
Privacy Policy

1. INTRODUCTION

Protection of personal data/protected health information (PHI)/personally identifiable information (PII) is important to Indegene and its clients.

Indegene has established this Data Privacy Policy to protect and control the collection, processing, storage and/or transmission of such data.

This policy is intended to be shared with our clients, vendors, business associates and employees so that they are aware of the policies and practices with respect to personal data/PHI/PII managed by Indegene as part of any services delivered.

2. DATA PRIVACY POLICY

Indegene is committed to protecting personal information in accordance with its responsibilities under various regulatory frameworks and individual rights. As a healthcare solutions company, Indegene's leadership, management, employees and its business associates shall strive to protect personal information by:

Identifying internal and external interested parties and the extent to which they are involved in the governance of the organization's personal information management system

Providing best-in-class resources and methods to process personal information lawfully, fairly and in a transparent manner in relation to the rights of data principals or data subjects

Safeguarding the personal information by collecting, processing, storing and transmitting in forms that permit identification of individuals for nothing other than explicit, specified purposes

Providing clear information to natural persons (including special safeguards while collecting information from children) about how their personal information can be used and by whom; and by respecting individuals' rights in relation to their personal information

Assuring that further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes

Processing in a secure manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage

Taking adequate steps to establish that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Taking reasonable steps to ensure accuracy of the personal information

Following best practices for safe data storage, transmission and destruction

Implementing appropriate backup and disaster recovery systems

Responding to personal data breaches in the most appropriate and fastest manner possible: in events such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Indegene shall promptly assess the risk to individuals' rights and freedoms and report such breach to the Data Protection Cell (refer to section 5: Governance Structure for Personal Data Protection) for further action as per the regulatory requirements

General Provisions to This Policy:

Applicability: This policy is applicable to all personal information processed at Indegene.

Ongoing Compliance: The Data Protection Cell shall be responsible for Indegene's compliance with this policy.

Cognizance: This policy shall be made available to all employees and associates of Indegene as documented information and shall also be communicated appropriately.

This policy shall be communicated effectively to all of Indegene's employees, its associates, and interested parties.

Review: This policy shall be reviewed at least once annually.

3. SCOPE

This policy applies to all personal data/PII and PHI processed by Indegene.

This policy is relevant to all applicable services or projects managed for Indegene's clients.

4. DEFINITIONS

Terms and Definitions
Business Associate Agreement

Refers to the agreement between the business associate (Indegene) and the covered entity.

Business Unit (BU)

Refers to different departments in Indegene.

Covered Entity

Refers to an organization that routinely handles personal information, PII, and PHI.

Data Protection Officer (DPO)

Refers to the person heading all data privacy-related programmes and initiatives within the organization.

Engagement

Refers to the project, programme or engagement conducted or performed by Indegene on behalf of its clients or covered entity.

Electronic Protected Health Information (EPHI)

Refers to all individually identifiable health information that is created, maintained or transmitted electronically.

General Data Protection Regulation (GDPR)/(EU) 2016/679

Legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Health Insurance Portability and Accountability Act (HIPAA)

Act of 1996 that specifies laws for the protection and use of personal (or protected) health information (PHI), which is essentially an individual's medical records.

Personally identifiable information (PII)

Refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or that can be used to de-anonymize anonymous data, can be considered PII. Any information about an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name and biometric records, can be considered PII.

PII can also constitute "PHI" under the HIPAA Act of 1996.

Privacy Rule

Refers to the part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.

PHI

Refers to any information that identifies an individual AND relates to:

The individual's past, present or future physical or mental health; OR

The provision of healthcare to the individual; OR

The past, present or future payment for healthcare.

Privacy Single Point of Contact (SPOC)

Refers to the person monitoring the personal data/PII/PHI management under each BU.

Security Rule

Refers to the part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.

SPOC

Refers to the single point of contact/point persons.

Online Channel

Preselected website that can automatically send updated information for immediate display or viewing on request.

High-risk personal information

The following types of data are categorized as high-risk personal information:

Special category personal information;

Personal bank account and other financial information;

National identifiers, such as national insurance numbers;

Personal information relating to vulnerable adults and children;

Detailed profiles of natural persons (including children); and

Sensitive negotiations which could adversely affect natural persons.

5. GOVERNANCE STRUCTURE FOR PERSONAL DATA PROTECTION

Data Privacy Cell

Indegene shall ensure appropriate governance of personal data/PII/PHI. In pursuance of this objective, a personal data privacy cell has been structured as shown below:

The data privacy cell consists of the DPO and all the BU SPOCs.


The objectives of the personal data privacy cell are as follows:

To identify personal data/PII/PHI under all operations and projects across Indegene

To analyze risks and implement control measures to protect personal data/PII/PHI

To provide a support framework to manage the rights of data subjects

To address requests and grievances of data subjects

To ensure compliance with the data privacy requirements of data controllers

To ensure compliance with various legal and regulatory requirements across jurisdictions

To provide adequate measures for data privacy with processors/subprocessors as required

To provide for appropriate technology and operational controls for transfer/import/export/storage/destruction of personal data/PII/PHI

The summary of proceedings of data privacy governance shall be discussed in the quarterly Information Security Group review meeting.

6. SOURCES OF PERSONAL DATA/PII/PHI

The methods and technologies by which the personal data/PII/PHI are collected are as follows:

Collection of Personal Data/PII/PHI Directly From the Individual

Where Indegene collects personal data/PII/PHI about an individual, measures shall be taken to respect the privacy preferences of the individual.

Engagements/Programmes/Projects

Personal data/PII/PHI is collected from participants in an engagement who access Indegene websites, portals, platforms, etc. We may collect additional information relating to an individual's participation in Indegene programmes. Please note that we also collect personal data/PII/PHI relating to an individual at the time of enrolling in an Indegene programme, as well as in the course of allocating and issuing a unique ID and password to access the Indegene websites, portals, platforms, etc.

Automatic Collection of Information

When an individual visits an Indegene website, we automatically collect and analyze certain information about the individual's computer. This information includes, but is not limited to, the Internet Protocol (IP) address used to connect the individual's computer to the Internet, information about the browser type and language, the date and time the individual accessed the website, the content of any undeleted cookies that the browser previously accepted from Indegene and the referring website address.

Cookies and Other Technologies

We use various technologies to collect information on an Indegene website.

Cookies: When an individual visits an Indegene website, we may assign the computer one or more "cookies." A cookie is a small text file that contains information that can later be read by Indegene to facilitate access to the site and personalize the online experience. For example, when an individual signs into an Indegene site, we may record his/her user ID in a cookie file on the individual's computer. In addition, through the use of a cookie, we may automatically collect information about the online activity on an Indegene site, such as the web pages visited, the links clicked and the searches conducted. Most browsers automatically accept cookies; however, an individual can usually modify the browser setting to decline cookies by visiting the Help section of the browser's toolbar. If an individual chooses to decline cookies, please note that he/she may not be able to sign in or use some of the interactive features offered on Indegene websites.

Other technologies: Indegene may use standard Internet technology such as Web beacons (also called clear GIFs or pixel tags) and similar technologies to deliver or communicate with cookies and track usage of Indegene sites. We may also include Web beacons in e-mail messages or newsletters to determine whether messages have been opened and acted upon. The information we obtain in this manner enables us to customize the services we offer and measure the overall effectiveness of our online content, advertising campaigns, and the products and services offered through the website. We also use cookies to provide social media features and to analyze our traffic.

7. MANAGING DATA PRIVACY RIGHTS IN PROJECTS

The scope of business at Indegene does not require us to disclose personal data/PII/PHI to any parties outside the designated programme area, except to meet legal and statutory obligations.

Before the initiation of a project, we ensure that:

The business SPOC is informed about the project/programme

Contract-specific clauses for the project/programme are reviewed and monitored

Risk analysis and treatment are carried out for the complete programme/project, and contingency and mitigation measures are put in place

Each and every member of the programme/project shall be responsible for ensuring that the PII/PHI is kept confidential

Access to the PII/PHI, in full or in part, is restricted based on each member's role in the engagement

We identify the covered entities that are to be provided access to the PII/PHI in a de-identified format

Any third parties who have access to the PII/PHI comply with Indegene's policies and give proof of compliance

The respective privacy SPOC of the team provides reports to the DPO on updates, problems and breaches with regard to PII/PHI

The BU SPOC ensures that all team members are trained on the do's and don'ts of handling the data

8. MANAGING DATA PRIVACY RIGHTS FOR PERSONAL DATA/PII/PHI COLLECTED FROM WEBSITES AND OTHER ONLINE CHANNELS

In general, any individual may access Indegene websites or online channels without providing any personal information about themselves. However, we collect certain information such as:

Information that is provided via our websites, including information provided when an individual registers on our website, for example, name, email address, designation, company, country and telephone number

Information about an individual's computer, visits and use of Indegene websites, such as IP address, demographics, computer's operating system, browser type and information collected via cookies.

Use of Personal Information

We may use the personal information we obtain to:

Provide and administer our products and services

Communicate about and administer our products, services, events, programmes and promotions (such as by sending alerts, promotional materials, newsletters and other marketing communications)

Conduct and facilitate surveys, sweepstakes, focus groups and market research initiatives

Perform data analytics (such as market research, trend analysis, financial analysis and customer segmentation)

Provide customer support

Process, evaluate and respond to requests, inquiries and applications

Operate, evaluate and improve our business (such as by administering, enhancing and improving our products and services; developing new products, services and online channels; managing our communications and customer relationships; and performing accounting, auditing, billing, reconciliation and collection activities)

Conduct investigations and comply with and enforce applicable legal requirements, relevant industry standards, contractual obligations and our policies and terms (such as this Privacy Policy and other online channels terms of use)

Maintain and enhance the safety and security of our products, services, online channels, network services, information resources and employees

We may combine personal information we obtain through online channels with information we obtain through offline channels, as well as other information, for the purposes described above. We may anonymize or aggregate personal information and use it for the purposes described above and for other purposes to the extent permitted by applicable law. We also may use personal information for additional purposes that we identify at the time of collection. We obtain the individual's/data subject's consent for these additional uses to the extent required by applicable law.

Consequences of Not Providing Personal Data/PII/PHI

If an individual/data subject chooses not to provide personal information that is mandatory to process a request, Indegene may be unable or restricted from providing the corresponding service.

Conditions for valid consent

The data controllers are free to adopt methods to obtain consent as necessary for their operations. However, while processing personal data based on the PII Principal's consent, adherence to the following criteria shall be demonstrated:

Satisfactory supporting artefacts or data should be made available to establish a link between the personal data processing and the consent obtained for it. The act of demonstrating valid consent should not in itself lead to excessive or additional processing of data;

The statements of consent, the records showing how the consent was obtained, and the information provided to the PII Principals at the time of obtaining consent must be demonstrable;

Accountability in terms of the information rendered to the PII Principals, the fact that the PII Principal was informed, and the controller's workflow meeting all relevant criteria for a valid consent should be demonstrable.

Withdrawal of the consent

The right to withdraw consent at any time rests with the PII Principals. Prior to obtaining the consent, the PII Principals shall be informed that it will be as easy to withdraw consent as it is to give it. The withdrawal process shall also be made easy from the PII Principal's standpoint. This does not necessarily mean that the method of consent withdrawal should be the same as that used for giving the consent.

E.g. 1: If the PII Principals have given consent by electronic means through a single click, tap, swipe or keystroke, then the method to withdraw the consent should be made equally convenient.

E.g. 2: If the PII Principals have given consent via telephonic records, written documents, emails, any device interfaced with the internet, etc., then although they should have the option to withdraw consent using the same means, it should also be ensured that they do not undergo undue effort.

The withdrawal of consent shall not be a chargeable operation.

Other services that may be associated shall not be lowered in terms of service levels, quality or any other attributes that are critical to the PII Principals.

The PII Principals shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the legitimacy of processing based on consent prior to withdrawal.

Consent from special PII Principals

If the need arises to obtain consent for personal data processing from PII Principals that are incapable of understanding the rights, risks and consequences associated with their personal data, then additional obligations are imposed, which leads to additional protection at the time of obtaining consent.

The following safeguards shall be considered:

In case of PII Principals being defined as 'children', the lawful age definition of the PII Principals based on the applicable laws shall be considered. The consent will be valid only to the extent given by the authorised holder of parental responsibility.

Informed Consent: In order to obtain “informed consent” from a child, the intent to process the personal data collected must be explained in language that is clear and plain for children. If it is the parent or persons with parental responsibility that are supposed to give the consent, then a set of information may be required that allows adults to make an informed decision.

Refreshing Consent

Though there are no specific time limitations on validity of consent defined by most regulations related to personal data processing, it is important that consent is re-established at appropriate intervals. Refreshing consent after providing all the relevant information helps the PII Principals keep themselves informed about their personal data usage and also their rights. Also, this helps in maintaining the trust that is held by the PII Principals in Indegene as a responsible processor.

Below are the circumstances under which consent shall be mandatorily refreshed:
a. If consent was previously given based on an old regulation/law that is no longer applicable to the operation at hand.
b. If the lawful basis for the operation at hand changes.

9. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA AND THE LEGAL BASIS

The purposes are programme/project specific. However, the common purposes are mentioned as follows:

We process personal data/PII/PHI when it is necessary for the performance of a contract to which the individuals/data subjects are a party, or in order to take steps at their request prior to entering into a contract. This applies in any case where we provide services to a client pursuant to a contract, such as when an individual/data subject uses our website or registers on the websites/online channels.

We process the personal data/PII/PHI when it is necessary for the purposes of a legitimate interest pursued by us or a third party (when these interests are not overridden by the data protection rights and regulatory obligations). This applies in the following circumstances:

To identify the individuals/data subjects

To contact and respond to the individual's questions or requests

To provide access to desirable content and/or services based on preferences/contractual obligations

To use feedback from surveys and other interactions to improve our products and services

Sharing of Personal Data/PII/PHI

We share personal data/PII/PHI (as per business needs) with:

Indegene (for internal purposes)

Third parties

In general, our clients are the data controllers responsible for processing the personal data/PII/PHI.

Transfer of Personal Data/PII/PHI Outside the European Economic Area (EEA)

We transfer personal information to countries outside the EEA (or outside the UK and the EEA, where UK data protection rules apply), generally referred to as third countries, only if such transfers are included in the contractual agreement that we have signed with the client; this includes countries which have different data protection standards from those which apply in the UK or EEA, as appropriate. Our service providers are primarily located in the United States, Singapore, India and the United Kingdom. Where service providers process personal data/PII/PHI in countries deemed adequate by the European Commission or UK authorities (where UK data protection rules apply), we rely on the European Commission's or UK authorities' adequacy decision to protect the transferred personal information.

For transfers to Indegene group companies and service providers outside the EEA (or outside the UK and EEA, where UK data protection rules apply), we use standard contractual clauses or a service provider's binding corporate rules (approved by an EU or UK Data Protection Authority) that are in place to protect the personal data/PII/PHI.

When required, Indegene discloses personal data/PII/PHI to external law enforcement bodies or regulatory authorities to comply with legal obligations.

Access, Correction, Objection With Regard to Personal Data/PII/PHI

Data subjects have the right to request access to, correction, deletion or transfer of the personal data/PII/PHI that we hold, including profile and preferences. Data subjects also have the right to object to certain processing and, where our client or we have asked for consent to process the personal data/PII/PHI, to withdraw this consent.

Where we process the personal data/PII/PHI because we have a legitimate interest in doing so, data subjects also have a right to object to this. These rights may be limited in some situations, for example, where we can demonstrate that we have a legal requirement to process the personal data/PII/PHI.

Data subjects can assert their rights, where such information was provided, by contacting us at privacyofficers@indegene.com

United States residents can also contact us at the address and phone number below.

Indegene Inc. Office Address: 150 College Rd W, Suite 104, Princeton, New Jersey 08540 Board line Number: +1 732 750 2901

Data Security

Indegene adopts reasonable and appropriate security practices and procedures including administrative, physical security and technical controls to safeguard the personal information.

We take precautions including organizational, technical and physical measures to help safeguard against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data/PII/PHI we process or use.

Data Retention and Destruction

Indegene will retain the personal data/PII/PHI as per the project/programme agreement. On completion of the agreed period, the data shall be archived, destroyed or transmitted to the client according to the regulatory norms.

If the client wishes to retain the personal data/PII/PHI, the client's employee identified in the statement of work or service agreement should request the data in writing. Indegene will provide the data in the prescribed format.

Below is a list of commonly processed PII across Indegene's BUs and Functions, with the PII source followed by its indicative retention schedule:

1. Client Provided Data/Agency Provided Data: As per the terms of the Data Privacy Agreement, Agency terms or Regulatory requirements.
2. Human Resource Data: As per regional Regulatory requirements.
3. Data collected from Visitors (such as CCTV footage, visitor register, movement registers, temporary ID cards, etc.): One year from the time of collection.
4. Data collected by marketing or business development for the purposes of disseminating information on Indegene's products, services and promotions: Retention period will be limited by business requirement.

Reference document: Procedure for Retention of Records.

Children's Personal Information

We do not knowingly collect personal data/PII/PHI from children under the age of 16. If the parents or guardians believe that their child/ward has provided us with personal data without their consent, such parents or guardians can contact us at privacyofficers@indegene.com and we will take steps to delete such personal data/PII/PHI from our systems.

Restrictions on Automated Processing and Decision Making With Significant Effects on the Data Subject(s)

Restrictions on automated processing of data and on decisions based solely on automated processing without human intervention (which could include profiling) shall apply if the decisions produce legal effects or similarly significant effects on the data subject. Individuals have a right to object to automated decision making.

Automated processing of data may be used if it is:

Necessary to enter into, or to perform, a contract between a data subject and controller

Authorized by Union or Member State law

Based on the individual's explicit consent

10. REFERENCES

Indegene Data Breach Notification procedure

ISO/IEC 27701:2019(E). Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

HIPAA Privacy Rule

GDPR ([EU] 2016/679)

California Consumer Privacy Act, AB-375 (2017–2018 Session)

11. APPENDIX-1 RESPONSIBILITIES OF KEY STAKEHOLDERS

Responsibilities of a DPO

Indegene's DPO shall be responsible for the development and implementation of policies and procedures that are designed to achieve ongoing compliance with global laws with regard to PII/PHI. The responsibilities of a DPO are as follows:

Establishing data privacy and data protection objectives

Approval and periodic reviewing of the Data Privacy Policy

Designating data privacy point persons (SPOCs) for every BU

Ensuring adequacy of the data privacy/data protection framework across the enterprise

Responsibilities of Data Privacy SPOCs (BU)

The point persons/SPOCs shall be responsible for data privacy/protection for the respective BUs that they are assigned with. The responsibilities include:

Performance of a risk assessment, before the onboarding of a project or an engagement, on the personal data/PII/PHI collected, maintained, used, stored or transmitted, based on GDPR, HIPAA and other applicable data protection regulations

Determination of the physical, administrative, operational and technical controls that may be necessary to adequately address the identified risks, based on the risk assessment

Implementation of controls after onboarding the engagement/project, as defined in the risk assessment documentation

Maintenance of engagement-specific risk assessment documentation

Ensuring that the proposals, master services agreements, statements of work, work orders and change requests adhere to the terms of this Data Privacy Policy

Monitoring for adherence with approved and permitted methods of collection, processing, storage and transmission of personal data/PII/PHI

Directing an individual's/data subject's rights-related requests to

Contact Information in Case of Questions, Concerns or Complaints

Questions, concerns or complaints about Indegene’s personal data practices or this Data Privacy Policy may be addressed to the DPO.

If an individual or a data subject believes that they have suffered harm due to a breach of data privacy rights by Indegene under this Data Privacy Policy, and Indegene has not handled the complaint in a satisfactory manner, any EU resident may also file a complaint with the concerned supervisory authority.

Contact Person (DPO): Mr. Nathan Navarasu

Contact Address: Indegene Limited, Manyata Embassy Business Park, Outer Ring Road,

Aspen Block G4, Nagawara,

Bengaluru, Karnataka-560045

Phone: +9180-3920 4567

Contact Address and phone number for United States Residents

Indegene, Inc. Office Address: 150 College Rd W, Suite 104, Princeton, New Jersey 08540

Board line Number: +1 732 750 2901