The International Association for Hospice and Palliative Care (IAHPC) must restrict access to confidential and sensitive data to protect it from being lost or compromised, which would adversely impact our members, donors, officers, directors and subscribers through penalties for non-compliance and reputational damage. The organization must, at the same time, ensure users can access data as required to work effectively.
This document describes the IAHPC Data Protection Policy and lists the Principles, Action Steps and Scope of the Policy. It is not anticipated that this policy can eliminate all malicious data theft or breaches. Rather, its primary objective is to increase user awareness, avoid accidental loss scenarios, and outline the requirements to prevent data breaches.
The IAHPC collects information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
This data security policy applies to all data pertaining to IAHPC members, donors and funders, as well as personal data, or other IAHPC data defined as sensitive by the IAHPC data classification policy (contact information, bank account and credit card numbers, etc.). It therefore applies to every server, database and IT system that handles such data, including any device regularly used for email, web access or other work-related tasks. Every user who interacts with IAHPC is subject to this policy.
Information that is classified as Public is not subject to this policy. IAHPC management has discretion to exclude other data from the policy based on specific business needs.
Data will be:
Data will not be:
In addition to how it handles the data, the IAHPC has direct obligations towards the people to whom the data belongs. Specifically, it must:
To protect personal data the IAHPC commits to:
Our data protection provisions are published on the IAHPC website.
The IAHPC shall provide all staff members with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.
The Executive Director and/or the Webmaster shall give access to IAHPC resources, accounts, email service and other platforms.
Requirements for password length, complexity and expiration are stated in the IAHPC password policy.
The IAHPC webmaster and the Executive Director will produce and handle incident reports. High-priority incidents discovered by the webmaster or any other officer shall be discussed with the Executive Director at the earliest possible moment.
The webmaster provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources. Everyone who has access to information resources, such as officers, members, consultants, and volunteers, is considered a ‘user’.
Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment, membership or affiliation with the IAHPC.
This Policy will be revised and approved annually by the IAHPC Board of Directors.