The American Society for Deaf Children values privacy and will comply with applicable privacy, data protection, and data security laws. American Society for Deaf Children employees, contractors, and volunteers will only collect, use, and disclose personal information in accordance with this policy. This policy governs the activities of the American Society for Deaf Children (ASDC). ASDC is permitted to adopt additional privacy, data protection, and data security policies and procedures that are consistent with this policy and compliant with the laws of its jurisdiction. Questions? Contact the executive director of ASDC at cheri@deafchildren.org

PROCEDURES

Permitted Uses of Personal Information. “Personal Information” means any information that identifies, or in combination with other information is capable of identifying, ASDC participants, employees, volunteers, fans, donors, and website visitors (collectively “Data Subjects”). This policy governs the following categories of Personal Information and permits the uses set forth in this Section. Where ASDC intends to process Personal Information for a purpose other than that for which the personal data were collected, ASDC will provide notice to the Data Subject prior to such further processing with information on that other purpose and with any relevant further information.

  • Contact Information is used to provide information to Data Subjects regarding ASDC activities and our mission and to solicit donations to support ASDC. Contact Information includes:
    1. Name
    2. Address
    3. Phone number
    4. Email address
    5. Parent or guardian information if Data Subject is a minor or an adult with a legal guardian
  • Participation Data are used to operate ASDC activities, promote ASDC, solicit donations, recognize ASDC sponsors and partners, and maintain the history of ASDC. Participation Data include:
    1. Name
    2. Age
    3. Gender
    4. Competition results
    5. Participation history
    6. Images and video
    7. Biographical information
  • Donation History is used for accounting, tracking donations, and thanking donors for their gifts. Donation History includes:
    1. Name
    2. Dates of donations
    3. Amounts of donations
    4. Payment method
  • Online Message Boards and similar online tools maintained by ASDC may allow Data Subjects to disclose information about themselves publicly.
  • Employee Data are used for performing employment-related activities and communications, including activities related to the employees’ job duties, payroll and benefits administration, performance evaluations, and personnel actions. Employee Data include:
    1. Name
    2. Contact information
    3. Salary, benefits, and tax information
    4. Bank information
    5. Work history and biographical information
  • Operations. ASDC may also process Personal Information to perform computer operations, quality assurance, testing, and other operations activities necessary for the above purposes.

ASDC only uses Personal Information to publicly promote ASDC, solicit donations, and recognize ASDC sponsors and partners in accordance with the written consent of Data Subjects. Where ASDC intends to further process Personal Information for a purpose other than that for which the personal data were collected, ASDC will provide notice to the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.

Sharing of Personal Information. Personal information may only be disclosed as described in this Policy:

  • ASDC Organizations. Personal Information may be shared among applicable ASDC Programs, including their relevant staff and volunteers, as necessary to perform permitted uses relevant to the Data Subject.
  • Data Subjects. A Data Subject’s Personal Information may be disclosed to the Data Subject or his/her authorized guardian or representative.
  • Payment Processing. ASDC uses third parties to provide credit card, bank, payment, and information processing services. Such service providers are only authorized to use Personal Information as necessary to perform services on our behalf or to comply with legal requirements.
  • Contractors. ASDC uses agents and contractors to help with our operations. ASDC organizations shall obtain satisfactory contractual assurance that contractors and data processors with access to Personal Information will appropriately safeguard such information. Each contractor or data processor shall be required to sign an agreement containing terms as set forth in Appendix A.
  • Medical Emergency. ASDC may disclose Personal Information to medical professionals in an emergency.
  • Third-Party Researchers. ASDC may disclose Personal Information confidentially to researchers, such as universities or public health agencies, who are studying Deaf/HH issues, families and children, and the impact of ASDC activities. This kind of disclosure may only be made with the Data Subject’s written consent. Information may only be published in an aggregate form without identifying any individual Data Subjects.
  • Necessity. ASDC may disclose personal information as necessary to protect the Data Subject’s vital interest, protect the vital interest of another person, protect public safety, respond to government requests, and report information as required by law.
  • Donor List Exchange. Renting or exchanging donor names and contact information with non-ASDC organizations is permitted only in accordance with ASDC List Management Policies and Procedures and is currently limited to the United States.

Where ASDC intends to further disclose Personal Information other than as described above, ASDC will provide notice to the Data Subject prior to that further disclosure and, if required by law, obtain the Data Subject’s written consent.

Notice of Privacy Practices. ASDC will notify Data Subjects of its privacy and data protection practices when they register with ASDC, provide information on an ASDC website, or otherwise provide Personal Information to ASDC. Where required by law, ASDC websites shall also notify website visitors of any cookies used on the website and obtain consent where necessary. Current privacy and data protection notices are posted on the ASDC website.

Rights of Data Subjects. Each Data Subject (or any authorized guardian or representative) has the right to ask to access, rectify, or erase his/her own Personal Information, or have the processing restricted, or to object to the processing. Each Data Subject also has the right to lodge a complaint with a competent supervisory authority, if applicable. Where the processing of personal information is based on consent, the Data Subject has the right to withdraw consent at any time with effect for the future.

Principles of Data Processing. ASDC has adopted the following principles to govern its processing of Personal Information, except as specifically provided by supplementary policies or as required by applicable laws or regulations.

  • Lawfulness, Fairness, and Transparency. Personal Information shall only be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
  • Purpose Limitation. Personal Information shall be obtained only for specified, explicit, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
  • Data Minimization. Personal Information shall be adequate, relevant, and not excessive in relation to the purposes for which it is processed.
  • Accuracy. Personal Information shall be accurate and, if necessary, kept current, as appropriate to the purposes for which it is processed.
  • Storage Limitation. Personal Information shall not be kept in a form that permits identification of the Data Subject for longer than necessary for the permitted purposes.
  • Integrity and Confidentiality. Personal Information shall be processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • Data Protection by Design and by Default. Technical and organizational measures shall be designed to implement data protection principles and to ensure that, by default, only the personal information necessary for each specific purpose of the processing is processed.

Safeguards. Considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, ASDC will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. ASDC will implement and maintain appropriate measures to protect Personal Information from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored, or otherwise processed. ASDC shall also be able to demonstrate how data processing is being performed in compliance with applicable laws, including GDPR. The following measures should be considered and implemented as appropriate in accordance with the above principles:

    • Office access control such as lock and key, swipe cards, and building security to ensure that only authorized persons are able to enter the premises;
    • Paper safeguards including (i) secure storage of written or printed Personal Information to safeguard against disclosure to individuals not involved with the use of the information, and (ii) shredding when use of the printed information is complete;
    • Digital storage only in data systems approved by the administration of each ASDC organization for the Personal Information the system holds;[2]
    • Unique login credentials used to access Personal Information with passwords of sufficient length and character types (e.g., numbers, upper case letters, lower case letters, special characters) consistent with industry best practices;
    • Automatic lock of computers and devices holding Personal Information after a short period of non-use;
    • Computers and devices secured when unattended in a locked house when at home or locked trunk when traveling by automobile;
    • Monitoring, logging, and audit controls on computers, devices and systems holding Personal Information;
    • Malicious software protection on computer systems, including regular and prompt updating of anti-virus, operating system, and application software to maintain current security features;
    • Prompt access removal upon termination of an employee, contractor, or volunteer with access to Personal Information, including return of facilities keys, return of computing equipment, and removal of access to data systems by changing or terminating login credentials;
    • Appropriate device and media disposal, including wiping of Personal Information and other confidential information prior to disposal or re-use;
    • Remote locking and wiping capability on computers and devices holding Personal Information in order to safeguard data in the event of loss or theft;
    • Pseudonymization and encryption to limit risk of unauthorized disclosure of Personal Information;
    • Back-up systems to ensure the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
    • Firewalls to protect against network intrusions and configured to enforce ASDC policies, such as blocking prohibited websites; and
    • Wireless networks configured in accordance with industry standards for wireless security.

Technical safeguard capabilities should be among the criteria for continued use and/or procurement of any computing hardware or software.

Impact Assessment. Where a type of Personal Information processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of Data Subjects (taking into account the nature, scope, context and purposes of the processing), ASDC will conduct an assessment of the impact of the processing operations on the protection of Personal Information. ASDC should conduct this assessment before beginning the contemplated data processing.

Violations and Security Incidents.

  • Duty to Report. Any employee who becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information shall immediately report the incident to his/her supervisor and/or the Data Privacy Coordinator. Supervisors receiving reports of potential violations and/or security incidents shall immediately report the matter to the organization’s Data Privacy Coordinator.
  • Incident Response. Upon learning of a potential breach of security or potential violation of this policy or applicable data protection laws, the Data Privacy Coordinator shall respond appropriately based on the circumstances, according to ASDC’s incident response policies and procedures, and at all times as directed by legal counsel. This response may include, but is not necessarily limited to:
    1. Notification of executive management where appropriate;
    2. Notification of affected individuals, organizations, and/or government officials as required by applicable rules, laws, regulations and contractual obligations;
    3. Retraining and/or disciplinary action for responsible employees as appropriate if the incident involved a violation of this policy; and/or
    4. A post-incident analysis conducted by the Data Privacy Coordinator and the Legal Department to incorporate any lessons learned into ASDC’s incident response policies and procedures, to evaluate ASDC safeguards, and to recommend to management any changes believed appropriate.

Privacy and Data Security Training. Employees and volunteers will be given privacy and data security training and/or guidance appropriate to their roles and responsibilities. The Data Privacy Coordinator shall ensure that training on this policy is provided when it is substantially changed.

Contingency Planning. ASDC organizations shall develop contingency plans to prepare for system failures and to establish procedures for maintaining critical operations in the event of system failure.

Periodic Review. The Data Privacy Coordinator shall conduct periodic reviews of the organization’s privacy and data security practices. Types of evaluation may vary and may include vulnerability scanning and remediation, firewall audits, penetration tests, social engineering exercises/tests, IT asset audits, audits of policies and procedures for compliance with applicable regulations, and/or audits of compliance with policies and procedures.

APPENDIX A: CONTRACT TERMS FOR CONTRACTORS AND DATA PROCESSORS

Each contractor or data processor with access to Personal Information shall be required to sign an agreement containing terms that safeguard the Personal Information. For contractors and data processors receiving or processing Personal Information of Data Subjects residing in the European Union, European Economic Area, or Switzerland, a separate data processing agreement consistent with GDPR Article 28 must be executed with the contractor. A template for this data processing agreement will be provided by legal counsel. For contractors that will not be receiving or processing Personal Information of Data Subjects residing in the European Union, European Economic Area, or Switzerland, agreements with contractors should include provisions that are the same as or substantially similar to the following:

    • The relationship contemplated by this Contract may require Contractor to access individually identifiable personal information of ASDC participants, employees, volunteers, fans, donors, website visitors, and other people associated with ASDC that is held by ASDC, Inc. Contractor may access, use, and disclose Personal Information only to the extent necessary to complete Contractor’s obligations outlined in this Contract. Regarding Contractor’s access, use, and disclosure of Personal Information, Contractor agrees to consider and implement the following measures:
      • Office access control such as lock and key, swipe cards, and building security to ensure that only authorized persons can enter the premises.
      • Paper safeguards including: (i) secure storage of written or printed Personal Data to safeguard against disclosure to individuals not involved with the use of the information and (ii) shredding when use of the printed information is complete;
      • Digital storage only in data systems approved by the administration of Consultant for the Personal Data the system holds;
      • Unique login credentials used to access Personal Data with passwords of sufficient length and character types (e.g., numbers, upper case letters, lower case letters, special characters) consistent with industry best practices;
      • Automatic lock of computers and devices holding Personal Data after a short period of non-use;
      • Computers and devices are secured when unattended in a locked house when at home or locked trunk when traveling by automobile;
      • Monitoring, logging, and audit controls on computers, devices, and systems holding Personal Data;
      • Malicious software protection on computer systems, including regular and prompt updating of anti-virus, operating system, and application software to maintain current security features;
      • Prompt access removal upon termination of an employee, contractor, or volunteer with access to Personal Data, including return of facilities keys, return of computing equipment, and removal of access to data systems by changing or terminating login credentials;
      • Appropriate device and media disposal, including wiping of Personal Data and other confidential information prior to disposal or re-use;
      • Remote locking and wiping capability on computers and devices holding Personal Data in order to safeguard data in the event of loss or theft;
      • Pseudonymization and encryption to limit risk of unauthorized disclosure of Personal Data;
      • Back-up systems to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
      • Firewalls to protect against network intrusions and configured to enforce Consultant’s policies, such as blocking prohibited websites;
      • Wireless networks configured in accordance with industry standards for wireless security;
      • Periodic privacy and data security risk assessments and related ongoing compliance monitoring activities in coordination with applicable organizational departments;
      • Ensuring delivery of privacy training and orientation to employees and volunteers with access to Personal Data;
      • Investigating and addressing privacy and data security incidents and/or policy violations; and
      • An appropriate response, based on the circumstances, to any potential breach of security or potential violation of data privacy policies or applicable data protection laws, according to the Consultant’s incident response policies and procedures.

[2]ASDC should assess the security of its email system to determine if the transmission of Personal Information by email should be permitted in light of the principles described in this Section.
