Chapter Privacy Policy

ISACA Lebanon (“Chapter”) Privacy Policy

Adopted 09 May 2014

Reviewed February 2019

 

Scope

This policy outlines Lebanon Chapter policies with respect to the treatment of the personally identifiable information (PII)[1] of the following individuals:

  • Current and past website users and individuals who purchase materials;
  • Members (both current and past);
  • Event attendees, speakers, sponsors, survey respondents, and other participants in Chapter programs; and
  • Non-member volunteers who participate on Chapter projects and/or volunteer groups.

This policy does not describe Chapter policies with respect to personally identifiable information of employees, consultants, contractors, vendors, licensees, sponsors, or advertisers. 

This policy applies to handling of personally identifiable information stored in all forms (whether on paper, electronically – including on computer hard drives, CD ROMs, removable flash drives – or otherwise) by Chapter. It does not describe the treatment of information by legally independent entities that may work with Chapter, including ISACA International.

This policy is for internal use by Chapter volunteers and by others (such as contractors, vendors, committee members, and the like) who have access in the course of their duties for Chapter to PII (as defined below) maintained by or on behalf of Chapter.

Responsibility and Accountability

The Chapter’s president is accountable for Chapter’s privacy program; the program’s responsibilities can be delegated to one of the committee’s positions.

 

Notice

Chapter provides notice about its policies and practices relating to personally identifiable information and identifies the purposes for which information is collected, used, stored, shared, and secured. Chapter’s notice program includes the following elements:

  • Chapter provides notice and obtains consent (as legally required) before information it maintains is used for a purpose that is either unrelated to the purpose for which the information was originally provided, or that is for a purpose that was not disclosed in the original notice to the individual.
  • Chapter provides external notice about its privacy practices on its website. The notice describes how personally identifiable information is collected, used, stored, shared, and secured.
  • Chapter provides notice in its various printed information collection forms about how personally identifiable information will be used. 
  • Chapter also provides notice in situations other than traditional online or offline information collection, such as when people are taking surveys or attending meetings, and instructs its employees about when notice must be provided.
  • This Privacy Policy is used to inform Chapter personnel (and others, such as volunteers, contractors, etc., who will access personally identifiable information maintained by Chapter and who have a responsibility to adhere to this policy) about Chapter’s responsibilities with respect to use of personally identifiable information, and is distributed to personnel.

Collection

Chapter currently collects the following types of personally identifiable information (for the purposes described in the “use” section of this policy):

As provided by ISACA International reports

Chapter uses fair and lawful means to collect information, collects information using methods that have been reviewed and approved by the chapter designee responsible for the Chapter privacy program, and analyzes third-party sources of personally identifiable information to determine if those third parties are reliable data providers.

 

 

Use

Chapter uses personally identifiable information it obtains for the following purposes:

  • Those purposes described in Chapter’s external privacy policy, and as described at the time it collects information (for example in an online or offline form);
  • To process individuals’ requests;
  • For purposes that a reasonable individual would view as related to the purpose for which an individual provided information; and
  • For other legitimate business purposes of Chapter that are permitted by applicable laws, rules and regulations, and/or that are in keeping with appropriate industry guidelines and practices.

 

Sharing

Chapter shares personally identifiable information with third parties only for legitimate business purposes and as permitted by applicable law, rules and regulations. Instances when Chapter may share information include:

  • To the IT Governance Institute, ISACA Headquarters, and from time to time volunteers (such as ISACA board members) performing tasks on Chapter’s behalf;
  • To those who wish to determine if an individual is certified, provided that the requester of the information provides to Chapter the certification number and last name of the individual;
  • To investigate potentially fraudulent or questionable activities;
  • When Chapter believes it is necessary to cooperate with law enforcement or in response to a government request.

When sharing information, Chapter limits the amount and type of information shared to that which the other party needs or that is relevant to the other party. 

Chapter will take appropriate remedial actions if it becomes aware of any situation in which a third party misuses personally identifiable information.

 

Access

Those who wish to access their information or have their information updated are directed in Chapter’s privacy policy to contact Chapter by email, regular mail, or phone. Such requests will be answered and addressed under the direction and supervision of the chapter designee responsible for the Chapter privacy program.

 

Completeness and Accuracy

Chapter relies on individuals to provide it with complete and accurate personally identifiable information, and in certain circumstances may require individuals to represent and warrant that the details they have provided are their own, are complete, and are accurate.

 

Retention and Disposal

Chapter’s current policy is to retain information for so long as it is needed by the business.  Since most information is in continuous use, much is retained on an indefinite basis. 

When Chapter finds that it has extensive information it is not using, it will determine appropriate means to dispose of personally identifiable information in a secure manner in keeping with its legal obligations.

 

 

 

 

[1] Defined to include any information that could be used to directly or indirectly identify an individual, such as name, email or home address, phone number, as well as information that is maintained in connection with individually identifiable information, like credit card numbers, demographic information, and the like.