1.0 AUTHORITY/PURPOSE/OBJECTIVE
Section 6.0 of the Propel, Inc., (“Propel” or “Company”) Information Security Management Policy (“ISMP”), incorporated herein by reference and available upon request, identifies the need for sub-policies to address a variety of information security subjects, one of which is privacy, as addressed by the European Union (EU) through its General Data Protection Regulation (GDPR), the United Kingdom (UK) through its own General Data Protection Regulation (UK-GDPR), the state of New York through its Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the state of California through its California Consumer Privacy Act (CCPA) and its California Privacy Rights Act (CPRA). It is important to note that Propel® also strives to achieve substantive compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and with other compliance standards including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Final Rule, all of which are addressed in separate policies. Further, as a matter of policy, the Company strives to comply with both the letter and the spirit of applicable jurisdictional laws and regulations, and it acknowledges the more comprehensive requirements of the GDPR, UK-GDPR, SHIELD Act, CCPA and CPRA. Thus, this policy is a working effort to meet or exceed the highest applicable standard using a universal approach. Propel® seeks to build its culture of privacy compliance upon a foundation of global privacy concepts, characterized by transparency, consent and a sense of “doing the right thing” at the front end of its decision-making processes. This means that when the Company seeks explicit consent from individuals, that request is accompanied by a clear privacy notice and an understandable explanation of how and why we collect personal data, with whom it is shared and at what risk.
For Propel, the collateral benefit is that its efforts to comply with these laws and regulations also serve to embrace the nearly global expectation that privacy is a natural right to be duly protected. While the terminology and definitions may differ politically, geographically and from one organization to another, the shared objective of data privacy is to protect the privacy rights of individuals. Propel’s stated objective is to secure and keep private the protected information that the Company handles in conjunction with its clients, its clients’ employees, its third-party data-center host and other mission-related third-party vendors.
2.0 SCOPE/UNDERSTANDING THE PROPEL BUSINESS MODEL
This sub-policy applies to all Propel employees, contractors, vendors and agents who use a Propel-owned or personally owned computer or workstation to connect to the Company’s network, and to all web application development, staging and production servers currently owned or maintained by Propel. The Company’s business model embraces two types of infrastructure with different functions, handling different amounts of personal data. The corporate infrastructure consists of a single server located in a secure area within the Company’s offices and is sometimes referred to as the corporate/office server. It handles less than 1 percent of the personal data collected from our clients and their employees. Its two primary functions are to support Propel’s intra-company applications and to provide a working platform, or software workstation, upon which the Company’s team members develop, maintain, customize, revise and support what becomes a customized wellbeing program for use by our clients and their employees. See Section 3.0 below. This finished product, a client portal, formally activates upon the infrastructure known as the “Propel® platform” at the time of licensing, whereupon it is placed under client control at or about the time of program launch. Appropriate Propel team members retain access to the portal for maintenance purposes. It is at this juncture that personal data begins to flow through the client’s portal. See Section 4.0 for an understanding of the dynamics of the “Propel® platform.”
3.0 PROPEL OVERVIEW AND BUSINESS DESCRIPTION
Propel, Inc., is engaged in the development, maintenance, customization and support of the Propel® platform, a Software as a Service (SaaS) platform that is customized to run and manage comprehensive wellbeing programs.
4.0 UNDERSTANDING THE PROPEL PLATFORM SERVER/CLIENT DATA BACK-UP AND RECOVERY/DYNAMICS OF THE IBM THIRD-PARTY DATA CENTER ENVIRONMENT
Crucial to an understanding of this Compliance Sub-Policy is the concept of how Propel’s clients access and use their data. Each Propel client does so via a separately installed web application and database located on one of the servers maintained for Propel, Inc., by IBM Corporation, which serves as Propel’s third-party data center host at IBM data center locations in the U.S. as well as outside the U.S. Daily backups of all databases for the Propel® platform servers (including those used as client portals) are conducted in accordance with configuration instructions furnished by Propel when servers are brought online. These servers are maintained, protected, guarded and carefully hosted within the IBM data center environment pursuant to a written agreement between Propel and IBM Corporation. Specifically, these client portals use dedicated “bare metal servers” maintained solely for Propel and its clients. The use of such dedicated bare metal servers has two important operational advantages over virtual/cloud-based servers. First, the risk of improper or deficient load sharing with other tenants is removed; such contention could affect the ability of our clients to access their respective data in a crisis. Second, more than 99% of our clients’ employees’ personal data (usually protected health information, PHI) is handled within the confines of the carefully controlled IBM data center environment and NOT on Propel’s corporate/office server. Each of IBM’s data centers is designed with a focus upon redundancy in its infrastructure systems and Network Point of Presence (POP). In simpler terms, this POP technology (housed in the data center’s carefully controlled environment) gives Propel’s clients a safe and secure access point between the data center and the rest of the internet. The Propel platform also includes one virtual “staging” server (machine) in IBM’s U.S. data center, dedicated to staging and testing as client portals are made ready for initial launch, or to provide a secure stage upon which the entire range of testing (from interim to final) can take place in support of the Company’s system development life cycle (SDLC) or change management processes. Two of Propel’s Information Security Sub-Policies describe and control these processes (Propel, Inc., Information Security Sub-Policy Number 3—Platform System Development Life Cycle (SDLC) Compliance; and Propel, Inc., Information Security Sub-Policy Number 7—Change Control Management). The data center located outside the U.S. houses two bare metal servers, one of which serves as a client portal and the other as a database server.
5.0 IBM DATA CENTER CERTIFICATIONS
A summary of IBM data center certifications includes compliance with the following laws, directives, standards and regulatory agency requirements: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27701, ISO 31000, Service Organization Control (SOC) Reports (SOC 1, SOC 2, SOC 3), Payment Card Industry (PCI) Security Standards Council, Health Information Trust Alliance (HITRUST), the Federal Information Security Management Act of 2002 (FISMA), Federal Risk and Authorization Management Program (FedRAMP), Defense Information Systems Agency (DoD-DISA), U.S. Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4), the Information Security Registered Assessors Program-Australia (IRAP), Security Construction and Equipment Committee-Australia (SCEC), IBM ISO Management System Certification for ISO 9001, European Union (EU) Model Clauses, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), My Number Act (Japan), U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) of the U.S. Department of Justice Federal Bureau of Investigation (FBI), Cloud Security Alliance (CSA STAR), Federal Financial Institutions Examination Council (FFIEC), the Center for Financial Industry Information Systems-Japan (FISC), “Good Practice” Quality Guidelines and Regulations (GxP), the Federal Financial Supervisory Authority (BaFin-Germany), the European Banking Authority (EBA-European Union), the Cloud Computing Compliance Controls Catalogue (C5-Germany), the European Union Agency for Network and Information Security (ENISA-European Union), Esquema Nacional de Seguridad (ENS-Spain), Government Cloud (G-Cloud-U.K.), General Data Protection Regulation (GDPR-European Union), Hébergeurs de Données de Santé or Health Data Hosting (HDS-France), IT-Grundschutz-Germany, Multi-Tier Cloud Security (MTCS-Singapore), Information Security Management System-South Korea (K-ISMS) and the Network and Information Systems Directive (NIS Directive-European Union). It is important to note that these certifications and regulatory compliance accomplishments are an integral part of Propel’s decision-making process for selecting the most reliable web/data center host for its clients. This selection process is now a formalized compliance policy identified as the Propel, Inc., Third-Party Due Diligence and Risk Management Policy, a copy of which is available upon request.
6.0 IBM COMPLIANCE IS PROPEL’S COMPLIANCE; PROPEL BENEFITS FROM IBM DATA CENTER CERTIFICATION(S)
With an understanding of Propel’s business model and its third-party relationship with IBM, the Company contractually relies upon the expertise and data center security certification(s) maintained by IBM to secure and keep private the protected data entrusted to IBM Cloud for handling, storage and backup. In short, Propel relies upon IBM Corporation to maintain the certifications noted above, the importance of which cannot be overstated. A vital part of this compliance effort is the continual external auditing of IBM’s data center operations.
7.0 THE PROPEL WEBSITE/THE INTERNAL SERVER/COOKIE AUDIT/PRIVACY AND COOKIE NOTICE
As the result of a formal cookie audit, a first visit to the propelwellness.com website (hosted on the Company’s internal server) displays the following prompt:
PRIVACY NOTICE
You can browse our website without disclosing information about yourself. We use two types of cookies. The first type, “strictly necessary” cookies (your consent is not required), is designed to ensure that you have a secure browsing experience; these cookies guard against unauthorized posting of content and serve to protect our website visitors. The second type, “performance” cookies (your consent is requested), helps us to better understand how our site is used. This collected information never identifies you personally. If you choose to contact us on the website, your identifying information is NOT shared with any third party. You also have a right to know what, if any, information we hold about you, as well as a right to ask that your personal information be updated, corrected, or deleted altogether. If you wish to make a request to us in this regard, please contact Propel at: privacy@propelwellness.com. You should also know that to opt out of being subject to Google Analytics across all websites you can visit http://tools.google.com/dlpage/gaoptout.
8.0 PROPEL, INC., DESIGNATION OF DATA PROTECTION OFFICER (DPO)/CONTACT INFORMATION FOR PRIVACY ISSUES
In accordance with the requirements of nearly all privacy laws and regulations, Propel, Inc., designates its Chief Compliance Officer (CCO) to assume the additional responsibility of Data Protection Officer (DPO). For additional questions, comments, suggestions, requests for more information, or if you would like to voice a complaint, please contact the Company by e-mail at privacy@propelwellness.com, or alternatively send written correspondence to Propel, Inc., Attn: CCO/DPO, 105 Continental Place, Suite 400, Brentwood, TN 37027 (USA). The Company’s phone number is +1-615-377-6116. You also have the right to lodge a complaint with a supervisory authority.
9.0 DESIGNATION OF AGENT FOR SERVICE OF PROCESS AND UNITED KINGDOM (UK) REPRESENTATIVE/NO POST-BREXIT REQUIREMENT FOR APPOINTMENT OF A SEPARATE EUROPEAN UNION (EU) REPRESENTATIVE
In accordance with the UK-GDPR, Propel, Inc., has appointed Apex Agency Services, Ltd., 6th Floor, 125 Wood Street, London, EC2V 7AN (U.K.) as its agent for service of process in the U.K., which includes Apex’s ability to receive official notices or correspondence from the UK Information Commissioner. Apex Agency Services’ website address is https://apexprocessagent.com and its e-mail address is processagent@apexfs.com. Of course, Propel’s CCO/DPO can be reached directly as shown above in Section 8.0. Additionally, it should be noted that post-Brexit, considering the totality of the circumstances, Propel’s CCO/DPO has determined that the Company is no longer obligated to appoint a separate EU Representative. This is because when the Company separates the number of its wellness program participants (data subjects) in the UK from those in the rest of the EU, the EU numbers are extremely small. Thus, the CCO/DPO further finds that post-Brexit, Propel’s EU processing qualifies as “occasional” under the exemption in Article 27(2)(a) of the GDPR, which applies only where the processing is occasional and does not include large-scale processing of the special categories of data listed in Article 9(1) (health data among them); this finding is revisited at each policy revision under Section 10.0. In any event, Propel’s CCO/DPO can always be reached directly by any supervisory authority or data subject, as shown above in Section 8.0.
10.0 POLICY REVISION AS CONTINUING EXERCISE IN RISK MANAGEMENT / DATA PROTECTION IMPACT ASSESSMENT (DPIA)
As stated in Section 1.0 of the Propel, Inc., Information Security Management Policy (referenced in Section 13.0 below, and available upon request), the process of revision for each compliance policy also constitutes a “big picture” review of the Propel platform, and further represents an exercise in continuing risk management. This is because each policy revision contains a review and consideration of at least the following items and activities: the CCO/DPO has considered the Company’s responsibilities relating to personal data (PD); each client develops its own privacy notices and policies for posting on its wellness program portal (after reviewing Propel’s proposed Terms of Use Policy and Consent Agreement, which in effect constitutes a portal-specific privacy policy); all PD processed by Propel is authorized via a transparent, clearly stated, “opt-in” consent process; a review of Propel’s information, data and cyber security programs currently in effect reveals no unusual vulnerabilities or material, incident-driven activities; all PD is encrypted at rest and in transit; PD is never sold to a third party, or shared with any entity outside the requirements of the wellness program, without the consent of the program participant, except as may be required by law; there is no history of PD breach or compromise; a review of Propel’s application development security posture reveals no unusual vulnerabilities; a review of all information security sub-policies and privacy policies reveals no additional vulnerabilities; the Company’s CCO/DPO has reviewed (for regulatory updates) at a minimum the websites of the following organizations, which have information and/or enforcement authority over privacy laws in their respective jurisdictions: a) the Information Commissioner’s Office in the United Kingdom, b) the Office of the Privacy Commissioner of Canada, c) the U.S. Department of Health & Human Services, d) the State of California Office of the Attorney General, e) the State of New York Office of the Attorney General, and f) the EU’s official website for the European Data Protection Board (EDPB); the Company’s use of encryption technologies is extensive and continually updated; Propel’s President & Chief Executive Officer (CEO) approves all non-housekeeping policy revisions; and comments and suggestions are always welcome from the Chief Administrative Officer (CAO), the Vice President-Application Architecture (VP-AA) and all team members. From all of the above, the CCO/DPO finds that, pursuant to the requirements and guidance of the applicable privacy and data security laws and regulations, there is no need to conduct a more formalized DPIA at the conclusion of this process; the risk, potential for harm and/or impact is extremely low and, as such, Propel’s processing activities do not represent a significant risk to the privacy or security of program participants or their PD.
11.0 DPO AS A MEMBER OF THE PROPEL INFORMATION SECURITY MANAGEMENT COMMITTEE
The DPO also occupies the position of CCO, and as such serves as a member of the Propel Information Security Management Committee, presently consisting of three (3) members and serving at the pleasure of the President and Chief Executive Officer (CEO). Sitting as Co-Chairpersons of the Committee are the Chief Administrative Officer (CAO) and the Vice President, Application Architecture (VP-AA). Serving as the Committee’s Secretary is the CCO/DPO, who is also charged with taking minutes of meetings and drafting the various compliance policies and sub-policies. Relative to matters involving compliance with applicable privacy and data security laws and regulations, the DPO’s findings shall be controlling. The DPO reports directly to the President and CEO on such matters. The President and CEO encourages the CCO/DPO to seek the advice and consent of the other committee members (whenever possible), as well as of other team members, on compliance matters relating to privacy and/or data security.
12.0 POLICY COMPLIANCE
12.1 Compliance Measurement
Propel’s CCO, in consultation with the Information Security Management Committee, will verify compliance with this policy through various methods, which may include, but are not limited to, one or more of the following: periodic internal and external technology audits, walk-throughs, video monitoring, business tool reports, inspection and log review. Feedback will be provided to the CAO, the Information Security Management Committee and the appropriate business unit manager(s).
12.2 Exceptions
An exception to the policy must be approved in advance by Propel’s CAO and the Information Security Management Committee.
12.3 Non-Compliance
A team member found to have violated this policy may be subject to disciplinary action, up to and including termination of employment for even the first offense.
13.0 RELATED STANDARDS, POLICIES AND PROCESSES
Please review the following policies for details on protecting information when working on privacy and GDPR compliance:
Propel Information Security Management Policy (ISMP);
Propel Third-Party Due Diligence and Risk Management Policy;
Propel Information Security Sub-Policy Number 3–Platform System Development Life Cycle (SDLC) Compliance;
Propel Information Security Sub-Policy Number 7—Change Control Management;
Propel Information Security Sub-Policy Number 5—Acceptable Encryption: Technologies in Use;
Propel, Inc., HIPAA Workstation Security Policy
Propel, Inc., HIPAA-Security Rule Requirements-Administrative Safeguards Policy
Propel, Inc., HIPAA-Security Rule Requirements-Physical Safeguards Policy
Propel, Inc., HIPAA-Security Rule Requirements-Technical Safeguards Policy
Propel, Inc., HIPAA-Protected Health Information (PHI) Use and Disclosure Policy
Propel, Inc., HIPAA-Privacy Policy, The Complaint Process and Breach Notification