(818) 528-6733 | info@1contactcenter.net

Privacy Policy


The 1 Contact Center Data Protection Policy states our commitment to protecting personal data privacy and provides the basis for guidelines and procedures for conducting data protection impact assessments, enhancing data protection at 1 Contact Center and, as a controller and processor, implementing security measures that include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as required by the GDPR. These focus points are based on compliance with the EU General Data Protection Regulation (GDPR) for our EU clientele.

1.0 Introduction

1 Contact Center is involved in gathering and using information on individuals who are citizens of European Union member states. Our contact with the personal data of EU citizens calls for the incorporation of the requirements of the EU General Data Protection Regulation, which comes into effect on 25th May 2018. This includes personal data gathered from our customers, contacts and any other individual stakeholders whose data 1 Contact Center may need to store, process, analyze or use.

This policy describes how personal data will be collected, handled and stored to meet the highest protection standards for the company’s data and to ensure full compliance with the law.

1.1 Background of GDPR

The EU General Data Protection Regulation (GDPR) was designed to widen the scope previously covered by the 1995 Data Protection Directive. It does so by harmonizing data protection across the European Union. It was adopted by the European Parliament and the European Council in April 2016 and its official enforcement begins on May 25, 2018.

The regulation is meant to protect the data privacy of EU citizens by requiring anyone who collects, processes or uses this personal data to disclose their intended use of the personal data collected. Any business that carries out transactions with EU citizens must adhere to the GDPR. Non-compliance will attract fines of €20 million or 4% of total annual worldwide revenue, whichever is higher.

The protection of personal data is a fundamental freedom that should be respected and accorded to individuals. Therefore, 1 Contact Center has the mandate to ensure a high level of data protection despite the large increase in the collection of data.

1.2 Why the policy exists:

Through the data protection policy, 1 Contact Center will:

  • Ensure that we are in compliance with the GDPR and follow good business practice
  • Ensure that the privacy of data belonging to staff, customers and partners is well protected
  • Transparently disclose the purpose of the collection, storage, processing, analysis and any subsequent use of individuals’ data
  • Protect itself from the inherent risks and liabilities associated with a data breach

1.3 The Scope of GDPR

1.3.1 Material Scope

This policy applies to the processing of personal data wholly or partly by automated means by the organization, and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system of the organization.

1.3.2 Territorial Scope

The GDPR applies to all organizations located in the EU that process the data of citizens of EU member countries, and to organizations located outside the EU that process the data of citizens of EU member countries in order to offer goods or services to, or to monitor the behavior of, EU residents.

1.4 Important Definitions

1.4.1 Personal Data

Under the GDPR, personal data is any “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.” It is any information relating to a person, such as name, photo, email address, bank details, social media updates, bank information, medical information or any other information which can be used to identify the physical, economic or social identity of that person.

Processing is any set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, or dissemination. Any processing of individual data should be based on informed consent and lawful use and should represent the interests of the individuals.

1.4.2 Consent

A clear indication that a person has agreed to the processing of personal data relating to him or her. Consent should be freely given in an identifiable manner and should not exceed the purpose for which it is given, and individuals have the right to withdraw their consent at any time.

1.4.3 Breach of Personal Data

A personal data breach is the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation after lodging a successful legal complaint.

1.5 Data Compliance Principles and Responsibility for 1 Contact Center

1 Contact Center is accountable for any data in our possession and should demonstrate compliance with the following data compliance principles:

1. Conduct a data protection impact assessment before initiating a new collection of personal data and before developing or procuring IT to collect, maintain or disseminate personal data.

2. Ensure personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.

3. Maintain a Business Continuity and Disaster Recovery protocol with a security plan and the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

1.6 Existing Rights for Data Subjects

  • Right to full and transparent disclosure of the use of their personal data
  • Right to access their personal data
  • Right to rectify their data
  • Right to erase their data
  • Right to restrict processing of the data
  • These rights may be limited in consideration of national security, public interest, the investigation of criminal acts and any other restriction provided by an EU member state

2.0 People, Risks and Responsibilities

2.1 Scope of the Policy

The policy is applicable to:

  • US Corporate Office, 1 Contact Center
  • Manila, Philippines Office, 1 Contact Center
  • All the 1 Contact Center Staff
  • All 1 Contact Center internet providers and any partners that may come into contact with personal data

The policy applies to data that relates to the identification of a natural person, which may include:

  • Names of individuals
  • Phone number
  • Emails
  • Any other personal information related to the individuals

2.2 Data Protection Risks

Through this policy, 1 Contact Center will be sufficiently protected against the following risks:

  • Data Breaches
  • Lack of Informed Consent
  • Damage of Reputation
  • Penalties

2.3 Responsibility:

All the people working for and representing the interests of 1 Contact Center have some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

2.3.1 The Role of the Team of Managers

The ultimate responsibility for ensuring that 1 Contact Center complies with data protection law lies with the team managers. They are responsible for formulating the strategies needed to ensure GDPR compliance.

2.3.2 Data Protection Officer

1 Contact Center meets the criteria for the appointment of a DPO because:

  • The core activities of 1 Contact Center consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”
  • Requirements of the DPO

The data protection officer is a mandatory role under the GDPR. It requires a person with extensive knowledge of data protection and GDPR law who is qualified to advise the company on issues relating to the GDPR. However, neither the GDPR nor the WP29 sets out any formal test for determining that knowledge. The DPO should also be familiar with the sector within which the organization operates.

Moreover, the DPO must not be subject to any conflict of interest. The WP29 considers that combining the role of a DPO with senior management positions may give rise to a conflict of interest.

At 1 Contact Center, we intend to appoint a data protection officer from the IT department and an assistant from the quality control department. There will also be GDPR champions in each department that uses personal data, to assist the data protection officer and his or her assistant.

Duties:

  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Providing advice and guidance to the organization and its employees on the requirements of the GDPR.
  • Reviewing all data protection procedures and related policies, in line with GDPR law and the data protection policy.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data that 1 Contact Center holds about them.
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

2.4 Training Policy and General Staff Guidelines under GDPR

The majority of employees at 1 Contact Center handle private data that is protected under the GDPR. The only people able to access data covered by this policy should be those who need it for their work.

2.4.1 Employee Training Policy

  • The Data Protection Officer and his or her assistant will receive training from accredited data privacy trainers.
  • The Data Protection Officer and other data experts will provide training on data protection law and provide certification of excellence.
  • Employees will take regular tests on data protection, necessary to understand data protection law, and are expected to score above 90%.

2.4.2 Guidelines to Employees

  • Personal data should be handled confidentially and properly secured to eliminate the possibility of unauthorized information sharing. Employees must request access to any confidential personal data from their respective line managers.
  • 1 Contact Center will provide training to all employees to help them understand their responsibilities when handling data.
  • Personal data should not be disclosed to unauthorized people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

3.0 Data Protection Impact Assessments

1 Contact Center Data Protection Impact Assessment will:

  • Describe the nature, scope, context and purposes of the processing of personal data
  • Assess and adopt necessity, proportionality and compliance measures for personal data protection
  • Identify any additional measures to mitigate those risks
  • Where a high risk cannot be fully mitigated, 1 Contact Center will consult the Information Commissioner’s Office (ICO) or its representative before any processing of data is conducted
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases the ICO may issue a formal warning not to process the data or ban the processing altogether.

3.1 Implementation Checklist

3.1.1 Calls:

  • The people involved in the call have given consent to be recorded.
  • Recording is necessary for the fulfillment of a contract
  • Recording is necessary to fulfill a legal requirement
  • Recording is necessary to protect the interests of one or more participants
  • Customers have the right to request deletion of their previously recorded calls

3.1.2 Emails and other Information

  • Any emails or other personal data will be used only for the legally intended purpose and any other compatible purpose
  • Get consent from individuals for storage and use of personal emails and any other personal data
  • Collection of data is crucial for the fulfillment of the contract
  • Any information collected can be deleted based on the request of the customers

3.1.3 Assessment of the Necessity and Proportionality

The collection and storage of personal data is crucial to ensuring efficient customer support services for our clients. 1 Call Center will focus on safeguarding this data based on the private data compliance principles.

Therefore, the use of any private data is limited to the scope provided by the Data Protection Impact Assessment that will adopt:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy of data
  • Limitation of storage
  • Integrity and confidentiality

1 Contact Center will store data for six months, after which it will be archived using encryption and deleted after three years.

Moreover, the rights of data subjects in relation to their data will be complied with.

3.1.4 Measures envisaged demonstrating Compliance

  • 1 Contact Center will adopt a data protection policy and take staff through a data protection training program, both of which provide reusable resources essential to GDPR compliance
  • 1 Contact Center will ensure that good and updated IT systems are in place to safeguard personal data by preventing irrecoverable loss or corruption of data
  • Moreover, any third party that may come into contact with private data should provide reasonable assurance of the protection of private data through compliance with the GDPR.

3.1.5 Assessment of the Risks to the Rights and Freedoms

Risks related to private data are likely to result in a breach of the rights and freedoms of data subjects, and they include:

  • Physical, material and non-material damages due to loss, corruption and unlawful use of personal data
  • Lack of control of their data
  • Processing of personal data that may lead to profiling based on race, ethnicity, religion or beliefs

These risks are likely to attract fines, so they need to be well mitigated.

3.1.6 Measures envisaged to Address the Risks

  • Implementation of strong IT and software systems that properly safeguard private data
  • Preparation of an audit checklist to enhance compliance
  • The data protection officer is in charge of compliance with private data law, and in cases of higher risk the ICO will be consulted

3.1.7 Documentation

The data protection impact assessment has been sufficiently documented in the data protection review.

3.1.8 Monitoring and Review

The data protection impact assessment will be reviewed every two months and whenever 1 Contact Center engages in a new scope of activity that exposes it to data privacy challenges. DPIAs should be carried out continually as a matter of good practice.

4.0 Information Security Policy

The IT security policy for 1 Contact Center provides guidelines to enhance the security of personal data for business continuity, and sets out the security measures in place to enhance compliance with the GDPR.

4.1 Objectives

  • Ensure high levels of information security for 1 Contact Center information systems so that any risks of theft, loss, misuse, damage or abuse are sufficiently mitigated
  • Ensure awareness of and compliance with current and relevant US, Philippines and EU legislation
  • Ensure that 1 Contact Center is protected from any liabilities and damages resulting from the misuse of any IT facilities

4.1.1 Scope

The IT policy applies to all employees, customers and stakeholders who are authorized to access the IT facilities of 1 Contact Center. The policy covers elements related to, but not limited to, cloud data, computers, storage, mobile devices, networking equipment, software and data.

4.2 Key Principles

  • Employees must abide by any contractual requirements, policies, procedures or systems while handling data
  • Regular review through annual internal audits and penetration testing

4.3 Legal and Regulatory Obligation

1 Contact Center has a responsibility to abide by and adhere to all Philippines, US and EU legislation as well as a variety of regulatory and contractual requirements.

4.4 Classification of Information

  • Confidential information – normally accessible only to specified members of 1 Contact Center. This information should be held in encrypted form.
  • Restricted information – normally accessible only to specific members of 1 Contact Center staff
  • Internal use information – accessible only to members of 1 Contact Center staff

4.5 Responsibility

4.5.1 The IT Department

The IT department is responsible for maintaining, governing and overseeing the enterprise information security program. It will:

  • Ensure that the right IT assets are installed
  • Provide assistance to IT system users
  • Implement IT security measures in the organization

4.5.2 Authorized Users

Individuals who have been granted access to specific information assets in the performance of their assigned duties are considered Authorized Users ("Users"). Users include, but are not limited to, employees, cloud providers and customers. These users will:

  • Seek access to data only through the authorization and access control process.
  • Perform all responsibilities of a Data Custodian when placing institutional data on personally owned or managed devices.

4.6 Technical Measures

  • Ensure that firewalls are properly configured and running the latest software
  • Unique passwords with sufficient complexity and regular expiry on all devices to defend against dictionary and rainbow table attacks.

4.7 Internet and Cloud Providers

Under the GDPR, 1 Contact Center retains responsibility as the data controller for any data it puts into the system. Because of this, 1 Contact Center can be fined for any data breach, even if the breach is the fault of the internet or cloud service provider. Therefore, the responsibility for contacting the Information Commissioner’s Office lies with 1 Contact Center, and 1 Contact Center is exposed to lawsuits for damages resulting from the breach. It is therefore of extreme importance for 1 Contact Center to be able to judge the appropriateness of a cloud service provider’s information security provisions.

Therefore:

  • All internet and cloud providers need to specifically detail their security provisions
  • All internet and cloud providers need to adhere to GDPR regulations

4.8 Compliance, Policy Awareness and Disciplinary Procedures

  • Any security breach of LSE’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems.
  • The loss or breach of confidentiality of personal data is an infringement of the General Data Protection Regulation and is against the 1 Contact Center Data Privacy Policy, and could lead to criminal or civil action against 1 Contact Center.
  • The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against LSE. Therefore, it is crucial that all users of the information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.

4.9 Reporting IT Security Breaches

  • Any identified data breach should be reported to the IT service desk by email or phone
  • Breaches involving the personal data of EU citizens should be reported to the Information Commissioner’s Office and to the 1 Contact Center Data Protection Officer.

4.10 Reviews for IT Policy

The IT policy will be reviewed against the existing laws, data protection policy and GDPR provisions to ensure that it is up to date based on relevant changes to the law, organizational policies or contractual obligations.

5.0 Privacy Policy

The privacy policy procedure is governed by the organization’s data policy. 1 Contact Center has an obligation to collect, use and disclose personal information only for purposes that facilitate achieving its mandate and complying with the law. There is also an obligation to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction, in accordance with state legislation and the GDPR.

5.1 Collection of Personal Information

In any collection of personal information:

  • Data must be collected for specified, explicit and legitimate purposes only
  • Data must not be further processed in a way that is incompatible with those purposes
  • Individual rights on collection, modification and erasure should be observed

5.2 Use of Personal Information

Personal information will only be used:

  • For the purpose for which it was collected, or for a use consistent with that purpose
  • Where the individual the information is about has identified the information and consented in writing to the specified use.

1 Contact Center will only use personal information to the extent necessary to enable the call center to carry out its purpose in a reasonable manner. Personal information of an individual that is used to make a decision that directly affects that individual will be retained for at least one year and a maximum of three years after using it.

5.3 Disclosure of Personal Information

Personal information will only be disclosed:

  • To respond to an access request for personal information regarding the person making the request as per the Access to Information Procedure
  • To comply with the laws in the Philippines, the US and the EU that require the disclosure

5.4 Informed Consent

There must be express informed consent between 1 Contact Center and the data subject for the storage and processing of their personal information. Moreover, the information collected should not be used for a purpose other than that for which it was collected.

5.5 Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a crucial analysis process that helps to identify and address potential privacy risks that may occur in the operations of 1 Contact Center. PIAs are to be carried out under the following circumstances:

  • Developing or procuring any new technologies or systems that handle or collect personal information, or developing system upgrades
  • Issuance of new or updated regulations and laws regarding personal information
  • Categorizing system security controls

5.6 Privacy Breaches:

A privacy breach occurs when there is unauthorized access to, or collection, use, disclosure or disposal of, personal information. It is against the 1 Contact Center data protection policy. The steps to be taken are:

  • Containment
  • Evaluation
  • Notification
  • Prevention

5.7 Monitoring and Review

The IT policy will be reviewed every two months and whenever 1 Contact Center engages in a new scope of activity that exposes it to data privacy challenges. IT policy reviews should be carried out continually as a matter of good practice.

6.0 Purpose

The purpose of this policy is to detail the procedures for the retention and disposal of information to ensure that we carry this out consistently and that we fully document any actions taken.

6.1 Review

Review is the examination of closed records to determine whether they should be destroyed, retained for a further period or transferred to an archive for permanent preservation.

6.2 Scope

The scope of the policy covers any:

  • Voice recording
  • Emails
  • Names
  • Occupation data
  • Employee information

6.3 How long information is to be used

Personal information of an individual that is used to make a decision that directly affects that individual will be retained for at least one year and a maximum of three years after using it. Thereafter it will be stored in an encrypted format.

6.4 The Trust’s Approach to Retention and Disposal of Records

  • The Policy supports the principle that all records should be managed in a way that allows the information contained within them to be available to the person who needs them, at the time and place they are needed.
  • The Policy provides the Trust with the necessary guidance in relation to our legal obligations and practical necessities for retaining and disposing of records.

6.5 Storage of Records

Any voice recording or other personal information should be stored on secure servers that are properly backed up. Storage should ensure that the informed consent of the data subject is stored in a suitable location on trusted servers.

6.6 Disposal of Records

Any data will be archived before three years have elapsed since its use. Archived data is stored in an encrypted format to mitigate data breaches. Any retrieval of private data from the archives requires approval and authorization from the head of IT and the Data Protection Officer.

7.0 Subject Access Request Form and Procedure

7.1 Responsibility

  • The Data Protection Officer provides guidance, oversight and approval of the request procedure. They will ensure the availability of electronic records on request, such as emails, files and databases.
  • Any request by an employee will be handled by human resources staff under the supervision and verification of the Data Protection Officer.

7.2 Consideration of the Request

  • Confirmation of identity
  • Requesting the specific information to be supplied

7.3 Fulfilling the Request

  • Determine whether the information requested includes the private data of a third party; delete any information related to a third party to avoid violating privacy law
  • The obligation to supply the information

8.0 International Data Transfer Procedure

Any international transfer of customer data should be carried out under the strict guidelines of the law in the US, the Philippines and the EU. 1 Contact Center is committed to complying with the provisions of the GDPR regarding the international sharing of information. 1 Contact Center is affected because it may engage in cross-border data transfers based on its locations in the US and the Philippines. The transfer of personal data to recipients outside the EU is generally prohibited unless:

  • The jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
  • The data exporter puts in place appropriate safeguards; or
  • A derogation or exemption applies.

8.1 Responsibilities for 1 Contact Center

  • Ensuring that transfers are made to adequate jurisdictions and implementing a lawful data transfer mechanism
  • Understanding that the Commission can repeal, amend or suspend adequacy decisions for jurisdictions no longer ensuring an adequate level of data protection
  • Ensuring that our Binding Corporate Rules (BCRs) meet the requirements set out.

9.0 Data Portability Procedure

Our data portability procedure covers the technical design and provision of the data subject rights. 1 Contact Center will need to ensure that the systems, connected products, applications and devices that collect and store information on data subjects also have the added functionality of porting and transmitting data.

The right to request or share a copy of data in a machine-readable format applies only if the following criteria are met:

  • Data is provided by the individual to 1 Contact Center (controller)
  • Data is processed by automated means
  • Processing is based on consent or fulfillment of a contract.

9.1 Procedures:

Create technical capabilities for:

  • Providing customers with a copy of all the personal data about them on request
  • Transferring the data to another data controller or service provider
  • Ensuring that data subjects have provided data actively and knowingly
  • Providing data in a way that facilitates reuse

10.0 Complaints Procedure

A complaint is an expression of dissatisfaction with the standards of 1 Contact Center, through its actions or inactions, with regard to data protection.

10.1 Responsibilities

  • The Data Protection Officer is responsible for the coordination of the complaints policy and procedure that includes any collected, stored and analyzed data.
  • The Customer Service Center is responsible for overseeing the process of monitoring and reporting the progress of the complaint and any responses made.

10.2 Complaints Handling Process

Complaints may be received verbally, in writing, or as anonymous tips and calls. The process for handling complaints includes:

  • Customer service is responsible for handling minor complaints
  • Serious data privacy complaints will be resolved by top executives with the advice of the Data Protection Officer

10.3 Staff Support

Members of staff will be provided with customer service training to ensure that they are able to effectively handle customer queries.

11.0 Audit Checklist for Compliance

11.1 Need for an Audit

As far as data protection is concerned, the key reasons for carrying out audit activities are:

  • To assess the level of compliance with GDPR
  • To assess the level of compliance with the organization’s own data protection system
  • To identify potential gaps and weaknesses in the data protection system
  • To provide information for data protection system review

11.2 Objectives of Data Protection Audit

  • To verify that there is a formal (i.e. documented and up-to-date) data protection system in place in accordance with the necessary laws
  • To verify that all the staff in the area involved in data protection:
    • Are aware of the existence of the data protection system
    • Understand the data protection system
    • Use the data protection system
  • To verify that the data protection system in the area actually works and is effective

11.3 Types of Audits

1 Contact Center will carry out three types of audits:

  • First party audits – internal audits of the data protection policy and IT assets to check whether there is a sufficient, proactive and best-practice approach to data protection. This is an ongoing process that will increase the general level of data protection awareness among all staff
  • Second party audits – internal audits of internet and cloud providers to ensure that they adhere to data protection laws, with a significant focus on the GDPR because of our EU clients.
  • Third party audits – audits conducted by independent third parties to determine compliance with data protection regulations. They could be carried out by Information Commissioner investigations or a contracted third party.

12.0 Privacy Notice

The Data Protection Policy of 1 Contact Center clearly depicts our commitment to enhancing data security and providing sufficient safeguards for personal data. 1 Contact Center will only use personal information to the extent necessary to enable the call center to carry out its purpose in a reasonable manner. Any shared data will be data processed in automated form, and processing is based on consent or fulfillment of a contract.