Data Safeguards, Privacy and Destruction
Data Safeguards Policy
RWS Life Sciences (“Organization”) has implemented the following safeguards to protect the Organization, client, and personal information it obtains, uses, accesses, or processes in connection with its performance of translation services.
Network and Computer Security The Organization uses up-to-date virus protection software on all computers used by the Organization.
The Organization uses a firewall product, such as a firewall built into its operating system, a network appliance, or a personal firewall software package
The Organization’s vendors keep all applications, including operating systems, patched with any software patch product, including automatic update services, that are recommended for any application or operating system used in performance of translation services.
The Organization does not run or send programs of unknown origin.
The Organization disables hidden filename extensions.
The Organization makes regular backups of critical data, keeps a copy of important files on removable media, and uses a software backup tool if available. The Organization stores its backup disks in a secure location.
The Organization keeps a recovery disk in case its computers are damaged or compromised.
The Organization encrypts its wireless connection.
The Organization requires any vendor with which it works to affirm in writing its compliance with the above network and computer safeguards.
Protected information includes confidential and non-public Organization, client, and supplier personal information gathered and/or utilized in the course of establishing and maintaining business relationships and/or in the performance of translation services. Access to protected information is limited. The Organization may disclose such information to clients and suppliers, for the purpose of performing translation services or fulfilling audit activities, or may disclose such information to regulatory agencies or ISO registrars for the purpose of fulfilling certifications.
Personal Information in Client Documents
The Organization utilizes a procedure by which it takes reasonable and appropriate steps to identify personal information in documents supplied by clients. This information may include individual or patient names, addresses, phone numbers, fax numbers, email addresses, birth dates, social security numbers, medical record numbers, health plan beneficiary number, account numbers, photographs or other images, and any other unique information by which an individual or patient may be identified. Access to the client documents that may contain such personal information is limited to the Organization’s production staff assigned to the client’s projects. When such information is discovered, processing will cease, the documents will be segregated immediately, and the client will be informed. Based on determination by the client, the Organization will either redact the PII and continue with processing or destroy the original source documents and provide the client with Certificate of Destruction, as described below.
Protection of Documents
Any documents that the Organization receives or obtains in connection with its performance of translation services, including paper copies, computer disks, removable media, or electronic submission, which contains protected information, are stored in a secure location, accessible only by those Organization employees with a need for such access. Physical documents containing protected information are retained by the Organization only until the assignment is complete, and are then returned to the client. Any copies or backup files (including electronic copies) are not maintained and will be destroyed.
To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.
This Privacy Shield Policy Statement applies to all personal information received by the Organization in the United States from the EU and from Switzerland, in any format, including electronic, paper, or verbal.
The privacy principles in this Policy have been developed based on the Privacy Shield Principles.
Notice: Where the Organization collects personal information directly from individuals in the EU and Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non–agent third parties to which the Organization discloses that information, the choices and means, if any, the Organization offers individuals for limiting the use and disclosure of personal information about them, and how to contact the Organization. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to the Organization, or as soon as practicable thereafter, and in any event before the Organization uses or discloses the information for a purpose other than that for which it was originally collected.
Where the Organization receives personal information from its parent, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
Choice: The Organization will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual or client.
For sensitive personal information, the Organization will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual or client.
The Organization will provide individuals with reasonable mechanisms to exercise their choices.
Accountability for Onward Transfer: The Organization will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Where the Organization has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, the Organization will take reasonable steps to remediate.
Security: The Organization will take reasonable and appropriate measures to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation: The Organization will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual or client. The Organization will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual or client. The Organization will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Access: Upon request, the Organization will grant individuals reasonable access to personal information that it holds about them. In addition, the Organization will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
Recourse, Enforcement, and Liability: The Organization will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that the Organization determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Any questions or concerns regarding the use or disclosure of personal information should be directed to the RWS Life Sciences Headquarters at the address given below. The Organization will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between the Organization and the complainant, the Organization has agreed to participate in dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Privacy Shield Principles. For disputes involving personal information received by the Organization from its clients, the Organization will employ a licensed moderator to mitigate and resolve.
In reference to Data Privacy, the Organization is subject to the investigatory and enforcement powers of the FTC and any other U.S. authorized statutory body.
The Organization commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
In the context of an onward transfer, the Organization has responsibility for the processing of personal information it receives and transfers on its behalf. The Organization shall remain liable under the Privacy Shield Principles if its agent processes such personal information in a manner inconsistent with the Privacy Shield Principles, unless the Organization proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, the Organization commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact RWS Life Sciences at:
RWS Life Sciences
101 East River Drive, 2nd Floor
East Hartford, CT 06108
Independent Dispute Resolution ICDR/AAA
The Organization has further committed to refer unresolved Privacy Shield complaints to International Centre for Dispute Resolution American Arbitration Association (ICDR/AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit ICDR/AAA at the location listed below for more information or to file a complaint. The services of International Centre for Dispute Resolution Case Filing Services are provided at no cost to you.
For claims and disputes arising under or relating to this Policy, individuals may invoke binding arbitration in a location mutually agreeable to the parties. An award of arbitration may be confirmed in a court of competent jurisdiction.
ICDR/AAA ContactInternational Centre for Dispute Resolution American Arbitration Association
1101 Laurel Oak Road, Suite 100
Voorhees, NJ, 08043
Limitation on Application of Privacy Shield PrinciplesAdherence by the Organization to these Privacy Shield Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
Internet PrivacyThe Organization sees the Internet and the use of other technology as valuable tools to communicate and interact with consumers, employees, healthcare professionals, business partners, and others. The Organization recognizes the importance of maintaining the privacy of information collected online and has standard operating procedures to govern the information collected through the web sites it operates.
Changes to this PolicyThis Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles.
Paper or Electronic Documents and Files
1. Client data will be destroyed upon request by authorized clients.
2. All paper and electronic documents that contain client data will be destroyed using an acceptable method of destruction.
3. Acceptable methods of destruction for paper documents include shredding, incineration, pulverization and use of a bonded recycling company.
4. Computers, laptops, servers and hard drives are used to store client data. Data may be stored in a number of areas on a computer hard drive. For example, data may be stored in “Folders” specifically designated for storage of this type of information, in temporary storage areas and in cache. Simply deleting the files or folders containing this information does not necessarily erase the data.
a. To ensure that any client data has been removed, a utility that overwrites the entire disk drive with “1”s and “0”s must be used.
b. If the computer is being disposed of due to damage and it is not possible to run the utility to overwrite the data, then the hard drive must be removed from the computer and physically destroyed. Alternatively, the drive can be erased by use of magnetic bulk eraser. This applies to PC workstations, laptops and servers.
5. Backup or Data Tapes: Tapes, USB drives or diskettes that are being decommissioned must be degaussed before disposal. This can be accomplished using a bulk tape eraser. Alternatively, the media may be pulverized or shredded.
6. Compact Disks (CDs) and Diskettes: CDs containing resident health information must be cut into pieces or pulverized before disposal.
7. If a service is used for disposal, the vendor should provide a certificate indicating the following:
a. Computers and media that were decommissioned have been disposed of in accordance with environmental regulations as computers and media may contain hazardous materials.
b. Data stored on the decommissioned computer and/or media was erased or destroyed per the previously stated method(s) prior to disposal.
The Organization provides the client with a destruction certificate upon completion of the data destruction. These certificates are signed by the appropriate member of the management staff and stored indefinitely. A Destruction Log is maintained to identify the destroyed records. At a minimum, the Destruction Log must capture the information listed below.
a. Date of destruction (date/s records are destroyed),
b. Destroyed by (name/s of the individuals responsible for destroying the records),
c. Method of destruction (method used to destroy records), and
d. Description of destroyed item (file name, document title).
Effective Date: 14 August 2020