OBJECTIVE
The objective of this Policy is to ensure the privacy of information about its customers and non-customers that the Bank receives or obtains in any form, electronic or otherwise.
SCOPE
The Policy covers information received or obtained by the Bank about customers and non-customers in electronic as well as any other form, such as paper. It also covers information received or obtained by the Bank from other sources, such as information received from other banks in the normal course of business (Confidential Reports, Statements of Account, etc.).
This Policy covers the information-handling infrastructure, such as hardware, applications, databases, operating systems, network assets, any electronic or non-electronic device, and the oral sharing of information.
This Policy sets out the basis on which information received or obtained by the Bank is processed.
DESCRIPTION
As part of the Bank's commitment to its customers and non-customers and to regulatory requirements, it shall be ensured that the privacy of information received about customers and non-customers is maintained, meaning that it is used properly and kept securely.
Definitions
- Customer – For the definition, please refer to the KYC Policy of the Bank.
- Non-Customer – There is no universal definition of this term; a "non-customer" is any entity that does not meet the operative definition of "customer". For the purposes of this Policy, a Non-Customer is a natural or legal person who has come into contact with the Bank (for example, by approaching the Bank to avail Non-Customer Services) but has no existing relationship with the Bank for the provision of a product or service, and who is not a Former Customer. A Former Customer becomes a Non-Customer at the moment the Bank deletes or anonymizes his or her data from its systems in accordance with the Personal Data Protection Framework. The expression "Non-Customers" shall, as the subject or context may permit or require, mean any or each such Non-Customer.
- "Personal Information" means any information that relates to the Bank's Customers and Non-Customers and that, directly or indirectly, or in combination with other information available or likely to be available with the Bank, is capable of identifying such Customer or Non-Customer. Personal Information may include a Customer's or Non-Customer's name, age, gender, contact details, email addresses, passport number, income, PAN, details of nominees, account numbers, types of accounts, type of relationship with the Bank, credit ratings, litigation, claims, financial information, physical, physiological and mental health condition, medical records and history, biometric information, any detail relating to the above provided to the Bank for providing a service, any information received by the Bank for processing, stored or processed under lawful contract or otherwise, and any other information that may directly or indirectly identify a particular Customer or Non-Customer.
- Any information that is freely available or accessible in the public domain, or that is required to be furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as Personal Information for the purposes of this Policy.
- "Processing" means any operation or set of operations, whether or not carried out by automatic means, that relates to:
- the organization, collation, storage, updating, modification, alteration or use of personal data; or
- the merging, linking, blocking, degradation, erasure or destruction of personal data.
Collection of Personal Information
- The Bank shall collect Personal Information as may be required in the normal course of business and as permitted by laws and regulations.
- If the Bank collects other Personal Information in order to provide better services, that information shall also be classified as "Personal Information" as defined in this Policy.
- Before collecting such information, the Bank shall obtain consent (express or implied) in writing, through letter, fax or email, from the Customer or Non-Customer, acknowledging the purpose for which the Bank will use and transfer the information.
- Personal Information shall not be collected unless it is necessary for a lawful purpose connected with a function, activity or business of the Bank.
- The Bank may also collect information relating to:
- Visits to the Bank's website, including but not limited to traffic data, location data, web logs, etc.
- Information from third parties such as employers, joint account holders, credit rating agencies, fraud prevention agencies, etc.
- The computer used by the Customer or Non-Customer, including IP address, operating system and browser type, for system administration; the Bank may share the same with third parties. This is statistical data and may not identify any individual.
- The Customer's or Non-Customer's general internet usage, by means of a "cookie file" stored on the hard drive of the Customer's or Non-Customer's computer. This data also may not identify any individual.
- The following precautions shall be taken while collecting Personal Information, to ensure that the Customer or Non-Customer understands:
- that Personal Information is being collected;
- the purpose for which the information is being collected; and
- relevant details such as the name of the person collecting the information on behalf of the Bank and the manner in which the information shall be retained.
- While collecting Personal Information, Customers or Non-Customers shall be given the option to decline to provide Personal Information. In such cases, they shall be clearly informed that they shall not be entitled to certain services or products for which such Personal Information is required.
- If a Customer or Non-Customer provides Personal Information initially and later decides to withdraw it, the Customer or Non-Customer shall be clearly informed that, although the Bank shall return the Personal Information, certain services or products for which such Personal Information was required shall be discontinued.
- Personal Information shall not be retained for a period longer than is required for the purpose for which it was collected.
Storing of Personal Information
- Once Personal Information is collected from Customers or Non-Customers, it is the responsibility of the Bank to store it in a secure environment.
- Personal Information is stored on secure servers. Where a Customer or Non-Customer has been given a user name and password / PIN that enables access to some services of the Bank, the Customer or Non-Customer shall be responsible for keeping this user name and password / PIN confidential.
- In the event of an information security breach, the Bank shall be in a position to demonstrate that information security controls were implemented as per the documented information security policies. To meet this objective, appropriate records of the implementation of information security controls shall be maintained in a manner that would be acceptable as evidence.
- If Personal Information is held in physical document form, it shall be kept in a protected environment, such as a physical security system, cupboards, fireproof cabinets, file storage equipment and machines, etc.
- If Personal Information is held in electronic format, it shall be stored within the Bank's environment and software systems, which shall be protected by appropriate access controls, passwords, encryption and/or other such reasonable security measures. Personal Information of Customers or Non-Customers shall not be copied, duplicated or extracted for any purpose other than the Bank's operations or legal and/or regulatory requirements.
Modifications to the Personal Information
- The Bank shall provide a facility for Customers or Non-Customers to review their Personal Information. Where changes are required, such as to address or contact details, the Bank shall facilitate those changes and ensure that the necessary supporting documentation is obtained from the Customer or Non-Customer for the Bank's records.
- The Bank shall ensure that Customers or Non-Customers are clearly informed that the Bank shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of the information to the Bank or to any other person acting on its behalf.
- Before collecting Personal Information, the Bank shall ensure that the Customer or Non-Customer is duly informed that it is in their own interest to provide current, accurate, complete and valid Personal Information.
- A copy of a Customer's or Non-Customer's information shall be made available on request, and the Customer or Non-Customer is entitled to have any inaccuracies corrected.
Grievances / Complaints
The Nodal Officer for Public Grievances at Head Office shall be the Grievance Officer for Data Privacy related issues, whose name and contact details shall be provided on the Bank’s website.
Complaints made to the Grievance Officer shall be redressed expeditiously, as per regulatory guidelines.
Sharing / Transfer of Personal Information
- In pursuance of this Policy, it shall be the responsibility of the Bank not to disclose Personal Information of Customers or Non-Customers to any third party. However, the Bank may be required to share Personal Information with its Service Providers and Authorized Vendors in order to render services to Customers or Non-Customers. In such cases, before sharing any such Personal Information, the Bank shall ensure that a proper agreement is signed by the recipient Service Providers and Authorized Vendors and that they are bound by confidentiality conditions.
- The Bank shall ensure that such Personal Information is transferred or transmitted to another body corporate or person, in India or abroad, as required in the normal course of business, only when the other entity ensures the same or a higher level of data protection than that adhered to by the Bank.
- Transfer of Personal Information of a Customer or Non-Customer to another entity shall only be allowed pursuant to a valid contract between the Bank and that entity which clearly states the need to transfer such Personal Information of its Customers or Non-Customers.
- The Bank may disclose Personal Information to credit reference, fraud prevention and law enforcement agencies and to identity and address verification agencies, who may record and use Customer or Non-Customer information and disclose it to other organizations for debt tracing and for fraud and money laundering prevention purposes.
Permitted Disclosure
- The Bank shall take the prior permission of Customers or Non-Customers before disclosing or publishing any Personal Information provided by them, unless the Bank is required to make such disclosures in compliance with legal obligations.
- The Bank shall share Personal Information, without obtaining the prior consent of the Customer or Non-Customer, with Government agencies mandated under the law to obtain such information for the purpose of:
- verification of identity;
- prevention, detection or investigation of crimes;
- prosecution and punishment of offences; or
- the national interest.
- The Bank shall disclose Personal Information of Customers or Non-Customers to Government agencies only after due verification of the requirement, which shall state the purpose of seeking such Personal Information and that it is required for a legal purpose. The Bank shall also obtain a commitment that the Personal Information so shared shall be used only for the purpose for which it was obtained and shall not be published or shared with any other person.
- Personal Information shall be shared with a third party only pursuant to an order received by the Bank under the prevailing law. Such disclosure shall be made by the Bank only after receiving a commitment from the third party that it shall not make further disclosures.
- Personal Information shall not be shared with third parties for the purpose of direct marketing unless express consent is obtained from the Customer or Non-Customer.
Retrieval of Personal Information
- The Bank shall ensure that Personal Information retrieved in physical or electronic format is returned to the secure environment, or securely destroyed, after the required use.
- Where a copy of Personal Information needs to be created for the purpose of the Bank's operations, it shall be the responsibility of the Bank to store the copy in a secure environment and, after use, to return it to the secure environment or destroy it securely.
Access of Personal Information
Only Bank employees, and employees of Business Correspondents, Agents and Service Providers who are authorized by the Bank, shall be allowed to access Personal Information, provided a lawful contract is in place and their operational duties demand access to such Personal Information on a need-to-know basis.
Prevention of Unauthorized disclosure
The Bank shall maintain the following policies and procedures to prevent unauthorized disclosure of information:
- Policy and procedure to secure the confidentiality of data and information;
- Policy and procedure to ensure that access to data and information is permitted only to such managers, employees or designated officers as are duly authorized for the purpose, on a need-to-know basis;
- Policy and procedure to ensure and control access to data and information by means of physical barriers, including biometric access control, and logical barriers, such as passwords;
- Policy and procedure to ensure that passwords used for this purpose are not shared with anyone other than the person authorized to use them, and that passwords are changed frequently, at irregular intervals;
- Policy and procedure to ensure that best practices in relation to the deletion and disposal of data are followed, especially where records or discs are to be disposed of off-site or by external contractors;
- Policy and procedure to ensure that the system adopted for the purpose provides protection against unauthorized modification or deletion of data and information;
- Policy and procedure to ensure the maintenance of a log of all accesses to data, recording:
- the identity of the person seeking access to the data;
- the date and time of such access; and
- the identity of the Customer or Non-Customer whose data were so accessed;
- The records and entries pertaining to such log shall be preserved for the minimum period prescribed by the backup policy / electronic record management policy / guidelines, and shall be available for examination by auditors or by the Reserve Bank, as the case may be;
- Policy and procedure to ensure the maintenance of a log of all unsuccessful attempts to access data, and of all incidents involving a proven or suspected breach of security in respect thereof, recording the requisite particulars, the records affected, if any, and the action taken in respect of such access;
- Procedure for security incident reporting and response;
- Maintenance and review of records and log entries on a regular and frequent basis to detect and investigate any unusual or irregular patterns of use of or access to data, including the creation of audit trails and verification thereof.
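The log requirements above (who accessed, when, whose record, and a separate record of unsuccessful attempts) only pay off if the log is actually reviewed for irregular patterns. The following is an added example, not part of the Bank's Policy or its systems: it assumes a hypothetical access log of one JSON object per line with the fields `ts`, `actor`, `subject` and `outcome`, checks each entry carries the particulars the Policy requires, and flags two patterns a reviewer would want surfaced: an actor reading an unusually large number of distinct customers' records within a short window, and an actor with repeated failed access attempts. The sample log lines and the thresholds are constructed for illustration.

```python
"""Review of a personal-data access log for unusual access patterns.

Added example, not the Bank's code. The log format (one JSON object per line
with "ts", "actor", "subject", "outcome") and the thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Particulars the policy requires for every access record.
REQUIRED_FIELDS = ("ts", "actor", "subject", "outcome")

# Constructed sample log (not real data). Timestamps are ISO 8601, UTC.
# emp1021 reads six different customers' records in four minutes,
# emp2044 fails three times against one record before succeeding,
# and the last line is missing the customer identity the policy requires.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:05Z", "actor": "emp1021", "subject": "CUST-0001", "outcome": "success"}
{"ts": "2024-03-04T09:00:40Z", "actor": "emp1021", "subject": "CUST-0002", "outcome": "success"}
{"ts": "2024-03-04T09:01:12Z", "actor": "emp1021", "subject": "CUST-0003", "outcome": "success"}
{"ts": "2024-03-04T09:01:55Z", "actor": "emp1021", "subject": "CUST-0004", "outcome": "success"}
{"ts": "2024-03-04T09:02:30Z", "actor": "emp1021", "subject": "CUST-0005", "outcome": "success"}
{"ts": "2024-03-04T09:03:10Z", "actor": "emp1021", "subject": "CUST-0006", "outcome": "success"}
{"ts": "2024-03-04T09:03:48Z", "actor": "emp3000", "subject": "CUST-0007", "outcome": "success"}
{"ts": "2024-03-04T09:10:00Z", "actor": "emp2044", "subject": "CUST-0009", "outcome": "failure"}
{"ts": "2024-03-04T09:10:20Z", "actor": "emp2044", "subject": "CUST-0009", "outcome": "failure"}
{"ts": "2024-03-04T09:10:45Z", "actor": "emp2044", "subject": "CUST-0009", "outcome": "failure"}
{"ts": "2024-03-04T09:11:05Z", "actor": "emp2044", "subject": "CUST-0009", "outcome": "success"}
{"ts": "2024-03-04T09:15:00Z", "actor": "emp3000", "outcome": "success"}
"""


def parse_log(text):
    """Parse JSON lines. Returns (events, incomplete): events have "ts" as a
    datetime; incomplete lists (line number, missing fields) for entries that
    lack a required particular and therefore cannot be reviewed."""
    events, incomplete = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            incomplete.append((lineno, missing))
            continue
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(entry)
    return events, incomplete


def _by_actor(events):
    """Group events per actor, each group sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["actor"]].append(e)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def find_bulk_access(events, window=timedelta(minutes=10), max_subjects=5):
    """Actors who successfully accessed more than max_subjects distinct
    customers' records inside any sliding window. Returns {actor: peak count}."""
    findings = {}
    for actor, evs in _by_actor(events).items():
        ok = [e for e in evs if e["outcome"] == "success"]
        peak = 0
        for i, start in enumerate(ok):
            in_window = {e["subject"] for e in ok[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak > max_subjects:
            findings[actor] = peak
    return findings


def find_repeated_failures(events, window=timedelta(minutes=5), max_failures=2):
    """Actors with more than max_failures unsuccessful attempts inside any
    sliding window. Returns {actor: peak count}."""
    findings = {}
    for actor, evs in _by_actor(events).items():
        failed = [e for e in evs if e["outcome"] != "success"]
        peak = 0
        for i, start in enumerate(failed):
            n = sum(1 for e in failed[i:] if e["ts"] - start["ts"] <= window)
            peak = max(peak, n)
        if peak > max_failures:
            findings[actor] = peak
    return findings


def review_log(text):
    """Run all checks over a log text and return the findings."""
    events, incomplete = parse_log(text)
    return {
        "incomplete_entries": incomplete,
        "bulk_access": find_bulk_access(events),
        "repeated_failures": find_repeated_failures(events),
    }


if __name__ == "__main__":
    for check, result in review_log(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Incomplete entries are reported rather than silently skipped, because a log that omits whose data was accessed fails the Policy's own requirement and should itself be treated as a finding. The thresholds are starting points; in practice they would be tuned per role, since a branch officer serving walk-in customers legitimately touches more records per hour than a back-office analyst.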
Accidental / Unauthorized Disclosure
- If any Bank employee, Service Provider or Authorized Agent identifies that Personal Information of any Customer or Non-Customer has been erroneously disclosed in contravention of this Policy, that person or entity shall immediately report the incident through the reporting channel to the Grievance Officer.
- Depending on the criticality of the information and the impact of the disclosure, the Bank shall take suitable action in such matters.
Protection under Whistle Blower Policy
If any Bank employee, Agent, Service Provider, Authorized Agent, etc. observes that Personal Information of a Customer or Non-Customer is being disclosed in contravention of this Policy, such person or entity shall be encouraged to report the incident pursuant to the Whistle Blower Policy of the Bank.
Disposal of Personal Information
The Bank shall destroy Personal Information in its possession when it is concluded that the information is no longer needed and the Bank is no longer under a legal obligation to retain it. Due precaution shall be taken prior to the destruction of such information.
ENFORCEMENT
As per RBI guidelines, the Bank shall have a Chief Information Security Officer (CISO), who shall be a senior-level official of the rank of GM/DGM/AGM.
The CISO shall be responsible for articulating and enforcing this Privacy Policy, for protecting the information of the Bank, and for coordinating Personal Information security related issues and their implementation within the Bank as well as with relevant external agencies.
REFERENCE
- Master Circular on Know Your Customer (KYC) Norms / Anti-Money Laundering (AML) Standards / Combating of Financing of Terrorism (CFT) / Obligation of Banks under Prevention of Money Laundering Act, 2002, dated July 1, 2011
- Master Circular on Know Your Customer (KYC) Norms / Anti-Money Laundering (AML) Standards / Combating of Financing of Terrorism (CFT) / Obligation of Banks under Prevention of Money Laundering Act, 2002, dated July 1, 2010 / July 2, 2012
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Customer Identification Procedure Features to be verified and documents that may be obtained from customers [Annex to A.P. (DIR Series) Circular No. dated November, 2012] RBI/2012-13/45 DBOD. AML. BC. No. 11/14.01.001/2012-13 July 2, 2012
- Information Security Policy of the Bank
- Credit Information Companies (Regulation) Act, 2005
- National Cyber Security Policy – Notification dated 2nd July 2013
- Draft Bill – Right to Privacy – IT Act 2000 and ITAA 200