ExceQ SERVICES (PTY) LTD
CONFIDENTIALITY POLICY
POLICY TITLE: CONFIDENTIALITY POLICY
REVISION NUMBER: Ver 1 of 2024
EFFECTIVE DATE: 01 January 2024
RELATED POLICIES/PROCEDURES: IT Policy
I. TABLE OF CONTENTS
- I. TABLE OF CONTENTS
- II. ABBREVIATIONS
- III. DEFINITIONS
- 1 INTRODUCTION
- 2 PURPOSE
- 3 SCOPE
- 4 POLICY STATEMENT
- 4.1 CONFIDENTIAL INFORMATION SECURITY
- 4.2 USE OF CONFIDENTIAL INFORMATION
- 4.3 INFORMATION QUALITY
- 4.4 TRANSFER OF INFORMATION
- 4.5 BREACH NOTIFICATION
- 4.6 ARCHIVING OF RECORDS
- 5 RELEVANT DOCUMENTATION, POLICIES AND REGULATIONS
II. ABBREVIATIONS
Abbreviation | Phrase |
---|---|
GDPR | General Data Protection Regulations |
ISO | International Organisation for Standardisation |
IT | Information Technology |
PII | Personal Identifiable Information |
III. DEFINITIONS
Confidential Information: Information that is not publicly known which might include technology, business, finance, transaction, or other affairs of an organisation. It includes commercially valuable information such as trade secrets or business information, as well as personal information.
Confidentiality Declaration: Information that is not publicly known which might include technology, business, finance, transaction, or other affairs of an organisation. It includes information which is commercially valuable such as trade secrets or business information, as well as personal information. Some examples include Personal Information; matters of a technical nature; trade secrets; technical data; marketing procedures and information; financial information; strategic and business plans in any form, i.e., physical, electronic, electromagnetic or otherwise.
Privacy: Keeping certain personal information free from public knowledge and having control over its disclosure and use.
Processing: Any operation or set of operations which is performed on data whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1. INTRODUCTION
ExceQ Services is committed to the responsible collection and handling of confidential information. The primary use of such information is to provide value to our stakeholders during the delivery of our services. The organisation will ensure that the definition and planning of all new or significantly changed systems that collect or process confidential information are subject to due consideration of privacy issues. The development of this policy is informed by the ISO/IEC 27701 standard, which is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, and by the Botswana Data Protection Act.
2. PURPOSE
The purpose of this policy is to ensure ExceQ’s compliance with the relevant legislation and policies that require implementation of privacy and confidentiality principles in relation to collection and handling of confidential information. This policy should be read in conjunction with the ExceQ Data Protection Policy.
3. SCOPE
The policy applies to staff, contractors and suppliers who handle confidential information within ExceQ. All those covered by this policy will be expected to sign a Non-Disclosure Agreement (NDA) before handling any confidential information within ExceQ.
4. POLICY STATEMENT
4.1 Confidential Information Security
Confidential Information shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
4.2 Use of Confidential Information
ExceQ will only use confidential information for its intended purpose as required or permitted by law.
4.3 Information Quality
ExceQ will ensure that confidential information it collects, uses, or discloses is accurate, complete, and up to date.
4.4 Transfer of Information
ExceQ will not transfer confidential information outside its jurisdiction unless:
- It is necessary for the performance of a contract or duty.
- Reasonable steps have been taken such that the recipient will not use or disclose such information to a third party.
- Required by law.
4.5 Breach Notification
Where a breach of confidential information is known to have occurred and is likely to result in a risk to reputation, loss of revenue, or exposure of personal data, the relevant authority will be informed within 48 hours.
4.6 Archiving of Records
Confidential Information will be stored and archived for a period subject to the ExceQ Data Retention Policy or as required by law.
5. RELEVANT DOCUMENTATION, POLICIES, AND REGULATIONS
- ExceQ Information Security Policy and supporting policies.
- Botswana Data Protection Act 2018 or latest.
- Cybercrime and Computer Related Crimes Act 2018 or latest.
- Botswana National Cybersecurity Strategy.
- ISO/IEC 27001 and ISO/IEC 27701.