Back to Homepage
DATA PROTECTION POLICY
Last updated September 29, 2021
Massy need to collect and use certain types of information with regards to individuals, companies and Service contractors whom they do business with. Personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The purpose of this policy is to describe how personal or confidential data must be collected, handled, and stored to meet the company’s data protection standards. It also addresses the prerequisites for Massy Group companies to comply and operate within the laws of the country.
The data protection policy ensures that Massy Group companies adhere to the following:
1. DATA PROTECTION LAW
The Massy Group intends to ensure that personal information is treated lawfully and appropriately. The principles of Data Protection as outlined in any laws and regulations that may exist in any country in which the Massy Group operates are listed below. Such principles have been drafted to cover, as far as possible:
2. DATA PROTECTION RISKS
This policy helps to protect Massy from data security risks such as:
3. DATA COLLECTION
When collecting data, each Massy company must ensure that the data collected is within the boundaries defined in this policy. This applies to data that is collected in person, or by completing an electronic form. When collecting data from customers all Massy companies must ensure the following:
4. DATA USE
Personal information is of no value to any Massy company unless the business can make use of it. However, when personal information is accessed and used which can be at the greatest risk of loss, corruption or theft, the company must ensure the following:
5. DATA STORAGE
Information and records relating to customers must be stored securely and must only be accessible to authorized staff. Information must only be stored for as long as it is needed or required by the law of the country. Sensitive information is to be physically stored on a server with restricted access to the area enforced, and all personally identifiable information must be stored encrypted.
6. ACCESS TO CUSTOMER INFORMATION
Any Massy company collecting and storing sensitive information on customers is required to follow IT best practice worldwide. This ensures that the IT infrastructure security is proactive and prevents unauthorized access to data. Each Massy company is to enforce authentication, segregation of duties, secure the services running on the server, set the right permissions on files and folders, secure the infrastructure using a firewall, perform regular audits and scans of the network for vulnerabilities and ensure that data is backed up regularly and stored at on offsite location.
7. DATA DISPOSAL
It is the responsibility of each Massy company to ensure that computers previously used by the organisation that has been passed on or sold to the third party are properly disposed of. It is also the responsibility of each Massy company to ensure that all data and licensed software stored on the computer is non-recoverable. All company assets are to be disposed of in an eco-friendly manner. Company assets containing sensitive information should not be placed by the way side to cause damage to the Massy image or reputation. Massy companies’ assets should be disposed of through a recognised e-waste company bearing the Certificate of Environmental Clearance (CEC) seal.
Any violations of the Data Protection Policy must be reported immediately to the ICT department of the respective Massy company and the employee’s manager. Violating this policy or any of its tenets could result in disciplinary action.
The Massy Group will enforce the Security Policy Framework and establish standards, procedures, and protocols in support of the policy. Any employee found to have violated this policy may be subject to disciplinary action. It is the responsibility of the Users to read, understand and comply with the various matters set out in this policy.
10. MODIFICATION TO THIS POLICY
Please note that from time to time this policy will be reviewed and changed to reflect IT standards and best practices, worldwide. If you are in any doubt as to which laws, regulations, codes of conduct, and company guidance are relevant to your situation you should seek advice from your supervisor, HR representative, or legal department.
11. ACKNOWLEDGMENT OF DATA PROTECTION POLICY
This form is used to acknowledge receipt of and compliance with the company’s Data Protection Policy.
Back to Homepage