Mahindra United World College of India (“MUWCI”) respects the privacy of individuals and is committed to protecting personally identifiable information. This General Data Protection Policy (“Policy”) sets forth basic principles by which MUWCI shall lawfully process personal data of all individuals including employees, volunteers, alumni, students, consultants, and other service users and indicates their responsibilities while processing such data. This Policy addresses different activities undertaken by MUWCI and puts in place appropriate safeguards that shall ensure that processing of personal data is carried out in accordance with applicable data protection and privacy laws (“Applicable Laws”).
Scope and applicability
This Policy applies to all defined processes of MUWCI where personal data is collected, stored, processed, or transferred in electronic or paper formats. This Policy is to be followed not only internally by employees including temporary staff, but also by all MUWCI service providers, business partners and consultants while processing personal data on behalf of MUWCI. In case there is any conflict between provisions of law and this Policy, the stricter of the two shall prevail.
MUWCI shall adhere to the principles relating to processing of personal data as required by Applicable Laws. Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject and shall not be processed unless specific conditions are met;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects and for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
MUWCI shall define and document a privacy governance organization structure and related roles and responsibilities. An individual with the required expertise and reporting directly to the highest management level in MUWCI shall be appointed as the Data Protection Officer (DPO)/Data Protection Representative (DPR). MUWCI shall develop and implement privacy related policies like data protection notices, consent management policy and procedures for data subject rights, data protection impact assessment, register of processing activities, data breach policy and notification, etc.
UWC International Data Protection Policy - as approved by the UWC International Board in July 2016, updated paragraph 2 as of 2 October 2017, updated the name of the Data Protection Officer as of 15 October 2021
This Policy shall be reviewed regularly and approved by the Board to address any changes in the regulatory, legal, organizational or privacy landscape. MUWCI shall ensure dissemination of this Policy across all levels in the organization.
MUWCI shall notify data subjects, through a privacy notice, about the purposes for which it collects, processes, stores and/or discloses their personal data. Such notice shall be communicated in a clear, easy-to-understand manner. The notice shall disclose:
- the type of personal data that is collected.
- the purpose for which the personal data is collected.
- the legal basis of processing
- if personal data is collected by or disclosed to third parties, a statement of this fact and the purposes for doing so.
- rights of the data subjects with respect to their personal data
- how long MUWCI shall retain personal data
- how to contact MUWCI in case of any query, correction, complaint, or dispute.
MUWCI shall also consider what other information should be included in any specific privacy notice. Where feasible, MUWCI shall provide notice to data subjects before collection of personal data. The privacy notice shall be linked to or displayed at relevant points of data collection.
MUWCI shall obtain consent from data subjects where legally required in accordance with Applicable Laws. MUWCI shall consider the following points while designing necessary procedures and privacy statements for each type of processing where consent is required:
- Prior to obtaining consent, has the data subject received specific and sufficient information on and clearly understands why his or her personal data is needed, how it will be used, for what purpose(s) his or her personal data will be processed and with whom it will be shared so that MUWCI gets an unambiguous indication of the data subject’s wishes.
- Has the data subject been informed that it is as easy to withdraw consent as it is to give consent.
- Has new consent been obtained from the data subject if personal data will be used for a different purpose than originally disclosed to the data subject.
- Has the data subject understood what the consequences would be, should he or she decide not to give consent to processing his or her personal data.
- Has the data subject given a statement or a clear affirmative action signifying agreement to the processing of his or her personal data.
- Is the data subject competent enough to give the required consent and has the consent been freely given without any duress.
- Have additional safeguards been provided that may be required and which may vary from country to country.
Data collection and usage
MUWCI shall process personal data where needed to carry out its legitimate activities with appropriate safeguards. The term “processing” or “processes” or “process” or “processed” includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
MUWCI shall process:
- personal data which includes any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- sensitive personal data which includes personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation or alleged or actual criminal offences.
Where personal data is processed, at least one of the following conditions shall be met:
- The data subject has given consent to processing of personal data for one or more specific purposes;
- processing is necessary for performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which MUWCI is subject;
- processing is necessary to protect the vital interests of the data subject;
- processing is necessary for the administration of justice, for the exercise of any functions of government or any other functions of a public nature exercised in the public interest or in the exercise of official authority vested in MUWCI as the controller;
- processing is necessary for the purposes of legitimate interests pursued by MUWCI or by a third party to whom personal data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.
MUWCI acknowledges that it shall largely (but not solely) rely upon the first two conditions.
Sensitive Personal Data
Where sensitive personal data is processed, at least one of the following conditions shall also be satisfied:
- The data subject has given explicit consent to the processing of personal data for one or more specified purposes;
- processing is necessary for the purposes of exercising or performing any right or obligation that is conferred or imposed by law on MUWCI in connection with employment;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;
- processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), obtaining legal advice, or for the purposes of establishing, exercising or defending legal claims;
- processing is necessary for medical purposes and is undertaken by a health professional or a person who in the circumstances owes a duty of confidentiality that is equivalent to that which would arise if that person were a health professional;
- In the case of processing information on racial or ethnic origin, the processing is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained and is carried out with appropriate safeguards for the rights and freedoms of data subjects.
MUWCI acknowledges that it shall largely (but not solely) be relying upon the first condition.
Data retention, storage and security
MUWCI shall retain and store personal data either to pursue its legitimate interests or to fulfill a contract or based on data subjects’ consent or a legal requirement subject to the implementation of appropriate technical and organizational measures. Security measures include:
- Industry standard firewalls and other network security features such as well encrypted cloud or physical server systems
- Clear guidelines for staff and volunteers on device and network security with expectations placed on them
- Robust data backup and recovery processes provided by leading industry suppliers
- Periodic security audits of online systems.
MUWCI shall follow reasonable processes and procedures to keep personal data accurate, complete, and up to date as needed for the purposes for which it was collected. Records relating to data subjects shall only be accessible to authorised staff and volunteers as is necessary for them to perform their job functions. Records shall be stored for as long as is required for legitimate purpose(s) and shall be disposed of appropriately. MUWCI shall ensure that all personal and non-personal data is non-recoverable from any electronic or paper systems previously used within the organization.
In case of accidental or unauthorised access, MUWCI shall notify the supervisory authorities, management, and the data subjects if there is likely to be a high risk to the rights and freedoms of the data subject because of the personal data breach.
MUWCI shall provide training on Applicable Laws to ensure that this Policy and other specific procedures relating to processing of personal data are understood and followed by staff and volunteers. Everyone processing personal data must understand that they are contractually responsible for following good data protection practices. All staff and volunteers shall be made aware that a breach of Applicable Laws shall lead to strict disciplinary action being taken against them.
Rights of the Data Subjects
As prescribed by Applicable Laws, taking into consideration the exemptions laid out therein, MUWCI shall upon the data subjects’ request allow them to exercise their rights in relation to their personal data and how it is processed after confirming their identity. In case some of the requests cannot be fulfilled, MUWCI shall provide a justification for the same. MUWCI shall take appropriate measures to process requests from data subjects within the prescribed timelines by providing them with information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language in the prescribed form.
Disclosure and Onward Transfer
MUWCI shall only disclose personal data to third parties who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing of personal data meets the requirements of Applicable Laws and ensures the protection of the rights of the data subject for the legitimate purposes. MUWCI shall require third parties to adhere to a baseline of privacy and information security controls through standard contractual clauses or data processing agreements. MUWCI shall be responsible to ensure that the third party complies with this Policy in letter and in spirit.
Monitoring and Enforcement
MUWCI shall:
- inform employees, volunteers, alumni, students, consultants, and other service users as to how they can contact MUWCI in case of any concerns, queries, or complaints about MUWCI's privacy practices.
- acknowledge, formally document, investigate, address, and respond in a timely manner to complaints or personal data breach notifications that are received.
- regularly perform compliance assessments of MUWCI's privacy practices to ensure that they conform to this Policy and related standards as well as to Applicable Laws.
In the event of a personal data breach, as per Applicable Laws, MUWCI shall communicate to relevant stakeholders including data subjects, without undue delay, after becoming aware of a breach which is likely to result in high risk to the rights and freedoms of natural persons, to allow them to take the necessary precautions. Where such notification cannot be communicated without a certain delay, MUWCI shall provide reasons for the same.
Under certain limited or exceptional circumstances, MUWCI may, as permitted or required by Applicable Laws, process personal data without providing notice or seeking consent. Examples of such circumstances may include:
- investigation of specific allegations of criminal activity;
- protecting employees, public or MUWCI from harm or wrongdoing;
- co-operating with law enforcement agencies such as supervisory authorities;
- to comply with legal obligations;
- auditing financial results or compliance activities;
- meeting and/or responding to legal or insurance requirements/processes or defending legal claims or interests.
Roles and Responsibilities
Everyone working for and on behalf of MUWCI is responsible for ensuring that personal data is processed in accordance with Applicable Laws. Key areas of responsibilities for processing personal data lie with the following organizational roles:
- The Board of Directors shall decide and approve MUWCI strategies on personal data protection.
- The Data Protection Officer (DPO)/Data Protection Representative (DPR) shall monitor compliance with Applicable Laws and shall be responsible for development and promotion of end-to-end personal data protection policies and processes including assignment of responsibilities, training of staff and related audits, among other tasks.
- updating and disseminating notices, policies, procedures, standards, and guidelines related to privacy
- training of staff on their roles and responsibilities with respect to privacy; and
- monitoring performance of the privacy program and compliance with this Policy and Applicable Laws.
- The Legal Department along with the DPO/DPR, shall monitor and analyse changes in Applicable Laws, develop compliance requirements, and assist various functions in complying with Applicable Laws.
- The IT Security team shall be responsible for:
  - ensuring all systems, services and equipment used for storing personal data meet acceptable security standards.
  - performing regular checks and scans to ensure that the hardware and software is functioning properly and securely.
- Privacy Operational Liaisons shall be responsible for:
  - reporting to the Privacy Office and functional teams.
  - helping to implement privacy requirements and privacy policies within functions.
The responsibility for operational implementation of this Policy lies with the respective functions processes and related departments and privacy representatives.