Internal Privacy Policy
Internal Data Protection and Privacy Policy
1. Objective
This Data Protection and Privacy Policy (“Policy”) aims to define collection, protection, and usage of personal data and other confidential information of SNV Aviation Private Limited (“Akasa Air”) as per applicable laws and regulations. Akasa Air can collect Personally Identifiable Information, being information that can be uniquely used to identify, contact, or locate an individual (PII or personal information) either directly from employees or through its customers as part of business process engagements, regardless of its form and format, and protection and security of PII must be ensured throughout its life cycle against key threats such as unauthorized access/modification, loss of information, information leakage/theft, etc. The purpose of this Policy is to outline Akasa Air’s commitment towards meeting its responsibilities towards maintenance of privacy of personal information and customer data.
2. Scope
This Policy applies to all the employees, contractors, consultants and other engaged personnel/stakeholders of Akasa Air, and all the personnel affiliated with third parties (Covered Personnel). It applies to information assets which process, transmit and store the personal information of Covered Personnel, customer data, and Akasa Air’s confidential information (collectively referred to as Data).
3. Policy
3.1. Types of PII Collected from Covered Personnel: In relation to Covered Personnel, Akasa Air collects and processes the following broad categories of PII:
(i) Name, date of birth, gender, marital status, maiden name, mother's maiden name, race, ethnic origin.
(ii) Background information – e.g. Indictments, criminal records etc.
(iii) Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, insurance, financial account/bank account number and credit card number;
(iv) Address, contact information, such as street address, phone and email address;
(v) Personal characteristics, including photographic image (especially of face), fingerprints and other biometric data (e.g. retina scan);
(vi) Health and medical information;
(vii) Location and technical information such as IP address, login information, browser type, unique device identification information;
(viii) Other information generated in the course of engagement with Akasa Air such as information gathered through CCTV monitoring, workplace monitoring tools, security clearance processes, employment records, details of incidents, disciplinary proceedings and records.
3.2. Purposes of Collection and Processing: PII is collected and processed for the following purposes:
(a) Identification, evaluation and communication with Covered Personnel including verification of details provided by them, conducting background and antecedent checks;
(b) Employment purposes and performance of contracts with Covered Personnel such as payroll processing, payment of remuneration/consideration, performance and productivity evaluation, time and attendance tracking, training and skills development, employee records management, employee wellness and engagement programs, workforce planning and staffing, facilitating travel, business expenses, and stay arrangements while traveling for engagement purposes, and implementing occupational health and safety measures;
(c) Fulfilling any post-cessation related processes and obligations including completing handover upon cessation of engagement term, full and final settlement processes, responding to reference checks, and fulfilling any other post-cessation obligation;
(d) Providing statutory and other benefits during the course of engagement;
(e) Enabling participation of Covered Personnel in ESG, volunteering, corporate social responsibility activities of Akasa Air;
(f) Regulatory purposes such as to comply with applicable employment and taxation laws;
(g) Undertaking Akasa Air’s operations and business activities through Covered Personnel including supporting internal activities such as accounting, IT support, and other internal processes for core and ancillary activities of Akasa Air;
(h) Monitoring, safeguarding, and protecting Akasa Air’s properties;
(i) Preventing and detecting unlawful activities;
(j) Protecting Akasa Air’s information and communication technology systems and information assets;
(k) Communication in emergency situations with emergency contacts;
(l) Enforcing legal, contractual, and equitable rights in relation to Covered Personnel; and
(m) Enabling actual or potential sale, transfer, merger, consolidation or purchase of some or more of Akasa Air’s assets or businesses, or other similar transactions.
3.3. Compliance with globally accepted data protection requirements and applicable laws:
(a) The Confidentiality, Integrity and Availability (CIA) of sensitive data including PIIs and customer data, regardless of its form and format, shall be protected throughout its life cycle against key threats such as unauthorized access/modification and loss of information.
(b) Information classification and handling policy of Akasa Air as in force from time to time shall be followed to protect the PIIs and customer data from the key threats such as unauthorized access/modification and loss of information.
(c) Data shall be:
(i) Fairly and lawfully processed – Access, consent, enforcement, notice and security in line with legal requirements.
(ii) Processed for limited purposes – Clarify intent and purposes of processing.
(iii) Adequate, relevant, and not excessive.
(iv) Accurate.
(v) Processed in line with the data subject’s rights.
(vi) Secured through the implementation of necessary controls to safeguard CIA.
(vii) Transferred to a third party within India or to other jurisdictions only where the data importer provides similar level of data protection that is provided by Akasa Air under applicable law and this Policy, and if (i) transfer is necessary for performance of contract with the data subject, or (ii) where data subject has consented to the transfer of their PII.
(d) All Data including personal information shall be considered as confidential.
(e) All customer data collected and processed shall be retained and disposed of as per applicable law and the contractual requirements.
(f) All Covered Personnel PII shall be retained and disposed of as per the applicable laws and regulations in the respective geography.
(g) Confidentiality of Data shall be protected by information owners and custodians in business units and service functions, who shall be responsible for implementing and maintaining reasonable security practices and procedures including appropriate managerial, technical, operational, and physical security control measures for protection of information assets and data taking into account the nature of business operations, the information asset sought to be protected, requirements under applicable laws, and policies and processes of Akasa Air.
(h) Websites collecting personal information (including entities, which do so on behalf of Akasa Air) shall provide the intent of data collection, assurance of protection and option for subscription/un-subscription to end-users from whom data is collected. Visitor privacy shall be protected using website privacy policy statements.
(i) The personal information owner shall authorize and be aware of the purpose of data collection and usage. PII may be collected from the customer for business purpose, wherein the customer has authorized Akasa Air to use the Data within the purview of applicable law/regulation.
(j) Third party contracts shall have clauses defined to ensure the security and privacy of Data.
(k) Data protection requirements shall be reviewed especially during contractual sign-off with customers on engagements involving confidential data access.
(l) While outsourcing sensitive work to third-party vendors or partnering with vendors, especially involving processing of confidential data (personal, business), vendor assessment shall be carried out in line with the third-party security policy. In addition, a confidentiality agreement shall be entered into with third-party vendors for protecting the confidentiality of Data.
3.4. Data Privacy Principles for Vendors
(a) Vendors and their staff working for Akasa Air shall understand Akasa Air’s Information Security Policies as provided by Akasa Air from time to time.
(b) Vendors and their staff shall comply with Akasa Air's Code of Business Conduct and Ethics as provided by Akasa Air from time to time.
(c) All vendor staff shall be made aware of the impact resulting from misconfiguration or human errors by a service provider.
3.5. Compliance and Regulatory
(a) The process owners shall conform to the following principles for personal information collection:
(i) Collection Limitation: Personal information shall be collected for specified and legitimate purposes only.
(ii) Purposes Specification: The purposes, for which personal information is collected, shall be based on the approved business requirement. The purpose shall be identified and specified at or before the time the information is collected or as soon as reasonably practical.
(iii) Consent: The knowledge and consent of the individual shall be ensured for the collection/ receiving, usage, storage, or disclosure of personal information except where the above processing is permitted without consent under applicable law.
(iv) Personal Information Quality: Personal information shall be relevant to and not excessive for the purposes for which they are collected and used. Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
The process owners shall follow the secure practices for personal information when using, storing, retaining, sharing, and/or disclosing personal information.
(v) Limitation on Use and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be kept only if it is necessary for the purposes for which it was collected and processed and in accordance with personal information storage requirements under the Information Technology Act, 2000 (amended in 2008). Retention period of different types of data shall be defined and maintained based on the respective approved business requirement.
(vi) Disclosure of Personal Information: The process owners shall not disclose, sell or otherwise distribute to any third party any personal information which is in the nature of sensitive PII under applicable law without prior consent of individual, except where permitted under applicable law including the following circumstances:
· Where personal information is not sensitive PII and disclosure is essential for the purposes of processing such as disclosure of contact information in emergency situations for immediate help.
· Legal Requests and Investigations – Akasa Air may disclose any personal information when, in our opinion, such disclosure is necessary to prevent fraud or to comply with any statute, law, rule or regulation of any governmental authority or any order of any court of competent jurisdiction.
· Third-party Service Providers – Akasa Air may, from time to time, outsource some or all the operations of our business to third-party service providers. In such cases, it shall be necessary for Akasa Air to disclose personal information to those service providers. In some cases, the service providers may collect personal information directly from individual(s) on Akasa Air’s behalf. These service providers may have access to individuals’ personal information needed to perform their functions. However, Akasa Air shall ensure secure processes are followed by such service providers to access, use and disclose the personal information. Additionally, we may share Data with our affiliates and other group entities.
· To protect or defend Akasa Air’s rights, interests, and property or the same of our associates and affiliates, or our affiliate's employees, consultants, etc.
· For fraud-prevention purposes.
· To any person, including insurers and lenders who supply benefits or services to the individual.
· As permitted or required by any law/statute/regulator
(vii) Personal information shall be processed fairly and lawfully. Personal information shall be processed, having full regard to everyone’s lawful rights (as described in this policy or as provided by appropriate law).
(b) Reasonable Security Practices: All appropriate technical, physical, and organizational measures shall be taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data. Akasa Air follows the best security practices in line with ISO 27001, to help in preventing unauthorized access to any customer’s information.
3.6. Processing Customer’s Data
(a) Customer data will be dealt with utmost care in accordance with the agreements entered into with the customer.
(b) Customer data will be securely stored, in manual or electronic form, and in accordance with the Information Technology Act.
(c) In addition, data collected for a specific purpose, product or service may be stored in Akasa Air with other information, and only in accordance with the information classification and handling procedure and data protection guidelines given hereunder.
3.7. Data lifecycle - Protection
(a) Data shall be protected during the stages of - creation, collection, storage, access, disclosure, transmission, retention and deletion.
(b) Sensitive personal information should not be kept for longer than it is required to reduce the risk of undesirable disclosure.
(c) When deleting personal information on systems, applications and services, the following should be considered:
(i) selecting a deletion method (e.g., electronic overwriting or cryptographic erasure) in accordance with business requirements and taking into consideration relevant laws and regulations.
(ii) recording the results of deletion as evidence.
(iii) when using service suppliers of information deletion (when disposing storage media/ assets), obtaining evidence of information deletion from them.
(d) Classification of Data according to the sensitivity level and business impact shall be carried out as per the information classification policy and procedures.
(e) Whether accessed locally or through a remote connection, Data shall not be copied, moved and stored on laptops, desktops or external removable storage such as USB hard drives/flash drives without encryption. If there is an exceptional requirement to copy the Data, it shall be encrypted, and the users shall exercise caution while carrying removable media in public places.
(f) Covered Personnel and custodians shall take reasonable steps to ensure that Data is available, reliable, accurate, complete, and current for its intended use.
(g) Only authorized individuals shall have access to the confidential data as required by them for fulfilling their job responsibilities.
(h) Covered Personnel handling sensitive and confidential data shall be made aware of the impact of breach or loss of Data to the Organization and its business partners.
(i) Information security risk assessment shall be conducted to assess the information security risks related to the sensitive or confidential data. Risk assessment shall be carried out irrespective of location of data. Identified security risks shall be treated (including through contract).
(j) Customer's sensitive and confidential data which is processed by third party service providers on behalf of Akasa Air shall be protected through data transfer agreements between Akasa Air and third-party service providers.
(k) Covered Personnel shall ensure that personal information accessible to them is safeguarded. While deciding the protection level, the associated legal, regulatory and statutory requirements shall be considered along with business impact.
(l) Covered Personnel’s access to the application processing & storing confidential data shall be granted based on business requirements on a "need to access" and "need-to-know" basis only. The authorization shall be obtained from the process owner as defined in the application access control matrix.
(m) Audit trails shall be maintained for creation, access and deletion of sensitive and confidential data by process owners.
(n) Akasa Air maintains physical, technological, and procedural safeguards and security that comply with the IT Act.
(o) In addition, appropriate training will be given for all Covered Personnel to ensure high standards in relation to data protection.
(p) The principles of data protection as outlined in the Data Protection and Privacy Policy shall be followed, addressing the rules of data processing, uploading into OneDrive / SharePoint, cleaning up the Data from the local systems and drives, and deleting the Data after the retention period as required by law.
3.8. Data Loss Prevention – Monitoring
(a) Necessary technology controls for monitoring loss of confidential or internal data in storage or through all communication channels (such as email, instant messaging or Internet connectivity), shall be implemented depending on the business requirement and following all legal and regulatory controls in each country and domain.
(b) Workplace monitoring with the aim to protect confidential data shall be carried out in accordance with privacy laws and regulations.
(c) Workplace monitoring with the aim to protect confidential data shall be carried out in accordance with privacy laws and regulations.
(d) Any loss, breach or unauthorized access of confidential data processed by Akasa Air shall be reported by users as per policies and processes implemented by Akasa Air in this regard.
(e) In line with contractual commitments and local regulatory requirements (as applicable), customers shall be notified of any incident related to breach/loss of data by Functional Heads or Service Lines, in Business Units.
(f) Information security audits and self-assessments shall be carried out to assess the effectiveness of security control implementation in safeguarding confidential data.
(g) Data Loss Prevention: monitoring and blocking shall be used at endpoint, email, and other technologies wherever possible.
(h) If data export is required, the data owner should be allowed to approve the export and hold users accountable for their actions.
(i) Taking screenshots or photographs is strictly prohibited; users violating the policy will face necessary disciplinary action.
3.9. Deletion Methods
(a) In accordance with the organization’s topic-specific policy on data retention and taking into consideration relevant legislation and regulations, sensitive information should be deleted when no longer required, by:
(i) Configuring systems to securely destroy information when no longer required (e.g., after a defined period subject to the topic-specific policy on data retention or by subject access request);
(ii) Deleting obsolete versions, copies and temporary files wherever they are located.
(iii) Using approved, secure deletion software to permanently delete information to help ensure information cannot be recovered by using specialist recovery or forensic tools.
(iv) Using approved, certified providers of secure disposal services.
(v) Using disposal mechanisms appropriate for the type of storage media being disposed of (e.g., degaussing hard disk drives and other magnetic storage media).