact IT Support to facilitate this assessment before executing an agreement and sharing data with any new asset provider.

MARKETING AND WEBSITE(S)

The use of personal data for marketing measures, such as direct marketing campaigns, marketing through social websites, or the purchase of personal data for marketing purposes, must fulfill the requirements of applicable law. Unless a legitimate purpose allowing the collection and use of personal data for marketing purposes can be established, personal data may not be used for these purposes.

Individuals are entitled to give notice that they oppose the processing of their personal data for purposes concerning direct marketing. If an individual gives such a notice, it must be honored. Meridian website(s) must include an online privacy statement, including procedures for accepting cookies, fulfilling the requirements of applicable law.

TRAINING

Meridian provides data protection training to all staff on a regular basis. This training is mandatory, and completion of the training will be monitored by HR and IT Support. Supervisors also should ensure that their supervisees have completed the mandatory data protection training and are familiar with Meridian’s procedures and practices regarding the processing of personal data to which they have access in the course of their duties.

DATA DISPOSAL

Where personal data is to be disposed of, employees should ensure that it is destroyed permanently and securely. This may involve the permanent removal of personal data from shared work accounts, the Deleted Items folder, or the Recover Deleted Items folder. Hard copies of personal data must be confidentially shredded or placed in the confidential waste bins provided. Employees should be careful to ensure that personal information is not disposed of in a wastepaper basket / recycle bin. Staff must remember that the destruction of personal data is of itself “processing” and must be carried out in accordance with the data protection principles. For procedures on document destruction, please see Data Protection Guidance.

SUPERVISORY AUTHORITY

The CTAO oversees Meridian’s compliance with data protection regulations. Consequences of violating the Data Protection Policy may include prohibition of processing activities and employee discipline, up to and including termination of employment.

REPORTING

Employees who suspect that a violation of this policy or of relevant data protection laws has occurred within Meridian should immediately contact the CTAO or IT Support.

ANNUAL ASSESSMENT REVIEW

Each year, an annual assessment will take place to review current data protection policies, procedures and reassess third party protection threat levels. The annual assessment will be conducted by IT Support and assisted by relevant stakeholders. Upon completion of the annual assessment, a final report will be available to all employees. The CTAO, or his/her designee, must approve all changes to policy before becoming effective.

MODIFICATIONS

Meridian reserves the right to modify this policy as needed to comply with changes in laws, regulations, practices and procedures, or requirements imposed by data protection authorities.

RELATED INFORMATION

This policy should be read in conjunction with Meridian’s Data Protection Guidance.