1. Introduction
In its everyday business operations, Serene Insurance makes use of a variety of data about identifiable individuals, including data about:
- Current, past and prospective employees
- Customers
- Users of its websites
- Subscribers
- Other stakeholders
In collecting and using this data, the organization is subject to legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps Serene is taking to ensure compliance.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, employees, suppliers and third parties.
The following policies and procedures are relevant:
- Information Classification Procedure
- Information Labelling Procedure
- Acceptable Use Policy
- Electronic Messaging Policy
- Internet Acceptable Use Policy
- ISMS Incident Response Procedure
- ISMS Roles, Responsibilities and Authorities
2. Privacy and Personal Data Protection Policy
2.1 The Data Protection Act, 2012
The Data Protection Act, 2012 is a key piece of legislation governing how Serene processes information. It protects individual privacy by regulating how personal data is obtained, used, stored, and disclosed.
Serene ensures compliance with this Act and other relevant laws at all times.
2.2 Principles Relating to Processing of Personal Data
The Act establishes principles that apply to all personal data, whether stored electronically or manually.
The following eight (8) basic principles must be applied:
- Accountability
- Lawfulness of Processing
- Specification of Purpose
- Compatibility of Further Processing with Purpose of Collection
- Quality of Information
- Openness
- Data Security Safeguards
- Data Subject Participation
Serene ensures compliance through its Information Security Management System (ISMS) aligned with ISO/IEC 27001.
2.3 Rights of the Individual
The rights of data subjects are supported by appropriate internal procedures.
2.4 Privacy by Design
Serene ensures privacy is considered in all new or modified systems involving personal data.
Privacy Impact Assessments include:
- Purpose of data processing
- Necessity and proportionality
- Risk assessment to individuals
- Controls to mitigate risks
Techniques such as data minimization and pseudonymization are applied where appropriate.
2.5 Privacy Statement of Websites
Serene is committed to protecting customer privacy. This statement outlines how personal data is collected, used, and protected.
Information We Collect
- Personal Information: Name, email, phone number, etc.
- Non-Personal Information: IP address, browser type, system data.
- Cookies: Used to enhance user experience.
How We Use Your Information
- Provide requested services
- Improve website functionality
- Send promotional content (if opted in)
- Analyze usage
Disclosure of Your Information
- With service providers
- For legal compliance
- During business transfers
Your Choices
- Unsubscribe from emails
- Manage cookies via browser settings
Security
Appropriate safeguards are implemented to protect personal data.
Changes to This Privacy Statement
Updates will be posted with a revised date.
Contact Us
For questions regarding privacy, please contact us.
2.6 Breach Notification
Serene will notify the Data Protection Commission (DPC) within 72 hours of any breach posing a risk to individuals, in line with ISMS procedures.
2.7 Addressing Compliance with the Data Protection Act
To ensure accountability, Serene implements the following:
- Clear legal basis for data processing
- Staff awareness and responsibility
- Regular training
- Periodic reviews
- Privacy by design implementation
Documentation includes:
- Organization details
- Processing purposes
- Categories of data subjects
- Data recipients
- Retention schedules
- Security controls
These measures are reviewed regularly as part of ISMS management processes.
