1. Overview and Objectives
The protection of personal data, as well as compliance with privacy and data protection laws and regulations, is important to our organisation and its subsidiaries (“Hummingbird Hearingcare”, “we”, “us”).
This Policy creates a comprehensive governance framework for managing privacy and data protection risks. It and its supporting documents set out the processes and tools that deliver a consistent approach to privacy risk management across the organisation. Failure to address privacy risk adequately and in compliance with the law can cause brand and reputational damage and result in legal penalties. The protection of the personal data of employees, applicants and non-employee workers, customers and prospects, and suppliers is fundamental to preserving trust. Furthermore, personal data used responsibly can create significant business opportunities for our organisation and our customers. This Policy:
1. sets out the data protection principles that underpin the privacy framework;
2. identifies and explains the data protection roles and responsibilities;
3. establishes the Privacy Management Programme;
4. identifies the internal policies, procedures and standards which support this Policy and, together with this Policy, constitute our organisation’s privacy framework; and
5. sets out a (non-exhaustive) list of the requirements that employees must comply with.
• This Policy does not provide an exhaustive list of permitted or prohibited conduct or set forth every rule.
• This Policy is not a substitute for the responsibility to exercise good business judgment and proper care.
• Individuals should continue to seek proper advice through appropriate channels regarding any specific concerns and issues that are not specifically addressed in this Policy.
2. Scope and Enforcement
This Policy applies to all directors, managers, employees and non-employee workers (including contractors) within Hummingbird Hearing with respect to all operations carried out by our organisation around the world which involve the processing of personal data.
It is the responsibility of every director, manager, employee and non-employee worker (including contractors) throughout our organisation to comply with this Policy. Acknowledgment and understanding of this Policy is required through contracts and mandatory training. Failure to comply with this Policy may be a breach of the terms of employment and may lead to disciplinary actions up to and including termination of employment or services contracts.
Senior management is ultimately responsible for ensuring adherence to this Policy. The company Directors are responsible for monitoring compliance with this Policy.
3. Definitions
“Data breach” or “security incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (e.g. an email containing personal data is inadvertently sent to the wrong recipients, a paper record containing personal data is lost or stolen, or a cyber-attack is carried out by hackers).
“Data subject” or “individual” means any living individual to whom personal data or sensitive data relates. Examples of data subjects are employees and individual contacts at customers and suppliers.
“Personal data” means any information relating to an individual that identifies the individual or could reasonably be used to identify the individual regardless of the medium involved (e.g. paper, electronic, video, audio). Examples of personal data include contact details, financial data, passwords, IP addresses, pictures, online search history, geolocation information. Unless otherwise stated, personal data is intended to include sensitive data (as defined below).
“Processing” means any use of personal data by Hummingbird Hearingcare (or a third party on behalf of Hummingbird Hearingcare), including data collection, data sharing and data storage (note the mere storage of data is processing).
“Sensitive data” means information about an individual’s:
• racial or ethnic origin;
• political opinions;
• religious or similar beliefs;
• trade union membership;
• physical or mental health or condition;
• sexual life;
• genetic and biometric data (e.g. fingerprints, facial recognition, retinal scans); and
• criminal offences committed or alleged to have been committed.
4. Data Protection Principles
Our organisation’s business operations shall always be consistent with the Data Protection Principles set out below. These principles are binding across our business.
Lawful, fair and transparent processing
Our organisation only uses personal data in a way that is lawful, fair and transparent.
We comply with data protection and privacy laws within each of the jurisdictions in which we operate. We are also committed to helping individuals understand what information we collect, how we use it and what choices they have. We explain this to employees and business contacts within our customers and suppliers in a simple and clear way in our privacy notices. We review our privacy notices regularly to keep them up to date, and to ensure they match our internal practices.
Purpose limitation and data minimisation
We only collect personal data for specified, clear and legitimate purposes, and we only collect as much personal data as we need to achieve those purposes. Although personal data is necessary to provide our services, we only use it in ways that are proportionate to clear goals.
Accuracy
We take steps to ensure that the personal data we hold is accurate, up to date and relevant to the purposes for which it is collected.
Storage limitation
We only keep personal data in an identifiable form for as long as is necessary for the purposes for which we are using it.
We think carefully about how long we keep personal data. Our systems and processes, together with the Data Retention Policy, set out clear retention periods and the procedure for the safe disposal of information containing personal data.
Rights of the individuals (data subject rights)
We are fully committed to addressing the privacy rights of individuals with respect to our processing of their personal data, in accordance with applicable laws.
Security
We use appropriate technical and organisational measures to keep personal data secure and to ensure its integrity, confidentiality and availability across all systems at all times.
We have implemented appropriate security measures, which are regularly reviewed against best practice. These measures are set out in the Information Security Policy, located on the company intranet.
We require the same level of information security from our various service providers to protect the personal data that they may process on our behalf and under our instructions.
Data protection accountability
We are all responsible for upholding the Data Protection Principles and respecting individuals’ privacy rights. We have a collective and individual duty to protect the personal data of our employees, business partners, suppliers and customers. To create an environment of trust and to comply with applicable laws, all individuals operating within or on behalf of our organisation must comply with our privacy policies (as identified in this Policy at “Policy Framework”) and help the organisation to uphold its commitments to the protection of personal data.
5. Roles and Responsibilities
All directors, managers, employees and contractors are responsible for preserving the confidentiality of the personal data they use and for handling this information securely and in accordance with this Policy and any other supporting policies, procedures and standards (as identified in this Policy at “Policy Framework”).
Outlined below are the specific functions responsible for compliance with, adherence to and control of this Policy and the related data privacy controls.
• Legal and Compliance – Responsible for ensuring all Policies, regional requirements and legal obligations are defined and incorporated into this and related policy documents.
• Data Governance Council Members – Provide guidance to all supporting areas and are ultimately responsible for the publication, application and awareness of this and other policy documents, and for the application of suitable data privacy controls across Hummingbird Hearing.
• Data Steering Committee Members – Implement and monitor the requirements defined by the Data Governance Council, report issues and identify areas for improvement. In addition, may complete further requirements as defined by the Data Governance Council.
• Data Manager – Acting as a data expert, works as an independent internal auditor and alongside business units to assess data controls, data handling, reporting effectiveness and improvements as part of the Data Governance Council. In addition, ensures employees are suitably trained in data handling requirements and works with external parties to ensure compliance across the group.
• IT Function – Provides systems, solutions and applications that enhance and support the data privacy requirements. In addition, promptly raises visible data security incidents that may need technical solutions or direction for resolution. Further to this, the IT function ensures that access controls restrict each user’s access to the data required by their role, and applies additional controls to areas that may hold sensitive / confidential data.
6. Policy framework
Our organisation shall at all times operate in compliance with this Policy and with all internal policies, procedures and standards relating to privacy. The current privacy-related policies, procedures and standards are listed below. Please note that these may, from time to time, be updated or replaced, and the list below may be expanded to include additional policies.
Policy name – Purpose / Brief description
1. Data Breach Management Policy – Policy setting out the procedure and modalities for addressing incidents concerning the security of personal data and executing appropriate risk mitigation strategies.
2. Data Retention Policy – Policy setting out the principles applicable to the retention, storage and deletion of personal data within the organisation in compliance with applicable data protection laws.
3. Data Subject Rights Policy – Policy setting out the various rights that any data subject is entitled to exercise in compliance with applicable data protection laws.
4. Customer Privacy Notice – Notice setting out what Hummingbird Hearing is committed to doing to protect customer personal data.
5. Information Security Policy – Policy setting out principles and procedures applicable to information security, addressing, for example, encryption (at rest and in transit), data access controls and technical security measures (anti-virus etc.).
7. Third Party Service Provider Policy (including Third Party Due Diligence Checklist) – Policy setting out principles and procedures regarding third-party vendor due diligence, third-party vendor agreements and auditing/monitoring of third-party vendors.
8. Internal Subject Access Request Procedure – Procedure setting out principles and procedures applicable to internal access requests / investigations and employee monitoring, and related data access controls and limitations.
7. Privacy risk assessment and management
On a yearly basis, nominated parties will conduct a strategic risk assessment. The strategic risk assessment will assess changes in our internal business and technologies, our broader industry environment and our legal and regulatory regimes, in order to identify our sources of strategic privacy risk. Its output will contribute to the compliance / risk mitigation plan for the following year.
Where the privacy risk assessment identifies the need, the Data Governance Council, with the support of other key contributors, will issue recommendations for changes or controls to address the key risks. These recommendations must be implemented by the relevant business functions, including addressing compliance gaps where required.
Internal Audit will regularly assess the effectiveness of privacy risk assessment and management and our organisation’s ability to ensure compliance with the Data Protection Principles (as outlined in this Policy).
The Legal team will at all times maintain processes that enable our organisation to understand, comply with and, where necessary, influence legal requirements in privacy and data protection. The Legal team will also ensure that privacy laws are addressed consistently across each region in which such laws apply.
The Data Manager will determine where Hummingbird Hearing’s main establishment in the EU is located, based on its data processing activities, in order to identify the lead supervisory authority in the EU for cross-border processing. This decision will be documented by Hummingbird Hearing. The Data Governance Council will monitor the lead supervisory authority closely for guidance and other output and will keep abreast of its enforcement priorities.
Documentation of data protection compliance (decisions, implementation and audit)
Business unit heads, supported by the business functions concerned, will create and maintain records of the decisions and actions taken towards privacy risk management and compliance with applicable data protection laws. This will enable effective collaboration with regulators as and when required, and will enable our organisation to document and demonstrate its privacy compliance at all times.
Where privacy related decisions and actions are taken at regional or business level, the relevant policies and procedures will establish ownership of and responsibility for maintaining appropriate records.
The owners so established will also be responsible for ensuring and supervising the development of any additional records that may be required to demonstrate compliance under applicable data protection laws (e.g. consent forms, notices to data subjects, the register of personal data breaches).
Records of processing activities (“RoP”)
The business, with the support of the Data Steering Committee, will maintain a living document listing all processing activities within Hummingbird Hearing at a given time; this document will be updated as processing activities change and reviewed annually.
Data protection impact assessments (“DPIAs”)
The Data Governance Council will establish guidelines and procedures for performing DPIAs with respect to new products, technologies and business operations, where required by applicable laws or where appropriate to manage privacy risk. DPIAs will require the input and involvement of the relevant business functions. The DPIA forms part of the privacy risk assessment.
Third party vendor privacy risk management
Risk management for engaging third party vendors will be governed by a set of policies and procedures requiring appropriate controls on third party vendor due diligence, third party vendor agreements and auditing/monitoring of third-party vendors. Local business units will provide any privacy content necessary for third party risk assessment, keeping it up-to-date as necessary to address emerging privacy risks. Risks associated with a third party must be escalated to the Head of Data Security & Compliance / Data Governance Council.
The Legal and Compliance team will support the business where requested so it can perform appropriate due diligence to ensure proper evaluation of privacy risks early in the third-party engagement process. The local business units will also ensure that appropriate data protection safeguards and obligations are established throughout vendor processing and, where applicable, transfer agreements.
8. Mergers and acquisitions (“M&A”)
To ensure proper evaluation of privacy risks and risk mitigation strategies related to M&A activities, the local business, along with the Data Governance Council, will be engaged early in discussions of a planned deal and will form part of the M&A due diligence team where there is significant privacy risk. The recommendations of the due diligence team will include an evaluation of all significant privacy risks posed by the deal and a high-level mitigation plan.
9. Training and awareness
Online privacy awareness training will form part of the annual compliance training plan and will be required of all employees on a regular basis. The Head of Data Security, or an appointed person, will ensure that training content remains up to date and appropriate to our organisation’s business operations, and that it is refreshed on a regular basis. Training completion rates will be monitored and documented by the Head of Data Security in conjunction with the HR department.
The HR function will ensure that any necessary role or subject matter-specific training, ad-hoc communications, informal alerts and other necessary updates are communicated to the business as needed.
10. Security incident identification and response
All business units are responsible for monitoring business operations for incidents concerning the security of personal data, capturing them on a timely and consistent basis, and executing appropriate risk mitigation strategies.
All employees and business units are responsible for immediately escalating any actual or suspected security incidents (data breaches) according to our Data Breach Management Policy.
Any relevant office and business functions are required to take part in security incident management according to the Data Breach Management Policy.
The IT Team in conjunction with the Head of Data Security will ensure that known security incidents and risk events are identified, evaluated and remediated appropriately, and will evaluate trends so that root causes can be addressed. The Head of Data Security will work with the business unit to escalate security incident risk events to the Data Governance Council where necessary.
11. Metrics and reporting
The Data Governance Council will define the metrics necessary to monitor privacy risks and the effectiveness and maturity of the Privacy Management Programme. The Data Steering Committee will report annually on the overall status of the Privacy Management Programme and will work with the Data Governance Council to ensure accurate and complete reporting to the appropriate senior management.
12. Product development (privacy by design)
The IT function, with support from the local business units, is responsible for adopting privacy by design policies and guidelines to ensure that privacy considerations are addressed from the earliest stages of the development process for any product / service that may affect the protection of personal data (e.g. the development of new services).
Privacy risks associated with product / service development and launch must be evaluated and signed off by the Data Governance Council. IT and any other business function involved in the various phases of product / service development will be responsible for engaging the Data Steering Committee in the product / service development process to prompt and facilitate the required privacy assessment.
13. Data subject rights
As per the Roles & Responsibilities, Hummingbird Hearing will establish a Data Subject Rights Policy to respond effectively and appropriately to any request from data subjects regarding the use of their personal data by Hummingbird Hearing. This policy will set out (i) the rules for employees receiving a request to escalate it to the appropriate office or individual; (ii) the roles and responsibilities within the business for responding to data subject requests (e.g. retrieving the relevant data to respond to a data subject access request, erasing data upon request where appropriate, etc.); and (iii) the technical and organisational measures for addressing or responding to a data subject request according to the applicable data protection laws.
14. What Employees Must Do
Apply the Data Protection Principles to the collection and use of personal data and follow the policies, procedures and standards regarding privacy (as identified in this Policy at “Policy Framework”):
Learn how to identify personal data and report any queries to the relevant function / person.
Only collect personal data that is directly relevant and necessary to accomplish the specified purpose(s) and only retain personal data for as long as is necessary to fulfil the specified purpose(s).
Use personal data solely for the purpose(s) for which it was collected.
Ensure that personal data is accurate, up-to-date and relevant to the purpose(s) for which it is collected.
Secure personal data (paper and electronic) through appropriate security safeguards against risks such as loss, unauthorised access or use, destruction, modification, or unintended or inappropriate disclosure (e.g. avoid leaving papers, documents or files containing personal data in plain view when you are away from your work area).
Avoid accessing, collecting or storing personal data that is not necessary for your current job responsibilities.
Always dispose of personal data securely, for example by shredding or appropriate electronic erasure.
Remember that personal data belongs to Hummingbird Hearing and may not be copied, transferred or otherwise removed without permission.
Use Hummingbird Hearing data and equipment appropriately
Use Hummingbird Hearing data and equipment for legitimate business purposes only and in accordance with applicable policies, guidelines and instructions.
Do not install or use any software on your computer that has not been approved by Hummingbird Hearing.
Business applications on Hummingbird Hearing computers and telecommunications devices are to be managed in accordance with applicable policy and always in a manner consistent with the Information Security Policy.
Report data security incidents
Immediately report any of the following:
any suspicious activity related to a computer, network or software application;
any potential or actual loss, misuse, improper access or modification of personal data (including the loss of mobile electronic devices or paper records);
any compromise of the security of a system or device containing personal data; or
any access to, use of or disclosure of personal data in violation of any applicable policy.
Once submitted, the security incident will be investigated, and corrective actions implemented, as necessary.
Complete required training
Undertake and complete all required privacy and information security training.
Consequences in case of non-compliance
Non-compliance with the terms of this Policy may result in disciplinary action up to and including termination of employment or business relationship, as well as legal action.
15. Exceptions and Escalations
Any exception to this Policy must be reviewed and approved before it is implemented. The Head of Data Security may escalate any non-adherence or exception request to the Data Governance Council as needed.
The Legal and Compliance team is responsible for resolving questions about the appropriate interpretation of this Policy in light of legal and regulatory requirements. The Head of Data Security is responsible for resolving any escalated questions about the interpretation of this Policy other than those relating to legal or regulatory requirements.
16. Policy Status
This Policy remains the property of Hummingbird Hearing, which retains the right to review and amend it to reflect changes in its requirements without notice. It is the user’s responsibility to ensure compliance with this Policy.
This document is maintained and audited electronically and is uncontrolled if printed.