Data protection
Purpose
Together for Girls shall protect the security and privacy of all information, including financial information, entrusted to it. The purpose of this Data Protection Policy and Information Security Plan (the “Plan”) is to provide a framework for protecting non-public, personal identifying information (“PII”). Specifically, the objective of this Plan is to: (a) ensure the security and confidentiality of PII; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of PII; (c) ensure the secure and proper disposal of PII; and (d) protect against unauthorized access to or use of PII in a manner that creates a substantial risk of identity theft or fraud to those whom Together for Girls seeks to protect under this plan. In formulating and implementing this Plan, Together for Girls has:
Scope
This Plan applies to Together for Girls, including its employees, contractors, temporary employees, and other users at Together for Girls, as well as users affiliated with third parties who access or use Together for Girls information systems. The Plan uses the term “user” to refer collectively to all such individuals. The Plan is not limited to information systems under the jurisdiction or ownership of Together for Girls.
Together for Girls is committed to protecting the security and privacy of all information entrusted to it. Our internal operating processes and procedures will comply with applicable laws and regulations, as well as established industry practices.
This Plan is necessary to serve goals pertaining to operations, records and facilities.
Such goals include, among other things:
The objective of this Plan is to document effective administrative, technical and physical safeguards for the protection of consumer and employee PII, and to comply with our obligations under various state and federal laws.
The Plan sets forth our protocols for evaluating and addressing our electronic and physical methods of accessing, collecting, processing, storing, using, transmitting, and protecting PII through to its proper and secure disposal. PII shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Legal framework
For purposes of this Plan, PII is information protected under the following laws and their implementing regulations:
Responsibility
Together for Girls designates the Operations Team, led by the Chief Operating Officer (COO), to implement, supervise, and maintain the Plan. The Operations Team will be responsible for:
Authority and reporting
Whenever a policy or procedure related to the Plan requires action or decision by a decision maker and the decision maker is not clearly identified in such policy or procedure, the COO shall be the decision maker or shall designate the decision maker.
Security and controls
The Operations Team, led by the COO, is responsible for developing an information security program to control the risks identified through its assessment, commensurate with the sensitivity of the information and the complexity and scope of Together for Girls’ activities. The Operations Team will implement the technical controls and measures necessary to address the identified risks. They shall include:
Information systems activity review procedures
Together for Girls may review information systems activity on a periodic basis to determine whether Protected Information is accessed or disclosed inappropriately.
The COO shall determine the records to be reviewed, the frequency of such reviews and the individual responsible. Examples of information system activity records may include, but are not limited to, audit logs, access reports and security incident reports.
Any security incidents identified as a result of information systems activity review shall be investigated as outlined in any related security incident policies and procedures.
Employee security policy procedures
Together for Girls shall ensure that employees requiring access to Protected Information have appropriate access, while other workforce members who do not require Protected Information to perform their job duties are prevented from accessing such information.
Authorization to access Protected Information shall be granted as necessary based on job functions.
Access to Protected Information may be periodically monitored by the CEO and COO.
Privacy and security incident policy
All privacy and security incidents shall be reported to the COO, who shall take appropriate steps to block further incidents, repair and restore service, and preserve evidence. Any information concerning a known or suspected privacy or security breach (an “Incident”) must be reported to the COO without delay and in writing. The COO is responsible for managing mitigation efforts and shall promptly assess the nature and scope of the Incident and identify what PII has been accessed or misused. Together for Girls shall promptly notify the appropriate authorities once it becomes aware of an Incident involving unauthorized access to or use of PII. In collaboration with the CEO, the COO shall implement measures to contain and control the Incident and prevent further unauthorized access to or misuse of PII, while preserving records and other evidence.
Data protection officer
Together for Girls designates the COO to serve as the organization’s Data Protection Officer (“DPO”), who will ensure that Together for Girls complies with the GDPR’s requirements and other applicable data protection laws. The DPO will be responsible for staff training, data protection impact assessments, internal audits, and maintaining records of all data processing activities carried out by Together for Girls. The DPO will also serve as the primary contact for regulatory authorities and for individuals whose data is processed by Together for Girls (“data subjects”), and will be responsible for informing data subjects how their personal data is being used and what measures Together for Girls has put in place to protect it. The DPO will also ensure that data subjects’ requests to receive copies of their personal data, or to have their personal data erased, are fulfilled or responded to as necessary.
Evaluation assessment
Through its outsourced IT provider, Together for Girls shall perform a periodic technical and non-technical evaluation to make certain that Together for Girls’ security policies and procedures continue to comply with all applicable laws, regulations, and administrative policies.
Destruction of protected information policy
This Plan covers all media containing Protected Information. All media shall be wiped or destroyed in a manner to safeguard confidentiality of Protected Information.
Plan exceptions
Together for Girls acknowledges that, in rare circumstances, certain users will need to employ systems that are not compliant with these policies. The COO must approve all such instances in writing and in advance.
Point of contact
Questions regarding this Plan and other information security policies may be directed to the Together for Girls Operations Team: operations@togetherforgirls.org
If you have a concern about how Together for Girls has processed your data, you can make a complaint via our AllVoices platform https://togetherforgirls.allvoices.co/
Plan compliance
Failure to comply with this Plan and all supporting or related information-security policies, procedures, and guidelines will be investigated and presented to Together for Girls’ appropriate executive officers and management for disciplinary action, up to and including termination of employment and/or legal action, as appropriate.