Home
Home/Data Privacy Policy

Data Privacy Policy and Procedure

1. Introduction

iSON Secure ("Company", "we", "our", or "us") is committed to protecting the privacy, confidentiality, integrity, and security of personal information processed through its platforms, services, applications, websites, and operational processes.

This Data Privacy Policy and Procedure establishes the principles and controls adopted by the Company to ensure responsible collection, processing, storage, sharing, retention, and disposal of personal data in accordance with applicable regulatory, legal, and industry requirements.

The policy is aligned with applicable data protection and information security best practices, including internationally recognised frameworks such as:

  • ISO/IEC 27001 – Information Security Management System (ISMS)
  • ISO/IEC 27701 – Privacy Information Management System (PIMS)
  • Applicable healthcare and cybersecurity governance standards where relevant

2. Purpose

The purpose of this policy is to:

  • Ensure lawful, fair, and transparent processing of personal data
  • Protect personal and sensitive information from unauthorized access, disclosure, misuse, alteration, or loss
  • Establish standardised data privacy and protection procedures
  • Define responsibilities related to privacy and information security
  • Promote compliance with applicable regulatory and contractual obligations
  • Support continuous improvement of privacy and security practices

3. Scope

This policy applies to:

  • All employees, contractors, consultants, and authorised personnel
  • All systems, applications, websites, databases, cloud platforms, and communication channels operated by the Company
  • Third-party vendors, partners, and service providers processing information on behalf of the Company
  • All personal and sensitive information collected, processed, stored, or transmitted during business operations

4. Definitions

4.1 Personal Data

Any information relating to an identified or identifiable individual, including but not limited to:

  • Name
  • Contact details
  • Identification information
  • Insurance or service-related information
  • Device or system identifiers
  • Communication records

4.2 Sensitive Personal Data

Sensitive Personal Data may include:

  • Health-related information
  • Financial information
  • Identity verification information
  • Biometric information
  • Any information classified as confidential or sensitive under applicable laws or contractual obligations

5. Privacy Principles

The Company follows the following core privacy and information security principles:

  • Lawfulness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy and integrity
  • Confidentiality and security
  • Accountability and governance
  • Privacy by design and by default
  • Risk-based security management
  • Continuous monitoring and improvement

6. Collection and Processing of Data

Personal data may be collected through:

  • Websites and portals
  • Mobile or web applications
  • Customer onboarding processes
  • Service delivery activities
  • Customer support interactions
  • Email and communication channels
  • Authorised third-party partners or service providers

The Company collects only the information necessary for legitimate business, operational, regulatory, or contractual purposes.

Personal data shall be processed only for authorised and defined purposes.

7. Lawful Basis for Processing

Personal data shall be processed only where:

  • Consent has been obtained where required
  • Processing is necessary for contractual or service obligations
  • Processing is required for compliance with legal or regulatory obligations
  • Processing is necessary for legitimate business purposes permitted under applicable laws

8. Data Subject Rights

Subject to applicable laws and regulations, individuals may have the right to:

  • Access their personal information
  • Request correction of inaccurate information
  • Request deletion or restriction of processing where applicable
  • Withdraw consent where processing is consent-based
  • Raise concerns regarding privacy or data handling practices

Requests shall be reviewed and addressed in accordance with applicable procedures and regulatory requirements.

9. Information Security Controls

The Company implements appropriate administrative, technical, and organisational safeguards to protect personal data, including:

  • Access control mechanisms
  • Authentication and authorisation controls
  • Encryption of sensitive information where applicable
  • Secure infrastructure and hosting environments
  • Firewall and endpoint protection
  • Monitoring and audit logging
  • Vulnerability management and security assessments
  • Backup and recovery procedures
  • Incident response and breach management processes

Access to personal and sensitive information is restricted to authorised personnel only.

10. Data Retention and Disposal

Personal data shall be retained only for as long as necessary to:

  • Fulfill operational and contractual obligations
  • Meet legal, regulatory, and audit requirements
  • Support dispute resolution and business continuity requirements

Upon completion of the retention period, information shall be securely deleted, archived, anonymised, or disposed of using approved methods.

11. Third-Party Sharing and Processing

Personal information may be shared with authorised third parties where necessary for operational, contractual, regulatory, or service-related purposes.

Third parties processing information on behalf of the Company are expected to:

  • Maintain confidentiality obligations
  • Implement appropriate security measures
  • Process information only for authorised purposes
  • Comply with applicable privacy and information security requirements

The Company does not sell personal information to third parties.

12. Cross-Border Data Transfer

Where personal data is transferred across jurisdictions, reasonable safeguards and security measures shall be implemented to ensure adequate protection of information in accordance with applicable legal and contractual obligations.

13. Incident and Breach Management

Any suspected or confirmed privacy or security incident shall be:

  • Reported through appropriate internal channels
  • Investigated and assessed promptly
  • Contained and remediated where necessary
  • Escalated to relevant stakeholders or authorities where required by law or regulation

Corrective and preventive measures may be implemented to reduce future risks.

14. Employee Responsibilities

Employees and authorised personnel are responsible for:

  • Protecting confidentiality of information
  • Following approved privacy and security procedures
  • Reporting incidents or suspicious activities promptly
  • Using organisational systems responsibly
  • Participating in required awareness and compliance training programs

Failure to comply with this policy may result in disciplinary or legal action where applicable.

15. Governance and Continuous Improvement

The Company maintains ongoing governance and continuous improvement practices to strengthen privacy and information security controls through:

  • Periodic policy reviews
  • Risk assessments and audits
  • Security awareness programs
  • Compliance monitoring activities
  • Continuous enhancement of operational and technical safeguards

16. Policy Review

This policy shall be reviewed periodically or whenever significant changes occur to:

  • Regulatory or legal requirements
  • Business operations or services
  • Technology infrastructure
  • Security or privacy risks

Updated versions may be published through official organisational channels where applicable.

17. Contact Information

For questions, concerns, or requests related to this Data Privacy Policy and Procedure, users may contact the Company through the official communication channels available on the website.

18. Effective Date

This policy becomes effective upon publication and remains subject to periodic review and updates.