
Our Data Management and Protection Policy | One Future Collective

Explore our open workplace policies, crafted to foster safe, just, and equitable spaces. Adapt them to your organisational contexts, and please credit us if you utilise them!

Written by OFC

Published on December 17, 2024

This policy draft is adapted from the internal policy infrastructure applicable at One Future Collective and is made publicly accessible in the interest of our mission to build safe, just, and inclusive workplaces for all. If you are an organisation curious to know more about how to build socially just workplaces, we invite you to use and adapt these policies to make them relevant to your context. If you have used any of our policies, we request you to please credit us. 
You can learn more about us, our journey, how we work, and our commitment to Nurturing Radical Kindness through our internal organisational Manifesto: Sunflowers. We would also love to hear from you – if you have any feedback, questions, or comments, please feel free to use this form.

Some guidance on using this policy:

We understand that each organisation is distinctly placed and works in different contexts and within diverse realities, and that organisational policies have to be resilient and responsive to these contexts. Against this background, we would like to share the following guidance for your reference:

  1. All the segments marked in yellow and/or left blank are spaces for you to update with details that are relevant to your organisational contexts. 
  2. The entire policy may not be applicable as it is – please treat this as an invitation to adapt parts of it to better suit your demands. 
  3. The policies are developed in the context of the legal obligations, politics, and resources available to One Future Collective. Whenever you are developing your organisational policies, please ensure that you are conducting your due diligence about compliance and other obligations that you may have to adhere to. 
  4. Some key identifying information and details about processes unique to our organisation are anonymised from the drafts below for reasons of privacy and confidentiality. 

In case you would like to get to know more about a policy or are feeling a bit stuck, please don’t hesitate to reach out to us at info@onefuturecollective.org.

Our Data Management and Protection Policy

This policy is also subject to change, given the recent Digital Personal Data Protection Act, 2023 and related changes. This is an older version of the policy.

Date of adoption_____________________
Date of review_____________________
Policy Holder_____________________
Queries_____________________

1) Purpose

    This Privacy Policy outlines how we collect, use, disclose, and dispose of personal data, and the processes to be followed by <Name of Organisation> employees. By engaging with <Name of Organisation> and providing us with your data, you consent to the practices described in this Privacy Policy.

    2) Scope and Applicability

      This policy applies to all employees of <Name of Organisation>, both full-time and part-time, and includes within it independent contractors, volunteers, interns, partners and collaborators. This policy relates to the personal data of employees of <Name of Organisation> as well as <Name of Organisation> external members. 

      3) Definitions

        • Personal data: Any information that is related to an identified or identifiable natural person.
        • Consent: The active, informed willingness of a person to do or refrain from doing something.
        • Employees: Full time and part time staff members including contractors, volunteers, and interns. 
        • External members: Individuals and organisations engaging with <Name of Organisation> including but not limited to participants, beneficiaries, subjects, advisors, mentors, service providers, and partners. 
        • Implied consent: A form of consent where the data subject’s agreement is inferred based on their actions, behaviour, or the context in which the data is collected.
        • Legal obligation: An obligation imposed by Indian or foreign law, as applicable. It includes obligations under contracts.

        4) Collection of personal data

          We collect personal data from individuals in various contexts, depending on the nature of their engagement with <Name of Organisation>. The types of personal data we may collect include, but are not limited to:

          • Contact information (name, address, email address, phone number)
          • Demographic information (age, gender, caste, etc.)
          • Professional and educational details
          • Nature of engagement with <Name of Organisation> 
          • Queries registered with <Name of Organisation> 
          • Communication preferences

          We collect personal data through different channels, such as online forms, surveys, interviews, and in-person interactions. The specific data we collect and the reasons for collecting it may vary depending on what it is being collected in relation to. We only collect personal data that is necessary for the purposes described in this policy.

          5) Use of personal data of the employees 

          1. The following personal data is collected from the employees at the time of their joining.
            1. Legal Name
            2. Personal Email Address
            3. Official Email Address
            4. Preferred name
            5. Pronouns
            6. Phone number
            7. City of residence
            8. Address (permanent and correspondence)
            9. Date of Birth
            10. Date of Joining
            11. Designation
            12. Nature of employment 
            13. Bank account details
            14. Emergency contact details
            15. Relevant education certificates
            16. Relevant past employment details and documents 
            17. Identity proof documents
            18. Passport Size Photo
            19. Scan of PAN Card, Cancelled Cheque Book, and COVID Vaccination Certificate
            20. Dietary and Medical requirements 
          2. Employees’ personal data is used for the following purposes:
            1. To maintain the identification records of all <Name of Organisation> employees for the purposes of legal and policy compliance.
            2. To enrol the employees for access to employee entitlements and benefits at <Name of Organisation>, including but not limited to payroll, relevant policies, communication and workplace channels, and insurance-related policies.
            3. To manage and plan <Name of Organisation’s> strategy, projects, and work-related allocation.
            4. To conduct employee feedback and reviews.
            5. To process all <Name of Organisation> related communications internally and externally.
            6. To address and handle grievances and disputes.
            7. For any other employee-related processes that require the use of such personal data.

          6) Use of personal data and information of the <Name of Organisation> external members

          1. We engage with external members in multiple different formats and collect data on the basis of the nature of their engagement with us. The following are the different formats in which our external members engage with us, either individually or as an organisation. Please note that the following list is not exhaustive and may be updated to reflect any newer programs that <Name of Organisation> may engage in.
            1. Participants in knowledge and leadership programs, sharing circles, and open community spaces which may take place online and/or offline.
            2. Advisors and mentors at <Name of Organisation> 
            3. Subjects involved in the development of our research studies and outputs. 
            4. Clients engaging <Name of Organisation>  in the capacity of consultants. 
            5. External members who access <Name of Organisation’s>  resources. 
            6. Organisations and individuals we partner with for the execution of different projects. 
            7. External members who reach out to us to get 1:1 advice on their legal rights, access redressal mechanisms, and develop their own leadership and advocacy capacity to enforce their rights and enhance their well-being.
          2. The following are the different types of personal data that are collected. Please note that, given the nature of an individual’s or an organisation’s engagement with <Name of Organisation>, different forms of personal data may be collected.
            1. Legal Name
            2. Personal Email Address
            3. Preferred name
            4. Age
            5. Pronouns
            6. Phone number
            7. City of residence
            8. Correspondence address
            9. Date of Birth
            10. Photograph 
            11. Preferred method of communication 
            12. Relevant past experience and/or motivation to engage
            13. Details about the nature of complaint/redress sought
            14. Details about the nature of support provided by <Name of Organisation>  
            15. Last date of engagement with <Name of Organisation>  
            16. Details of the sums payable and/or paid to <Name of Organisation> 
            17. Social media handles 
            18. CV
            19. Details of past education 
          3. The data collected above will be used for the following purposes:
            1. To maintain a record of the external members engaged with <Name of Organisation> and the different capacities in which they have engaged with us for legal and compliance purposes. 
            2. To maintain a record of the services provided to show as proof of company expenses, payments received, and taxes payable. 
            3. To maintain a record of the reach of <Name of Organisation> along with details about key demographics, regions, and other relevant information. 
            4. To set up communication channels and use them as per the consent given by members of the community. 
            5. To improve the quality of the services and programs offered by <Name of Organisation>. 
            6. To shape the information that is being prepared within the resources, research output, and other material prepared by <Name of Organisation>. 
            7. To tag them on relevant social media channels to facilitate the outreach of <Name of Organisation>.
            8. For any other purposes required for the full and satisfactory delivery of programs and services provided by <Name of Organisation>.

            7) Sharing of personal data with third parties

              <Name of Organisation> may be obligated to divulge your personal data to third parties under specific circumstances. Depending on the situation, such information may be shared without first receiving your consent to do so. However, unless consent is implied or legal obligations prevent us from doing so, you will be promptly notified if your personal data is being shared.

              Instances when your data is shared with third parties include:

              • Service providers: We engage trusted third-party service providers to support the delivery of our programs and initiatives. These providers may have access to personal data in the course of their services. They are contractually obligated to handle personal data securely and confidentially. Your participation in the program serves as an implicit indication of consent in this case.
              • Legal and regulatory obligations: We may disclose personal data if required by law or in response to valid legal requests, such as subpoenas, court orders, or government investigations.
              • Protection of vital interests: Personal data may be shared without consent if it is necessary to protect someone’s life, health, or safety. This applies to situations where there is an immediate risk of harm to an individual or the public.
              • Compliance with legal requirements: We may disclose personal data without consent to fulfil legal obligations imposed by Indian laws, regulations, or government authorities. This includes situations where sharing information is necessary for an investigation, audit, or legal process.
              • Public interest: Personal data may be shared without consent when it is in the public interest. This can occur in cases where disclosure is necessary for preventing or detecting crimes, apprehending or prosecuting offenders, or ensuring the security and integrity of our programs and initiatives.
              • Contractual obligations: In certain circumstances, sharing personal data without consent may be required to fulfil our contractual obligations. For example, if we partner with another organisation to deliver joint programs or initiatives, relevant personal data may be shared with that organisation.

              It is important to note that whenever we share personal data without consent, we will do so in compliance with applicable Indian laws and regulations, ensuring that appropriate safeguards are in place to protect the privacy and security of the information shared.

              8) Retention of personal data

                We retain personal data for the duration necessary to fulfil the purposes outlined in this policy unless a longer retention period is required or permitted by law. Our general data retention periods are as follows:

                • Employees/Consultants: Personal data collected from all employees (full-time and part-time) and consultants are retained for three (3) years after the end of their engagement with <Name of Organisation>.
                • External Members’ Data: Personal data collected from External members will be retained for three (3) years from the date on which such data was collected unless they are engaged with us over multiple years. In such cases, the data will be retained for a period of one (1) year from the date of last contact with <Name of Organisation>.
                • Data of applicants: Personal data collected from potential applicants at <Name of Organisation> who are rejected will be deleted one month after their decision has been made. Personal data of applicants who are rejected but are to be retained for future roles can be stored, provided they are informed of the same and have consented expressly or implicitly.

                9) Disposal of Personal Data

                1. After the applicable retention period, <Name of Organisation> will securely dispose of or anonymise personal data from our database, unless we are required by law to retain it for a longer period.
                2. <Name of Organisation> will follow the procedures below to dispose of the personal data securely.
                  1. Data Identification: The first step is to identify the data that needs to be disposed of. This includes all personal data that is no longer required for the purposes for which it was collected as well as data which is no longer required to be retained in relation to Section 8.
                  2. Data Disposal: Depending on the format in which the data is collected, the following steps will be taken towards their disposal.
                    1. Physical and electronic destruction: This involves physically destroying the data, such as by shredding paper documents or deleting electronic files.
                    2. Data anonymization: This involves removing all personal identifiers from the data so that it cannot be linked back to an individual.
                    3. Data pseudonymization: This involves replacing personal identifiers with pseudonyms, so that the data can still be used for statistical purposes, but cannot be linked back to an individual.
                  3. Data Disposal Documentation: The final step is to document the data disposal process. This documentation should include the following:
                    1. The types of data that were disposed of.
                    2. The methods that were used to dispose of the data.
                    3. The dates on which the data was disposed of.
                3. Communication about the disposal of personal data to the relevant individuals and/or organisations will not be carried out unless specific requests for the same have been made. 

                  10) Security Measures 

                  1. <Name of Organisation> will store personal data securely using up-to-date versions of G-Suite software. Only employees who are authorised to have access will have access to the relevant personal data. Unauthorised sharing of personal data will be addressed as a violation of the code of conduct at <Name of Organisation> and suitable grievance redressal processes will be initiated. 
                  2. We follow Google’s data deletion processes in order to ensure that all data is securely deleted. 
                  3. Despite our best efforts, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

                    11) Your Rights and Choices

                    1. You have certain rights and choices regarding your personal data.
                      1. You can request access to the personal data we hold about you.
                      2. You can request the correction of inaccurate or incomplete personal data.
                      3. Unlawful processing: If we have collected or processed your personal data unlawfully, you have the right to request its deletion.
                      4. Exercising your right to object: If you have concerns regarding the collection or purpose of your personal data, you have the right to object to its processing. If you exercise this right and we do not have valid reasons to continue processing your data, you can request the deletion of the relevant personal data.
                    2. In order to exercise any of these rights, please reach out to us at <Email Address of Organisation> and we will address your query within 72 hours. Please note that this timeframe may be affected by holidays and weekends. In such instances, you will receive an out-of-office email notification from us.

                      12) Third-Party Links

                        Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third-party sites.

                        13) Updates to this Privacy Policy

                          We will update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website or other means. We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, disclose, and protect your personal data.

                          14) Grievance Redressal

                            If your personal data has been handled in violation of this policy or you are aware of mismanagement of personal data at <Name of Organisation>, you are requested to raise a complaint through the grievance redressal form.