Privacy Policy

Introduction

Diligent Delivery Systems (“Diligent”) employs information technology for management and delivery of services to its employees, customers, and stakeholders. Diligent ensures the protection and privacy of information and systems by implementing and maintaining a privacy policy to ensure that proprietary information and private data processed are kept safe and secured in compliance with applicable privacy regulations. This policy aligns with the National Institute of Standards and Technology Privacy Framework (NIST CSF) and supports the Privacy Act of 1974, the Texas Public Information Act (Chapter 552, Texas Government Code), and other applicable state and local laws about information privacy.

This Privacy Policy describes how personally identifiable information (PII) and protected health information (PHI) are protected, collected, transmitted, modified, disclosed, stored, and destroyed across the Diligent Delivery Systems network infrastructure. This Privacy Policy ensures that Diligent personnel understand the rules governing the use of private data to which they have access in the course of their work.

This Privacy Policy also governs the control of removable media containing PII and PHI information to prevent unauthorized use, disclosure, modification, or destruction of Diligent data resources.

Definitions

Availability – ensuring timely and reliable access to and use of information.

Confidential Information – a classification that identifies sensitive information that, if disclosed, could damage the person or organization it relates to.

Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting private and proprietary information.

Consent – defined as the data subject's agreement, by a statement or positive action, to the processing of his or her private data, given through a clear affirmative act that is freely given, specific, informed, and unambiguous.

Data controller – defined as the legal entity that decides the purpose and means of a certain kind of processing of private data.

Data processor – defined as a legal entity that processes private data on behalf of the controller, i.e., not for its own purposes.

Data subject – defined as the natural living identified or identifiable person about whom we hold private data.

Private data – defined as any information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access, e.g., name, address, birth date, employee number, photographs, IP address, information about education, training, role and salary, sickness and leave records, health data, online activities, etc.

Integrity – guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

Private Information – information about a natural person that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial records, and medical or employment history, readily identifiable to that specific individual.

Personally Identifiable Information (PII) – any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, legal permanent resident, a visitor to the U.S., or employee or contractor of Diligent Delivery Systems.

Privacy Information – describes the privacy posture of an information system or organization.

Processing – defined as any operation or set of operations performed on private data, whether by automated means, e.g., collection, recording, organization, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction.

Protected Health Information (PHI) – individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity about the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).

Public Information – any information, regardless of form or format, that an entity discloses, disseminates, or makes available to the public.

Removable Media – portable devices that can be used to copy, save, store, and/or move data from one system to another (e.g., USB thumb drives, external hard drives, SD cards, etc.).

Sensitive Information – information where its loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act); that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Sensitive PII (SPII) – personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Scope

The Policy applies to:

  • Diligent executives, managers and employees, service providers, vendors, contractors, consultants, and commercial entities that supply, develop, implement, administer, or use the Diligent information systems.
  • Diligent information technology assets – [capital or leased, including communications capabilities, as well as contracted managed services (hosted, cloud, and/or shared services/SaaS solutions, etc.)]
  • Diligent internal and remote systems, and internet-based resources and capabilities (including social media), wireless and mobile devices.
  • Diligent collected PII and PHI stored throughout the Diligent network infrastructure, on removable media, databases, and any other forms of storage media used by the organization.

Governance of this Privacy Policy

This privacy policy is implemented and enforced by the Chief Information Officer (CIO)/Chief Information Security Officer (CISO), with support from the Diligent Information Technology and Cybersecurity Compliance departments. All employees are responsible for ensuring compliance with this Privacy Policy. The IT and Cybersecurity department is accountable for compliance enforcement.

All Diligent departments are required to incorporate best practices within their operations in accordance with this Privacy Policy. Periodically, the Cybersecurity department shall provide guidance on processes, techniques, procedures, and controls that achieve the objectives of this Policy.

The Diligent management group shall be responsible for the overall governance of the Privacy Policy and shall determine risk appetite for PII, PHI, and information systems to authorize necessary protection requirements.

Roles & Responsibilities

Diligent management is committed to information privacy. As such, Diligent has established this Privacy Policy. Implementation and enablement of Policy objectives are accomplished with the following defined roles:

ROLE

RESPONSIBILITIES

Chief Information Officer (CIO)/Chief Information Security Officer (CISO)

  • Responsible for Privacy Policies, standards, and procedures within Diligent Delivery Systems
  • Ensure compliance with this Policy.
  • Promote efforts within Diligent Delivery Systems to establish and maintain effective privacy controls with the information systems and assets.
  • Ensure information privacy risks to protected Diligent Delivery Systems information systems are adequately addressed according to privacy plans.
  • Review Privacy Risk Assessment for information systems
  • Ensure data owners understand their responsibilities for privacy within the information systems.
  • Provide oversight for correct execution of the system privacy plans and policies

Data Owners

  • Act as data and system privacy owner for the Diligent Delivery Systems information systems or delegate a data privacy owner for the information system.
  • Ensure that a Privacy Risk Assessment for Diligent Delivery Systems information systems is submitted for review periodically to the CIO/CISO or a designated alternate.
  • Ensure information security risks to protected Diligent Delivery Systems information systems are adequately addressed according to the Privacy Policy
  • Responsible for overall procurement, development, integration, modification, operation, maintenance, and disposal of privacy data in the information system
  • Determine the information system privacy categorization and data classification to ensure privacy protection requirements and risk levels in consultation with the CIO/CISO
  • Ensure creation and execution of required procedures and processes required to accomplish privacy policies, standards, and guidelines.
  • Maintain appropriate privacy and confidentiality consent, authorization forms, and notices. 

Exceptions to Policy

Exceptions to this policy may be granted on a case-by-case basis. A Request for Policy Exception Form shall be prepared by the requesting department, approved by the requesting department head or their designee, and submitted through the Cybersecurity department for review. Certain exception requests may require escalation to the executive management for review and risk decision. Periodic reviews of all granted exceptions shall be conducted by the CIO/CISO or designee to determine risk tolerance level.

Enforcement and Violation Handling

Enforcement of this policy shall be the responsibility of the stakeholders. As such, violations of this privacy policy shall be reported to the CIO/CISO. Diligent Cybersecurity shall conduct regular reviews and actively monitor for violations of this policy.

Violations may include, but are not limited to:

  • An act or event that exposes Diligent to actual or potential damage through the compromise of data and information systems privacy.
  • The unauthorized disclosure of PII, PHI, and/or private information hosted, stored, processed, or transmitted by Diligent or a third-party data processor contracted by Diligent.
  • The unauthorized use of Diligent Delivery Systems privacy data or resources, or the use of proprietary, private, PII, or PHI information systems for personal gain and/or unethical, harmful, or illicit purposes.
  • The theft, loss, unauthorized use or misuse, unauthorized disclosure, or unauthorized modification of private information managed by Diligent.
  • Unauthorized destruction, degradation, or denial of service of privacy information stored in Diligent information systems.

Personnel regulations require that employees abide by applicable privacy laws, regulations, and standards of conduct. Intentional violations, regardless of the number of violations, may result in disciplinary action up to and including termination. Diligent reserves the right to refer information privacy incidents to external authorities and to seek commercial and criminal legal action against personnel, contractors or third-party vendors that misuse Diligent information systems in a manner that violates privacy law and applicable policy.

Program Structure and Supporting Elements

The structure of this Privacy Policy is defined by the following regulations and guidelines. This family of documents collectively serves as the policies for protecting the Diligent information systems and technology.

Privacy Policy

The Diligent Privacy program is established by the scope, authority, governance roles, and responsibilities defined by this Privacy Policy and objectives aligned with the NIST CSF, Privacy Act of 1974, and other applicable state and local laws about information privacy.

Privacy Standards and Controls

Information Security Standards and the program controls are defined using the NIST Cybersecurity Framework. These standards and controls provide a companion component of the Privacy Policy to ensure that the Privacy Program meets all required security protections and regulatory compliance mandates.

Privacy Guidelines

The Privacy Program will utilize Information Privacy Guidelines issued by the Cybersecurity department to aid in the implementation of standards and controls for Diligent personnel and customers.

Policy Objectives

IDENTIFY

Diligent performs foundational activities for the effective use of the Privacy Framework. These activities include inventorying the circumstances under which data are processed, understanding the privacy interests of individuals directly or indirectly served or affected by Diligent, and conducting privacy risk assessments that enable Diligent to understand the business environment in which it operates and to identify and prioritize privacy risks.

Privacy Information Protection Impact Assessment and Controls

Diligent conducts privacy impact assessments on information systems in accordance with required and applicable privacy regulations. Diligent conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of PII, PHI, and private information processed, stored, or transmitted electronically.

Purpose:       Identify the risks associated with the confidentiality and integrity of privacy information (including electronic data) stored, maintained, processed, and transmitted by Diligent and provide privacy guidance.

Policy:          Diligent shall conduct a privacy risk impact assessment if a specific processing of private data (as carried out or intended) is likely to result in a high risk to the rights and freedoms of natural persons in accordance with required and applicable privacy regulations, and identify controls required to meet privacy regulations determined by the privacy impact assessment.

Privacy Information Management and Maintenance

Limiting management and maintenance of privacy information conforms to the requirements of applicable laws about information privacy.

Purpose:       Manage and maintain privacy information and confidential information on a need-to-know basis.

Policy: Diligent Cybersecurity shall manage and maintain PII, PHI and private information on individuals only as allowed by law and limit that information to what is relevant and necessary to accomplish a lawful purpose. The Cybersecurity department shall enforce the use of private information on a need-to-know basis and when a user’s job duties require it. The Cybersecurity department shall implement guidelines on how to protect private information and implement information classification based on the required classification marking. Cybersecurity shall implement guidelines on protection and non-disclosure of private information (as appropriate).

GOVERN

Governance focuses on privacy values and policies, identifying legal/regulatory requirements, and understanding organizational risk tolerance that is consistent with its risk management strategy and business needs.  Development and implementation of the Diligent Delivery Systems privacy governance structure enables an ongoing understanding of the risk management priorities that are informed by privacy risk.  

Purpose: Ensure private data are collected fairly and lawfully and for specified purposes. Ensure purpose limitation, data minimization, quality, and accuracy of PII, PHI, and private information collected or processed by Diligent.

Policy: Diligent shall safeguard PII, PHI, and private information and shall limit its collection to cases where it is necessary (i) for the performance of a contract with the data subject or to fulfill a request from the data subject, or (ii) to comply with a legal or regulatory obligation. Personal data may also be processed when it is necessary for the purposes of legitimate interest, such as maintaining Diligent operational security and managing risks.

Only personal information that is necessary for the specified purpose may be processed.

If a purpose changes over time, it shall be considered as a new processing activity that requires a separate legal basis. Further, private information shall be adequate, relevant, accurate, up to date, and limited to what is necessary in relation to the purposes for which it is collected. It must not be processed further in a manner incompatible with those purposes. If a certain data process requires prior consent by the data subject, Diligent Delivery Systems will collect such consent before carrying out the relevant processing activity. Therefore, in addition to the deletion routines, the Cybersecurity department shall ensure that reliable sources are utilized to collect data. Where relevant, Diligent Delivery Systems will allow the data subject to update his/her own personal data.

Use of private information such as personally identifiable information without authorization is strictly prohibited at Diligent Delivery Systems. Additionally, use of classified information on personal equipment is strictly prohibited. The use of unauthorized privacy data on the Diligent Delivery Systems information systems and networks should be avoided.

Purpose:           Provide oversight of third parties that collect, store, process, or transmit private information stored in third-party hosted IT systems, cloud infrastructure or cloud applications.

Policy: Private information of Diligent personnel may be shared with and processed by third parties or service providers on behalf of Diligent Delivery Systems as required for the provision of services to Diligent Delivery Systems. Privacy data may be disclosed to a third party if required to do so according to applicable laws and regulations or to detect and prevent fraud or other security or technical problems. Private information of Diligent personnel may be disclosed when under legal compulsion including, but not limited to, warrant, subpoena, and/or court order. Any and all such legal compulsions must be communicated to and coordinated with Diligent’s General Counsel. Additionally, Diligent may disclose personal information to a third party as required to provide employment benefits under the employment agreement with Diligent Delivery Systems.

COMMUNICATE

Diligent develops and implements appropriate activities to enable departments and individuals to have a reliable understanding of, and engage in a dialogue about, how data is processed and the associated risks. Diligent recognizes that both departments and individuals may need to know how data is processed to manage privacy risk effectively.

Privacy Awareness Training

Privacy awareness training programs ensure that education and awareness are provided to staff to communicate cybersecurity threats and expected actions.

Purpose:           Ensure that Diligent Delivery Systems personnel understand how to protect private information stored, processed, or transmitted by the Diligent information systems or by third parties with consistent security controls implementation.

Policy:              Diligent and affiliate personnel shall be provided privacy awareness education and adequate training to perform privacy-related duties and responsibilities consistent with related policies, procedures, and agreements.  Diligent will update the privacy education content to include new and evolving threats and train personnel on privacy policies and practices.

Purpose:           Ensure privacy notices are issued for Diligent owned or managed externally facing websites or information systems to ensure the information contained in privacy notices is kept up to date.

Policy: As regards private customers of Diligent Delivery Systems that are natural persons with whom Diligent has a direct relationship, information is provided to the customer in a privacy notice. As regards visitors to the Diligent website, an external website Privacy Policy or Privacy Notice shall be available at the website, which includes information on the use of cookies. Diligent Delivery Systems shall issue privacy notices for Diligent Delivery Services owned or managed externally facing websites or information systems that contain PII, PHI and/or privacy-related information.

Purpose:           Ensure adequate steps are taken for suspected or confirmed data breaches involving PII, PHI and/or privacy-related information stored, processed, or managed by Diligent Delivery Systems.

Policy:              A data breach is deemed to occur where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to private information processed (hereafter a “Data Breach”). If an employee or consultant suspects that a Data Breach may have occurred, the CIO/CISO shall be informed as soon as possible, without delay.

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject shall also be notified, without undue delay. The Cybersecurity department shall ensure that such notifications are carried out. However, the System or data owner shall assist and provide relevant information to the CIO/CISO. Furthermore, all breaches that occur shall be registered in a record of data breaches, which shall comprise the facts relating to the personal data breach, its effects, and the remedial action taken.

PROTECT

Diligent provides data protection to prevent cybersecurity-related privacy events and to enable synchronization between privacy and cybersecurity risk management.

Identity Management, Authentication, and Access Control

Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. Access controls help establish levels of authority that include IT administrators and privileged users, as well as normal employee business activities that use authentication to definitively identify users.

Purpose:           Protect important data by minimizing the risk of unauthorized access to information and systems.

Policy: The Diligent Cybersecurity team shall implement operational procedures and technical controls that limit access to information and systems according to the principles of need-to-know and separation of duty, i.e., users are granted the level of access and authority necessary for completing their official tasks. Access to physical and logical assets must be limited to authorized users, processes, and devices and must be managed according to the assessed risk of unauthorized access. The use of information, software, and hardware shall require authorization from the data owner/system owner specifying who can have access, under what circumstances, and the type of access.

Diligent shall follow industry standards on information security management to safeguard PII, PHI and private information.

To protect and limit the ingress and egress of privacy data, Diligent Delivery Systems Cybersecurity shall approve the security configuration of information systems, encryption modules, removable media used to store private information on Diligent Delivery Systems information systems and networks, and other applicable security controls necessary to support business requirements.

Purpose:           Maintain physical security for privacy information.

Policy: Diligent shall enforce physical access control through access control points (including designated entry/exit points) to the facilities or areas where information systems reside (excluding those areas within facilities officially designated as publicly accessible). Diligent shall verify individual access authorizations before granting access to facilities. Diligent shall control entry to facilities or areas containing information systems using physical access devices, cameras, and guards. Diligent shall control access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk. Diligent shall secure keys, combinations, and other physical access devices.

Diligent shall inventory physical access devices periodically. Diligent shall change combinations and keys periodically and when keys are lost, combinations are compromised, or individuals are transferred or terminated. Diligent shall conduct annual reviews to ensure confidentiality, integrity, and availability of private information collected.

Data Security and Continuous Monitoring

Data is considered a primary asset and should be protected according to its value. In addition, data requires protection from unauthorized or inappropriate access, use, modification, disclosure, or destruction. Information and records (data) require management consistent with the Diligent Delivery Systems risk strategy to protect the confidentiality, integrity, and availability of information. 

Purpose:           Data security ensures that data is protected in all its forms, on all media, and during all phases of its life cycle.  Privacy continuous monitoring ensures the utilization of private information for authorized use.

Policy:              Diligent shall require that information and records considered to be data are managed in accordance with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Diligent shall determine the data classification levels, sensitivity, and criticality of the information processed on Diligent Information systems to then ensure that required security protections are utilized. 

Diligent shall enforce information privacy monitoring in accordance with required and applicable privacy regulations.  A combination of administrative and technical controls will be implemented for continuous monitoring of these information systems.

Cybersecurity shall monitor for authorized use of privacy information on the Diligent Information Systems and enforce requirements outlined in this policy and supporting documents.

Information obtained during cybersecurity monitoring will be handled and retained in accordance with applicable federal and state laws, executive orders, directives, policies, regulations, standards, and operational requirements.

Removable Media Marking, Storage, and Transportation for Privacy Information

Diligent Information Security Policy and Standards establish documented procedures for marking, issuing as needed, restricting, storing, and transporting removable media. This policy restricts the activities associated with the storage and transport of such media to authorized personnel. The CIO/CISO or delegate is responsible for developing and implementing a removable media handling procedure that addresses the use, handling, procurement, and disposal of removable media at Diligent.

Purpose: Ensure that removable media with private information is labeled with the appropriate classification for storage (data at rest) and transportation (data in transit).

Policy: Diligent shall label removable media with private information while in storage and during transportation. Diligent shall restrict access to removable digital media with private information to authorized individuals while in storage and/or for use while transporting. Diligent Delivery Systems shall protect removable media with private information stored on it until the media is destroyed or sanitized using approved equipment, techniques, and procedures.

Removable Media Tagged Assets for Confidential and Privacy Data

Purpose:           Ensure that removable media or assets that use removable media are tagged.

Policy:               Removable media or assets that use removable media shall only be used by the asset owner or custodian upon approval by the CIO/CISO. Exceptions to this policy may be granted by the CIO/CISO or designee.

These exceptions may include assets used by departments that have shared resources and are required for shift work, and/or cases where the asset owner or custodian accepts the responsibility to continuously track and log removable media or assets which use private data.

Removable Media Sanitization and Destruction

The Diligent Information Security Policy and Standards including the Hardware Sanitization Procedures establish documented procedures for sanitizing removable media after privacy data no longer needs to be stored.

Purpose: Ensure that removable media with private information that meet sanitization and destruction requirements are sanitized or destroyed securely.

Policy: Diligent shall employ sanitization or destruction mechanisms with strength and integrity commensurate with the classification or sensitivity of the information. Diligent shall ensure removable media is properly sanitized or destroyed when the retention period is met or when no longer needed. Diligent shall follow the Hardware Sanitization Procedure (TBD).

Reporting Suspected Noncompliance

To help reduce the risks associated with insider or external threats, users are to report any suspicious activity regarding the use of PII, PHI and private data to their department manager, Diligent Cybersecurity department, or Physical Security.

References

Privacy Act of 1974

Texas Public Information Act (Chapter 552, Texas Government Code)

National Information Infrastructure Protection Act

National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Computer Fraud and Abuse Act of 1986