1. INTRODUCTION

Protection of personal data/protected health information (PHI)/personally identifiable information (PII) is important to Indegene and its clients.

Indegene has established this Data Privacy Policy to protect and control collection, processing, storage, and/or transmission of such data.

This policy is intended to be shared with our clients, vendors, business associates and employees so that they are aware of the policies and practices with respect to personal data/PHI/PII managed by Indegene as part of any services delivered.

 

2. DATA PRIVACY POLICY

Indegene is committed to protecting personal information in accordance with its responsibilities under various regulatory frameworks and individual rights. As a healthcare solutions company, Indegene's leadership, management, employees and its business associates shall strive to protect personal information by:

  • Identifying internal and external interested parties and the extent to which they are involved in the governance of the organization's personal information management system

  • Providing best-in-class resources and methods to process personal information lawfully, fairly and in a transparent manner in relation to the rights of data principals or data subjects

  • Safeguarding the personal information by collecting, processing, storing and transmitting in forms that permit identification of individuals for nothing other than explicit, specified purposes

  • Providing clear information to natural persons (including special safeguards while collecting information from children) about how their personal information can be used and by whom; and by respecting individuals' rights in relation to their personal information

  • Assuring that further processing or archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes

  • Processing in a secure manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage

  • Taking adequate steps to establish that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  • Taking reasonable steps to ensure accuracy of the personal information

  • Following best practices for safe data storage, transmission and destruction

  • Implementing appropriate backup and disaster recovery systems

  • Responding to personal data breaches in the most appropriate and fastest manner possible: In events such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Indegene shall promptly assess the risk to individuals' rights and freedoms and report such breach to the Data Protection Cell (refer to Section 5: Governance Structure for Personal Data Protection) for taking further actions as per the regulatory requirements

General Provisions to This Policy:

  • Applicability: This policy is applicable to all personal information processed at Indegene.

  • Ongoing Compliance: The Data Protection Cell shall be responsible for Indegene's compliance with this policy.

  • Cognizance: This policy shall be made available to all employees and associates of Indegene as documented information and shall also be communicated appropriately. All of Indegene's employees, its associates, and interested parties shall be made aware of this policy effectively.

  • Review: This policy shall be reviewed at least once annually.


3. SCOPE

  • This policy applies to all personal data/PII and PHI processed by Indegene.

  • This policy would be relevant to all applicable services or projects managed for Indegene's clients.

 

4. DEFINITIONS

 

Term: Definition

Business Associate Agreement: Refers to the agreement between the business associate (Indegene) and the covered entity.

Business Unit (BU): Refers to different departments in Indegene.

Covered Entity: Refers to an organization that routinely handles personal information, PII, and PHI.

Data Protection Officer (DPO): Refers to the person heading all data privacy-related programmes and initiatives within the organization.

Engagement: Refers to the project, programme or engagement conducted or performed by Indegene on behalf of its clients or covered entity.

Electronic Protected Health Information (EPHI): Refers to all individually identifiable health information that is created, maintained or transmitted electronically.

General Data Protection Regulation (GDPR)/(EU) 2016/679: Legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Health Insurance Portability and Accountability Act (HIPAA): Act of 1996 that specifies laws for the protection and use of personal (or protected) health information (PHI), which is essentially an individual's medical records.

Personally identifiable information (PII): Refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered as PII. Any information about an individual's identity such as their name, social security number, date and place of birth, mother's maiden name and biometric records can be considered as PII. PII also can constitute “PHI” under HIPAA Act of 1996.

Privacy Rule: Refers to the part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.

PHI: Refers to any information that identifies an individual AND relates to:

  • The individual's past, present or future physical or mental health; OR

  • The provision of healthcare to the individual; OR

  • The past, present or future payment for healthcare.

Privacy Single Point of Contact (SPOC): Refers to the person monitoring the personal data/PII/PHI management under each BU.

Security Rule: Refers to the part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.

SPOC: Refers to the single point of contact/point persons.

Online Channel: Preselected website that can automatically send updated information for immediate display or viewing on request.

Special categories of personal information: The following types of data are categorized as special categories of personal information:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade-union membership

  • The processing of genetic information

  • Biometric information for the purpose of uniquely identifying a natural person

  • Information concerning health or information concerning a natural person's sex life or sexual orientation.

High-risk personal information: The following types of data are categorized as high-risk personal information:

  • Special category personal information

  • Personal bank account and other financial information;

  • National identifiers, such as national insurance numbers;

  • Personal information relating to vulnerable adults and children;

  • Detailed profiles of natural persons (including children); and

  • Sensitive negotiations which could adversely affect natural persons.


5. GOVERNANCE STRUCTURE FOR PERSONAL DATA PROTECTION

Data Privacy Cell

Indegene shall ensure appropriate governance of personal data/PII/PHI. In pursuance of this objective, a personal data privacy cell has been structured as shown below:

The data privacy cell consists of the DPO and all the BU-SPOCs. Its purpose is:

  • To identify personal data/PII/PHI under all operations and projects across Indegene

  • To analyze risks and implement control measures to protect personal data/PII/PHI

  • To provide a support framework to manage the rights of data subjects

  • To address requests and grievances of data subjects

  • To ensure compliance with the data privacy requirements of data controllers

  • To ensure compliance with various legal and regulatory requirements across jurisdictions

  • To provide adequate measures for data privacy with processors/subprocessors as required

  • To provide for appropriate technology and operational controls for transfer/import/export/storage/destruction of personal data/PII/PHI


The summary of proceedings of data privacy governance shall be discussed in the quarterly Information Security Group review meeting.

6. SOURCES OF PERSONAL DATA/PII/PHI

The methods and technologies by which the personal data/PII/PHI are collected are as follows:

Collection of Personal Data/PII/PHI Directly From the Individual

In the instance where Indegene collects personal data/PII/PHI about an individual, measures shall be taken to respect the privacy preferences of the individual.

Engagements/Programmes/Projects 

Personal data/PII/PHI is collected from participants in an engagement who access Indegene websites, portals, platforms, etc. We may collect additional information relating to an individual's participation in Indegene programmes. Please note that we also collect personal data/PII/PHI relating to an individual at the time of enrolling in an Indegene programme, as well as in the course of allocating and issuing a unique ID and password to access the Indegene websites, portals, platforms, etc.

Automatic Collection of Information

When an individual visits an Indegene website, we automatically collect and analyze certain information about the individual's computer. This information includes, but may not be limited to, the Internet Protocol (IP) address used to connect the individual's computer to the Internet, information about the browser type and language, the date and time the individual accessed the website, the content of any undeleted cookies that the browser previously accepted from Indegene and the referring website address.

Cookies and Other Technologies 

We use various technologies to collect information on an Indegene website.

Cookies: When an individual visits an Indegene website, we may assign the computer one or more “cookies.” A cookie is a small text file that contains information that can later be read by Indegene to facilitate access to the site and personalize the online experience. For example, when an individual signs into an Indegene site, we may record his/her user ID in a cookie file on the individual's computer. In addition, through the use of a cookie, we may automatically collect information about the online activity on Indegene site, such as the web pages visited, the links clicked and the searches conducted. Most browsers automatically accept cookies; however, an individual can usually modify the browser setting to decline cookies by visiting the Help section of the browser's toolbar. If an individual chooses to decline cookies, please note that he/she may not be able to sign in or use some of the interactive features offered on Indegene websites.

Other technologies: Indegene may use standard Internet technology such as Web beacons (also called clear GIFs or Pixel tags) and similar technologies, to deliver or communicate with cookies and track usage of Indegene sites. We may also include Web beacons in e-mail messages or newsletters to determine whether messages have been opened and acted upon. The information we obtain in this manner enables us to customize the services we offer and measure the overall effectiveness of our online content, advertising campaigns, and the products and services offered through the website. Also, we use cookies to provide social media features, and to analyze our traffic.

7. MANAGING DATA PRIVACY RIGHTS IN PROJECTS

The scope of business at Indegene does not require us to disclose personal data/PII/PHI to any parties outside the designated programme area except for legal and statutory obligations.

Before the initiation of a project, we ensure that:

  • The business SPOC is informed about the project/programme

  • Contract-specific clauses for the project/programme are reviewed and monitored

  • Risk analysis and treatment are carried out for the complete programme/project, and contingency and mitigation measures are put in place

  • Every member of the programme/project is responsible for ensuring that the PII/PHI is kept confidential

  • Access to all or part of the PII/PHI is restricted based on each member's role in the engagement

  • The covered entities that are to be provided access to the PII/PHI in a de-identified format are recognized

  • Any third parties who have access to the PII/PHI comply with Indegene's policies and give proof of compliance

  • The respective privacy SPOC of the team provides reports to the DPO on updates, problems, and breaches with regard to PII/PHI

  • The BU SPOC ensures that all the team members are trained on the do's and don'ts of handling the data


8. MANAGING DATA PRIVACY RIGHTS FOR PERSONAL DATA/PII/PHI COLLECTED FROM WEBSITES AND OTHER ONLINE CHANNELS

In general, any individual may access Indegene websites or online channels without providing any personal information about themselves. However, we collect certain information such as:

  • Information that is provided via our websites, including information provided when an individual registers on our website, for example, name, email address, designation, company, country and telephone number

  • Information about an individual's computer, visits and the use of Indegene websites, such as IP address, demographics, computer's operating system, and browser type and information collected via cookies.