Definitions
Within this document, the term “personal information” includes any data that is not Public Information as defined in the Information Classification section of Cadence Sports Incorporated and its subsidiaries, Cadence Event Management, LLC, Cadence Equipment, LLC, H2O Operations, LLC (collectively the “Company”) Security Policy. Within this document, the term “personnel” includes any employees, contract personnel, officers, and board members of Company that have access to or handle personal information.
Organization of Privacy Program
Company’s Chief Executive Officer (“CEO”) is responsible and accountable for the organization’s privacy program, and the Board of Directors includes privacy periodically in its regular review of overall corporate governance. Annually, Company’s CEO reviews and updates the Security and Privacy Policies. Company also has an ongoing process in place to monitor, assess, and address the effect on security and privacy requirements from on-going changes resulting from:- Legal and regulatory environments- Industry requirements- Contract requirements- Business operations and processes- Personnel assigned responsibility for privacy and security matters- Technology (prior to implementation)Policies and procedures are updated where required as a result of any changes. Policies may also be updated to resolve inconsistencies between the policies and new contracts entered into by Company. All changes to the policies must be approved by the CEO, legal counsel, and the Board of Directors. If changes are made to the policies, Company will provide revised copies of the policies to all employees, contract employees, subcontractors, and vendors along with a summary of the changes that were made.Monitoring activities include but are not limited to the review of control reports, trend analysis, complaint resolutions, and/or regular internal reviews. All security exceptions or situations not specifically addressed in Company’s policies are referred to and handled by the CEO.
Information Collection & Retention
Company does not collect personal information or any information directly from individuals. Individuals’ personal information is received from clients, potential clients, and strategic partners.
Information Classification
Please see Security Policy.
Information Labeling
Please see Security Policy.
Data Handling
Company uses personal information only for legally-permissible reasons related to operating its business. Personal information is not sold or shared with third parties except in the context of a business relationship governed by appropriate contracts, and in accordance with all relevant laws and regulations. Standards for storing, transmitting, printing, and destroying data can be found in the Security Policy. In addition to those standards, personnel must take precautions when verbally communicating about PII or Client Confidential information including not discussing PII or Client Confidential information while in the presence of other people who may overhear the conversation. Personnel must also take reasonable precautions when working in public places including ensuring laptop screens and physical papers with PII or Client Confidential information cannot be seen by other people.Communications & Operations Management
Disclosure of Personal Information
Company discloses personal information only with implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.Human Resources Privacy
Employees & Contract Personnel
Background checks are performed on all employees during the hiring process and prior to any access grants to company data. These checks are renewed annually as part of our annual risk assessment process as well. Employees must remain in good standing in order to retain access privileges. Company requires all personnel to attest to reading all policy and procedure documents.
Part-Time Employees & Vendors
Company investigates all complaints related to the misuse of personal information by a part-time employee or vendor and responds to any knowledge of a variance with Company’s privacy policies and procedures or contractual arrangements in accordance with its privacy incident management policies. Company will also take remedial action, where appropriate, and will mitigate, to the extent practicable, any harm caused by the misuse of a subcontractor or vendor.
Violations & Sanctions
Personnel found to violate this policy will be subject to escalating sanctions up to and includingtermination of their relationship with Company.
Personnel Termination & Security
In the event Company terminates its relationship with personnel or vice versa-Access credentials to all systems will be revoked at close of business on personnel’s final day with Company.- Personnel will be notified they have one week to return any Company owned assets includinglaptops or other technology devices.However, if Company determines that the terminated personnel pose a security or privacy risk:- Access credentials to all systems will be revoked prior to Company notifying personnel of termination or within one hour if personnel terminates the relationship with Company.- Personnel will be notified they have 1 week to return any Company owned assets includinglaptops or other technology devices.
Privacy Incident Management
A “privacy incident” is any incident in which PII is, or may have been, improperly disclosed.All personnel are required to immediately raise privacy incidents to the attention of the CEO. Immediately upon notification, CEO will work with the appropriate parties to establish technical and business action plans. The Board of Directors will coordinate with legal counsel if necessary to identify any remediation actions and/or notification requirements under applicable laws and regulations. The Board of Directors will contact law enforcement, regulatory, or other authorities when required by law or when warranted by the specific nature of the incident. The Board of Directors will then notify any affected third-parties including clients, partners, suppliers, or vendors. After any “privacy incident”, a review is conducted to identify root-causes and remedies to prevent similar incidents in the future. The program is evaluated at least annually and shortly after the implementation of significant system or procedural changes.
Risk Assessment & Treatment
See Security Policy.