Confidentiality
The Volunteer agrees to:
Acknowledge receipt of, and thereby adhere to, the GSEMA Comprehensive Information Security Program (CISP) which was developed, adopted and implemented by GSEMA to create effective administrative, technical and physical safeguards for the protection of personal information (defined as name, address, telephone numbers, credit card numbers, bank account information, social security numbers or other sensitive data) regarding residents of the Commonwealth of Massachusetts or citizens or individuals residing in the European Union (EU) that is collected, used, maintained, stored or transmitted by our organization and to comply with our organization’s obligations under the Massachusetts Data Security Laws and Regulations, the Federal Trade Commission’s so-called Red Flags Rule and General Data Protection Regulations (GDPR), which is a comprehensive European privacy law governing personal data for citizens or individuals residing in the EU. The policies, procedures and safeguards identified within this Program are specifically designed to secure and protect personal information from both internal and external risks.
Specifically, the Volunteer understands that their responsibilities under the CISP include, but are not limited to:
- Use of Personal Information by our workforce/volunteer base:
  - May not use or access personal information collected, used, maintained, stored and/or transmitted by our organization for any purpose other than to fulfill their assigned responsibility.
  - May not disclose or transmit, intentionally or unintentionally, directly or indirectly, any personal information collected, used, maintained, stored and/or transmitted by our organization to any third party unless such disclosure or transmittal is required to fulfill such individual’s assigned responsibility.
  - The amount of personal information collected, used, maintained, stored and/or transmitted by our organization shall be limited to that amount reasonably necessary to accomplish our legitimate business purposes or necessary to comply with applicable state laws, federal laws and the GDPR.
  - Personal information shall be retained only for such period of time that we reasonably need such information to accomplish our legitimate business purposes or is necessary to comply with applicable state or federal laws or regulations. The Chief Information Security Officer shall periodically, and at least annually, purge or remove or direct the purging or removal of personal information from records maintained by our organization which is no longer necessary for us to accomplish our business purposes or to comply with applicable state or federal laws or regulations. The Chief Information Security Officer shall maintain written documentation of the purging or removal of any unneeded personal information.
  - Access to records containing personal information shall be limited to those members of our workforce/volunteer base who are reasonably required to know or have access to such information in order to accomplish their responsibilities. Members of our workforce/volunteer base who do not need access to personal information regarding a member of our workforce or a customer shall not seek access to such information and shall not examine such information if they come into contact with such information outside the scope of their responsibilities.
  - Only employees, volunteers or contracted individuals that require access to our computer system to fulfill their job responsibilities shall have access to our computer system. Access to our computer system shall be restricted by the issuance of individualized user ID names and passwords.
  - Any member of our workforce/volunteer base who has been terminated or their contract or agreement has expired, voluntarily or involuntarily, shall no longer have physical access to any records maintained by our organization containing any personal information effective immediately upon such termination.
- Hard-Copy Records Containing Personal Information
  - Members of our workforce/volunteer base are not permitted to take hard-copy records containing personal information off of our premises, unless authorized by the Chief Information Security Officer and necessary for such individual to fulfill their job responsibilities. If a member of our workforce/volunteer base takes hard-copy records containing personal information off our premises for any reason, whether authorized or not, such person shall maintain such records in a secure fashion (i.e., locked briefcase, placed in a locked car trunk, etc.) and shall be responsible for ensuring that no third party (including family members or friends) has an opportunity to view or copy such records. Such hard copy records shall not be copied and shall be returned to the office as soon as practicable.
  - No member of our workforce shall transmit a copy of any hard-copy record containing personal information by facsimile or electronic transmission unless such transmission is specifically within the individual’s authorized scope of work. The person sending the facsimile or electronic transmission shall take steps to verify the appropriate recipient received the transmission.
- Any member of our workforce/volunteer base who violates any part of the CISP or fails to fully comply with any Data Security Policy or Procedure contained in the CISP shall be subject to disciplinary action, up to and including termination of employment or contractual termination, all in accordance with our personnel policies and procedures as in effect from time to time. Independent contractors and other non-employees, including volunteers, who violate the relevant portions of the CISP or fail to comply with applicable Data Security Policies or Procedures, are subject to appropriate action by our organization, up to and including termination
It is my responsibility to familiarize myself with the contents of the CISP. I acknowledge, understand, accept and agree to comply with the information contained in the CISP provided to me by GSEMA. I understand that the CISP is not intended to cover every situation that may arise during my tenure, and that GSEMA reserves the right to modify the CISP in accordance with legal requirements at any time and without notice based upon business needs and conditions.