PRIVACY POLICY & EMPLOYEE INFORMATION
1.0 PURPOSE
All employees at one time or another may receive personal, privileged and/or confidential information which may concern other employees, Company operations or clients/customers. The purpose of this Statement of Policy and Procedure is to preserve the privacy of employees, customers and Quantic BEI, by outlining employee obligations and procedures for dealing with personal, privileged and/or confidential information.
2.0 SCOPE
This policy applies to all Quantic BEI employees. Human Resources is accountable for the implementation of this policy. Any issues or questions regarding this policy should be directed to Human Resources.
3.0 DEFINITIONS
(a) “Personally Identifiable Information (PII)” is any information about an identifiable individual and includes race, ethnic origin, age, marital status, family status, religion, education, medical history, criminal record, employment history, financial status, address, telephone number, and any numerical identification, such as Social Security Number. Personal information also includes information that may relate to the work performance of the individual, and any allegations, investigations or findings of wrongdoing, misconduct or discipline. Personal information does not include job title, business contact information or job description.
(b) “Personal Health Information (PHI)” is information about an identifiable individual that relates to the physical or mental health of the individual, the provision of health care to the individual, the individual’s entitlement to payment for health care, the individual’s health card number, the identity of providers of health care to the individual or the identity of substitute decision-makers on behalf of the individual.
(c) “Third parties” are individuals or organizations other than the subject of the records or representatives of Quantic BEI that require access to the Personal Information. Note that in certain circumstances, the Company may be entitled to provide personal information to an external party acting as an agent of Quantic BEI.
4.0 POLICY
4.1 Quantic BEI is committed to protecting the privacy of its employees, customers and confidential business information.
4.2 Employees are obligated to ensure that Personal Information to which they may have access remains confidential, is used only for the purposes for which it was collected, and is not disclosed without authorization or used for personal gain.
4.3 An employee who is found to be in breach of this policy will be subject to discipline up to and including discharge for cause.
5.0 PROCEDURE
5.1 Employee Records
(a) An employee’s Supervisor, Manager, Human Resources, and Payroll personnel shall have access to employee records containing personal information. Only Human Resources will have access to an employee’s personal health information. Personal information and personal health information will not be disclosed outside of the organization without the knowledge and/or approval of the employee. Notwithstanding the foregoing, Quantic BEI will cooperate with law enforcement agencies and will comply with any court order or law requiring disclosure of personal information without the employee’s consent.
(b) Personally Identifiable Information (PII): Unique personal identification numbers or data, including:
• Social Security Numbers
• Taxpayer Identification Numbers
• Employer Identification Numbers
• State or foreign driver’s license numbers
• Date(s) of birth
• Corporate or individually held credit or debit transaction card numbers (including PIN or access numbers) maintained in organizational or approved vendor records
• Bank Account or Direct Deposit Information
PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.
(c) Employees may request access to review documents in their file that relate to the employee’s qualifications for hire (such as application, promotion, disciplinary action and transfer records), as well as policy sign-off forms and training records, by making arrangements with Human Resources. Employees shall contact Human Resources to make an appointment.
Employees may obtain a copy of any document in their file which they have signed previously. No material contained in an employee file may be removed from the file. A representative of Human Resources will be present during viewing of the file.
(d) An employee may provide a written notice of correction related to any data contained in the employee’s file. The notice of correction shall be provided to Human Resources.
(e) Any request for disclosure of an employee’s own personal information to Third Parties must be supported by documentation or a release form that has been completed, signed and dated by the employee. This includes disclosures to insurance companies with respect to employee benefits and confirmation of earnings to financial institutions for lending purposes.
(f) Unless retention of personal information for a specified period is required by law, the Federal Acquisition Regulation (FAR) or other regulation, personal information that is no longer required to fulfill the identified purpose shall be destroyed, erased or made anonymous within three (3) years after its use.
6.0 CUSTOMER INFORMATION
(a) Personal, privileged and/or confidential information about customers may only be collected, used, disclosed and retained for the purposes identified by Quantic BEI as necessary.
(b) Employees must ensure that no personal, privileged and/or confidential customer information is disclosed without the customer’s consent and then only if security procedures are satisfied.
(c) Customer information is only to be accessed by employees with appropriate authorization.
(d) Unless retention of personal information for a specified period is required by law, the Federal Acquisition Regulation (FAR) or other regulation, personal information that is no longer required to fulfill the identified purpose shall be destroyed, erased or made anonymous within three (3) years after its use.
7.0 RESPONSIBILITY
All new hires entering the company who may have access to PII are provided with introductory training regarding the provisions of this policy, a copy of this policy and implementing procedures for the department to which they are assigned. Employees in positions with regular ongoing access to PII or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PII data and shall receive annual training regarding the security and protection of PII data and company proprietary data.
7.1 Employees are responsible for:
• keeping their own employee files current regarding name, address, phone number, dependents, etc.;
• being familiar with and following policies and procedures regarding personal information;
• obtaining the proper consents and authorizations prior to disclosure of personal, privileged and/or confidential information;
• immediately reporting any breaches of confidentiality to Human Resources;
• keeping their passwords private and safeguarding their access to personal, privileged and/or confidential data;
• relinquishing any personal, privileged, confidential or client information in their possession before or immediately upon termination of employment.
7.2 Managers/Supervisors are responsible for:
• ensuring that policies and procedures regarding the collection, use and disclosure of personal information are consistently adhered to;
• responding to requests for disclosure after the proper release is obtained;
• cooperating with Human Resources to investigate complaints or breaches of policy;
• obtaining from terminating employees prior to their termination any personal, privileged, confidential or client information in their possession.
7.3 Human Resources and Payroll are responsible for:
• ensuring that appropriate consents have been obtained from employees with respect to the collection and use of personal information;
• maintaining systems and procedures to ensure employee records are kept private;
• obtaining the proper consents and authorizations prior to disclosure of information contained in employee records;
• responding to employees’ requests for access to their files;
• ensuring proper disposal of unnecessary files/information (e.g. shredding, marking documents unreadable or secure destruction);
• maintaining separate files to ensure that personal health information is protected;
• safeguarding physical documents in secured cabinets or rooms, where PII is not left on desks or in other locations visible to individuals.
7.4 Management Information Systems Data Access
• Quantic BEI maintains multiple Management Information Systems (MIS) in which PII data may reside; thus, user access to such MIS systems is the responsibility of the MIS department. The MIS department has created internal controls for such systems to establish legitimate access for users of data, and access shall be limited to those approved by MIS. Any change in vendor status or the termination of an employee or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PII may reside.
7.5 Data Transmission and Transportation
• Company Premises Access to PII: The Finance, Human Resources and MIS departments have defined responsibilities for on-site access of data that may include access to PII; MIS has the oversight responsibility for all electronic records and data access capabilities. Finance and Human Resources have the operational responsibility for designating initial access and termination of access for individual users within their organizations and providing timely notice to MIS.
• Quantic BEI may share data with vendors who have a business need for PII data. Where such inter-company sharing of data is required, the MIS department is responsible for creating and maintaining data encryption and protection standards to safeguard all PII data that resides in the databases provided to vendors. A company officer will authorize the sharing of data with a third-party vendor.
• Quantic BEI reserves the right to restrict PII data it maintains in the workplace. In the course of doing business, PII data may also be downloaded to laptops or other computing storage devices to facilitate company business. To protect such data, the company will also require that any such devices use MIS department-approved encryption and security protection software while such devices are in use on or off company premises. The MIS department has responsibility for maintaining data encryption and data protection standards to safeguard PII data that resides on these portable storage devices.
• Quantic BEI understands that employees may need to access PII while off site or on business travel, and access to such data shall not be prohibited, subject to the provision that the data to be accessed is minimized to the degree possible to meet business needs and that such data shall reside only on assigned laptops/approved storage devices that have been secured in advance by the MIS department.