Effective Date: January 31, 2020
We, at Soroco covering all the entities Soroco Americas Private Limited, along with its UK affiliate Soroco Private Limited and Indian affiliate Soroco India Private Limited (together referred to as Soroco), is a provider of end-to-end automation services. Soroco provides automation services to its clients across various functions such as transaction services, core financial operations for financial products/ corporate functions, and human resources.
We respect the personal data entrusted to us by our employees, clients/customers, third-party vendors, consultants, prospective candidates, and visitors. We are committed to fair, transparent and secure processing of personal data.
This policy outlines how Soroco collects, processes and uses personal data in compliance with Global Data Protection Laws. This policy sets the minimum standard and shall guide all Soroco employees even if local laws are less restrictive.
This policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.
The scope of the policy is as follows:
- All individuals who provide Personal Data, such as but not limited to employees, clients' third-party vendors, participants in proof of concept, investigators, investors, facility visitors, and regulators etc.
- All locations where Soroco operates and where personal data is collected from, even where local regulations do not exist.
The purpose of this policy is to provide direction towards ensuring the privacy of individuals from whom personal data is collected by Soroco.
The key objectives of this policy are:
- To provide adequate guidance and framework for the secure handling of personal information in compliance with all regulations applicable to Soroco.
- Increase awareness of data privacy and instil a privacy-oriented mindset among the employees of Soroco.
Roles & Responsibilities
Each employee bears personal responsibility for complying with this policy in the fulfillment of their responsibilities at Soroco.
Respective DPO, Data Privacy Working Committee and regional Data Privacy Executives shall ensure adherence to this policy and shall be responsible for appropriate remedial action.
All persons who are covered by this policy must comply with it, and where requested demonstrate such compliance. Failure to comply with this policy can result in disciplinary action which may include termination of services of employees or termination of the engagement of a consultant or dismissal of interns or volunteers, as the case may be.
Soroco complies with the EU‑U.S. Privacy Shield Framework set forth by the United States Department of Commerce with respect to the collection, use and retention of Personal Data transferred from the European Union and the United Kingdom to the United States, as further described in the Scope section below. This Privacy Shield Policy outlines our commitment to the Privacy Shield Principles (the “Principles”) and our practices for implementing the Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, please visit the Department of Commerce’s dedicated Privacy Shield website, located here.
Data Privacy Principles
Soroco has adopted the following principles to govern its use, collection, storage and transmission of personal data:
- Personal Data shall only be processed fairly and lawfully.
- Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
- Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
- Personal Data shall be accurate, complete and current as appropriate to the purposes for which they are collected and/or processed.
- Personal Data shall not be kept in a form which permits identification of the data subject for longer than necessary for the permitted purposes in accordance with the applicable laws depending upon the source of personal data.
- Appropriate physical, technical, and procedural measures shall be taken to:
• Prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of personal data; and
• Prevent accidental loss or destruction of, or damage to, personal data.
• Transfer of data out of a region (such as the European Union) / country (such as the United States, India etc.,) shall be performed in compliance with local privacy laws and with adequate protection.
Strategy & Governance
Office of the Data Privacy Officer (DPO)
- Soroco has appointed a DPO who shall be responsible to manage compliance to applicable privacy regulations within the organization and shall be independent of conflicting duties. Soroco shall equip the DPO with the resources, support and training required to perform his/her role.
- Name and contact details of the DPO shall be communicated and accessible to all employees and data subjects.
- DPO shall implement formalised processes to track and address any inquiries and complaints received from data subjects in a timely manner, not later than a month
- Soroco follows a risk-based approach towards its Data Privacy program. DPO shall carry out data protection & privacy risk assessments on a periodic basis to identify risk and appropriate mitigation plans, controls and/or processes to remediate the risks.
- DPO shall define and document a privacy compliance plan and update the plan annually to incorporate changes in its environment (such as a change in operations, privacy landscape, legal and regulatory requirements, contracts) including service level agreements with third parties, business operations and processes, IT security matters and technology etc.
- From time to time, DPO shall develop/ update procedures, guidelines and best practices around data protection and privacy, and publish it to the relevant stakeholders.
- Effectiveness of privacy controls shall be monitored by DPO on an ongoing basis and appropriate measures shall be taken to address identified deficiencies which shall be monitored for remediation.
- Findings and recommendations that come as a result of risk assessment, reviews, audits and monitoring activities of the privacy program are communicated to the Soroco management as applicable.
Training & Awareness
- Training & awareness materials around data protection and privacy shall be developed by the Data Privacy Team for Soroco employees, Consultants, Subcontractors, third parties. DPO shall also develop role-based training for individuals or teams considering their role and nature of the processing.
- Data Privacy training and awareness programs shall be conducted on a periodic basis (at minimum, annually) for all applicable employees, consultants, sub-contractors, third parties working at/for Soroco.
- Training attendance records shall be maintained for documentation and audit trail.
Collection of Personal Data
- Soroco shall ensure that any personal data collected is relevant and limited to what is necessary for relation to the purposes for which they are processed.
- If personal data is collected directly from the data subject, Soroco shall:
a. Provide a concise, transparent, intelligible, easily accessible, and adequate notice to the Data Subject (employee/ customer/ vendor or others) in physical or electronic format in a timely manner (before or at the time of data collection)
b. The notice shall be written in a clear and plain language
c. Notify the data subject if there is a change in the purpose of data collection
d. Notice shall include the mechanism of denying/ withdrawing consent as applicable
e. Notice shall include the consequences of denying/ withdrawing consent if applicable
- If Personal Data is collected from someone other than the Data Subject, Soroco shall ensure that Data is only collected from sources, which collect data in a privacy-compliant manner with respect to local laws and regulations.
- Personal data may be disclosed by/to Soroco physically or electronically. The receipt or form shall be retained along with a record establishing the fact, date, content, and method of disclosure.
- Soroco shall ensure that any personal data collected is adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed.
- These records shall be maintained using Personally Identifiable Information (PII) Inventories and Data Flow Diagrams (DFDs).
- As a Data Controller or Data Processor, Soroco shall document the following within the PII Inventories and DFDs:
a. Details of the controller/ joint controller(s)/ processors
b. Purposes of the processing
c. Description of the categories of data subjects
d. Description of the categories of personal data
e. Categories of recipients to whom the personal data is disclosed/ transferred including third parties
f. Geographies of recipients
g. Retention periods
- General description of the technical and organizational security measures shall be in place for both the data controller and data processor.
- Business units and enabling functions handling personal data shall develop, maintain and update their PII inventories and DFD's. The PII Inventories and DFD's shall be reviewed and updated periodically (at minimum semi-annually) or in the event of any changes to the processing activities.
Processing of Personal Data
- The processing shall be conducted with due regards to the privacy and equality of data subjects.
- Soroco shall not process personal data in the absence of the following valid business and legal basis:
a. Data Subject has provided valid consent for the processing of their personal data.
b. Processing is necessary to fulfil Soroco’s contractual obligations towards the data subject or an organization.
c.Processing is necessary to fulfil Soroco’s legal obligations towards a
government or regulatory authority.
d. Processing is necessary to protect vital interests of the individuals or of another person, in the public interest, or in the exercise of official authority vested in the controller.
e. Processing is necessary to protect the legitimate interests of Soroco. In such cases, care shall be taken to not pose a high risk to data subjects, and to protect the interests and rights of data subjects.
- If the processing of personal data relies on consent from the data subject, Soroco shall stop the processing of personal data if the consent is withdrawn/revoked.
- Sensitive personal data shall not be processed unless:
a. Such processing is specifically authorized or required by law.
b. The data subject provides explicit consent.
c. The processing is required for preventive medicine, medical diagnosis, or health care treatment; provided the data are processed by a health professional subject to national law or rules with an obligation of professional secrecy or by another person with an equivalent obligation of secrecy. If Soroco is relying upon this medical exemption, all contracts with employees and independent consultants who will have access to the Sensitive Data must contain confidentiality requirements equivalent to those imposed on health professionals.
d. Processing is necessary to protect a vital interest of the data subject, wherein the data subject is physically or legally incapable of giving consent. This exemption may apply, for example, where emergency medical care/treatment is needed.
e. Data relating to criminal offences may be processed only by or under the control of regulatory/ statutory authority.
- As a Data Controller, Soroco shall only use the personal data for the purposes the data the subject has been made aware of in the privacy notice provided to them.
- As a Data Processor, Soroco shall only use the personal data in line with instructions provided by the Data Controller (such as clients).
- Periodic reviews/ audits shall be conducted to verify and ensure that function teams and client operations teams collect/ process personal data appropriately in compliance with privacy notices, contracts and this policy.
Privacy Impact Assessment (PIA)
- PIAs shall be carried out on processing activities that are likely to result in a high risk to data subject’s interests.
- PIA shall at a minimum:
a. Have a description of nature, scope, context and purposes of the processing;
b. Assess necessity and proportionality
c. Identify and assess risks to individuals; and
d. Identify any additional measures to mitigate those risks
- DPO and Data Privacy Executives (where necessary) shall be consulted while carrying out PIAs.
- For any risks identified during PIA, where appropriate mitigation measures do not exist, DPO shall consult with the relevant data protection authorities prior to starting the processing.
- As a Data Processor, Soroco shall support its clients and carry out the PIAs in line with their written instructions.
- Mechanisms shall be implemented to perform periodic Privacy Impact Assessments (PIAs) for key processing activities carried out within Soroco.
- Documented procedures shall be maintained around conducting PIAs.
Disclosure to Third Parties
Note: This section is not applicable for day to day operation but when personal data (of employees/ customers/ visitors/ vendors/ volunteers) is shared with the third parties for processing on Soroco’s behalf.
- Soroco has established a vendor governance program to ensure:
a. Appropriate due-diligence covering data privacy and security is carried out prior to onboarding new third-party vendors (vendors) that process any personal data of/or on behalf of Soroco or its clients.
b. Contract signed with vendors covers adequate security and privacy obligations as well as clear instructions around how personal data shall be handled.
c. Compliance of vendors to their security and privacy obligations is reviewed/monitoring periodically.
- The Compliance team is responsible to oversee the vendor governance program.
- Only Compliance team empanelled vendors shall be utilized for processing any personal data on behalf of Soroco.
- Soroco shall clearly notify the Data Subjects prior to the transfer of their personal data to third-party vendors. If not notified previously, the data subject shall be notified prior to perform the transfer and obtain their consent (where necessary).
- Personal data shall be shared to third party vendors only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law.
6. With respect to personal data received or transferred, Soroco is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Soroco may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Cross Border Transfer of Personal Data
- Personal Data shall be transferred by Soroco only if any of the below mechanisms are in place:
a. The Data Subject has given consent to the proposed transfer;
b. The transfer is necessary for the performance of a contract between the data subject and Soroco, or the implementation of pre-contractual measures taken in response to the data subject's request;
c. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Soroco and a third party;
d. The transfer is necessary in order to protect the vital interests of the data subject;
e. The transfer is required by law;
f. The transfer is necessary or legally required on important public interest grounds;
g. The transfer is necessary for the establishment, exercise, or defense of legal claims; or
h. The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.
- Transfer of personal information across borders shall be performed in compliance with the following procedures:
a. Data subjects shall be clearly notified of any transfer of personal information across borders of the country in which the information was collected.
b. Personal data shall not be transferred to another entity/ country/ territory unless reasonable and appropriate steps have been taken to maintain the required level of data protection.
c. Personal Data shall be communicated to third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law.
d. Sensitive personal data transferred outside of Soroco or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption.
e. Personal data of data subjects residing in the European Union (EU) shall not be transferred to a country or territory outside the EU unless the transfer is made to a country or territory recognized by the EU as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data, or is made in compliance with one of the mechanisms recognized by the EU (such as the use of model contracts/ Binding
Corporate Rules (BCR)/ EU-US Privacy Shield) as providing adequate protection when transfers are made to countries or territories lacking an adequate level of legal protection.
f. For non-EU regions, transfers to another country or territory shall be performed in compliance to the above procedures or specific regulations mandated by region’s law (such as notifying data subject, obtaining consent and/ or obtaining approval from the local privacy regulator/ governing body, where applicable, and mandated by law)
- Additionally, in order to fulfil Soroco’s obligations as a data processor, Soroco shall ensure that their clients have authorized the transfer of personal data across borders of the country in which the information was initially collected.
Security of Personal Data
- Soroco has implemented adequate technical and organizational safeguards, in line with industry standards to ensure the security of personal data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
- Soroco has developed and published information security policies, procedures and guidelines to all employees and consultants.
- Employees and consultants shall adhere to Soroco security policies, practices and any additional guidance issued by the DPO while processing personal data.
- Confidentiality agreements & NDAs covering data protection and privacy responsibilities shall be signed by all employees & consultants on or before their joining date.
- Employees, consultants and third-party vendors involved in any stage of processing Personal Data shall explicitly be made subject to a requirement of secrecy which shall continue after the end of the employment relationship.
- Employees, consultants and third-party vendors shall have access only to the personal data necessary for the fulfilment of their employment/ contractual duties.
- Soroco shall comply with the security safeguards as per its contractual and legal requirements in consultation with its Corporate IT Team.
- The Corporate IT Team and DPO shall assess the security measures implemented to safeguard personal data on a regular basis and update the same, where required.
Data Retention and Disposal
- Personal Data shall not be retained longer than required for the purpose it was collected for, or as defined by the data retention and disposal policy, after considering other regulatory requirements.
- Personal Data shall be erased if their storage violates any of the data protection rules or if data is no longer required by Soroco or for the benefit of the data subject rights.
- Personal Data shall be blocked and restricted, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Data Subject, erasure is not possible without disproportionate effort due to the specific type of storage, or if the data subject disputes that the data is correct and it cannot be
ascertained whether they are correct or incorrect.
- Disposal of personal data shall be handled with the utmost care and shall be governed by the data retention and disposal policy.
- In order to fulfil Soroco’s obligations to their clients, personal data obtained from clients shall be retained in line with the written instructions of the client. In the absence of any requirement by the client, personal data used for a project shall be disposed of once the project is complete, or as defined by Soroco’s data retention and
- Soroco shall ensure to implement reasonable processes to monitor the quality of the personal information it stores/ processes.
- Each function shall take steps to ensure that personal data it collects, or processes is complete and accurate in the first instance and recorded in a manner to give a true picture of the current representation of the data subject.
- Soroco shall implement a process to ensure that employees and consultants periodically (at least yearly) review, update and confirm on the accuracy and completeness of their personal data collected and processed.
Data Subject Rights
- To the extent allowed under applicable local laws, data subjects shall have the right to:
a. Request access to copies of their personal data.
b. Request information on the processing activities carried out with their personal data.
c. Request that their personal data is rectified if it is inaccurate or incomplete.
d. Request erasure of your personal data in certain circumstances.
e. Request that the processing of their personal data is restricted in certain circumstances.
f. Object to processing of their personal data in certain circumstances.
g. Lodge a complaint with the respective data protection authority.
h. Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significant effects on the data subject.
i. Withdraw consent as and when requested by the data subject.
- Data Subject shall be notified of the cost incurred, if any, in fulfilling such requests. The cost incurred shall be transferred to the data subject accordingly.
- Soroco shall not impose any restriction on the method and channel of raising requests by the data subject.
- Soroco shall not restrict any individual requesting for their data based on any characteristics, including language, disability status, technological knowledge, etc.
- Soroco shall review and ensure all requests raised by data subjects are addressed in a timely manner and in compliance with the local laws & regulations.
- Soroco shall advocate the feasibility of fulfilling such requests and provide a reasonable justification in writing (physically or electronically) in case of delay/ denial of such requests.
- Soroco shall maintain records of such requests irrespective of their fulfilling status.
- As a Data Processor, Soroco shall support its clients in fulfilling requests they receive from their data subjects based on the written instructions provided by the client.
- Documented procedures shall be maintained around handling data subject request.
- Data Subjects with questions about how Soroco processes Personal Data should first contact the Soroco or Soroco clients that collected the Personal Data. Soroco's Legal Department can be contacted by emailing email@example.com
Privacy by Design
- Soroco shall establish a process to proactively embed privacy at the initial planning/design stages and throughout the complete development process of new processes/ services/ technologies that involve the processing of personal data.
- Considerations shall be made for technical and organizational measures to enhance privacy protection (e.g. pseudonymization, anonymization, data minimization, data aggregation etc.). In addition, appropriate technical and organizational measures shall be considered to ensure that personal data collected, processed or stored is adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed.
Data Privacy and Breach Management
- Soroco shall formulate and implement an incident and breach management mechanism to ensure that breach in data privacy compliance is promptly reported to the incident response teams and DPO.
- All the employees shall be aware of the mechanism of raising data privacy and security incidents.
- The Soroco shall work closely with the Incident Response Team to investigate potential data privacy and data breach incidents and track it to closure.
- Soroco shall maintain an inventory of such incidents and shall record the lessons learnt.
- Soroco shall ensure timely notification of breaches is provided to relevant data protection authorities and data subjects, where necessary, in line with local data protection laws and regulations.
- As a Data Processor, Soroco shall promptly notify its client of any potential data privacy and data breach incidents in line with the written instructions provided by the client.
- Documented procedures shall be maintained to identify, track, review and notify data breaches to data protection authorities and data subjects.
Automated Profiling and Decision Making
- Processing activities involving fully automated decision-making, including profiling and decision making by processing personal data shall not be performed unless:
a. It is necessary for entering into or performance of a contract between Soroco and the data subject;
b. It is authorized by law (e.g. for the purposes of fraud or tax evasion
c. The data subject has provided explicit consent.
- Processing activities involving profiling that does not involve automated decisionmaking of personal data, shall not be performed unless:
a. The data subject has provided explicit consent;
b. Processing is necessary for the performance of a contract;
c. Processing is necessary for compliance with a legal obligation;
d. Processing is necessary to protect the vital interests of the individual;
e. Processing is necessary for the performance of a task carried out in the public interest or exercise of official authority, or
f. Processing is necessary for the legitimate interests pursued by the controller or third party.
- PIA’s shall be conducted prior to carrying out any processing activities involving automated profiling or decision making to identify the potential risks to data subjects.
- DPO and Data Privacy Executives shall be engaged during the PIA process to assess the risks and identify appropriate mitigation measures.
- Soroco shall ensure to notify Data Subjects prior to or during the collection of personal data that shall be subject to automated decision making or profiling.
- The notice shall be provided to the data subject with fair processing information about solely automated decision-making (including profiling) that has significant or legal effects:
a. Meaningful information about the logic involved:
i. the categories of data used to create a profile;
ii. the source of the data;
iii. why this data is considered relevant.
b. The significance and envisaged consequences of such processing;
- Data Subjects shall be provided with the opportunity to object to automated decision making or profiling.
a. In such circumstances, data subjects shall be given the opportunity to:
i. obtain human intervention;
ii. express their point of view; and
iii. obtain an explanation of the decision and challenge it.
- As a Data Processor, Soroco shall only carry out automated decision making and profiling activities on the personal data received from clients based on the authorization and written instructions from the client.
Managing Changes to Processes/ Solutions/ Technology
- No new or expanded collection or processing activities involving personal data may be undertaken without first obtaining approval from the DPO.
- PIAs shall be performed for any new/ changes to major process/solution/ technology, which requires or involves the processing of personal data.
- Personnel at all levels shall apply the following while making changes in existing processes/ technologies:
a. Collection and Use of Personal Data shall be avoided or limited when reasonably possible.
b. Personal Data shall be de-identified when the purposes of data collection or processing can be at reasonable cost achieved without personal identification.
c. The purpose(s) of the collecting or processing of Personal Data shall be expressly identified by the business unit preparing any new or expanded data collection and processing activity or function.
d. Personal data may only be used for the purposes for which they were originally collected, other than historical, statistical, scientific, or legally mandated purposes.
Liability for Onward Transfers
Soroco complies with the Privacy Shield’s Principle regarding accountability for onward transfers. Soroco remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles unless Soroco proves that it was not responsible for the event giving rise to the damage.
Resolution of Disputes
Resolution of disputes reported by Employees
Employees with inquiries or complaints about the processing of their personal data shall first discuss the matter with their immediate supervisor. If the data subject does not wish to raise an inquiry or complaint with an immediate supervisor, or if the supervisor and the data subject are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of the DPO in writing.
Resolution of disputes reported by Non-Employees
Non-employees with inquiries or complaints about the processing of their personal data shall bring the matter to the attention of the DPO in writing. Any disputes concerning the processing of the personal data of non-employees will be resolved by the DPO by following due process of law through arbitration.
Resolution of Privacy Shield disputes
In compliance with the Privacy Shield Principles, Soroco commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Soroco at:
(Dr. Wolfgang Richter; Email: Wolf@soroco.com)
Soroco has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
The client or User also may refer the matter to the U.S. Federal Trade Commission, which has Privacy Shield investigatory and enforcement powers over Soroco. Under certain circumstances, Customers and Users may be able to invoke binding arbitration to address complaints about Soroco's compliance with the Principles.
If an issue is not resolved through consultation with the data subject’s supervisor or the DPO, or through other mechanisms under existing employment agreements, union agreements, or statutory procedures, then the data subject may, at its option, seek redress through resort to mediation, binding arbitration, litigation, or complaint to a data protection authority with jurisdiction (all as permitted by applicable local law or procedure).
Monitoring and Enforcement
For the purpose of periodic monitoring, the following processes shall be implemented:
The DPO shall develop key performance indicators (KPI’s) for measuring the compliance and performance of the current processes related to data privacy. The DPO shall periodically track and monitor the KPIs and identify appropriate remedial actions for functions and client operations teams.
The DPO shall work with the risk leadership to develop processes to carry out periodic reviews for all functions and client operations to ensure processing activities are carried out in line with this policy.
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Intranet Portal of Soroco or e-mail communication and to others through an appropriate mechanism selected by the DPO.
Key Terms & Definitions
|Data Controller||The entity that determines the purposes, conditions and means of the processing of personal data|
|Data Subject||A natural living person whose personal data is processed by a controller or processor|
|Data Processor||The entity that processes data on behalf of the Data Controller|
|Processing||Any operation performed on personal data, whether or not by automated means, including collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Third-Party||Third-party, in relation to personal data, means any person other than the data subject, the data controller, or any data processor or other person authorized to process data for the data controller.|
|Personal Data||Any data related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.|
e.g., Name, Address, Phone Number, IP Address etc.
|Sensitive Personal Data||Sensitive Personal Data is defined as information that if lost,|
compromised, or disclosed could potentially harm, cause
inconvenience, embarrassment, or unfairness to an individual.
e.g., Bank account information, Government ID’s, Income or Credit history, Credit/Debit card No, data relating to offences, or criminal convictions, Sexual Orientation, Health/ Medical records either Past or Present or Future, Racial or ethnic origin, political opinions, religious or philosophical beliefs etc.