Last updated: 2023-03-01
URL for this page: https://hackmd.io/@investinopen/vendor-privacy-security
URL for this site: https://hackmd.io/@investinopen/how-we-work
What is this?
An internal guide for IOI staff to ensure the privacy and security of IOI's data accessed and/or processed by external vendors. Examples of external vendors include language translators, software developers, etc. Both the guide and the vendor questionnaires were designed by legal experts hired by IOI in 2022.
Who should use this?
Any IOI staff member who is in the initial stage of hiring an external vendor for a piece of work, particularly one involving data or personally sensitive information.
Please use this guide to select the most appropriate questionnaire for your vendor. Templates for each questionnaire are stored in IOI's Google Doc template gallery in Google Workspace (internal access only). Create a new questionnaire from the template gallery, then ask your vendor to complete the questionnaire document and return it to IOI.
There are a few basic types of data that a Vendor may process for IOI, as follows:
- Vendor will not process any Personal Data. Vendor does not need to complete any diligence questionnaires.
- Vendor will process basic Personal Data (e.g., any information that directly or indirectly identifies a person or a device and that is not Sensitive Personal Data as defined immediately below, such as name, email, address, phone number, unique device identifiers, IP address, and any information tied to any of these pieces of information).
- Will the vendor require an online connection or other integration with IOI’s network or other systems to perform its services?
- Vendor will process Sensitive Personal Data (e.g., health and wellness information, financial account information, social security numbers, government IDs, race, ethnicity, genetics information, biometrics information, children’s data, political views, religious beliefs, sexual orientation, trade union membership).
- Vendor will process Personal Data of IOI employees or contractors (e.g., HR data).
- Will the vendor process personal data of individuals located in the European Economic Area, Switzerland, or the United Kingdom?
This assessment is appropriate for vendors that only process limited types of personal data on IOI’s behalf and that do not have direct access to IOI’s systems.
This questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI’s systems.
This page first published: 2023-03-01