OUR Data Protection POLICY
What is Anthro’s Data Protection Policy?
We understand the importance of data protection and will work to ensure your organization’s personal information remains secure.
DEFINITION OF PERSONAL DATA:
Personal Data: means any information relating to an identified or identifiable individual (‘data subject’). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to i) an identifier such as a name, an identification number, audiovisual materials, location data, an online identifier, ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual or iii) assessments of the status and/or specific needs of an individual. The definition of what constitutes personal data is contextual and expanding particularly due to enhancements in technology and methods for identifying individuals.
DATA COLLECTION
| Only the absolute minimum amount of personal data required for service delivery will be collected. Every item identified for collection will be justified (e.g. data minimization). | |
|---|---|
| Where possible, personal data will be de-identified (i.e. severing the identifiers from the personal data). | |
| Personal data will only be collected, used, shared or stored for the purposes stipulated in programme design and implementation (e.g. purpose specification). |
ACCESS CONTROL
| Wherever feasible, all access to personal data will be logged (both access by programme and IT staff) (e.g. need-to-know access only). | |
|---|---|
| Where possible, encryption (and other privacy-enhancing technologies (PETs)) will be used to protect stored data in such a manner that it can only be viewed by those authorized to do so. | |
| Access control will be built into the programme at the greatest level of granularity possible. Periodic confirmation of access rights will be conducted. |
DATA QUALITY
| All personal data that is kept will be accurate and up-to-date (for instance by setting ‘check-by’ dates for each of the purposes for which the data is collected and further processed). Design and implementation processes will dispose of inaccurate and outdated data. |
|
|---|---|
| We will provide easy and efficient processes for individuals to amend or request the amendment or deletion of their personal data if it is inaccurate or incomplete. |
NOTICE REQUIREMENTS FOR PERSONAL DATA COLLECTION
| Our service delivery will allow privacy notices to be provided at point of collection and delivered in a concise, intelligible and easily accessible format, using clear and plain language. | |
|---|---|
| Records will be kept of which individuals were provided with notifications and when. | |
| Where feasible, individual consent (based on clear and transparent notice) will be obtained prior to the collection of personal data, which will then be recorded and maintained. |
MANAGING INDIVIDUAL DATA PROTECTION RIGHTS REGARDING THEIR PERSONAL DATA
| Service provision will ensure that individuals’ requests for access, deletion or correction of their personal data will be supported and responded to. |
|---|
SUPPLIER OR PARTNER REQUIRMENTS
| Only minimum amounts of personal data or other confidential information will be shared with/transferred to partners or suppliers. Partners and suppliers will have to comply with Anthro’s personal data protection requirements applicable to their handling of the data. |
|---|
DATA RETENTION
| All the sets of personal data collected or further processed as part of Anthro’s service delivery will have a documented retention policy and functionality will be designed and implemented to remove data once the retention period has expired | |
|---|---|
| Personal data will only be kept in identifiable format only for as long as needed to fulfil a specific purpose, and securely destroyed or archived at the end of such a time period. |