Policy for the Protection of Privacy and Controls

Overview

Trust Science places the highest priority on maintaining the protection of privacy and the security of personally identifiable information. 

This policy document guides the development and implementation of broad privacy practices, procedures, and other supporting materials, as well as articulating context-specific commitments to preserving privacy.

These commitments are major drivers behind all other Trust Science policies, standards, and practices.


Note: At no time may a staff member for themselves, or on behalf of any other party, access, transmit, copy, use, create, alter, delete, or move personal information – or media containing same – for anything other than Trust Science business purposes for which the individual to which the data refers has consented.

Applicable External Standards

The development and execution of privacy controls follows ISO document 29100:2011 – “Information technology — Security techniques — Privacy framework”, and incorporates PIPEDA’s fair information principles.

Scope

The scope of this document is all information assets owned, controlled, or stored by Trust Science and any / all directly controlled entities / subsidiaries, and all staff employed by the same in any capacity – and includes all data provided by Trust Science to clients of / subscribers to Trust Science’s services without limitation.
This document establishes a baseline practice with respect to protecting personal data, legislative / contractual compliance surrounding personal data, and designing, developing, and operating systems and services that interact with personal data. Other requirements may exist in specific scopes, such as geographic regions, or related to specific partnerships.

Terms

Business purposes are those functions which have been disclosed to clients, and those processes that support the same.

Personally Identifiable Information (PII) is that data which has been disclosed to and / or collected by Trust Science which can uniquely be attributed to a single individual.

Data owners are those individuals who are the source of their own PII.

Data custodians are those agents who store, use, transmit, or otherwise interact with PII, under consent from the PII owner for clearly communicated business purposes.

Privacy is respecting the obligations that Trust Science has under law and contract to owners of personal information.

Third parties are those agents who assist Trust Science, either / both directly and indirectly, to achieve its business purposes.

Controls

Responsibilities for the Protection of Privacy

All staff members must observe all privacy and security-related practice documents at all times when interacting with Trust Science data, systems, and processes, and with individuals interacting with Trust Science.

These responsibilities include, but are not limited to:

  1. Following Trust Science’s practices around the collection, usage, disclosure, retention, and transfer of PII.
  2. Being clear, accurate, and complete in identifying to data providers, and documenting within Trust Science, the business purposes for which PII is collected (see: https://www.trustscience.com/legal/smart-consent).
  3. At all times obtaining, and preserving all records of, consent for the collection of data, as appropriate.
  4. Documenting the relationship between data collected and the business purposes such collection supports.
  5. Documenting how use, disclosure, retention, and disposal practices for collected PII are limited to only identified business purposes, and communicating those practices to the Chief Security and Privacy Officer.
  6. Documenting how the accuracy of PII is maintained, and maintaining records of changes to PII including source individual, date, time, and network origin of any changes.
  7. Documenting the security safeguards implemented to protect PII, and how those safeguards correspond to the sensitivity of that data.
  8. Documenting any additional policies, standards, and procedures that affect how PII is managed.
  9. Immediately communicating any requests by individuals for information about their own PII (specifically, but not limited to the existence, use, and disclosure of their PII) to the Chief Security and Privacy Officer or their designate.
  10. Immediately communicating to the Chief Security and Privacy Officer or their designate:
    1. Any requests by individuals for information about Trust Science’s security and privacy practices; and
    2. Any requests by legal or law enforcement officials for access to PII.
  11. All privacy-related documentation, as detailed above or elsewhere in supporting material, must be communicated to the Chief Security and Privacy Officer.

Oversight

The Chief Security and Privacy Officer is responsible for the maintenance of this document, for identifying and articulating practices related to privacy, for auditing the same for effectiveness and compliance, and for the overall coordination of privacy functions.

No staff member may access PII without first having passed all background checks and having signed a binding NDA.

Staff are required, when dealing with third parties, to contractually oblige those third parties to apply protection of privacy controls verifiably as strong as, or stronger than, those applied by Trust Science.

Staff must follow all Trust Science protection of privacy standards, practices, and guidelines at all times.

Staff who fail to observe these requirements will be subject to discipline, up to and including termination.

This document must be reviewed no less than annually, upon any identified deficiency, or upon a material change to privacy expectations, by the Chief Security and Privacy Officer or their designate.