Confidentiality, data and information technology protections

Data protection

Purpose

Together for Girls shall protect the security and privacy of all information, including financial information, entrusted to it. The purpose of this Data Protection Policy and Information Security Plan (the “Plan”) is to provide a framework for protecting non-public, personal identifying information (“PII”). Specifically, the objective of this Plan is to: (a) ensure the security and confidentiality of PII; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of PII; (c) ensure the secure and proper disposal of PII; and (d) protect against unauthorized access to or use of PII in a manner that creates a substantial risk of identity theft or fraud to those whom Together for Girls seeks to protect under this plan. In formulating and implementing this Plan, Together for Girls has:

  • Identified reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any records containing PII;
  • Assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PII;
  • Evaluated the sufficiency of existing policies, procedures, information systems containing PII, and other safeguards in place to control risks;
  • Designed and implemented this Information Security Plan that puts safeguards in place to minimize those risks, consistent with the requirements under applicable laws;
  • Implemented regular monitoring of the effectiveness of those safeguards;
  • Applied each of the foregoing risk management steps to the secure and proper disposal of PII on our systems; and
  • Addressed the reasonably foreseeable risks to PII stored on the systems of our service providers and related third-parties.

Scope

This Plan applies to Together for Girls, including its employees, contractors, temporary employees, and other users at Together for Girls, as well as those users affiliated with third parties who access or use Together for Girls information systems. The Plan uses the term “user” to refer collectively to all such individuals. The Plan is not limited to information systems under the jurisdiction or ownership of Together for Girls; it also covers PII held on the systems of its service providers and other third parties.

Together for Girls is committed to protecting the security and privacy of all information entrusted to it. Our internal operating processes and procedures will comply with applicable laws and regulations, as well as established industry practices.

This Plan is necessary to serve goals pertaining to operations, records and facilities.

Such goals include, among other things:

  • Ensuring continuity of operations
  • Protecting the integrity of business records
  • Preventing unauthorized access to records
  • Protecting privacy and security of sensitive information

The objective of this Plan is to document effective administrative, technical and physical safeguards for the protection of consumer and employee PII, and to comply with our obligations under various state and federal laws.

The Plan sets forth our protocols for evaluating and addressing our electronic and physical methods of accessing, collecting, processing, storing, using, transmitting, and protecting PII through to its proper and secure disposal. PII shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Legal framework

For purposes of this Plan, PII is information protected under the following laws and their implementing regulations:

  • The Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. §§ 6801-6809)
  • The Federal Trade Commission Act (FTC Act) (15 U.S.C. §§ 41-58, as amended). The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule (the “Privacy Rule”). Anyone who uses this Plan should also review the Privacy Rule, found at 16 C.F.R. Part 313 (May 24, 2000).
  • The European Union’s (EU) General Data Protection Regulation (GDPR)
  • The United Kingdom’s General Data Protection Regulation (UK GDPR)
  • The United Kingdom’s Data Protection Act 2018 (DPA 2018)
  • Other applicable federal and state laws, including consumer protection laws, social security number protection laws, and laws governing the secure disposal of PII.

Responsibility

Together for Girls designates the Operations Team, led by the Chief Operating Officer (COO), to implement, supervise, and maintain the Plan. The Operations Team will be responsible for:

  • Implementation of the Plan, including all related policies and procedures;
  • Providing initial and annual training for all employees who have access to PII on the elements of the Plan. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with the organization’s requirements for ensuring the protection of PII, including:
    • Ensuring that PII is retained only for as long as necessary, with periodic reviews of the data Together for Girls holds, and that it is erased or anonymised when no longer needed;
    • Ensuring that the PII held is limited to what is necessary for Together for Girls’ organizational purposes and is kept accurate and up to date;
    • Ensuring that PII is used for the purposes made clear to the individual, and is used for a new purpose only if that purpose is compatible with the original purpose, consent is obtained, or there is a clear obligation or function set out in law;
    • Ensuring that individuals retain the right to withdraw consent to the use of their PII.
  • Regularly testing the Plan’s safeguards and overseeing an ongoing risk assessment process for the Plan;
  • Reviewing the scope of the security measures in the Plan at least annually or whenever there is a material change in our business practices that may implicate the security or integrity of records containing PII;
  • Reviewing the security procedures annually and fully apprising management of the results of that review and any recommendations for improved security arising out of that review;
  • Evaluating the ability of third-parties to implement and maintain appropriate security measures for the PII to which we have permitted them access;
  • Assessing and requiring such third-parties, by contract, to implement and maintain appropriate security measures;
  • Ensuring that access to personal information is restricted to approved and active user accounts.

Authority and reporting

Whenever a policy or procedure related to the Plan requires action or decision by a decision maker and the decision maker is not clearly identified in such policy or procedure, the COO shall be the decision maker or shall designate the decision maker.

Security and controls

The Operations Team, led by the COO, is responsible for developing an information security program to control the risks identified through its assessment, commensurate with the sensitivity of the information and the complexity and scope of Together for Girls’ activities. The Operations Team will implement the technical controls and measures necessary to address the identified risks. These shall include:

  • Access controls on customer information systems, including controls to authenticate users and permit access only to authorized individuals;
  • Access to drives and folders limited to those who need the information for their role in the organization;
  • Password protection on all Together for Girls devices, which must not be left unattended or unlocked;
  • Prompt removal of access to organizational systems for any employee who leaves the organization or any consultant whose contract has terminated;
  • Procedures designed to ensure that information system modifications are consistent with the organization’s information security program;
  • Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for, or access to, customer information.

Information systems activity review procedures

Together for Girls may review information systems activity on a periodic basis to determine whether Protected Information is accessed or disclosed inappropriately.

The COO shall determine the records to be reviewed, the frequency of such reviews and the individual responsible. Examples of information system activity records may include, but are not limited to, audit logs, access reports and security incident reports.

Any security incidents identified as a result of information systems activity review shall be investigated as outlined in any related security incident policies and procedures.

Employee security policy procedures

Together for Girls shall ensure that employees requiring access to Protected Information have appropriate access while other workforce members who do not require Protected Information to perform their job duties are prevented from accessing such information.

Authorization to access Protected Information shall be granted as necessary based on job functions.

Access to Protected Information may be periodically monitored by the CEO and COO.

Privacy and security incident policy

Any information concerning a known or suspected privacy or security breach (an “Incident”) must be reported to the COO without delay and in writing. The COO shall take appropriate steps to block further incidents, repair and restore service, and preserve evidence, and is responsible for managing mitigation efforts. The COO shall conduct a prompt assessment of the nature and scope of the Incident and identify what PII has been accessed or misused. Together for Girls shall promptly notify the appropriate authorities once the organization becomes aware of an Incident involving unauthorized access to or use of PII. In collaboration with the CEO, the COO shall implement measures to contain and control the Incident to prevent further unauthorized access to or misuse of PII, while preserving records and other evidence.

Data protection officer

Together for Girls designates the COO to serve as the organization’s Data Protection Officer (“DPO”), who will ensure that Together for Girls complies with the requirements of the GDPR and other applicable data protection laws. The DPO will be responsible for staff training, data protection impact assessments, internal audits, and maintaining records of all data processing activities carried out by Together for Girls. The DPO will also serve as the primary contact for regulatory authorities and for individuals whose data is processed by Together for Girls (“data subjects”), and is responsible for informing data subjects about how their personal data is being used and what measures Together for Girls has put in place to protect it. The DPO will also ensure that data subjects’ requests to receive copies of their personal data, or to have their personal data erased, are fulfilled or responded to as required.

Evaluation assessment

Through its outsourced IT provider, Together for Girls shall perform a periodic technical and non-technical evaluation to make certain that Together for Girls’ security policies and procedures continue to comply with all applicable laws, regulations, and administrative policies.

Destruction of protected information policy

This Plan covers all media containing Protected Information. All media shall be wiped or destroyed in a manner to safeguard confidentiality of Protected Information.

Plan exceptions

Together for Girls acknowledges that, in rare circumstances, certain users will need to employ systems that are not compliant with these policies. The COO must approve all such instances in writing and in advance.

Point of contact

Questions regarding this Plan and other information security policies may be directed to the Together for Girls Operations Team: operations@togetherforgirls.org

If you have a concern about how Together for Girls has processed your data, you can make a complaint via our AllVoices platform https://togetherforgirls.allvoices.co/

Plan compliance

Failure to comply with this Plan and all supporting or related information-security policies, procedures, and guidelines will be investigated and presented to Together for Girls’ appropriate executive officers and management for disciplinary action, up to and including termination of employment and/or legal action, as appropriate.