V. 0.9
All information contained herein is highly confidential and the exclusive property of Gaine Solutions Inc. This information should not be copied or replicated in any way without express written authorization.
Overview
The protection and management of the various types of employee and client Personally Identifiable Information (PII) is critical to Gaine operations. Gaine computer systems and related devices collect and record data as required for business operation, management, and reporting purposes. This key information should never be disclosed to unauthorized individuals.
Purpose
This policy establishes general privacy requirements for information captured or generated by Gaine operations, systems, network devices, or communications. This includes systems and devices involved in the transmission and storage of voice data. The policy further delimits conditions where PII may be disclosed.
Scope
This policy applies to all Gaine staff that create, deploy, or support Gaine gathered or processed information.
Policy
- Gaine ensures that the public has access to information about the organization’s security and privacy activities and can communicate with its senior security official and senior privacy official.
  - Gaine’s HR department will ensure this document is made available on Gaine’s website.
- Gaine ensures that guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information.
  - See section 1.7 of the IPP for classification
  - See section 11 of the IPP for retention
  - See section 12 of the IPP for disposal
  - See sections 3.4, 7, 8 and 9 of the IPP for handling and storage
- Gaine ensures that designated senior management within the organization reviews and approves the security categorizations and associated guidelines.
  - Gaine’s CISO and CTO are responsible for reviewing the security categorizations and associated guidelines. Reviews will take place annually; the meetings will detail changes to the security categorizations and updates to business structure. The CISO, in conjunction with the CTO, will approve the changes.
- Gaine ensures that it has formally appointed a qualified data protection officer, reporting to senior management, who is directly and fully responsible for the privacy of covered information.
  - See section 1.5 of the IPP
- Gaine ensures that records with sensitive personal information are protected during transfer to organizations lawfully collecting such information.
  - Gaine’s IT department shall ensure that encryption is used to transfer the information; at minimum AES-256.
- Gaine ensures that covered information storage is kept to a minimum.
  - Gaine’s development department will ensure that only the needed amount of covered information is retained, by communicating with the clients to verify that the identifiable fields are still usable. The development department will create policies PER client that detail which information must be kept in order to maintain mastered data.
- Gaine will specify where covered information can be stored.
  - Gaine will only store covered information in Microsoft’s Azure cloud environment. See section 7.1 of the IPP regarding data encryption protection.
- Gaine ensures that, when required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, communicated by telephone conversation, or otherwise disclosed to parties external to the organization.
General Statement of Client Data Privacy
Gaine’s data privacy policy falls into three broad classifications, protecting information gathered to manage and deliver services to employees, clients, and governments. This policy is broken into three separate sections – general network data, client data (PII, PHI), and employee information.
Using data effectively and responsibly is foundational to security of such data. The Health Insurance Portability and Accountability Act as well as the NIST framework and other state or federal laws establish baseline parameters for what is permissible when sharing client PII or PHI.
Gaine uses additional guidelines and strict processes to protect the privacy of every employee and client to ensure the confidentiality and security of all PII or PHI collected and managed.
General Network Data
In the course of normal network operations, computer systems, voice systems, access control systems, and network devices generate and track logging data, source and destination internet protocol (IP) addresses, session times, port numbers, file sizes, etc. (referred to as Network Data).
Network Data Policy
Gaine treats all network data as confidential information. This information may be obtained, stored, and reported for legitimate business, compliance and audit purposes but shall not be exposed to unauthorized individuals except as specifically discussed in this policy.
Network data may be disclosed under the following conditions. Requests shall be authorized by Gaine’s chief information security officer (CISO) or their designee.
Network Operational Viability
Network data may be released under the following situations:
- Network performance monitoring or troubleshooting
- Security incident analysis and remediation
- Audit, group policy, and security log management and analysis
- Litigation holds and requests
- Copying, archiving, or otherwise preserving portions of any messages transmitted over the network in the course of business or maintenance
Legal or Gaine Policy Analysis
Network data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to legal discovery or court requests.
Network Security Threats
All relevant data, protocol, logs, and user information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network.
Network Data Requests
All requests to retrieve and share network data must be submitted to Gaine’s CISO or their designee. Any litigation and legal requests require confirmation by both the CTO and CISO. Such requests shall include:
- Name and role of the requestor
- Reason for the request, in accordance with the principles set forth in this policy
- Intended use of the requested data
Any network data intentionally shared with third parties must be sanitized and redacted to preserve the anonymity of network users unless that data is used directly in legal discovery or authorized by general counsel and the CTO. Requests shall be documented and stored as part of the implementation of this policy.
Employee Data
All employee data is treated as confidential and private. No employee related information shall be released or disclosed without the express approval of the CTO and Gaine’s head of HR.
Employee Data Policy
Gaine treats all employee data as private and confidential information. This information may be obtained, stored, and reviewed for legitimate business purposes related to personnel employment, compliance, and audit purposes, but shall not be exposed to unauthorized individuals, agencies, or external sources except as specifically discussed in this policy.
Requests shall be authorized by the HR department in concert with the CISO when electronic records are involved. Data shall be disclosed only under the following conditions and employees shall be informed of such activity prior to release:
Employee Performance or Transitions
Employee work data may be released under the following situations:
- Security incident analysis and remediation
- Litigation holds and requests
- Personnel transitions involving email and work products
- Restoration or otherwise preserving portions of messages transmitted over the network in the course of business
Legal or Agency Disciplinary Analysis
Employee data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to internal policy incidents, personnel management, legal discovery, or court requests.
Network or Agency Security Threats
All relevant data, protocol, logs and user information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all employee communications and component activities relevant to the incident or breach.
Employee Data Requests
All requests to retrieve and share employee data must be submitted through Gaine’s HR department. Any litigation and legal requests require confirmation by executive management including at a minimum the CTO. Such requests shall include:
- Name and role of the requestor
- Reason for the request, in accordance with the principles set forth in this policy
- Intended use of the requested data and whether this information will be used as part of a personnel action
- Employee notification of the event unless barred due to legal or disciplinary investigation. In all circumstances, employees shall be notified if information is placed in their permanent files related to an incident or discovery request
Any employee network data intentionally shared with third parties shall be sanitized and redacted to preserve the anonymity of the employee unless that data is used directly in legal discovery or authorized by Gaine General Counsel and CTO. Requests shall be documented and stored as part of the implementation of this policy.
Client PHI and PII
All client PII and PHI is confidential and private. Gaine client data privacy procedures adhere to the guidelines set forth in applicable federal and state law and include additional safeguards as follows:
- Formal information security policy
- Security and privacy policies
- Policy review and revision by national experts and advisors
- Specific liability language and support in vendor contracts/agreements around client data privacy, data breaches, appropriate uses and disclosures of client data and termination/penalties for non-compliance
- Annual HITRUST compliance audits
- All PII and PHI releases shall require the express approval of the CTO and CISO
Client Data Policy
Gaine treats all client PII and PHI as private and confidential information. This information may be obtained, stored, and reviewed for legitimate business purposes related to client development, accounting, contract services, operations, compliance and audit purposes, but shall not be exposed to unauthorized individuals, agencies or external sources except as specifically discussed in this policy.
Client data may only be collected and utilized when meeting the express business needs of the company and as mandated by state and federal law. It shall not be disclosed to any party unless they are designated as the data owner, or an “Authorized Representative” pursuant to federal HIPAA guidelines acting in the best interests of the client. All record release requests shall be authorized by the CISO. PII and PHI shall be disclosed only under the following conditions and clients shall be informed of such activity prior to release:
- Aggregated (Summary and De-Identified) Client Data including but not limited to:
  - Client and Internal Development Reports
  - Program Evaluation and Measurement
  - Client and Gaine Improvement Plans
  - Client Reporting
  - Audit Reporting
- Legal or Gaine Disciplinary Analysis – Client PII and PHI may be released to appropriate authorities to indicate the presence of activities that violate Gaine policies or federal/state law. These requests shall be in response to documented policy incidents, legal discovery, or judiciary requests.
- Network or Gaine Security Threats – All relevant data, protocol, logs, and client information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications and other traffic and transmissions over or on the network, including all client communications and component network activities relevant to the incident or breach, as stipulated in the incident response program.
- Consent for disclosure of client data (by email, fax, verbally, etc.) will be gathered by Gaine’s project managers. Project managers will send requests via email explicitly asking for the right to disseminate.
- Client Data Requests – All requests to retrieve and share client data must be submitted to the CTO through the CISO. Any litigation and legal requests require confirmation by executive management. Such requests shall include:
  - Name and role of the requestor
  - Reason for the request, in accordance with the principles set forth in this policy
  - Intended use of the requested data and whether this information will be used as part of a personnel action
  - Parental notification of the event (unless explicitly barred due to legal or disciplinary investigation) shall be made. In all circumstances, parents shall be notified when individual educational record requests are made that are not bound by legal constraints.
No client data shall be intentionally shared with third parties outside of legally compliant activities. All client data requests shall be documented and stored as a part of this policy.
Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational policy as part of Gaine operations. Examples of audit control and evidence include:
- Process, authorizations, and documentation for PII, PHI requests
- Historical evidence of organizational compliance
- Procedures for executing legal holds, chain of command, and discovery requests
Enforcement
Staff members found in policy violation may be subject to disciplinary action up to and including termination.
Distribution
Gaine shall ensure that the public has access to information about the organization’s security and privacy activities and is able to communicate with its senior security official and senior privacy official.
Gaine’s data privacy policies and procedures will be made available on its website by Gaine’s IT department. The public will have the option to send an email using the form at the bottom of the privacy policy page which will be distributed to Gaine’s privacy and security officers. https://www.gaine.com/data-privacy-policy
This policy is to be distributed to all Gaine staff and made available to the public through Gaine’s website.