SWEET seeks to “Enable the SWEET Mission through ensuring the privacy and proper use of the data of our members, collaborators, and systems by implementing policies, procedures and safeguards.” SWEET works closely with a contracted data protection officer to:
SWEET’s data protection and data privacy measures incorporate the following seven specific privacy principles:
Where SWEET collects Personally Identifiable Information directly from individuals, it will provide notice about the purpose(s) for which it collects and uses the Personally Identifiable Information, the non-vendor third parties (names are excluded due to confidentiality) to which SWEET discloses the Personally Identifiable Information, and the choices and means, if any, SWEET offers individuals for limiting the use and disclosure of their Personally Identifiable Information. Where SWEET processes Personally Identifiable Information of Data Subjects on behalf of its members (the ‘Data Controller’), SWEET will provide its members with the information that the member as a Data Controller needs to assess compliance with data protection laws.
Where required by law, SWEET will offer Data Subjects the option to choose whether or not their Personally Identifiable Information may be disclosed to a non-vendor third party, or may be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.
When collecting Personally Identifiable Information as a Data Controller, and where required by law, SWEET will provide Data Subjects the opportunity to affirmatively and explicitly consent to the disclosure of their Personally Identifiable Information to a non-vendor third party or to the use of the Personally Identifiable Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.
SWEET will only use Personally Identifiable Information in ways that are compatible with the purpose(s) for which it was collected, subsequently authorized by the Data Subject or as authorized by law. To the extent possible, SWEET will take reasonable steps to assess and verify, where applicable, that Personally Identifiable Information is relevant to its intended use, as well as accurate, complete, and current.
SWEET will obtain assurances from third-party vendors with whom Data Subjects’ Personally Identifiable Information is rightfully shared that the third-party vendors will safeguard the Personally Identifiable Information consistent with SWEET’s privacy policies. Where SWEET is aware that a third-party vendor is using or disclosing Personally Identifiable Information in a manner contrary to SWEET’s policies, SWEET will take reasonable steps to stop the third-party vendor from such improper use or disclosure.
Upon request and verification, SWEET will grant Data Subjects reasonable access to their Personally Identifiable Information. In addition, SWEET will take reasonable steps to permit Data Subjects to correct, amend, or delete Personally Identifiable Information that is demonstrated to be inaccurate or incomplete.
SWEET will take reasonable precautions to protect Personally Identifiable Information in its possession from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
* Personally Identifiable Information: information that can identify an individual.
** Data Subject: an identified or identifiable person.
*** Data Controller: the party that determines the purposes and means of the processing of personal data.
Any SWEET employee or contractor directly involved in processing Personally Identifiable Information or Sensitive Information is required to be trained and made aware of his/her responsibilities regarding this information. SWEET is supported by a contracted data protection officer, who helps to enable the implementation of security safeguards including role-based access, standardized authentication methods, audit and monitoring capabilities, encryption, and other standard controls. SWEET has a data breach response process in place that provides for a swift analysis, escalation and response process in case of data privacy incidents.
SWEET proactively performs privacy impact assessments to identify, assess and address privacy risks. Additionally, SWEET ensures that the appropriate privacy provisions are incorporated into third-party contracts.