The International Association for Hospice and Palliative Care (IAHPC) must restrict access to confidential and sensitive data to protect it from being lost or compromised, and thereby adversely impacting our members, donors, officers, directors and subscribers, through penalties for non-compliance and reputational damage. The organization must, at the same time, ensure users can access data as required to work effectively.

This document describes the IAHPC Data Protection Policy, lists the Principles, Action Steps and Scope of the Policy. It is not anticipated that this policy can eliminate all malicious data theft or breaches. Rather, its primary objective is to increase user awareness, avoid accidental loss scenarios, and outline the requirements to prevent data breaches.

The IAHPC collects information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

Scope

In Scope

This data security policy applies to all data pertaining to IAHPC members, donors and funders, as well as personal data, or other IAHPC data defined as sensitive by the IAHPC data classification policy (contact information, bank account and credit card numbers, etc.). It therefore applies to every server, database and IT system that handles such data, including any device regularly used for email, web access or other work-related tasks. Every user who interacts with IAHPC is subject to this policy.

Out of Scope

Information that is classified as Public is not subject to this policy. IAHPC management has discretion to exclude other data from the policy based on specific business needs.

Underlying Principles

Data will be:

• Accurate and up-to-date.
• Collected fairly and for lawful purposes only.
• Processed by the IAHPC within its legal boundaries.
• Protected against any unauthorized or illegal access by internal or external parties.

Data will not be:

• Communicated informally.
• Transferred to organizations, states or countries that lack adequate data protection policies.
• Shared with any party other than the ones agreed upon by the data’s owner.

In addition to how it handles the data, the IAHPC has direct obligations towards the people to whom the data belongs. Specifically, it must:

• Advise them about what data of theirs is being collected.
• Inform them about how it will be processed.
• Inform them about who has access to their data.
• Provide for exceptions such as lost, corrupted or compromised data.
• Allow them to request that we modify, erase, reduce or correct data that has been collected.

Commitment

To protect personal data the IAHPC commits to:

• Restrict and monitor access to sensitive data.
• Develop transparent data collection procedures.
• Build secure networks to protect online data.
• Establish clear procedures for reporting privacy breaches or data misuse.
• Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)

Our data protection provisions are published on the IAHPC website.

Process

The IAHPC shall provide all staff members with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.

General

1. Each staff member shall be identified either by a unique username and email address to ensure proper identification.
2. The use of shared identities is permitted only where appropriate, such as service or general accounts (i.e. [email protected] )
3. User access records may be made available as evidence for security incident investigations.
4. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

Access Control Authorization

The Executive Director and/or the Webmaster shall give access to IAHPC resources, accounts, email service and other platforms.

Requirements for password length, complexity and expiration are stated in the IAHPC password policy.

Application and Information Access

1. All IAHPC members as well as officers and directors shall be granted access to the data and applications required for their jobs.
2. IAHPC staff shall access to data and systems only if there is a job-related need and with approval from the Executive Director.

Access to Confidential, Restricted information

1. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it.

Reporting

The IAHPC webmaster and the Executive Director will produce and handle incident reports. High-priority incidents discovered by the webmaster or any other officer shall be discussed with the Executive Director at the earliest possible moment.

Ownership and Responsibilities

The webmaster provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources. Everyone who has access to information resources, such as officers, members, consultants, and volunteers is considered a ‘user’.

Enforcement

Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment, membership or affiliation with the IAHPC.

This Policy will be revised and approved annually by the IAHPC Board of Directors.