Information Privacy Policy
Version: 9.0
Effective Date: 11-February-2025
Policy Statement
Personal information at Airtel Payments Bank shall be secured across its entire lifecycle, such that the brand is protected, the information provider is kept informed, the confidentiality, integrity and availability of personal information is maintained, personal information is used only for the purpose for which it is collected, and all legal, regulatory and contractual requirements are met.
1. Information Privacy Policy (APBIPP – 001)
1.1. Introduction
The customer base of the Bank is expanding at a tremendous rate. In addition, the Bank collects and processes a large amount of personal information of its employees, temporary staff and third party personnel. These facts, coupled with the introduction of new innovative value added services, have led to an increase in the personal information handled by the Bank. The Bank is committed to ensuring that the privacy of personal information is maintained during its entire lifecycle. The APBIPP provides management direction and support to ensure the privacy of personal information collected by the Bank, so that collection, retention, processing, dissemination and destruction of personal information take place in accordance with the applicable laws, regulations and contractual obligations.
1.1.1 Purpose of the Document
This document provides management intent towards ensuring privacy of personal information handled by Bank’s employees, temporary staff and its authorized third parties.
1.1.2 Scope
The APBIPP is applicable to all employees of the Bank and all third parties (including strategic partners) of the Bank who have access to personal information of customers, employees and vendors. This Policy shall be applicable to personal information of customers, employees and vendors/partners which, because of the manner in which it is collected, or because of its nature or the context in which it is processed or stored, poses a danger to the privacy of an entity (individual, group of individuals or organization). The APBIPP is applicable across all business functions of the Bank and across all geographies of the Bank in India, including airtel centre.
1.1.3 Definition
Personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with bank in any capacity including banker-customer relationship, is capable of identifying such person.
The term ‘individual’ includes but is not limited to any customer, employee, third party staff, sub-contractor, temporary staff and/or other stakeholders.
Sensitive personal data or information of a person means such personal information which consists of information relating to password, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information, any detail relating to the above mentioned information types as provided to the bank for providing service, and any of the information received as mentioned above by the bank for processing, retention, dissemination or destruction under lawful contract or otherwise.
Any information that is freely available or accessible in public domain shall not be regarded as sensitive personal information.
Information Provider: Information provider refers to any individual whose personal information resides with or is provided to the bank. It includes but is not limited to any customer, employee, third party staff, sub-contractor or temporary staff.
Information Privacy or Data Privacy means protecting the privacy of personal information from unauthorized use, disclosure, modification or misuse. Privacy is the right of an individual to control the collection, use, retention, disclosure and disposal of his/ her personally identifiable information consistent with his/ her interests and values.
Third party is a service provider who associates with the bank and is involved in handling, managing, storing, processing, transmitting and destruction of information residing at the bank. The third party could be a service provider/strategic partner as mentioned below, but not limited to:-
a. IT service provider
b. Business Associates/ Business Partners
c. Content Partner
This definition also includes all sub-contractors, consultants and/or representatives of the third party.
Third party staff refers to the employees, agents, consultants and representatives, of all third parties of the Bank.
Explicit consent is the documented consent obtained directly from the individual, for example, by requiring the individual to check a box and/or sign a form.
Systems: Includes operating systems, databases, and applications.
1.1.4 Policy Owner
The owner of the APBIPP is the Chief Information Security Officer (hereinafter referred to as CISO). The CISO shall be responsible for the maintenance and update of the APBIPP document.
1.1.5 Responsibility
Information Security (Steering) Committee (ISC/ ISSC): The ISC/ ISSC shall act as the Privacy Steering Committee. The ISC/ ISSC shall be responsible for approving the APBIPP and any subsequent modifications to the APBIPP. The accountability for implementation of the policy shall reside with ISSC.
Information Security Management Representatives (ISMR): The ISMR shall act as the Privacy Management Representative from different department/ verticals. ISMR shall be responsible for defining and enforcing the implementation of relevant APBIPP clauses within their area of responsibility.
Chief Information Security Officer (CISO): The CISO shall act as the Chief Information Privacy Officer for the Bank. CISO shall be responsible for ensuring that the APBIPP is current and reflects the requirements of the Bank.
All Employees: It is the responsibility of all employees, temporary staff and third party staff to read, understand and adhere to the APBIPP.
1.2. Policy Objective
Personal information collected by the Bank is of utmost importance, and the privacy of personal information shall be maintained at all times by abiding by the privacy principles described in section 3 of this document, through controls commensurate with the sensitivity of the personal information.
The management shall take steps including, but not limited to, the following in order to ensure the privacy of personal information:
a. Devising the information privacy control matrix and privacy policy for the organization;
b. Aligning the privacy framework with the business objectives;
c. Ensuring that information privacy control matrix and policy of the bank are regularly updated to include the latest regulatory, contractual and organizational changes and to ensure swift and effective implementation of privacy controls;
d. Deploying appropriate technology, processes, resources and infrastructure for timely implementation of privacy controls to comply with latest privacy laws and regulations and incorporate industry best practices;
e. Taking appropriate actions including consequence management for any violations of the APBIPP; and
f. Increasing privacy awareness in the organization.
1.3. Review and Evaluation
The APBIPP document shall be reviewed at the time of any major change(s) in the existing environment affecting policies and procedures or once every year, whichever is earlier. The APBIPP document shall be reviewed by the CISO and approved by the Board. The review shall take into account any change in the business processes, legal/ regulatory environment, IT/Network architecture/ application environment, and/or third party environment which might impact the privacy requirements for the Bank.
1.4. Consequence Management for Non-Compliance
a. All employees, temporary staff of APBL and third parties are required to comply with the APBIPP.
b. Non-compliance with the APBIPP is grounds for consequence management, and the action may include termination of the Bank employees, change of third party staff or termination of the contract.
1.5. Exceptions
The APBIPP is intended to be a statement of information privacy requirements that need to be met in the Bank.
If legal/ regulatory restrictions prevent application of any aspect of this policy, the risk arising from it shall be formally recorded in the Security Override Document (hereafter referred to as SOD) with a detailed description explaining reason for not implementing the control, alternative mitigating controls implemented, and the residual risk. The management should take appropriate steps to ensure mitigation of this residual risk.
However, exceptions against individual controls in specific policy domains should be discussed with CISO and the business should seek his approval for the same. Following this, the exception shall be formally documented in the SOD, which shall include, at a minimum, the following:-
a. Justification for the exception;
b. Risk due to the exception;
c. The mitigation controls to manage the risk;
d. The plan of action to manage the risk;
e. The validity period of the exception; and
f. Details of assets/ PII containers/ information on which the SOD is applicable.
The exception request, validation and management shall be done as defined in latest version of Airtel Payments Bank Information Security Policy.
2. Information Privacy Organisation (APBIPP – 002)
2.1. Introduction
The Information Privacy Organisation has been defined by the Bank with representation from all business functions and locations in order to provide management direction for information privacy and to coordinate and control the implementation of information privacy within bank.
2.1.1 Responsibility
It is the responsibility of the ISC/ ISSC and CISO to manage the information privacy organisation within bank.
2.2. Policy Objective
The objectives of Information Privacy Organisation are to ensure that:-
a. A privacy framework is established to implement, monitor, manage and improve organisation-wide information privacy controls;
b. The privacy roles and responsibilities are defined and assigned at all levels ensuring that the individuals understand them;
c. Information privacy awareness is created among employees;
d. The privacy framework and controls are reviewed at regular intervals and updated to incorporate latest legal and regulatory requirements and industry best practices.
2.3. Airtel Payments Bank Information Privacy Organisation Structure
The Information Privacy Organization of the Bank shall operate as a hub and spoke model. Chief Information Security Officer (CISO) and Information Security (Steering) Committee (ISC/ ISSC) shall provide management direction and ensure that Information Privacy Policy and Framework are regularly updated and adhered to. SPOCS from different functions shall ensure implementation of APBIPP at each function.
2.3.1 Information Security (Steering) Committee (ISC/ ISSC)
The ISC/ ISSC shall perform the supervisory role for the information privacy organization within APBL. The ISC/ ISSC shall provide the direction and support for the information privacy initiatives. The CISO shall be the coordinator of the ISC/ ISSC.
Following additional tasks pertaining to Information Privacy, shall form the part of the responsibilities of the ISC/ ISSC:-
a. Regularly review the APBIPP and framework to incorporate latest legal and regulatory requirements and to conform to industry best practices;
b. Allocate resources required for adherence to APBIPP and conduct annual review of the assignment of budget and allocation of other resources to bank’s privacy program;
c. Monitor the information privacy controls within the organisation to ensure compliance to information privacy framework;
d. Communicate to the various teams on the information privacy plans and programs to maintain information privacy awareness in the Bank;
e. Decide the acceptable levels of risk and provide feedback for the improvement of the information privacy framework;
f. Ensure adherence of any new or significantly changed products, services, business processes, and infrastructure to APBIPP; and
g. Ensure that system development and change management processes for all technology used for collection, processing, retention, dissemination and destruction of personal information are documented and implemented only after authorization as described in the “Systems Acquisition, Development & Maintenance Standard” and approval of the CISO.
2.3.2 Chief Information Security Officer (CISO)
The CISO shall be an information privacy liaison who shall be responsible for the establishment and maintenance of the Information Privacy Policy and Framework. The CISO shall have following additional roles pertaining to Information Privacy:-
a. Ensure alignment of information privacy objectives to the organization’s strategic plan;
b. Ensure regular review of Information Privacy Policy in order to ensure compliance to latest privacy laws and regulations;
c. Ensure training and awareness programs are regularly organized to inculcate privacy awareness amongst the employees;
d. Guide privacy representatives to ensure effective implementation of Information Privacy Policy and Framework;
e. Review exceptions against Information Privacy Policy and approve/ suggest mitigating controls to ensure information privacy; and
f. Oversee investigations/forensics of privacy breaches.
2.3.3 Information Security Management Representative (ISMR)
The ISMR shall have following additional responsibilities, pertaining to Information Privacy:
a. ISMR shall ensure compliance of various functions at airtel centre with APBIPP. For this purpose, ISMR shall carry out periodic audits of various functions within airtel centre to ensure their compliance;
b. Assist in consequence management and legal matters associated with privacy breaches, as necessary;
c. Ensure compliance of third parties with the information privacy policy and framework. This should be ensured by circulating privacy checklists and carrying out surprise audits; and
d. Develop information privacy initiatives to spread awareness at the Bank and mitigate information privacy risk.
2.4. Third-party Security
• All third parties including the strategic partners should comply with the privacy requirements laid down in the APBIPP. Bank shall ensure that the privacy requirements as laid down in APBIPP are communicated to all the third parties having access to personal information in any form. The contracts with third parties shall incorporate these requirements as part of the legal contract. Further, third parties shall submit their consent to comply with these requirements before any personal information is shared with them;
• The third parties handling personal information shared by the bank shall establish a privacy policy to incorporate the privacy requirements as laid down by the contract as well as all the applicable legal and regulatory requirements;
• Before sharing any personal information with a third party, bank must ensure that there is an NDA signed with the third party backed with a legal contract or LOI (Letter of Intent);
• If the third parties sub-contract any service/ work involving personal information shared by the Bank, the sub-contracted parties and their employees shall also adhere to the APBIPP;
• It shall be the responsibility of the third party to ensure implementation of controls as per APBIPP in their organization as well as at the sub-contracted organization;
• The third parties as well as their sub-contracted organization shall not disclose any personal information shared by the bank without explicit consent of the CISO;
• Third parties shall be subject to independent reviews of their compliance with the APBIPP; and
• Any personal information to be shared with a third party must be shared through a secure communication channel and the data should be encrypted wherever possible.
3. Information Privacy Principles (APBIPP – 003)
The Bank shall establish privacy principles in order to identify controls that bank shall implement to ensure compliance with the information privacy best practices and applicable privacy laws and regulations.
3.1. Management
Policy Objective: The Bank shall define, document, assign accountability, regularly update and communicate APBIPP to the various stakeholders in a timely manner.
3.1.1 Communication to Internal Personnel
The privacy policy (APBIPP) shall be made readily available to all the respective employees of the Bank.
a. The policy shall be enforced by the CISO, through regular information privacy related training and awareness campaigns; and
b. Trainings shall be conducted for the employees on their roles and responsibilities towards ensuring privacy of personal information on an annual basis.
3.1.2 Responsibility and accountability for policies
a. Chief Information Security Officer (CISO) shall be responsible for developing, documenting, enforcing, monitoring, and updating privacy policy and privacy related controls; and
b. The contact details of the CISO shall be communicated to all the employees of the Bank.
3.1.3 Consistency of Privacy Policies and Procedures With Laws and Regulations
The privacy laws, regulations and standards that are applicable to the Bank shall be identified. The review of the policy shall be carried out on an annual basis to ensure that policy is consistent with the applicable laws, regulations, and appropriate standards.
3.1.4 Personal Information Identification and Classification
a. Users, processes, systems and third parties handling personal information shall be identified; and
b. The personal information shall be classified based on the sensitivity of the information.
3.1.5 Risk Assessment (Privacy assessment)
Privacy assessment of all the functions shall be carried out initially for all processes to identify the risk of leakage of personal information and its criticality. Thereafter, such assessments shall be carried out whenever there is a change in the process or governing laws and regulations. ISMR shall carry out the privacy assessment of all the business functions of bank.
3.1.6 Consistency of Commitments With Privacy Policies and Procedures
Contracts and Service Level Agreements shall be reviewed and updated on periodic basis by the business functions to ensure consistency with APBIPP.
3.1.7 Infrastructure and Systems Management
a. ISMR shall assess the impact of new and significantly changed products, services, business processes, and infrastructure on privacy of personal information;
b. Documented systems development and change management process shall be used for all information systems and related technology (including manual procedures, application programs, technology infrastructure, organizational structure, and the responsibilities of users), used to collect, use, process, retain, disclose, and destroy personal information;
c. Potential effect on privacy shall be assessed for new systems and changes;
d. Changes to system components shall be tested to minimize the risk of any adverse effect on the privacy of personal information. A controlled test database shall be maintained for full regression testing to ensure that changes to one program do not adversely affect other programs that process personal information;
e. All test data involving personal information shall be anonymized;
f. Procedures shall be implemented to ensure integrity and protection of personal information during migration from old to new or changed systems;
g. Documentation and approval by the CISO, business function manager, and IT management shall be taken before implementing changes to systems and procedures that handle personal information, including those that may affect its security. Emergency changes shall maintain the same level of protection of personal information; however, they may be documented and approved post implementation;
h. The IT and Network function shall maintain a listing of all applications/software that process personal information and the respective level, version, and patches that have been applied;
i. Where systems are involved, appropriate procedures shall be followed, such as the use of separate development, test, and production libraries to ensure that access to personal information is appropriately restricted; and
j. Personnel responsible for initiating or implementing new systems and changes, and users of new or revised processes and applications shall be provided training and awareness sessions related to privacy.
3.2. Notice
Policy Objective: Bank shall provide notice to the information providers about its privacy policies and practices, the purposes of collecting personal information, its usage, retention, dissemination and destruction, the identity and location in the bank where the personal information resides, and information on whom to contact at the bank on privacy related issues.
3.2.1 Communication to Individuals
All business functions shall ensure that while collecting any personal information the information providers are informed about the purpose of collection of the information. The privacy notice provided to the information provider shall include the following points:-
a. If any personal information is collected, the purpose for collection of such information and whether this purpose is a part of a legal requirement;
b. Consequences, if any, of not providing the requisite information. The consequences of information provider’s refusal to provide the consent or, at a later date, withdrawal of the consent with regard to collection, processing, retention and disclosure of his/her personal information;
c. Whether certain behaviour patterns based on usage of product(s) or service(s) by the individuals may be developed. For example, buying patterns of the individuals;
d. The process to be followed by the information provider to exercise the choices available to them with respect to their personal information (for example signing the consent clause or checking the opt in box for giving consent);
e. The options with information provider to change the contact preferences and withdraw consent with regard to processing, retention, dissemination and destruction of the personal information at any later date;
f. The retention of personal information for only as long as necessary to fulfil the stated purposes, or for a period specifically required by law or regulation, after which it is disposed of securely;
g. The procedure to be followed by information providers to update and correct their personal information (for example, in writing, by phone, by email, or by using the entity’s Web site);
h. Communication of the method of resolution of disagreements related to personal information;
i. Information may be disclosed to the authorized third parties for providing service(s) to the information providers;
j. Information may be transferred to entities located within or outside India for the purposes of providing service(s) on explicit consent from the information provider or if it is necessary for the performance of the lawful contract between bank and the information provider and post ensuring the same level of data protection is being adhered to by such entity;
k. Notification about the web tools such as web cookies and web beacons which are used by the bank to collect information providers’ personal information while they are on APBL’s website and about their choice to turn off cookies and beacons and as a result not provide such information to bank;
l. Notification that reasonable physical and logical access controls are implemented to ensure privacy of their personal information; and
m. Description of the procedure of registering complaints regarding their personal information.
3.2.2 Provision of Notice
a. Notice shall be provided to the information providers in a timely manner (that is, at or before the time personal information is collected) to enable them to decide whether or not to submit personal information; and
b. Notice shall be dated to allow information providers to determine whether the notice has changed recently.
3.3. Choice and Consent
Policy Objective: Bank shall communicate to the information providers, the choices available to them and obtain explicit consent with regard to collection, processing, retention, dissemination and disclosure of the information.
3.3.1 Implicit or Explicit Consent
The business functions shall ensure that:-
a. The information provider’s consent is obtained in a timely manner and properly documented and retained till the time the information provider is availing the product(s) or service(s) of the bank or as mandated by the local laws (whichever is longer); and
b. Any changes to the information providers’ preferences with respect to their consent are recorded and are implemented within seven working days of obtaining them.
3.3.2 Consent for New Purposes and Uses
The business functions shall ensure that:-
a. When personal information is to be used for a purpose not previously specified, the individual is notified and the new purpose is documented. The business function shall obtain and document consent or withdrawal of consent to use personal information for the new purpose; and
b. The use of personal information provided by the information providers is in accordance with their preferences.
3.3.3 Explicit Consent for Sensitive Information
Any sensitive personal information shall be collected only after explicit consent of the information provider.
3.4. Collection
Policy Objective: Bank shall collect personal information only for the purposes communicated to the information providers. Furthermore, any such information shall be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the end customer concerned.
3.4.1 Collection Limited to Identified Purpose
In case the business function needs to collect the personal information, the business function shall:-
a. Clearly indicate the fields of personal information which are essential for the purpose of providing product or service and differentiate it from the non-essential fields of personal information; and
b. Periodically review the business’ necessity of collection of personal information and ensure that the fields of information being requested are consistent and limited to those required for providing the product or service. Also, it shall be ensured that all personal information mandated by the applicable laws and regulations is collected before providing product(s)/ service(s).
3.4.2 Collection from Third Parties
a. Contracts signed with the third parties shall include provisions requiring them to collect personal information fairly and lawfully and in accordance with APBIPP requirements; and
b. Collection methods adopted by the third parties responsible for collecting personal information of the information providers shall be reviewed. Business shall ensure that information providers are provided with the choice and their consent is obtained before collecting such information.
3.5. Use and Retention
Policy Objective: The information provided by an individual to the bank shall be used only for the purposes for which it was provided and consented by the individual and shall be retained for only as long as necessary to serve the purpose or as required by the applicable laws or regulations. Personal information shall be securely disposed of to prevent its retrieval and mishandling post the retention period.
3.5.1 Use of Personal Information
While using personal information, the concerned business function shall ensure that:
a. The information is used in accordance to the purposes intimated to the information provider while collecting the information; and
b. The applicable laws and regulations are adhered to at all times.
3.5.2 Retention of Personal Information
For retention of the personal information, adherence to following controls shall be ensured:-
a. Retention period shall be defined and implemented as per the business requirement or legal requirements, whichever is later;
b. Retention periods of different types of records of personal information are defined;
c. Communication recorded through lawful interception, if any, shall be retained for a period of two months from the date of discontinuance of the interception;
d. Third parties should define and implement the “retention policy” for personal information, which should be aligned to the APBL’s retention policy. This policy should clearly define the retention period for various records containing personal information; and
e. Any personal information not required for providing service(s) or mandated by law and captured by APBL’s systems is removed in a timely and secured manner to prevent mishandling.
3.5.3 Disposal and Destruction of Personal Information
While disposing of personal information, following privacy controls shall be adhered to:-
a. Information is disposed of in accordance with the timelines defined in the retention policy of APBL or its third parties depending upon the ownership of the information;
b. Time of disposal is documented to include the details of the disposed of records containing personal information. For example, document the name of the record owner, date created, date destroyed, method of destruction, fields of personal information contained by it and primary purpose for the creation of the record;
c. Destruction of personal information which is no longer required for providing the services or as per applicable laws and regulations; and
d. Any information retained by bank after the expiry of its retention period is retained only after obtaining consent of the information provider.
3.6. Access and Correction
Policy Objective: Information providers, at all times, shall be able to access their personal information available with the bank. Bank shall provide the information providers with an option to update their personal information.
3.6.1 Access by Individuals to their Personal Information
Any business function, while maintaining personal information, shall ensure that:-
a. All information providers are intimated of different means of accessing their personal information as part of the notice;
b. Information providers are able to access their own personal information only. No individual who is not authorized personnel shall be provided with access to the personal information of any other information provider;
c. All such requests of information providers to access their personal information are processed within seven working days from the date of request; and
d. All such requests for access to personal information along with action taken by bank are recorded. If bank is unable to provide the requisite information or in case of unresolved complaint or dispute, the reasons for not complying with the request shall also be documented.
3.6.2 Confirmation of an Individual’s Identity
a. Identity of the information providers shall be verified before allowing them access to their personal information; and
b. Communication with the information provider about updating his/her personal information shall be carried out only over mobile number or at the postal address provided by the information provider. In case of change of postal address, such communication shall be sent to both, the new postal address and the old address.
3.6.3 Updating or Correcting Personal Information
a. Information provider shall be communicated of the procedure for updating personal information;
b. Personal information shall be updated in a time bound manner after receiving the request for change;
c. Personal information shall be updated only after verification of the identity of the information provider; and
d. Procedures for resolving the discrepancies related to the personal information shall be communicated to the information providers.
3.6.4 Internal Access to Personal Information
a. All functions handling personal information shall be identified and the relevant processes within these functions shall be reviewed for adequacy of privacy controls of personal information;
b. Access to personal information shall be provided to a bank employee (part time/full time), contractual employee or third party employee only after authorization by the head of the function to which he/she belongs. All such authorizations shall be obtained by e-mail or in hard copy format; and
c. Any change to an individual's personal information shall be updated consistently in all systems of the bank. If any third party is facilitating the updating of this information on the bank's behalf, it shall be the responsibility of the third party to accurately update the records.
3.7. Disclosure to Third Parties
Policy Objective: Any information shared with the third parties shall be shared only after obtaining explicit or implicit consent from the information provider.
Additionally, bank shall ensure that the third-party adheres to all applicable privacy principles and regulations.
3.7.1 Disclosure of Personal Information
The following points shall be kept in mind while disclosing personal information to third parties or any other agencies:
a. Business functions shall disclose the personal information to Government agencies only after verifying that such agencies are lawfully authorized to seek such information. Further, all such requests shall be obtained in writing clearly mentioning the purposes and the powers of such agencies to seek personal information from bank.
b. Personal information shall be disclosed to third parties of the bank on a need basis only, and only for the purpose of executing business. Further, the business function shall ensure that all such third parties have signed a Non-Disclosure Agreement (NDA) with the bank to ensure privacy of the personal information of information providers. Also, the contracts with such third parties shall be updated to include a clause on privacy of the personal information of the bank's information providers available with them; and
c. Business functions shall document the nature and extent of personal information disclosed to the third parties.
3.7.2 Protection of Personal Information
a. The purpose, for which information is collected, shall be communicated to the third parties with whom the information is being shared, as part of the legal contracts signed with them and they shall be instructed not to use this information for any other purposes. The third parties shall further disclose the personal information to their sub-contractors only if such disclosure is necessary for providing service(s) to the information providers; and
b. All third parties shall provide periodic statement of compliance stating that they are compliant with the APBIPP requirements. Apart from this, audits shall be conducted by bank or representatives appointed by bank to ensure compliance of third parties with APBIPP requirements.
3.7.3 Non-compliance to protection of Personal Information
Non-compliance of any third party with the privacy practices followed at the bank is ground for disciplinary action up to and including termination of the contract. The third party shall establish a procedure to ensure that its associates are made aware of their personal liability for the protection of personal information and that any deviation from the policy may lead to the associate's services being discontinued/terminated.
3.8. Security
Policy Objective: Bank shall ensure protection of personal information against unauthorized access, usage and dissemination.
3.8.1 Information Privacy Program
The following shall be taken into consideration while handling personal information:
a. Periodic vulnerability assessment of the physical and technical environment shall be carried out to gauge the effectiveness of the privacy controls implemented. Apart from this, penetration testing shall be carried out periodically to assess the resilience of websites and other systems of the bank accessible through the internet;
b. Adequate authentication parameters and logical access controls, as described in the APBISP, shall be implemented at all access points of personal information;
c. Access rights of all the employees handling personal information shall be periodically reviewed, at least once every quarter; and
d. Information Privacy Control Matrix shall be applied to all new processes handling personal information to ensure adequate information privacy controls.
3.8.2 Logical Access Controls
a. Employees shall not divulge the security procedures followed at bank to mitigate the risk of compromise of personal information; and
b. Logical access controls, as defined in the Airtel Payments Bank Access Control Standard, shall be applicable at all points from where personal information is accessible.
3.8.3 Physical Access Controls
a. Bank shall provide adequate protection to its information systems containing any personal information and facilities against unauthorised physical access and environmental threats using measures as described in the APBISP;
b. Hard copy of any form or any other document containing any personal information shall be secured physically by adopting adequate security measures as described in the APBISP; and
c. Bank shall log and monitor access to areas hosting personal information. Any attempted breach or unauthorized destruction of information shall be dealt with in accordance with the COC.
3.8.4 Environmental Safeguard
Privacy of the personal information of any information provider shall be ensured even during a disaster. Business continuity and disaster recovery plans shall be updated to ensure privacy of personal information in such an event.
3.8.5 Transmitted Personal Information
a. All documents and records containing personal information shall be encrypted before being transmitted by mail or other means. The encryption techniques employed shall be in accordance with the Airtel Payments Bank Encryption Standard; and
b. All personal information transmitted to external networks shall be transmitted through secure lines. Any remote access to bank systems containing personal information shall be according to the Airtel Payments Bank Access Control Standard.
3.8.6 Personal Information on Portable Media
a. Personal information shall not be stored on portable media or devices unless required by business. Even where required, approval shall be obtained from the business head and the CISO. If it is stored, the risk of leakage shall be mitigated by encrypting it and password-protecting it; and
b. Mechanisms shall be defined by each business to report the loss of media containing personal information and to ensure timely documentation of all such incidents. In case of loss of media, the business, in consultation with the ISMR, shall take mitigating steps to minimize the risk arising from the incident. To proactively prevent future occurrence of similar incidents, all such incidents shall be investigated and the action points from such investigation acted upon.
3.9. Accuracy
Policy Objective: Bank shall strive to maintain the completeness and accuracy of the personal information of information providers available with it.
3.9.1 Accuracy and Completeness of Personal Information
To maintain the accuracy of the personal information available with the bank, the following points shall be taken into consideration:
a. Bank shall maintain complete and accurate personal information of information providers, as provided by them, as long as bank retains it;
b. It shall be communicated to the information providers at the time of collection that:
• they are responsible for providing complete and accurate Personal Information; and
• how to contact the bank in case their Personal Information needs to be updated; and
c. If any changes to their personal information are requested by the information providers, such requests shall be processed in a time-bound manner and the record of all such change requests shall be maintained.
3.10. Monitoring and Enforcement
Policy Objective: Bank shall continuously monitor the compliance of employees, third parties and other direct stakeholders with this policy and shall address privacy related complaints, queries and disputes appropriately.
3.10.1 Inquiry, Complaint and Dispute Process
a. The steps to contact bank management in case of privacy related complaint or queries shall be clearly defined and also be published on bank’s official website;
b. It is the duty of all employees and third parties of bank to cooperate for effective and timely resolution of information provider’s complaints and queries;
c. The information provider shall be intimated of any breach of personal information, with all relevant details, at the last communication address shared by the information provider; and
d. Information provider’s complaints records shall be periodically reviewed to identify trends and APBIPP and relevant processes shall be updated to address those specific issues.
3.10.2 Ongoing Monitoring
a. All employees of bank shall go through the information privacy training post joining the organization;
b. Employees and third parties shall inform CISO if they observe any privacy vulnerability or security breach; and
c. Whenever an employee's roles and responsibilities change, his/her access to personal information shall be reviewed and appropriately modified within 72 hours of such change. If an employee is leaving the organization, his/her access to personal information shall be revoked immediately.
References
a. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011;
b. Section 43 of the Information Technology Act, 2000;
c. Section 72 of the Information Technology Act, 2000;
d. UIDAI – Aadhaar Act;
e. RBI Regulations;
f. Generally Accepted Privacy Principles;
g. APBISP – Airtel Payments Bank Information Security Policy; and
h. IRDAI Regulations.