Adopted 30 March 2016
|Scope||This policy outlines Chapter policies with respect to the treatment of the personally identifiable information (PII) of the following individuals:
This policy does not describe Chapter policies with respect to personally identifiable information of employees, consultants, contractors, vendors, licensees, sponsors, or advertisers.
This policy applies to handling of personally identifiable information stored in all forms (whether on paper, electronically – including on computer hard drives, CD ROMs, removable flash drives – or otherwise) by Chapter. It does not describe the treatment of information by legally independent entities that may work with Chapter, including ISACA International.
This policy is for internal use by Chapter volunteers, employees and by others (such as contractors, vendors, committee members, and the like) who have access in the course of their duties for Chapter to PII (as defined below) maintained by or on behalf of Chapter.
|Responsibility and Accountability||For years 2016-2017 Arman Oramalov, CISA, CISM is responsible for Chapter’s privacy program and data security in the Chapter activities.|
|Notice||Chapter provides notice about its policies and practices relating to personally identifiable information and identifies the purposes for which information is collected, used, stored, shared, and secured. Chapter’s notice program includes the following elements:
|Collection||Chapter currently collects the following types of personally identifiable information in a variety of ways, including (for the purposes described in the “use” section of this policy): information as contained in the Chapter membership list, member-completed surveys, completed meeting critiques or other use by Chapter leadership as approved by the individual member. In the online environment, Chapter uses some common passive data collection mechanisms, including cookies. Chapter uses fair and lawful means to collect information, collects information using methods that have been reviewed and approved by the chapter designee responsible for the Chapter privacy program, and analyzes third-party sources of personally identifiable information to determine if those third parties are reliable data providers.
It is Chapter’s policy not to develop or acquire additional information about those individuals whose personal information is covered by this policy, unless it has obtained consent from those individuals. Certain exceptions apply, including to build behavioral profiles or to obtain information to verify applicants for courses or certification.
|Choice and Consent||To the extent feasible – keeping in mind Chapter’s legal obligations, business goals and resources – Chapter gives individuals choice about how their information will be used. This choice includes, for example, seeking consent and/or providing clear notice about use of personally identifiable information. Chapter informs individuals what choices they have about how information will be used, stored, or shared with third parties. The following are some representative examples of the types of situations when Chapter gives individuals choice or seeks consent: posting name in newsletters for certifications awarded, new member welcome, chapter or national events.
|Use||Chapter uses personally identifiable information it obtains for the following purposes:
|Sharing||Chapter shares personally identifiable information with third parties only for legitimate business purposes and as permitted by applicable law, rules and regulations. Instances when Chapter may share information include:
When sharing information, Chapter limits the amount and type of information shared to that which the other party needs or that is relevant to the other party.
If Chapter shares personally identifiable information with a vendor or other third party providing services on Chapter’s behalf, Chapter requires that the third party use the data as directed by Chapter and that it maintain the confidentiality and security of the data.
Chapter will take appropriate remedial actions if it becomes aware of any situation in which a third party misuses personally identifiable information.
|Completeness and Accuracy||Chapter relies on individuals to provide it with complete and accurate personally identifiable information, and in certain circumstances may require individuals to represent and warrant that the details they have provided are their own, are complete, and are accurate.|
|Retention and Disposal||Chapter’s current policy is to retain information for so long as it is needed by the business. Since most information is in continuous use, much is retained on an indefinite basis. When Chapter finds that it has extensive information it is not using, it will determine appropriate means to dispose of personally identifiable information in a secure manner in keeping with its legal obligations.
 Defined to include any information that could be used to directly or indirectly identify an individual, such as name, email or home address, phone number, as well as information that is maintained in connection with individually identifiable information, like credit card numbers, demographic information, and the like.