DATA PRIVACY COMPLIANCE POLICY
1. Introduction
Fortitude is committed to safeguarding the privacy and confidentiality of the personal information entrusted to us. This Data Privacy Compliance Policy outlines our principles and practices for ensuring compliance with data protection laws and maintaining the integrity of the information we collect.
2. Scope
This policy applies to all personal data collected, processed, and stored by Fortitude in the course of its coaching and mentoring activities for students.
3. Data Collection and Processing
Consent: Fortitude will obtain explicit consent from individuals before collecting and processing their personal data.
Purpose: Personal data will only be collected for specific, explicit, and legitimate purposes related to our coaching and mentoring programs.
Data Minimization: Fortitude will only collect and process personal data that is necessary for the intended purpose.
4. Data Security
Access Controls: Access to personal data will be restricted to authorized personnel on a need-to-know basis.
Encryption: Fortitude will implement appropriate encryption measures to protect personal data during transmission and storage.
We will take measures to ensure the accuracy and completeness of personal data.
5. Data Privacy Compliance Policy
At Fortitude, the appropriate handling and Processing of Personal Data is vital to the continued success of our business and maintaining the trust of our Clients, Personnel and Stakeholders. We are committed to the implementation and continual improvement of a framework, which ensures that Personal Data is handled appropriately, consistently and in accordance with applicable Data Protection and Privacy Law. This Policy sets out our Data Protection and Privacy Objectives and Requirements through our Principles and Commitments.
5.1 Our Principles:
Data Privacy is built into everything we do. The following 6 principles are designed to help all Fortitude Personnel understand their responsibilities when using and handling Personal Data. They apply to everything we do, no matter where we do it. To this end:
- Fortitude takes responsibility for the Personal Data we hold and process.
- Personal Data of Individuals is always protected, secure and kept confidential.
- Personal Data is collected only where necessary for legal, regulatory, and business purposes and only used for the purposes it was collected for.
- Personal Data is collected and processed fairly, lawfully, transparently and in accordance with our Code of Conduct and Data Privacy Compliance Policy Framework.
- Processing of Personal Data is documented and assessed at the outset to ensure the minimum privacy risk and impact to Individuals; and
- Personal Data is only kept for as long as is necessary to achieve the original processing purpose or to satisfy our legal and regulatory obligations.
5.2 Our Commitments
Fortitude shall implement appropriate and effective measures to ensure that:
- Appropriate internal controls and procedures are implemented and maintained to promote consistent standards when handling Personal Data across Fortitude, and with Third Parties.
- Processing of Personal Data is always assessed at the outset and throughout new initiatives to ensure the minimum privacy risk and impact to Individuals.
- Individuals are provided with clear and transparent information about the purposes for which their Personal Data is collected and processed.
- Personal Data is only processed for the original purposes for which it was obtained.
- Personal Data collection and processing is always adequate, relevant, and not excessive.
- Personal Data is accurately recorded when collected and, where necessary, kept up to date.
- Personal Data is retained only for as long as is necessary to achieve the original processing objective or to satisfy our legal, contractual, or regulatory obligations.
- The rights and freedoms conferred to Individuals under applicable Data Protection and Privacy Law, including the right of access to Personal Data, are respected.
- Appropriate technical and organizational security measures are implemented to preserve the confidentiality, integrity, and availability of Personal Data.
- Third Parties and Suppliers processing Personal Data on our behalf undergo risk-justified due diligence and, where appropriate, ongoing assurance checks to ensure they have appropriate technical and organizational security and compliance measures in place to protect Personal Data.
- Appropriate Data Privacy Compliance training is made available to all Personnel, and a commitment from Third Parties is secured to ensure that equivalent training is delivered to their Personnel.
- Personal Data is not transferred across national or territorial boundaries unless the rights and freedoms of the Individuals that are the subject of the information can be adequately protected.
- Any incidents involving the unauthorized disclosure, misuse, loss, alteration, or destruction of Personal Data are reported and escalated immediately to ensure appropriate management.
- Any data protection and privacy enquiries or complaints are dealt with appropriately.
- An inventory of the key processing of Personal Data by the organization is maintained; and
- Personnel with specific accountabilities and responsibilities for data protection and privacy are appointed to advise on the implementation of this Policy and monitor compliance with its requirements.
6. Policy Requirements
6.1 Regional Variations
The Data Privacy Compliance Policy Framework sets out the minimum framework that all Fortitude businesses and subsidiary companies are required to implement to ensure they comply with applicable Data Protection and Privacy Law. In addition, each Fortitude business and subsidiary company is required to implement additional measures to address any specific national data protection and privacy legislation in the jurisdictions in which they operate, or any contractual requirements, that are not addressed by the Data Privacy Compliance Policy Framework.
6.2 Notifications
In accordance with applicable Data Protection and Privacy Laws, Fortitude will inform the relevant national data protection authorities before processing any Personal Data and will adhere to any applicable prerequisites for such processing. Fortitude businesses and subsidiary companies, as applicable, are obligated to confirm the presence and accuracy of their notifications to the relevant data protection authorities. These notifications should be directed to the designated point of contact for data protection documentation in the absence of a Data Protection Officer.
6.3 Incident Reporting
All incidents involving the unauthorized (e.g. deliberate or accidental) disclosure, misuse, loss, alteration or destruction of Personal Data must be reported immediately by Personnel to Thomas.gannon@fortitudeadvisory.org and in accordance with established incident reporting procedures. Where required by applicable Data Protection and Privacy Law and other legal and contractual requirements, Fortitude will notify the relevant national data protection authorities, Individuals, and clients in the event of a Personal Data incident or Personal Data Breach.
6.4 Privacy By Design
Fortitude must implement technical and organizational measures to show the consideration and integration of data privacy compliance measures into their data processing activities.
6.5 Penalties and Disciplinary Action
Any violation or attempted violation of the Data Privacy Compliance Policy Framework may result in disciplinary action, up to and including the termination of the volunteer engagement or, where appropriate, the termination of the member agreement with an Advisor. It should also be noted that in some of the jurisdictions in which Fortitude operates, Volunteers may be held personally liable for civil or criminal penalties if they knowingly or recklessly violate applicable Data Protection and Privacy Laws.
Any Volunteer who believes the Data Privacy Compliance Policy Framework has not been correctly implemented within their scope of engagement must contact their designated contact person in the first instance and then the Data Privacy Compliance team. Any inappropriate conduct may also be reported confidentially via Fortitude’s independent whistleblower reporting line in accordance with the Code of Conduct and Compliance Procedure.
6.6 Contact Information
For inquiries or concerns related to data privacy, please contact: Thomas.gannon@fortitudeadvisory.org
While the President of Fortitude is responsible for implementing and monitoring this Policy, all Advisors and persons working on our behalf must share these commitments. Everyone is empowered to speak up and act to ensure that they are met.
“If you see something, say something.”