Company Intentions And Management Responsibilities
Intentions And Objectives-In the course of its business, it is necessary for SDD Inc to record, store, process, transmit, and otherwise handle private information about individuals. SDD Inc takes these activities seriously and provides fair, secure, and fully-legal systems for the appropriate handling of this private information. All such activities at SDD Inc are intended to be consistent with both generally accepted privacy ethics and standard business practice.
Management Responsibilities-Management must take reasonable efforts to ensure that all private information maintained by SDD Inc is accurate, timely, relevant, and complete. Management also must make reasonable efforts to ensure that all private information is used only as intended, and that precautions preventing misuse are both effective and appropriate. Management is responsible for establishing appropriate controls to ensure that private information is disclosed only to those who have a legitimate business need for such access. Management must establish and maintain sufficient controls to ensure that all SDD Inc information is free from a significant risk of undetected alteration.
Data Classification Labels-Management, specifically information Owners, must consistently apply a standard data classification label indicating that information is private. For example, this label must appear on computer screens when private information is displayed, and it must also be stamped on hardcopy versions of private information. This label must follow private information no matter what form it takes, what technology is used to handle it, who handles the information, and where the information resides.
Safe Harbor Principles
a. Notice. When personal information is collected, timely and appropriate notice describing the personal information will be given, including how it will be used and the types of third parties with whom it will be shared.
b. Choice. Choices will be given about the ways the personal information will be used and shared.
c. Relevance. Personal information will only be collected as needed for specific, identified purposes, and will not be used for other purposes without consent.
d. Retention. Personal information will be kept only as long as needed for purposes for which it was collected or as permitted by law.
e. Accuracy. Appropriate steps will be taken to make sure the recorded personal information is accurate.
f. Security. Appropriate physical, technical and organizational measures will be taken to protect the personal information from loss, misuse, unauthorized access or disclosure, alteration and destruction.
SDD's Safe Harbor certification can be found at http://web.ita.doc.gov/safeharbo/shlist.nsf/webPages/safe+harbor+list. For more information about the Safe Harbor Principles, please visit the U.S. Department of Commerce's Web Site at http://export.gov/safeharbor/
Disclosure of Private Information
Revealing Information About Policies and Procedures-As a general rule, information security policies and procedures should be revealed only to SDD Inc employees and selected outsiders, such as auditors, who have a legitimate business need for this information. A notable exception involves the policies that deal with private information about individuals. All involved individuals have a right to receive an officially-approved statement of SDD Inc policies and procedures regarding the handling of information about them. In addition, SDD Inc must disclose the existence of systems containing private information and the ways that this information is used. With the exception of criminal and policy-violation investigations, there must be no system of personnel records within SDD Inc whose very existence is kept secret from the people described therein.
Handling Private Information Requests-All requests for private information coming from a person or organization outside SDD Inc must be forwarded to the SDD Inc chief legal counsel. All requests for private information that fall outside normal business procedures and that come from a SDD Inc insider must be forwarded to the director of the Human Resources department. These managers will decide whether the requests will be granted.
Appropriate Handling of Private Information
Collect Only Necessary Information-In general, SDD Inc may collect, process, store, transmit, and disseminate only that private information that is necessary for the proper functioning of its business. For example, SDD Inc management must not collect information about employee activities during non-work hours unless these activities are highly likely to influence the involved employee’s performance, or unless they could adversely affect the reputation of SDD Inc.
Destruction Of Private Information-When private information is no longer needed, it must be destroyed by shredding, or by other destruction methods approved by the Information Security department. Destruction of private information resident on computer disks and other magnetic media must be accomplished with an overwriting process. A simple erase process is not sufficient. To assure the proper destruction of private or confidential information, disposal of computers with embedded hard disk drives or other data storage systems must proceed according to procedures issued by Information Security.
Removal Of Private Information-Private or confidential information must not be removed from SDD Inc offices. Permission to take such information offsite may be granted by a departmental manager provided the involved employee has completed the information security segment of telecommuter training, and passed the associated test. Signed third-party non-disclosure agreements may additionally be required when private information is removed from SDD Inc offices. Private information must not be moved to another country unless the permission of the manager of the Information Security department is obtained.
Preventing Inadvertent Disclosure on Screens-The display screens for all personal computers, workstations, and dumb terminals used to process sensitive or valuable data, including private information, must be positioned such that they cannot be readily viewed through a window, by persons walking by a hallway, or by persons waiting in reception and related areas.
Preventing Inadvertent Disclosure By Hardcopy-Whenever an employee is handling private information, if a person who is not authorized to view that information enters the immediate area, steps to conceal the information must promptly be taken. If the information is in physical form, the information can be covered with other material. If the information is displayed on a computer screen, the employee can invoke a screen saver or log off.
Private Information on Computer And Communication Systems
Expectation Of Privacy-All messages sent over SDD Inc internal computer and communications systems are the property of SDD Inc. Management reserves the right to examine all information transmitted through these systems. Examination of such information may take place without prior warning to the parties sending or receiving such information. Because the SDD Inc computer and communications systems must be used for business purposes only, employees must have no expectation of privacy associated with the information they store in or send through these systems.
Examination Of Stored Information-At any time and without prior notice, SDD Inc management reserves the right to examine archived electronic mail, private file directories, hard disk drive files, and other information stored on SDD Inc information systems. Such examinations are typically performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of SDD Inc information systems.
Manager Involvement In Monitoring-Whenever an employee’s computer or communications user ID is monitored for investigative or disciplinary purposes, the involved employee’s manager must be informed of this activity promptly. All employee monitoring must itself be logged for subsequent management review and possible use in disciplinary or legal actions.
Department Manager Activity Review-SDD Inc routinely logs web sites visited, files downloaded, and related information exchanges over the Internet. SDD Inc records the numbers dialed for telephone calls placed by each employee. Department managers routinely receive reports detailing the usage of these and other internal information systems, and are responsible for determining that such usage is both reasonable and business-related.
Changing Information Resident on Systems-Management reserves the right to delete, summarize, or edit any information posted to SDD Inc computers or communication systems. These facilities are privately-owned business systems, and not public forums, and as such do not provide free-speech guarantees.
Routine Usage of Backup Systems-All files and messages stored on SDD Inc systems are routinely copied to tape, disk, and other storage media. This means that information stored on SDD Inc information systems, even if an employee has specifically deleted it, is often recoverable and may be examined at a later date by system administrators and others designated by management.
Remote Computer Monitoring-SDD Inc routinely scans the personal computers connected to its networks. These scans ensure that remote computers are operating only with approved and licensed software, are free from viruses and worms, and have been used only for approved business purposes.
Encryption Of Electronic Mail-Employees must consider electronic mail to be the computerized equivalent of a postcard. Unless material sent by electronic mail is encrypted, employees must refrain from sending credit card numbers, passwords, research and development information, medical histories, computer programming source code, and other private or confidential information through electronic mail.
Links Between Separate Types Of Private Data-Without advance consent from the manager of the Information Security department, SDD Inc information systems must not be configured to support new links between private information and other types of information related to the same individual.
Testing With Sanitized Data-Unless written permission is obtained from the Information Security department manager, all software testing for systems designed to handle private data must be accomplished exclusively with production information from which the specific details that might be valuable, critical, or sensitive have been removed.
Physical Security Systems-Employees may be subject to electronic monitoring of their activities while on SDD Inc premises. This monitoring is used to measure employee performance and to protect employee private property, employee safety, and SDD Inc property. In areas where there is a reasonable expectation of privacy, such as bathrooms, dressing rooms, and locker rooms, no electronic monitoring will be performed.
Personal Effects and Private Communications-All personal effects brought to SDD Inc premises are subject to search at any time without advance notice. Employees wishing to keep certain aspects of their personal life private must not bring related personal effects to SDD Inc premises. To keep these matters private, employees must not communicate about such matters using SDD Inc telephones, electronic mail systems, or other communications systems that may be monitored and which are intended to be used for business purposes only.
Use Of Informants-From time to time, SDD Inc uses informants who may be placed in various internal positions and who may appear to be the same as any other employee. Management has no obligation to notify employees about the presence of, or nature of the work performed by, such informants.
Pretext Requests-SDD Inc believes that all business activities must be conducted in a forthright and honest manner. However, in certain circumstances authorized by the director of Physical Security, the organization may utilize investigators who pose as other persons in order to test customer service, test security policies, or investigate alleged wrongdoing.
Fixed Password Management
Choosing Passwords-Employees must choose difficult-to-guess passwords. Fixed passwords must not be found in the dictionary and must not be a reflection of the user’s personal life. All fixed passwords must be at least 10 characters, and this minimum length must be enforced automatically where systems support it. Employees must choose fixed passwords that include both alphabetic and numeric characters.
Changing Passwords-User-chosen fixed passwords must not be reused or recycled. Where systems support it, fixed passwords must be required to change every 60 days, and passwords must be changed the first time they are used. If a user suspects that somebody else may know his or her password, the password must be changed immediately. The Information Systems department’s Help Desk will not reset user passwords unless the requesting user’s identity has been verified.
Protecting Passwords-Employees must not share a fixed password with anyone, including managers and co-employees. Employees must employ authorized mechanisms to share information such as local server shared directories, electronic mail, intranet pages, or floppy disks. Employees must not store fixed passwords in any computer files, such as logon scripts or computer programs, unless the passwords have been encrypted with authorized encryption software. Passwords must not be written down unless a transformation process has concealed them, or they are physically secured, such as placed in a locked file cabinet. All fixed passwords set by default by the hardware or software vendor must be changed before the involved system can be used for SDD Inc business activities.
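To make the fixed-password rules above concrete, the following is an added Python example (not SDD Inc's code or any actual SDD Inc system) that checks a proposed password against the length, character-class, dictionary and reuse rules and decides whether the first-use or 60-day change is due. The word list and password history are constructed stand-ins; the reuse check compares salted hashes so that no previous password is stored in the clear.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 10      # policy: at least 10 characters
MAX_AGE_DAYS = 60    # policy: change every 60 days

# Constructed stand-in for "the dictionary" the policy refers to.
DICTIONARY = {"password", "welcome", "sunshine", "football", "delray"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; history entries are (salt, digest) pairs."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def previously_used(password: str, history: list) -> bool:
    """Reuse check against stored (salt, digest) pairs, constant-time compare."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_new_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both alphabetic and numeric characters")
    # Dictionary rule: also strip digits/punctuation so "Sunshine2024"
    # is caught as the dictionary word "sunshine" with decoration.
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("appears in the dictionary")
    if previously_used(password, history):
        problems.append("reused from password history")
    return problems


def change_required(last_changed: date, first_use: bool, today: date) -> bool:
    """Expiry rule: change on first use, then at least every 60 days."""
    if first_use:
        return True
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    history = [hash_password("Granite7Harbor")]   # constructed prior password
    print(check_new_password("Sunshine2024", history))
    print(check_new_password("Granite7Harbor", history))
    print(change_required(date(2009, 11, 1), False, date(2009, 12, 31)))
```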
Handling Personnel Information
Access to Own Personnel File-Upon written request, every employee must be given access to his or her own personnel file. Employees must be permitted to both examine and make one copy of the information appearing in their personnel file. If employees object to the accuracy, relevance, or completeness of information appearing in their personnel file, each year they may add a supplementary statement of up to 200 words.
Disclosure To Third Parties-Disclosure of private information about SDD Inc employees to third parties must not take place unless required by law or permitted by explicit consent of the employee. SDD Inc must not disclose the names, titles, phone numbers, locations, or other contact particulars of its employees unless required for business purposes. Exceptions will be made when such a disclosure is required by law or when the involved persons have previously consented to the disclosure. The reason for termination of employees must not be disclosed to third parties. Two permissible exceptions are the prior approval of a SDD Inc senior manager or if the disclosure is required by law. Every disclosure of private information to third parties must be recorded by the Human Resources department and these records must be maintained for at least five years.
Summary Of Disclosures-If they request it, employees must be provided with a summary of all disclosures of their private information to third parties. In addition, employees must be given sufficient information to permit them to contact such third parties to rectify errors or supply additional explanatory information.
Change Of Status Information-Detailed employee change of status information is strictly confidential, and must not be disclosed to anyone except those people who have a genuine need to know. Detailed change of status information includes the reasons for terminations, retirements, resignations, leaves of absence, leaves of absence pending the results of an investigation, inter-departmental transfers, relocations, and changes to consultant or contractor status.
Private Information From Job Seekers
Gathering Unnecessary Information-Private information about a prospective employee may not be gathered unless it is both necessary to make an employment decision and also relevant to the job. This policy addresses marital status, family planning objectives, off-hours activities, political affiliations, performance on previous jobs, previous employers, credit history, education, and other personal details.
Credit And Background Checks-Whenever a credit report will be examined or a background check will be performed, prospective employees must provide a written release indicating their approval of the process. These prospective employees must be given an opportunity to withdraw their application for employment or contract work if they choose not to disclose such private information to SDD Inc.
Permissible Tests-Candidates for a job with SDD Inc must not be subjected to drug tests, AIDS tests, psychological tests, or other tests that may illuminate the candidates’ lifestyle, political associations, or religious preferences. An exception may be made if this information is clearly needed to determine a candidate’s suitability for a certain position.
Private Information About Customers
Consent For Collection Required-The collection of private information on prospects, customers, and others with whom SDD Inc does business, is customary and expected. However, SDD Inc employees must not collect private information from prospects or customers without having obtained their knowledge and consent.
Consent For Uses Required-Before a customer places an order or otherwise discloses private information, all SDD Inc representatives must inform the customer about the ways that this private information will be used, and the third parties, if any, to whom the information will be disclosed.
Collection Of Unnecessary Information-SDD Inc employees or information systems must never require the provision of prospect or customer private information that is unnecessary for the provision of information, for the completion of a transaction, or for the delivery of products or services. No product or service provided by SDD Inc may be denied to any person if they refuse to provide unnecessary private information. All disputes about necessary private information will be resolved by the SDD Inc chief legal counsel.
Opting Out From Unsolicited Contacts-SDD Inc customers must be given an opportunity to inform SDD Inc that they do not wish to be contacted through unsolicited direct mail, telemarketing, and related promotions. SDD Inc staff must faithfully observe and act on these customer requests. SDD Inc employees must diligently observe the unconditional right of individuals to block data about them from being included in mailing lists or calling lists, block the sale of data about them to third parties, and to have data about them erased from direct marketing lists.
Sharing Of Customer Information-SDD Inc does not disclose specific information about customer accounts, transactions, or relationships to unaffiliated third parties for their independent use, except under certain circumstances. These circumstances are limited to: disclosure to a reputable information reporting agency such as a credit bureau when SDD Inc is performing its own due diligence related to a customer’s request to perform a certain action, such as extending the amount of an existing line of credit; cases where the customer requests the disclosure; cases where the disclosure is required or permitted by law; and cases where the customer has been informed about the possibility of such a disclosure for marketing or similar purposes and has been given an opportunity to decline.
Change Of Business Structure-Should SDD Inc go out of business, merge, be acquired, or otherwise change the legal form of its organizational structure, SDD Inc may need to share some or all of its customer information with another entity in order to continue to provide products and services. If such a change and associated information transfer takes place, customers must be promptly notified.
Use Of Outsourcing Organizations-SDD Inc may outsource some or all of its information handling activities, and it may be necessary to transfer prospect and customer information to third parties to perform work under an outsourcing agreement. In all such cases, the third parties involved must sign a confidentiality agreement prohibiting them from further dissemination of this information and prohibiting them from using this information for unauthorized purposes.
General Counsel and Chief Operating Officer
800-A NW 17th Avenue
Delray Beach, Florida 33445
Effective Date: 11/1/09
Policy Number: Privacy 09-01