Effective Date: June 3, 2020
All Employees at NKSFB must comply with this Policy. Any Employee who fails to comply with this Policy may be subject to disciplinary action, up to and including dismissal. You should immediately contact Legal if you become aware of a breach or potential breach of this Policy.
- Purpose and Scope of This Policy
- What Personal Information Does the Company Collect and How Is It Used?
- The Company’s Responsibility for Your Personal Information
- Disclosure and Transfer of Personal Information
- Restrictions on Access to Personal Information
- Retention and Disposal of Personal Information
“CONSUMER” means a living individual about whom the Company holds Personal Information.
“EMPLOYEE” OR “COVERED EMPLOYEE” refers to:
- current and former employees (including permanent, temporary and part time employees);
- job applicants and other Prospective Employees;
- owners, directors, officers, or contractors of the Company about whom the Company collects and processes Personal Information;
- dependents and beneficiaries of current and former employees, owners, directors, and officers about whom the Company collects and processes Personal Information.
“PERSONAL INFORMATION” means information (whether stored electronically or in paper based filing systems) relating to a living individual who can be identified from that data (or from that data and other information in our possession). The categories of Personal Information as defined by the California Consumer Privacy Act of 2018 (“CCPA”) that pertain to this Policy include:
| Category | Examples |
|---|---|
| IDENTIFIERS | Name, address, email, phone, SSN, driver’s license |
| OTHER DATA¹ | Financial information, medical information, health insurance information |
| PROTECTED CLASSES | Race, gender, sexual orientation, religion, citizenship |
| INTERNET ACTIVITY | Browsing history, search history, IP address, website interactions |
| PROFESSIONAL DATA | CV, resume, employment history |
| EDUCATION DATA | Educational background, grades, scores |
“PROCESSING” or “PROCESSED” is any activity that involves use of the Personal Information. It includes obtaining, recording or holding the Personal Information, or organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Information to third parties.
“PROSPECTIVE EMPLOYEE” is an individual who has been offered a position with the Company, contingent upon the satisfactory completion of certain actions, which can include (where legally permissible) pre-employment drug screens, driving records and criminal background checks.
¹ Personal Information under the CCPA also includes any other category of personal information not included within the CCPA’s definition that is defined in California Civil Code § 1798.80(e). We refer to this category as “Other Data,” and it includes information such as financial information (bank account number, credit card number, debit card number), medical information, health insurance information, and insurance policy number.
2. Purpose and Scope of this Policy
- ensure the security and confidentiality of Personal Information in a manner consistent with industry and legal standards;
- protect against threats or hazards to the security or integrity of Personal Information; and
- protect against unauthorized access to or use of Personal Information that creates a substantial risk of identity theft or fraud.
This Policy applies to all Personal Information that exists in any of the Company’s Processing environments, on any media, at all times, relating to the Company’s Employees.
As an employer, the Company needs to collect, store and Process Personal Information about its Employees. Personal Information may be provided to the Company by a variety of means, including through the Internet, the Company’s intranet, by email, by telephone, by fax or in person. Personal Information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards that impose restrictions on how the Company may Process Personal Information. The Company strives to uphold these key principles when Processing Personal Information:
2.1 OPENNESS: Provide information to Employees about how we Process their Personal Information, including not doing anything with their Personal Information that they would not expect or that we would be embarrassed for them to know about.
2.2 PURPOSE LIMITATION: Only collect Personal Information for a specific business need of the Company, and only use the Personal Information for that specific purpose.
2.3 ACCURACY: Keep Personal Information accurate, complete and up-to-date. Anyone whose Personal Information we Process has the right to obtain a copy of that Personal Information and to correct any inaccuracies.
2.4 SECURITY: Protect Personal Information with appropriate security measures against loss or theft, and prevent, to the extent possible, accidental or unauthorized access, damage, loss or disclosure.
3. What Personal Information Does the Company Collect and How Is It Used?
- HUMAN RESOURCES, PAYROLL PROCESSING, EMPLOYMENT ELIGIBILITY VERIFICATION: For the purpose of performing human resource functions, payroll processing, and employment eligibility verification, the Company may request the following: Employee’s name, address, date of birth, Social Security Number(s), Employee driver’s license number(s), Visa status (where lawful and required), employment eligibility verification, and, where necessary, motor vehicle records, state identification card numbers, bank account information, where an Employee elects auto-depositing of paychecks, and garnishments.
- ESSENTIAL JOB DUTIES: For the purpose of determining whether an applicant or Employee can carry out the essential job duties of his or her position and/or determining whether to hire an applicant or promote an Employee, the Company may collect information from the Employees’ former employer(s) relating to an Employee’s job performance; background details relating to Employees’ and Prospective Employees’ record checks or credit checks (when permitted by law and related to the Employee’s position); confirmation of degrees and/or certification; information about criminal convictions and Sensitive Personal Information, in accordance with applicable local or national laws and regulations; insurance confirmation (where such information is required for the performance of the position’s essential job duties).
- BENEFITS: For the purpose of providing Employees and their spouses, domestic partners, or dependents health plans, pension benefits, and/or any other type of Company-sponsored benefits, the Company may collect Employees’ current medical insurance information, Employees’ spouses’ medical insurance information, medical records and information relating to Employees’ primary physicians or medical providers.
- DRUG AND ALCOHOL POLICY: For the purpose of administering the Company’s Drug and Alcohol Policy, the Company may collect Employees’ drug test results (where permitted by law), including: pre-employment but post-conditional offer drug test results; post-accident drug test results; results for random drug tests for regulated positions; and/or as required by customer contract and permitted under the law.
- PENSION AND RETIREMENT PLAN: For the purpose of enrolling, maintaining, or assisting with the administration of a 401k plan, or any other type of company-sponsored savings, spending, deferred compensation, or retirement plan or account, the Company may collect Employees’ banking information, beneficiary information, retirement information, family details (including but not limited to dependents’ Personal Information, marriage status, and marriage history).
- ACCESS TO COMPANY IT RESOURCES: For the purpose of ensuring compliance with all of the Company’s employment-related policies and applicable law and regulations, as well as other security and confidentiality requirements, and as consistent with applicable federal and state law, the Company may collect information about each Covered Employee’s use of the Company’s computer systems and network, including without limitation browser history (regarding both internal network and external network [i.e., Internet] information access), search history, file access and transfer records, and website interactions.
- EMPLOYMENT CONTRACTS: To carry out its obligations arising from contracts of employment entered into between Covered Employees and the Company, including but not limited to payroll functions, reporting to the Internal Revenue Service or state or local or other applicable equivalent, enrolling Covered Employees in benefit programs, or dealing with disciplinary complaints about or actions against Covered Employees.
- LEGAL REQUIREMENTS: The Company may collect Personal Information as needed to comply with applicable laws and regulations.
Prospective Employees will be told in advance how and which aspects of their Personal Information will be verified and if any vetting will take place, and will be informed which, if any, external agencies are used.
Prospective Employees will be given the opportunity to explain any discrepancies that emerge as a result of any verification or any information uncovered by vetting that might negatively affect their application. Moreover, any vetting will also: (i) be restricted to roles where it is genuinely necessary; (ii) not involve approaches to colleagues or the family of individuals, except in exceptional circumstances; and (iii) be targeted at the collection of specific and not general information. All information collected will be in compliance with all applicable laws.
Except for the notice set forth in this Policy, Personal Information collected about Covered Employees is exempt from the provisions of the CCPA. All such information is collected and used by the Company solely within the context of the individual’s employment or the context of processing an individual’s employment application.
4. The Company’s Responsibility For Your Personal Information
4.1 SECURITY PROCEDURES
The Company will strive to protect your Personal Information through the following methods:
- The Company maintains security measures and technology to prevent Personal Information from being inadvertently disclosed to any unauthorized third party either orally, in writing, via the Internet, or by any other means, accidentally or otherwise. This includes, without limitation: monitoring the Company’s systems for unauthorized access; employing firewall protection and system security patches; and employing virus and malware protection.
- The Company ensures laptops, backup tapes, and other portable devices containing Personal Information are password protected and all Personal Information is encrypted as appropriate.
- The Company has the ability to remotely destroy Personal Information on company laptops and/or certain mobile devices that are lost or stolen.
4.2 SECURITY BREACHES
Any Employee who becomes aware of circumstances that may indicate an intrusion or compromise in the Company’s security is obliged to immediately report the incident to the Chief Information Officer. This includes evidence of unauthorized access to Personal Information in any format, loss or theft of equipment or records containing Personal Information, evidence of an intrusion into our system, or Personal Information transmitted or disclosed in error. The Company maintains logs of all monitoring and security activity. The Company has established a response plan to address breaches in its security that it reviews and updates periodically. If there is a breach of security, all the affected individuals will be notified as required by law. The Company reviews all security events and all responsive actions in order to improve its protection of Personal Information.
5. Disclosure and Transfer of Personal Information
5.1 SECURITY OF PERSONAL INFORMATION DURING TRANSFER
Where Personal Information is transferred within the Company’s organization in the course of performing its duties, the level of security appropriate to the type of Personal Information and anticipated risks will be applied. For example, if transferred by e-mail, Personal Information may be encrypted with the password supplied separately where it is appropriate and necessary. The Company also employs recognized technology or private networks to protect Personal Information transferred over the Internet where it is appropriate and necessary.
5.2 DISCLOSURES TO THIRD PARTIES
By providing Personal Information to the Company you agree that the Company may share certain information with third parties and by submitting Personal Information you agree to this transfer and Processing.
Personal Information should only be shared with third parties in limited circumstances, including:
- If the Company sells or buys any business or assets, in which case the Company may disclose your Personal Information to the prospective seller or buyer of such business or assets.
- If the Company is under a duty to disclose or share your Personal Information in order to comply with any legal obligation.
- To service providers that need the Personal Information to provide you or the Company with certain services.
- If the Company is required by customer contract to share drug test results, you will be provided with that information prior to undergoing the drug test and required to sign a waiver.
6. Restrictions on Access to Personal Information
The Company employs physical, administrative and technological means to restrict access to Personal Information including:
- Only those who have appropriate authority or are reasonably required to know or use Personal Information will have access to Personal Information, and only to the extent necessary for legitimate business purposes. This authority may be revoked at any time and for any or no reason.
- Physical records containing Personal Information (e.g., paper records and storage media) are required to be kept in restricted and secure areas. Access to these records is limited to authorized personnel only to the extent necessary for legitimate business purposes.
- Physical or Electronic access is terminated for Employees whose employment is terminated or whose authorization is revoked. Terminated Employees are required to return all equipment and are not permitted to maintain any copies or reproductions of Personal Information.
- The Company endeavors to disclose Personal Information only to the extent reasonably necessary. The Company masks Sensitive Personal Information and other details such as Social Security Numbers and financial account numbers, as applicable.
- The Company does not permit direct public access between external networks and any system component that stores Personal Information. The Company uses a DMZ to filter and screen inbound and outbound Internet traffic.
- Personal Information will also be anonymized where possible (e.g., where only statistical information is needed).
7. Retention and Disposal of Personal Information
7.1 RETENTION OF PERSONAL INFORMATION
The Company will only retain your Personal Information for as long as is necessary to perform its obligations to you or as is required by law. The Company has a legal duty to retain employment records that may include Employee Personal Information after the termination of employment. There are varying requirements as to how long an employer must maintain employment records depending on the type of record being maintained. Accordingly, different categories of Personal Information may be kept for different periods of time in compliance with the law.
7.2 DESTRUCTION OF PERSONAL INFORMATION
The Company shall destroy your Personal Information once the Company is no longer required to maintain or utilize the Personal Information, as described in this Policy. Such destruction shall be carried out in a secure and permanent way, regardless of the format in which the Personal Information is stored (e.g., paper, Electronic, etc.).
When a record containing Personal Information is to be disposed of, the following procedures will be followed by the Company:
- All paper documentation containing Personal Information will be permanently destroyed by shredding.
- All computer equipment or media that are to be sold or scrapped will have had all Personal Information completely destroyed, for example, by reformatting, over-writing, deleting, degaussing, or physical destruction of the storage media.
Any employee found to have violated this Policy is subject to disciplinary action, up to and including termination of employment. Any Consumer having questions or concerns about this Policy or their Personal Information should contact the Chief Human Resources Officer.