Involta Safe Harbor Privacy Policy

Safe Harbor Principle

Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.

Involta Policy

Involta has included this principle in the following documents:

Involta Information Security Policy

This document provides policy information that aligns with ISO 27002, Information Technology – Code of Practice for Information Security Management, and includes reference to acceptable practices for handling information.

Involta Datacenter Acceptable Use Policy

This document provides contact information for inquiries or complaints.

Involta collects information about individuals in the screening processes associated with datacenter access and employment.  Involta also participates in a substance abuse testing program which includes proper notification to employees with regards to information disclosure and their rights in that regard.

Safe Harbor Principle

Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Involta Policy

Involta collects information about individuals in the screening processes associated with datacenter access and employment.  Involta also participates in an employee assistance program and a substance abuse testing program which includes proper notification to employees with regards to information disclosure and their rights in that regard.  Involta processes include the written authorization of the individual when information is to be gained from or shared with a third party.

Safe Harbor Principle

Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Involta Policy

Involta has entered into a written agreement with the third party provider of its EAP services that references relevant principles that implement this Safe Harbor principle.

Safe Harbor Principle

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

Involta Policy

Involta has promulgated an employee handbook.  Section 16 of that handbook covers Information Security, Confidentiality and Conflict of Interest.  Client information and client access can be changed by utilizing the Involta Service Desk, whose contact information is provided to each client.

Safe Harbor Principle

Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Involta Policy

Involta has included this principle in the following documents:

Involta Information Security Policy

This document provides policy information that aligns with ISO 27002, Information Technology – Code of Practice for Information Security Management, and includes reference to acceptable practices for handling information.

Involta Datacenter Acceptable Use Policy

This document provides specific processes for datacenter access that serve to protect personal information consistent with this Safe Harbor principle.

Safe Harbor Principle

Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Involta Policy

Involta has included this principle in the following document:

Involta Information Security Policy

This document provides policy information that aligns with ISO 27002, Information Technology – Code of Practice for Information Security Management, and includes reference to acceptable practices for handling information.

Safe Harbor Principle

Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

Involta Policy

Involta utilizes the Service Desk for providing an available method of contact and has an Administrative Manager assigned for resolution of employee issues and a Chief Security Officer assigned for the resolution of customer issues that involve breaches of information security.  Involta also has a Security Incident process documented to aid in the resolution of this type of issue.  Involta does utilize an audit plan and process to provide a mechanism to systematically identify the level of compliance to policies and procedures, with actionable items arising out of that process that are tracked.

Dispute Resolution: Involta utilizes BBB EU Safe Harbor.

US-EU Safe Harbor Principles

Involta has further committed to refer unresolved privacy complaints under the US-EU Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Involta, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

Affirmative Statement

Involta complies with the U.S. EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.  Involta has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.  To learn more about the Safe Harbor program, and to view Involta's certification, please visit, https://safeharbor.export.gov/list.aspx.

Here is the link to the privacy policy requirements for the BBB EU Safe Harbor program: http://www.bbb.org/us/european-dispute-resolution/privacy-policy/.

Here is the link to the Department of Commerce’s “Helpful Hints on Self-Certifying Compliance with the U.S.-EU Safe Harbor Framework”,http://export.gov/safeharbor/eu/eg_main_018495.asp.