KB-450: Data Privacy and Confidentiality Policy

LeanTech IT Solutions — Internal Knowledge Base

Document ID: KB-450

Effective Date: January 5, 2020

Last Reviewed: January 12, 2025

Classification: Internal — All Staff


1. Purpose

This document defines the data privacy and confidentiality obligations of all LeanTech IT Solutions employees when handling client data, company information, and personal data. Compliance with this policy is mandatory and is a condition of employment.



3. International Client Compliance

Each client account in the LeanTech CRM is tagged with applicable regulatory frameworks. These tags determine additional handling requirements for Tier 1 engineers.

3.1 Regulatory Tags

[GDPR]
  Meaning: Client subject to EU data protection law
  Additional Requirements: Do not transfer or store client data outside of approved regions. Honor data subject requests (forward to client’s DPO). Breach notification within 72 hours.

[HIPAA]
  Meaning: Client subject to US healthcare regulations
  Additional Requirements: Do not access, view, or discuss any patient/health data. All PHI-related work must use encrypted channels only. Log all access to PHI systems.

[PCI]
  Meaning: Client handles payment card data
  Additional Requirements: Never access cardholder data environments unless explicitly authorized. Do not store or transmit card numbers in tickets, chat, or logs.

[SOC2]
  Meaning: Client requires SOC 2 compliance
  Additional Requirements: All changes must be documented with before/after state. Access requests must go through formal approval. Maintain audit trail.

[DPA]
  Meaning: Client has a custom Data Processing Agreement
  Additional Requirements: Refer to the client’s DPA document in the CRM for specific obligations before performing any data-related actions.

3.2 When In Doubt

If you are unsure which regulations apply to a client:

  1. Check the client’s profile in the CRM for regulatory tags

  2. If no tags are visible, treat the client as [DPA] by default and handle all data with maximum caution

  3. Consult your Team Leader before performing any action that involves accessing, moving, or modifying client data

Important: Regulatory violations can result in significant fines for LeanTech (up to €20 million or 4% of global annual revenue under GDPR) and personal liability for involved employees. When in doubt, do less — not more.


4. Classification of Information

Public
  Description: Information that may be freely shared outside the company
  Examples: Company website content, published press releases, job postings

Internal
  Description: Information intended for LeanTech employees only
  Examples: KB articles, SOPs, internal memos, SLA reports, training materials

Confidential
  Description: Sensitive business information requiring restricted access
  Examples: Client contracts, financial data, employee records, system architecture details

Restricted
  Description: Highly sensitive data with strict access controls
  Examples: Client server credentials, encryption keys, personal data of individuals, audit logs


5. Employee Obligations

5.1 General Requirements

  • Access only the data and systems necessary to perform your assigned duties

  • Never share login credentials, API keys, or access tokens with anyone, including colleagues

  • Lock your workstation when stepping away, even briefly (Win+L or Ctrl+Alt+L)

  • Do not store client data on personal devices, USB drives, or unauthorized cloud services

  • Report any suspected data breach or unauthorized access immediately (refer to KB-155, Tier 3)

5.2 During Client Interactions

  • Do not ask clients for their passwords — direct them to self-service password reset tools

  • If a client voluntarily shares sensitive information (e.g., passwords in a chat message), advise them to change it immediately and note this in the ticket

  • Do not screenshot or copy client data outside of the ticketing system

  • Use the client’s preferred name and verify identity before discussing account details

5.3 On Client Servers

  • Access client servers only through authorized channels (SSH with assigned credentials)

  • Do not browse, copy, or modify client files that are not related to your assigned incident

  • Do not install unauthorized software or tools on client servers

  • All commands executed on client servers are logged and subject to audit


6. Data Retention

Incident tickets
  Retention Period: 3 years after closure
  Disposal Method: Archived, then securely deleted

Client server logs
  Retention Period: 1 year
  Disposal Method: Automated rotation and deletion

Employee records
  Retention Period: Duration of employment + 5 years
  Disposal Method: Secure shredding / digital deletion

Chat transcripts (MS Teams)
  Retention Period: 1 year
  Disposal Method: Automated purge


7. Breach Notification

If you discover or suspect a data breach:

  1. Do not attempt to investigate or fix it yourself — this is a Tier 3 security incident

  2. Immediately notify your Team Leader and report to #tier3-escalation on MS Teams

  3. Document what you observed: what data, what system, when, and how you discovered it

  4. Preserve evidence — do not delete logs, close sessions, or power off affected systems

  5. Do not discuss the breach with clients, external parties, or unauthorized colleagues

LeanTech is legally required to report qualifying breaches to the National Privacy Commission within 72 hours of discovery. For [GDPR]-tagged clients, parallel notification to the client’s Data Protection Officer (DPO) and the relevant EU supervisory authority is also required within 72 hours.


8. Violations

Violations of this policy are treated as Major or Critical infractions under HR-201 (Code of Conduct and Disciplinary Action Policy) and may result in:

  • Immediate suspension pending investigation

  • Termination of employment

  • Civil or criminal liability under the Data Privacy Act of 2012

  • Company liability for damages, fines, and regulatory penalties


9. Annual Training

All employees are required to complete the Data Privacy and Information Security training module annually. Training completion is tracked by HR and is a factor in annual performance evaluations.