For purposes of this policy, confidential information includes personal identifiable information about employees or customers, such as social security numbers, driver’s license numbers, birth dates, personal addresses, financial account information (such as bank accounts), phone numbers, medical information, and insurance information.
All of our employees must respect and comply with this policy as well as any related policies from the Ajinomoto Group. In addition, all employees must also comply with all related legal requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), state laws related to confidential information, and the European Union’s General Data Protection Regulation (GDPR).
Our CEO will appoint a privacy officer. As of the publication of this policy version, our privacy officer is Leora Coleman-Fire, Associate General Counsel, based in Portland, OR. Others may also be appointed to support the privacy officer.
The privacy officer’s responsibilities include:
1. Developing and implementing overall data privacy and security policies and procedures;
2. Working with company management to ensure compliance with the policies and procedures;
3. Conducting audits to monitor privacy compliance;
4. Ensuring compliance with HIPAA, GDPR, and other laws that apply to the company’s information-gathering functions;
5. Coordinating with the company’s IT group to implement appropriate electronic safeguards to protect confidential information; and
6. Performing any other tasks assigned by our CEO or other relevant management personnel.
The company has implemented the following administrative, physical, and technical safeguards to protect confidential information.
As a company, we can only accept personal confidential information where (i) the information is necessary for us to perform our contracted functions and (ii) the individual has consented. Only employees who need to know confidential information in order to perform their assigned company responsibilities and who have been approved to handle confidential information may have access to confidential information. All of these employees must first receive appropriate training by the privacy officer (or designee) and sign appropriate confidentiality agreements. These employees must ensure that the confidential information they access is only the minimum necessary to accomplish their assigned responsibilities. For example, an individual’s entire file should never be disclosed unless it has been specifically justified and approved by the privacy officer (or designee). The company will limit employees’ access to confidential information in order to avoid unauthorized access.
The company will provide all necessary training to employees to ensure that they are informed and up to date on all privacy policies and procedures. Training will be provided under the direction of the privacy officer. No employee may handle confidential information unless they have been adequately trained. Only trained and authorized employees with a reasonable and demonstrable need to use, disclose, create, receive, maintain or access confidential information will have access to confidential information.
Social Security Numbers
We must be especially careful with the social security numbers of our employees and customers. To this end, we will not:
1. Require individuals to provide social security numbers over the Internet or other computer network unless the connection is secure, the transmission is encrypted, or a password is used;
2. Publicly display or divulge any part of a social security number;
3. Use any part of a social security number as a primary account number or other identifier;
4. Disclose any part of a social security number except as permitted or required by applicable law; or
5. Print any part of a social security number on a receipt or other document issued by the company.
Wherever possible, we will save personal confidential information in a digital format and not on paper. Paper files containing confidential information must be scanned and saved in an appropriate and protected location as soon as possible after receipt. Paper files that are retained for any reason must be safeguarded while they are being used and kept in a designated locked filing cabinet when they are not being used. Mail personnel must be trained not to access confidential information that comes in the mail. Faxes received or documents printed that contain confidential information may only be handled by trained and approved employees.
Electronic documents containing confidential information must be stored in digital locations that require access by password. Employees must log in to the applicable system and application when they need access and log out afterwards.
From time to time, it may be necessary for us to disclose confidential information to a third party, such as a government agency or insurance company. In these situations, it is imperative that the employee receiving the request provide the request to an employee who is authorized to access and transmit confidential information. Next, this authorized employee must verify that the request comes from an authorized and legitimate source. If it does, the next step is to determine whether the requested disclosure requires authorization per company guidelines and, if so, to obtain the authorization before making the disclosure. All disclosures must be recorded in our company disclosure log.
If an authorized employee intends to use, disclose, create, maintain, store or transmit confidential information regarding individuals in the United States outside of the United States, the employee must first obtain written permission from the privacy officer. Note that the use, disclosure, creation, maintenance, storage or transmittal of confidential information outside of the United States may require written permission from agencies within the United States and additional safeguarding measures. Therefore, access or use of confidential information outside of the United States regarding individuals in the United States is generally prohibited.
We will conduct an annual security risk assessment (and more often than that, if needed) to ensure the best protection for our confidential information. Our privacy officer will be responsible for the schedule and content of these assessments.
Vendors & Subcontractors
Our company has a physical security plan for all of our locations at all times. The security plan includes (i) an up-to-date list of all employees and their ID card numbers, (ii) a list of all hardware, storage cabinets, and other locations where confidential information may be stored, and (iii) a process for using and updating this information.
Employees must follow the company’s guidelines for safeguarding workstations. The guidelines (i) allow each workstation to be accessed by only the employee assigned to it, (ii) require a password to access each workstation, and (iii) do not allow access to workstations by visitors.
Confidential information stored on electronic systems and devices must not be accessible without a password. Passwords must be strong and must be changed on at least a quarterly basis.
Our IT department is responsible for implementing and maintaining our electronic systems and procedures to ensure privacy. In coordination with the privacy officer, the IT department will conduct periodic audits to ensure data security and privacy. The IT department will implement a backup process for all data stored by the company. The process should allow the company to continue to conduct business despite the loss or destruction of electronic systems or data and should include storing backup data in off-site, secure locations.
Where required by law, we must encrypt and decrypt confidential information when we send or receive it by electronic transmission.
We will work hard to ensure this will never happen, but in the unlikely event of a security breach, the privacy officer and CEO must be notified immediately. Under the direction of the privacy officer, we will (i) identify and respond to the incident, (ii) mitigate harmful effects as much as possible, and (iii) document all steps taken. In some situations, we will be required to report data breaches to the affected individuals and to appropriate government authorities, as determined necessary by the privacy officer.
The company will retain confidential information in accordance with the company’s record retention policy.
When the record retention policy requires destruction of confidential information, the privacy and security officers will direct the shredding, erasure, or other destruction of the confidential information. Confidential information will be destroyed in a manner that makes it unreadable or undecipherable prior to discarding it. In the event a vendor is used to provide this service, the company will ensure that the vendor maintains all required government-issued licenses to provide the service.
Individuals have the right to request and inspect their own confidential information that is in the company’s possession. Individuals also have the right to request a restriction on the use of their confidential information. In both cases, the individual must submit a request to the company, which will be reviewed and handled as appropriate by the privacy officer. Complaints about how the company handles confidential information may also be submitted to the privacy officer.