Introduction: Protecting the security and privacy of individuals’ personal data is a top priority for Pietos, and we are committed to protecting the privacy of our clients and their applicants and employees.
We hope the policy outlined below will help you understand what data Pietos may collect, how Pietos uses and safeguards that data and with whom we may share it.
Eligibility: Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who may need occasional access to data. Pietos always acts under the instruction of its Client, who will determine what personal data is collected and processed in order to provide the Services.
In order to provide the Services, and to ensure that any information reported back to a Client is accurate, personal data must be collected. We ask the client for the personal data that is required to perform the Services.
The types of personal data that may be requested could include:
Name and Former names - We ask for the name as it appears on the individual’s government-issued ID and also any names that they may also be known as, or have been formerly known by. This is important particularly where they may be known professionally by a name other than that shown on their government ID document.
Date of Birth - Collecting this information increases the accuracy of results provided by sources.
Contact Details - This is to ensure that Pietos can keep in touch with subjects during the provision of the Services. Pietos does not use their contact details for any other purpose and these details are deleted from the Services Platform in accordance with retention policies set by our Client.
Address History – Clients ask Pietos to perform verifications over a certain period of time (the “Search Depth”). Therefore Pietos needs the address history covering the search depth to identify in which locations certain searches are to be conducted. Collecting address history also increases the accuracy of results returned from sources.
Employment History – Clients require that this information be verified in accordance with the Search Depth.
Education History – Clients require that this information be verified and in most cases require the highest level of education achieved.
Referees - To support the verification of their employment history Pietos may ask the client to provide the contact details of a referee. They must always ensure that they have the referee’s consent to do so. These contact details are not shared with any third party.
ID Number - This may be required by sources from which information is obtained as the records kept by that source are associated with a government ID Number.
Gender - Some sources require that this information is provided in order to return results.
Supporting Documents – Pietos may ask clients to provide supporting documents during the course of the Services. These supporting documents may include a number of items and will depend on the type of Services requested by Pietos’s Client. By way of example they may be asked to upload (where lawful to do so) a copy of their government-issued ID; certificates showing professional qualifications; documents that verify any gaps in their employment history.
What personal data will be processed?
The personal data processed during the Services will be determined by Pietos’s Client. It is likely that Pietos’s Client will request that employment and education background be verified but may also request other bespoke services such as verification of any credit, criminal or open source information.
When does Pietos transfer data?
The personal data may be transferred in these circumstances:
To Pietos’s client in the form of a Screening Report at the conclusion of the Services;
To a third party in order to fulfil the Services. The third party may be located anywhere in India or outside India.
Each Pietos client has his own secure login and designated user of that account, including access rights to reports, to ensure maximum security of Screening Reports.
Third Party - The third parties are organisations, institutions, agencies or individuals from which information is collected for the purposes of fulfilling the Services only and may include local vendors, employers, educational establishments, referees, government agencies, courts, data providers or repositories (“Source” or “Sources”) or Pietos’s representatives (“Representatives”) who are performing specific research in connection with the Services (together “Third Parties”).
How do we ensure personal data is safe?
Pietos is committed to protecting clients’ and their employees’ personal data. Measures are in place to protect personal data from accidental loss and from unauthorised access, use, alteration or disclosure, and information security measures are in place, including access controls, physical security and robust information collection, storage and processing practices. Pietos also ensures that where electronic transfer of Personal Data to/from its representatives takes place, such transfers are also appropriately protected and are in compliance with relevant data protection legislation and in accordance with any instructions provided by a data source.
Pietos is ISO 27001 certified.
Does Pietos use the personal data for any reason other than the provision of the services?
No: your personal data is used only to provide the Services. Once the Services are completed personal data is archived in accordance with data retention periods.
How long is personal data retained for?
Pietos’s standard data retention policy on the Services Platform is 6 months from the date that the Screening Report is completed. However, a Client may set their own customised retention period.
How can an individual withdraw their consent for Pietos to process their personal data?
Any individual can withdraw or modify their consent for future collection or use of their personal information at any time.
In the event that they withdraw the consent Pietos will cease to process their personal data, whether that be all their personal data or a specific component to which the withdrawal of consent
Pietos will contact the relevant Client to notify them that consent has been withdrawn. Processing will only recommence if they reinstate their consent.
Pietos condemns the selling of information that assists in promoting “Identity Theft”
Protection of personal data is inextricably linked with privacy i.e. right of every person to enjoy his life and liberty without arbitrary interference with his private life, his family, his home or his correspondence etc. The word ‘private’ must be understood in contradistinction to ‘public’. Therefore, the right to be let alone and its protection is extremely important in the present obtrusive information technology age.
The Data Protection Act 1998 requires Pietos as data controller to process data in accordance with the principles of data protection. These require that data shall be: -
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
5. Not kept longer than necessary
6. Processed in accordance with the data subject’s rights
7. Kept securely
8. Not transferred to countries outside India without adequate protection.
Data may only be processed with the consent of the person whose data is held. Therefore if they have not consented to their personal details being passed to a third party this may constitute a breach of the Data Protection Act 1998.
However caution should be exercised before forwarding personal details of any of the individuals on which data is held to any third party such as past, current or prospective employers; suppliers; customers and clients; persons making an enquiry or complaint and any other third party.
In addition all employees should ensure that adequate security measures are in place. For example:
• Computer screens should not be left open by individuals who have access to personal data
• Passwords should not be disclosed
• Email should be used with care
• Physical files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
• Physical files should always be locked away when not in use and when in use should not be left
• Any breaches of security will be treated as a disciplinary issue.
• Care should be taken when sending personal data in internal or external mail
• Destroying or disposing of personal data counts as processing.
Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate. For example, it would be more appropriate to shred sensitive data than merely to dispose of it in the dustbin. It should be remembered that the incorrect processing of personal data, e.g. sending an individual’s details to the wrong person; allowing unauthorised persons access to personal data; or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against Pietos for damages from a client, subject or client contact. A failure to observe the contents of this policy will be treated as a
BUSINESS MONITORING AND SECURITY: We undertake processing activities during your employment which are designed to ensure that our business operations are protected. These activities include monitoring both the behaviour and activity of our employees and the use of our systems. This includes CCTV, call recording, email filtering and other monitoring activities, including the use of software or other tools.
This will also include investigations into security or compliance concerns, as appropriate. To run the processes set out above, we process Staff related data, Data related to your engagement with the Company, Recruitment data, Regulatory data, Vetting data, Remuneration and benefits data, Leave information, HR processes data, Monitoring data (to the extent permitted by applicable laws) and Employment claims, complaints and disclosures data.
We may also incidentally process special categories of personal information, and criminal records information, to the extent permitted by applicable laws.
We carry out these activities to protect our business. In particular, we do so in order to ensure compliance with applicable laws and Company policies and procedures, to monitor use of the Company’s IT systems and to manage the activities and behaviour of our employees.
SUPPLIERS AND SUB CONTRACTORS
As such we process their personal information as needed to administer and manage such supplier or subcontractor's relationship with the Company and maintain the general records necessary to do
Communicating with them in connection with the relevant supplier or subcontractor's business with us
Contacting them to obtain pricing information and to finalise the procurement process regarding the supplier's goods and services
Facilitating payment for goods and services
Creating, managing and maintaining supplier databases, including organisational charts
Keeping records and audit information relating to our suppliers or subcontractors, including minutes of meetings and other notes
Supplier due diligence: Before we engage with any new supplier or subcontractor, we undertake due diligence to ensure that the supplier or subcontractor is appropriate and that any associated risk is identified and managed effectively.
This includes, where relevant and appropriate, vetting activities for individuals associated with such suppliers or subcontractors. These vetting activities may include credit checks, identity fraud checks and criminal record checks (if and to the extent permitted by applicable laws).
Supplier Training: We undertake checks and manage records to ensure that our suppliers and subcontractors have appropriate qualifications and training to ensure safe working on our sites.
Pietos will obtain assessments from a qualified, objective, independent third-party, who uses procedures and standards generally accepted in the profession to assess Pietos’ administrative, technical, and physical safeguards, as appropriate.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.