Disclaimer: No Part of this document may be reproduced or transmitted in any form or by any means, electronic,
manual, photocopying, recording or by any information storage and retrieval system, without prior written permission
of Dubai Insurance Company (DIN).
Classification: Restricted
Data Privacy Policy
Document Reference: DIN-DP-POL-01
Version 1.0
Classification: Restricted
Data Privacy Policy
Doc Ref: DIN-DP-POL-01
Version 1.0 Restricted Page 2 of 31
Document Control

Issue / Rev. | Date | Prepared by | Title
1.0 | | MBG | Data Privacy Policy

Version No. | Date | Prepared By | Remarks
0.1 | 28-Jul-2023 | DIN | Initial Draft
1.0 | 02-Aug-2023 | DIN | Final
1.0 | 13-May-24 | DIN | Reviewed
Distribution List

Name | Title | Department | Entity
All Employees | | | DIN
Document Verifier List

Date | Name | Title | Signature

Document Approval History

Version No. | Date | Name | Title | Signature
1.0 | May-24 | Ajay Sachdeva | CISO |
1.0 | | | |
1.0 | | | |
Abbreviations

Abbreviation | Description
DIN | Dubai Insurance Company
CEO | Chief Executive Officer
CFO | Chief Financial Officer
CISO | Chief Information Security Officer
ISGC | Information Security Governance Committee
DOH | Department of Health Abu Dhabi
PHDP | Patient Healthcare Data Privacy
IT | Information Technology
PHI | Protected Health Information (also used in this document for Patient Healthcare Information)
PII | Personally Identifiable Information
HR | Human Resource
QA | Quality Assurance
HOD | Head of Department
TPA | Third Party Administrator
RMC | Risk Management Committee
DPO | Data Protection Officer
DPIA | Data Protection Impact Assessment
PbD | Privacy by Design
RPA | Record of Processing Activity
KPI | Key Performance Indicator
NDA | Non-Disclosure Agreement
SbD | Security by Design
SDLC | Secure Development Lifecycle
Table of Contents
1. INTRODUCTION  8
2. SCOPE  8
3. OBJECTIVE  8
4. GOVERNANCE  9
5. DATA PRIVACY POLICY ROLES AND RESPONSIBILITIES  9
5.1. CHIEF EXECUTIVE OFFICER (CEO)  9
5.2. INFORMATION SECURITY GOVERNANCE COMMITTEE (ISGC) / RISK MANAGEMENT COMMITTEE (RMC)  10
5.3. DATA PROTECTION OFFICER/DESIGNEE  10
5.4. HEAD OF DEPARTMENT  12
5.5. HEAD OF IT DEPARTMENT  13
5.6. INCIDENT MANAGEMENT TEAM  13
5.7. INTERNAL AUDIT TEAM  14
5.8. MARKETING DEPARTMENT  14
5.9. HEAD OF LEGAL DEPARTMENT  14
5.10. IT DEPARTMENT  15
5.11. HUMAN RESOURCE (HR) DEPARTMENT  16
5.12. EMPLOYEES AND AUTHORIZED THIRD PARTIES  16
6. DATA PRIVACY BY DESIGN  16
7. OWNERSHIP AND REVIEW  18
8. POLICY COMPLIANCE  18
9. PRIVACY POLICY STATEMENT  18
9.1. NOTICE  18
9.2. CHOICE AND CONSENT  19
9.3. COLLECTION  20
9.4. USE, RETENTION AND DISPOSAL  21
9.5. ACCESS AND CORRECTION  22
9.6. DISCLOSURE TO THIRD PARTIES  23
9.7. SAFEGUARDING PII/PHI  25
9.8. QUALITY  26
9.9. MONITORING AND ENFORCEMENT  27
10. DEFINITIONS  28
1. Introduction
The Data Privacy Policy defines the statements to be adhered to when handling the personally identifiable information (PII) and protected health information (PHI) of Individuals that is collected, processed, stored or transferred by DIN. This Policy is intended to protect PII/PHI and preserve the privacy of customers, employees and third parties (together termed "Individuals" in this policy) who provide PII/PHI to DIN. Third parties include vendors, suppliers, partners, contractors and service providers. This policy has been designed with DIN's privacy requirements in mind, and further improvements will be aligned to the same.
2. Scope
This policy applies to all business process operations, information systems, and physical paper forms in DIN that
involve the handling of an Individual’s PII/PHI.
Appropriate sections of this policy document shall be conveyed to DIN customers, employees, and third parties.
3. Objective
This policy is intended to protect the PII/PHI and preserve the privacy of Individuals whose PII/PHI is collected by DIN. Such PII/PHI is protected by (i) preventing unlawful disclosure and (ii) ensuring that DIN, and the third parties DIN works with, use PII/PHI only in accordance with DIN's Privacy Policy.
The objectives of this privacy policy are:
- To ensure DIN proactively addresses customers' expectations concerning their privacy and security, in order to create and maintain trust and confidence in DIN and the products and services it provides;
- To comply with relevant privacy and data protection laws, thereby minimizing legal liability, regulatory risk, and brand and reputational exposure;
- To ensure that an Individual's PII/PHI is collected and processed in a fair and transparent manner and in compliance with applicable laws and regulations.
The privacy policy covers DIN's commitment to implement:
- Openness in the privacy notices given to Individuals at the time DIN collects their PII/PHI, to assist Individuals in understanding how their information will be used or shared;
- Appropriate choice and consent options for Individuals;
- Principles on the collection, processing, usage, retention and disposal of PII/PHI;
- Appropriate safeguards to (i) protect PII/PHI that third parties process on behalf of DIN and (ii) ensure the PII/PHI is used only for the agreed purpose;
- Processes that permit Individuals the right to access and amend their PII/PHI; and
- A Privacy Permissions Label and Controls Matrix to ensure that the types and use of PII/PHI are appropriately controlled within DIN.
4. Governance
This policy is applicable to DIN customers, employees, and third parties, who can be one of the below actors in the context of information privacy:
- Data Subject: Individuals whose personal data is collected and processed. They will typically be customers, employees, vendors and contractors' staff.
- Data Controller: The organization (including its employees, senior management and top management) that determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. This is the organization itself, i.e. DIN.
- Data Processor: Organizations or individuals who process data on behalf of DIN. They will typically be the various third parties, such as vendors and contractors, that DIN partners with.
5. Data Privacy Policy Roles and Responsibilities
5.1. Chief Executive Officer (CEO)
The key responsibilities of the CEO are as follows:
- Set an appropriate "tone at the top" in order to establish a culture of compliance;
- Oversee the Privacy Program; this responsibility may be delegated in part to the audit, risk or information security governance committees, which may assume certain board risk and compliance program responsibilities;
- Assess the extent to which DIN is managing its privacy risk effectively;
- Assess, at least annually, the performance of the privacy compliance function.
5.2. Information Security Governance Committee (ISGC) / Risk Management Committee (RMC)
The key responsibilities of the ISGC or RMC are as follows:
- Report the overall status of privacy program milestones and metrics to the CEO;
- Report promptly to the CEO on any material breaches of laws, rules and standards;
- Review resource allocation issues that may have an impact on managing privacy risks;
- Approve privacy program strategies and facilitate their alignment with DIN's business strategies;
- Provide top-down executive oversight and mandates to enable implementation of privacy objectives, and stay informed of progress against privacy plans;
- Provide insights on common issues, best practices and other topics in support of the privacy team's programs;
- Approve changes to internal policies when changes issued by the Health Authority or the relevant regulatory authority require the policy to be amended internally, after approval by the DPO/Designee;
- Participate in the review of the data privacy awareness program plan and content, and provide recommendations to the DPO regarding any necessary changes and updates;
- Approve and support communication of the data privacy awareness program plan.
5.3. Data Protection Officer/Designee
The key responsibilities of the DPO/Designee are as follows:
- Manage all privacy budgets, initiatives and investments;
- Manage and oversee the overall planning, implementation, monitoring and continual improvement of data privacy requirements according to the data privacy policy and procedure;
- Define plans regarding privacy strategy and roadmap;
- Stay informed of progress against best-practice privacy program strategies;
- Ensure that the data privacy policy is reviewed at least once a year, or when necessary;
- Oversee the business functions in meeting the requirements of the privacy program, and provide privacy subject matter and risk management expertise;
- Act as the single point of contact for internal or external personal data and privacy-related inquiries;
- Inform management and employees of DOH data privacy regulations and other applicable laws, regulations and regulatory directives communicated by the regulatory body;
- Monitor and report on the overall status of privacy program milestones and metrics to the executive management committee;
- Coordinate closely with the Head of Legal/Designee to provide strategic guidance and advice on risks, controls, and implementation of privacy program requirements;
- Work closely with Legal, Internal Audit, IT and the other business functions to enable proper implementation of privacy policies;
- Identify and communicate cross-regional and cross-functional privacy risks;
- Monitor compliance with local regulatory requirements;
- Review the Record of Processing Activities registers of each relevant business unit;
- Support implementation and understanding of privacy and the program across the organization;
- Oversee data privacy agreements, and execute projects while consulting on new business initiatives;
- Evaluate requests received from Business Unit Sponsors with respect to the data protection impact of a new project;
- Issue an opinion on the feasibility of the project from a data privacy standpoint;
- Supervise the DPIA execution for the specific processing activity;
- Ensure that DPIA forms are filled in correctly by the Business Unit Sponsors, and identify privacy risks with respect to the business processes;
- Complete and maintain a repository of the documentation required for privacy compliance;
- Report regulatory non-compliance issues to the Risk Management Committee;
- Notify the relevant regulatory bodies when a privacy data breach occurs;
- Attend training sessions and assist with the incident response process if required;
- Build, and review periodically, the data privacy awareness program in line with local regulatory and international practices;
- Analyze and document employees' needs regarding data privacy training, and review those needs annually;
- Review the Data Privacy awareness content at least once a year and update it as applicable;
- Share awareness content and plan the awareness sessions in coordination with the Human Resource (HR) department and the respective heads of business;
- Attend trainings if required, and remain up to date on the most recent privacy developments in laws and regulations;
- Ensure that all stakeholders understand the concepts and objectives of the Data Privacy awareness program;
- The contact information of the DPO/Designee shall be published and communicated to the Regulatory Authority and to third-party entities in relation to data privacy matters.
5.4. Head of Department
The key responsibilities of Heads of Department are as follows:
- Reinforce and communicate the "tone at the top" messaging established by leadership;
- Operationalize privacy policies and tools within business processes;
- Ensure that their team and other authorized individuals within their business units are informed of, and comply with, DIN's Data Privacy policy;
- Ensure that all personal data held by their business units is included in the Record of Processing Activities register;
- Ensure new and existing third parties (supporting the respective departments) are made aware of DIN's data privacy requirements by regularly communicating or circulating the data privacy policy, procedure and awareness material;
- Ensure compliance with the data privacy awareness program plan within their own area(s) of operations;
- Nominate the business unit sponsor to fill in the DPIA form with guidance from the DPO/Designee.
5.5. Head of IT Department
The key responsibilities of the Head of IT are as follows:
- Receives and reviews the high-level incident assessment report from the Incident Management Team and reports it to the ISGC;
- Reports lessons learned and policy weaknesses identified post-remediation to the ISGC or RMC and the Operations Manager;
- Reports the need, as applicable, for outsourced non-legal resources and tools to the DPO/Designee;
- Reports any potential need to shut down a core business resource to the CEO/CFO and the Head of Legal Department;
- Reports any potential need to inform media/customers to the [Corporate Communications Representative] and the Head of Legal Department;
- Continuously reports touch points to the ISGC (weekly updates);
- Assists with socialization of Incident Management Operations with the Management Committee;
- Reviews the initial assessment done by the Incident Management Team and declares the incident type (Security, Privacy or both);
- Reports damage and risk assessment reports of incidents to the CEO;
- Requests additional resources and tools from the IT Department.
5.6. Incident Management Team
The key responsibilities of the Incident Management Team are as follows:
- Monitor for possible security and privacy incidents;
- Perform a preliminary assessment and categorize a possible security incident using automated tools;
- Report findings to the Incident Management Manager/DPO/CISO/Designee;
- Provide Incident Management reports to the Incident Management Manager/DPO/CISO/Designee daily, weekly and monthly, as applicable.
5.7. Internal Audit Team
The key responsibilities of the Internal Audit Team are as follows:
- Deliver independent and objective data privacy assurance services that support management in striking the balance between privacy risks and controls, and help the CEO fulfil their governance responsibilities;
- Review specific operations or processes related to privacy that are raised by the CEO, the Executive Management Committee or the DPO/Designee; and
- Conduct periodic audits/reviews of the Privacy Program.
5.8. Marketing Department
The key responsibilities of the Marketing Team are as follows:
- Approve any data protection statements attached to communications such as emails and letters;
- Address any data protection queries from journalists or media outlets such as newspapers;
- Ensure marketing initiatives abide by the data protection principles by working with other staff;
- Ensure privacy notices and consent management are in place on all public-facing websites and marketing campaigns.
5.9. Head of Legal Department
The key responsibilities of the Head of Legal are as follows:
- Provide legal and strategic guidance and advice to the business functions and the DPO/Designee;
- Identify and communicate the requirements of existing and new Law(s) and/or Regulation(s) applicable to DIN, and any changes thereto, on a timely and ongoing basis;
- Interpret legal and regulatory obligations in terms of their applicability to, and needs for, DIN;
- Provide legal advice to DIN departments concerning data processing agreements with third parties, privacy policies, privacy complaints, privacy impact assessments and data subject rights;
- Support DIN's departments with legal advice in the event of a data breach;
- Provide legal advice to aid the approval/denial of requests such as "right to access" and "right to be forgotten" when they are overly complex;
- Provide legal advice to departments on when notice and consent need to be implemented and what information should be included;
- Provide guidance to the Incident Management Manager/CISO/Designee if an incident may have legal consequences, including evidence collection, prosecution, or a lawsuit;
- Serve as a point of contact for legal third parties and outside contractors;
- Review requests from the DPO to contact law enforcement or other outside government agencies;
- Report the need to contact law enforcement to the Management Committee.
5.10. IT Department
The key responsibilities of the IT Department are as follows:
- Work with the Incident Management Manager/Designee/IT Manager/CISO to provide the required IT Department resources, access and tools;
- Aid in providing the Incident Management Manager/Designee/IT Manager/CISO with more context on the incident, as received from the IT Department;
- Provide remediation of incidents as requested by the Incident Management Manager/Designee/IT Manager/CISO;
- Attend training sessions on the IT role in the incident response process conducted by the Incident Management Manager/Designee/IT Manager/CISO;
- Assist with the remediation of affected systems under the direction of the Incident Management Manager/Designee/IT Manager/CISO (including remote wiping of corporate smartphone devices);
- Apply patches and updates to systems;
- Provide logs and system outputs for review as needed by the Incident Management Manager/Designee/IT Manager/CISO;
- Assist with the shutdown/isolation/segmentation of a system or configuration item during the containment stage;
- Assist with system recovery and post-incident monitoring.
5.11. Human Resource (HR) Department
The key responsibilities of the HR Department are as follows:
- Ensure that all employees of DIN are accountable for their actions, and that appropriate remedial or disciplinary action will be taken in case of any privacy breaches;
- Ensure any changes to the privacy policies are read and acknowledged by every individual accessing DIN's personal data;
- Provide guidance to the Incident Management Manager/CISO/Designee if an incident involves sensitive employee records or past/present employee actions, in accordance with the HR Policy;
- Ensure Data Privacy induction sessions for new joiners (employees) are delivered;
- Provide support in conducting Data Privacy awareness (refresher) sessions for existing employees, as per the awareness content and plan shared by the DPO/Designee;
- Provide support in sharing awareness content with employees as instructed by the DPO/Designee;
- Maintain the relevant records of Data Privacy trainings conducted for employees.
5.12. Employees and Authorized Third Parties
The key responsibilities of employees and authorized third parties are as follows:
- Adhere to the Data Privacy policy and procedures;
- Report any actual or suspected privacy incidents (such as accidental exposure or loss, unauthorized access, or theft) to the DPO/Designee immediately;
- Attend Data Privacy trainings and awareness sessions.
6. Data Privacy by Design
6.1. Privacy by Design Principle
Privacy by Design (PbD) is crucial to addressing both the privacy needs of data subjects and the legitimate interests and objectives of DIN. PbD consists of seven principles:
Proactive not Reactive; Preventative not Remedial
Instead of waiting for privacy issues to arise, organizations are encouraged to prevent privacy issues from occurring by anticipating privacy risks and developing controls to mitigate them. Assess, identify, manage and prevent any data privacy risk before data breaches occur. Risks can be minimized through good design and data management practices.
Privacy as the Default Setting
Data privacy measures must be integrated into the processes and features of systems. Individuals should not have to take action for their personal data to be protected; measures to safeguard personal data should be provided automatically as the default settings.
Privacy Embedded into Design
Privacy should be built into the design of systems and processes. It should not be added on or considered after the system or process is designed. Privacy should be considered and embedded from the start of the design process, so that privacy is a core function of the system or process.
Full Functionality: Positive-Sum, not Zero-Sum
Privacy does not need to hinder or diminish the functionality of a system or process. Legitimate interests and objectives should be considered in the design of a system or process alongside privacy objectives and interests.
End-to-End Security: Full Lifecycle Protection
Strong security measures should be in place from the beginning of the design of an initiative to the end of the system's or process's lifecycle. Personal data should be securely stored, securely used and securely destroyed.
Visibility and Transparency: Keep it Open
Stakeholders should maintain their systems and processes in a transparent manner, meaning that they operate as designed and according to stated objectives, subject to verification.
Respect for User Privacy: Keep it User-Centric
The rights of the individual are the primary focus. Data subjects should be provided with notice and choice, as well as other data-subject-friendly options.
By following these Privacy by Design principles, DIN can respect the data subjects' right to maintain their information privacy while meeting the needs of the enterprise.
7. Ownership and Review
The Chief Executive Officer (CEO) or Chief Financial Officer (CFO) shall be responsible for final approval of this Policy. The Data Privacy Policy shall be revised taking into consideration changes in the internal and external environment and any amendments proposed by stakeholders. A proposed amendment shall be prepared in draft form and forwarded by the DPO/Designee, in consultation with the Legal/Compliance Head (if required), to the Chief Executive Officer (CEO) with justification for the amendment. All changes to this document shall be approved by the CEO after being endorsed by the DPO/Designee.
The DPO/Designee shall retain a version control form to record the approval of changes made to the document from time to time.
8. Policy Compliance
8.1. Any violation or breach of this policy shall be subject to DIN's HR disciplinary procedure in accordance with the relevant HR Law, the Code of Conduct for Employees and any other applicable UAE Laws in this regard.
8.2. All departments shall be aware of and comply with the guidelines stated in this policy.
8.3. Any exceptions to this policy with valid business justification require approval from the DPO/Designee on a case-by-case basis.
9. Privacy Policy Statement
9.1. Notice
Objective: To ensure DIN provides a privacy notice to the data subject prior to handling their PII/PHI.
Policy
- The purposes for the collection of PII/PHI shall be identified at or before the time of collection.
- The notice shall clearly state the identified purposes for which PII/PHI will be collected, used, retained and disclosed.
- The notice shall clearly indicate the purpose for collecting PII/PHI and whether such purpose is part of a business or legal requirement.
- Individuals shall be notified of the reasons for collection of PII/PHI in writing at the time of collection.
- DIN shall notify Individuals before using PII/PHI for any purpose not identified at the time of collection.
- Where DIN is bound by law to notify regulatory bodies about its use of PII/PHI, DIN will ensure that any required notification is updated with the identified business purpose prior to collecting PII/PHI for those purposes.
Guideline
- DIN shall ensure that the operations staff who collect PII/PHI for the organization can explain the purpose of collection to Individuals.
- DIN shall state and explain purposes in such a manner that an Individual can reasonably understand how the PII/PHI will be used or disclosed, including to third parties.
RACI Matrix
Responsible: Business Process Owner
Accountable: Data Protection Officer/Designee
Consulted: CISO/Designee, Legal Department
Informed: Corporate Operations
9.2. Choice and Consent
Objective: To ensure DIN obtains implicit or explicit consent from the data subject with respect to the handling of their PII/PHI.
Policy
- DIN shall inform Individuals by means of a notice and seek implicit consent (by means of the Medical Insurance Policy document) for the collection, use or disclosure of their PII/PHI for the identified business purposes.
- DIN shall ensure that the consent obtained is informed consent. In the case of subsequent uses or disclosures of PII/PHI, DIN shall seek consent after collection but before use.
- Each Individual must be provided with clear and simple means of withdrawing consent at any point, as part of DIN's Online Privacy Statement.
- In cases where an Individual's PII/PHI is processed by a third party, DIN will ensure that any opt-out requests are honored and accurately implemented.
Guideline
- Where consent is required, an Individual must be given the opportunity to take some action to indicate consent; it is not permitted to infer consent if the Individual fails to respond to a request or question.
- DIN customers shall be informed, on request, of the procedure to register for the 'Opt Out' service.
RACI Matrix
Responsible: Business Process Owner
Accountable: Data Protection Officer/Designee
Consulted: CISO/Designee, Legal Department
Informed: Corporate Operations
9.3. Collection
Objective: To ensure that only the minimum PII/PHI required to meet the business purpose is collected from an Individual.
Policy
- The methods of collecting PII/PHI shall be reviewed by management before they are implemented, to confirm that PII/PHI is obtained fairly and lawfully.
- The collection of PII/PHI shall be limited to that necessary for the purposes identified in the notice and as per the prescribed regulatory purposes. DIN shall maintain an inventory of PII/PHI collected.
- All PII/PHI collected from customers, employees, vendors and contractors will be categorized as PII/PHI.
- DIN shall collect PII/PHI by fair and lawful means and document its collection practices.
Guideline
- Customer service representatives shall limit their collection and documentation of information from Individuals to the defined data elements.
- DIN shall clearly distinguish information that is obligatory from information that is optional for the identified business purposes when collecting it from the Individual.
RACI Matrix
Responsible: Business Process Owner
Accountable: Data Protection Officer/Designee
Consulted: CISO/Designee, Legal Department
Informed: Corporate Operations
9.4. Use, Retention and Disposal
Objective: To ensure that a legitimate business purpose justifies the use, retention and disposal of PII/PHI.
Policy
- DIN shall limit the use of PII/PHI to the purposes identified in the notice and for which the Individual has provided the necessary consent.
- DIN shall maintain an inventory of PII/PHI processed.
- DIN shall retain PII/PHI only as long as necessary for legitimate business purposes, unless there are legal or regulatory reasons to retain it longer.
DIN shall document the basis for retention periods and justify any requirement to retain PII/PHI for longer
than the maximum retention period set by business and regulatory requirements.
Upon the expiration of the permitted business purpose(s), an individual’s PII/PHI will be permanently
deleted, destroyed or anonymized.
DIN shall develop disposal guidelines to ensure timely disposal of PII/PHI with a level of security appropriate
to the sensitivity of the PII/PHI.
Destruction of physical documents must be conducted in an environmentally friendly manner.
Guideline
DIN shall process PII/PHI only where it is necessary for DIN’s business purposes.
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
9.5. Access and Correction
Objective: To ensure data subjects can access the PII/PHI that DIN holds about them, for review and update.
Policy
Individuals will be informed of the procedure to be followed for reviewing or updating their PII/PHI.
The identity of an individual who requests access to PII/PHI will be authenticated before they are given access
to that information.
Individuals are informed, in writing, of the reason a request for access to their PII/PHI was denied, the source
of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such
denial, as specifically permitted or required by law or regulation.
PII/PHI is provided to the individual in an understandable form, in a reasonable timeframe, and at a reasonable
cost, if any.
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
9.6. Disclosure to Third Parties
Objective: To ensure DIN implements appropriate privacy controls when disclosing PII/PHI to third parties.
Policy
Individuals shall be informed if their PII/PHI will be disclosed to third parties.
Disclosure of PII/PHI to a third party shall be only for the purposes identified in the notice and for which the
individual has provided consent, unless a law or regulation specifically allows or requires otherwise.
The Data Protection Manager shall be informed before PII/PHI is shared with any new vendor, so that due
diligence, conducted by DIN or by the third party, confirms that appropriate data privacy and security
controls are in place at the vendor location.
An inventory of all third-party relationships in which DIN exchanges PII/PHI shall be created and periodically
updated.
DIN shall include a ‘Right to Audit’ clause in its vendor contracts, so that it can periodically review the
effectiveness of security and privacy controls at the vendor location.
A vendor/third party should be under a contractual obligation to obtain DIN’s prior permission before using
sub-contractors to process PII/PHI on behalf of DIN.
The contract between DIN and the third party should clearly specify the DIN business purposes for which an
individual’s PII/PHI may be used/processed, and the limitations or restrictions on using/processing the
PII/PHI for any other purpose outside the contract.
Prior to sharing an individual’s PII/PHI, DIN shall notify the third party of the privacy guidelines stated in this
policy document and obtain written acknowledgement of adherence to them.
DIN shall identify the technical and process controls that need to be implemented as part of legal
compliance.
DIN shall take remedial action in response to misuse of PII/PHI by a third party to whom DIN has transferred
such information.
Where DIN ceases to use a third party that has processed the PII/PHI of individuals, DIN shall use its best
efforts to ensure that all PII/PHI is either returned to DIN or permanently deleted, destroyed or anonymized
at the third party’s premises.
Guideline
DIN shall use privacy protection clauses in its contracts with third parties to ensure a comparable level of
protection while PII/PHI is with third parties for processing.
Contracts should legally bind third parties to act solely on the instructions of DIN in respect of handling
PII/PHI, including erasing or destroying the information upon completion of the purpose.
The third party should meet DIN’s minimum privacy requirements (i.e. they must demonstrate the ongoing
capability, not just express an intention or agree to provide privacy controls).
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
9.7. Safeguarding PII/PHI
Objective: To ensure DIN shall establish appropriate security safeguards and controls to protect PII/PHI from
unauthorized disclosure, use, modification and destruction.
Policy
All PII/PHI shall be classified as ‘Confidential’ and appropriately labelled as per the DIN Information
Asset Management Policy & Procedure.
DIN shall implement appropriate physical access controls to safeguard PII/PHI stored in paper documents. For
further reference, refer to the Information Asset Management Policy & Procedure.
Industry standard encryption and password protection measures shall be deployed to protect PII/PHI
stored in electronic documents, IT applications and databases, as well as while transmitting it by email,
file transfer protocols and other network protocols. For further reference, refer to the DIN Information
Asset Management Policy & Procedure.
An individual’s PII/PHI shall be stored on portable devices (CD, USB drives, memory cards etc.) only with the
necessary approval of the Data Protection Officer. Such portable storage devices shall be encrypted and
password protected at all times.
An information security audit/internal audit shall be conducted for all privacy critical applications.
Additional security safeguards shall be applied to sensitive PII/PHI of the individuals.
Secured scanners and printers shall be implemented at DIN premises to ensure accountability of
employees/vendors dealing with PII/PHI.
DIN shall institute procedures for secure destruction or disposal of PII/PHI and secure disposal of equipment
or devices used for storing PII/PHI.
Employees should be informed via Ethics Pledge Agreement (EPA) that, where access to PII/PHI is legitimately
granted, it is for work purposes only and information should only be accessed for legitimate business
purposes.
Guideline
PII/PHI shall be secured against accidental disclosure and protected against natural disasters and hazards.
Appropriate Data Leakage Prevention (DLP) controls can be deployed to protect the Special Category Personal
Data of individuals.
Two-factor authentication methods can be deployed on DIN systems used for accessing PII/PHI outside DIN
premises.
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
9.8. Quality
Objective: DIN shall ensure completeness and accuracy of the PII/PHI collected and that the PII/PHI shall be kept up
to date and validated on an ongoing basis.
Policy
DIN shall ensure systems and procedures are in place to ensure that the PII/PHI that it holds is accurate,
complete, current and reliable to the best of its knowledge in relation to the purpose for which this
information is being processed.
Guideline
DIN shall identify the types of PII/PHI that need to be routinely updated for accuracy and completeness.
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
9.9. Monitoring and Enforcement
Objective: To ensure compliance with privacy policies and procedures and enforce mechanisms to address privacy
related inquiries, complaints and disputes.
Policy
DIN shall develop and implement a PII/PHI Management System (PIMS) and demonstrate management
commitment by providing necessary resources and embedding PIMS in the organization’s culture.
The effectiveness and efficiency of the PIMS shall be monitored and reviewed periodically through audits or
management reviews.
DIN shall establish an effective Regulatory Compliance Intelligence function to periodically review privacy
related laws and regulatory requirements.
DIN shall ensure that it has the right kind of information sources feeding its intelligence on regulations.
For the purpose of any investigation, DIN shall be entitled to access all PII/PHI details pertaining to an
individual under examination.
A formal procedure shall be implemented to identify and report privacy incidents. The procedure for the same
shall be communicated to all DIN employees as well as third parties such as vendors and contractors.
DIN shall provide periodic training and awareness on privacy to all employees, vendors and contractors who
access and process the PII/PHI of Individuals.
DIN personnel and third parties may access and use PII/PHI only if they are authorized to do so and in
compliance with the policy.
Any violation, breach or contravention of the policy or any part thereof shall be considered as non-compliance.
Guideline
DIN shall publish periodic email-based bulletins to increase privacy awareness among employees who access
and process the PII/PHI of individuals.
DIN shall take appropriate actions in case of any non-adherence to the policy statements, which can lead to
termination of employment, contract as well as possible civil and/or criminal penalties based on appropriate
investigations conducted by the concerned authorities.
For any disciplinary investigation process, DIN may also retain an employee’s desktop/laptop, mobile device
and any other handheld device.
RACI Matrix
Responsible
Accountable
Consulted
Informed
Business Process Owner
Data Protection Officer/Designee
CISO/Designee
Legal Department
Corporate Operations
10. Definitions
Term
Definition
Central System
The digital platform for the exchange of electronic health information between health sector entities. In
the Emirate of Abu Dhabi, this is represented by “Malaffi”, the Abu Dhabi Health Information Exchange
Platform.
Controls
The administrative, technical, and physical safeguards applied within the entity to satisfy privacy
requirements.
Data
All that can be stored, processed, generated and transferred, such as numbers, letters, symbols, images and
the like (including digital and non-digital).
Entity / Entities
An entity in Abu Dhabi that is involved in the direct delivery of healthcare and/or supportive healthcare
services, or in the financing of health, such as a health insurer or health insurance facilitator, healthcare
claims management entity, payer, Third Party Administrator (TPA), hospital, medical clinic or medical
center, telemedicine provider, laboratory or diagnostic center, pharmacy, etc.
Exchange of Health Information
Access, exchange, copying, photocopying, transfer, storage, publication, disclosure or transmission of
health data and information.
Health Authority
Any federal or local governmental body concerned with health affairs in the United Arab Emirates (e.g. the
Department of Health, DOH).
Information and Communication Technology
Technical or electronic tools, systems or other means that enable the processing of information and data of
all types, including the possibility of storage, retrieval, dissemination and exchange.
Health Information
Health data processed and made apparent and evident, whether visible, audible or readable, and which is of
a health nature, whether related to health facilities, health or insurance facilities or beneficiaries of health
services.
Individually Identifiable Health Information
Health information that is held or transmitted by an entity or its contractors / third parties in any form or
media, whether electronic, paper, or verbal, including:
- Demographic data and general identifiers such as name, address, birth date, mobile number, Emirates ID
etc.
- Information that identifies the patient, or for which there is a reasonable basis to believe that it can be
used to identify the patient.
- Protected Health Information, including information on the patient’s past, present or future physical or
mental health condition, the provision of health care to the patient, or details of medical insurance.
- Past, present, or future payment for the provision of health care to the patient.
- Medical reports / records, whether in electronic or paper format.
- Information about any organ donation to/by the patient, of any body part or any bodily substance of that
patient, or derived from testing or examination of a body part.
Least Privilege
The principle of providing users and programs with only the privileges essential to complete a specific task,
giving adequate assurance that no excess privileges are granted to users, programs or roles.
Marketing
Any communication about a product or service that encourages recipients to purchase or use the product or
service.
Need to know
The principle of providing access to users and data only when there is an established need for access.
Personally Identifiable Information (PII)
Information that, when used alone or with other relevant data, can identify a patient. PII may contain direct
identifiers (e.g., passport information) that can identify a person uniquely.
Person / Individual / Patient
A natural or arbitrary person whose protected health information is or has been captured by the entity.
Privacy Breach
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence
where (i) a person other than an authorized user accesses or potentially accesses data, or (ii) an authorized
user accesses data for a purpose other than the authorized one.
Privacy Risk
The likelihood that entities / patients will experience problems resulting from data processing, and the
impact should they occur.
Privacy Risk Assessment
Sub-process of the entity’s risk management for identifying, evaluating, prioritizing, and responding to
specific privacy risks.
Privacy Risk Management
Set of defined processes for identifying, assessing, and responding to privacy risks. Generally part of Risk
Management practices.
Privacy Policy Standard
Standards that protect patients’ medical records and other protected health information, and that apply to
health plans, health care clearinghouses, and those health care providers that conduct certain health care
transactions electronically.
Processing
Creating, entering, modifying, updating or deleting information (digital and non-digital).
Professional Guidelines
A description of the methods, actions and procedures used as guidance.
Programs
A set of actions developed with the aim of improving the health conditions of a patient.
Protected Health Information (PHI)
Protected health information “relates to the past, present, or future physical or mental health or condition
of a patient; the provision of health care to a patient; or the past, present, or future payment for the
provision of health care to a patient”.
Site
The entity where the PHI is stored, handled and used.
System
A set of electronic data and health information exchange operations, involving a set of electronic parts or
components that link together and work together to achieve a specific goal.