Privacy Policy

Policy Objectives

In carrying out our mandate under both the Privacy Policy and the Personal Information Protection Law (Ley N°29733), we collect personal information as defined by section 3 of the Privacy Policy. As the guardian of Peruvians’ privacy rights, we are committed to respecting the privacy rights of everyone whose personal information we have collected. Please also see our Website terms and conditions of use to see how this policy applies to our website.

This Policy is designed to comply with the Privacy Policy and the principles of natural justice.

 

Why we collect personal information

We collect personal information for various reasons. Usually, it relates to the investigations that we conduct or the enquiries that we receive. We may also collect personal information for administrative reasons such as providing individuals with publications or other information that they ask for. We may also, for example, collect it for the purposes of holding a public consultation.

We can only use your personal information for the purpose for which it was obtained or for a use consistent with that purpose, or for a purpose listed in Section 8 of the Privacy Policy.

 

What personal information do we collect?

We only collect personal information that is directly related to one of our programs or activities. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that which is needed to fulfil the identified purpose(s). We only collect what we need.

We may, for example, collect your name, contact information, and views in connection with an investigation or a consultation. We may also collect your IP address if you visit our website.

Sometimes we receive more personal information than is needed. We strongly encourage you not to provide us with information beyond that which is necessary.

We may also collect personal information from other sources, as appropriate, including witnesses, employers, government, or corporate files and records.

 

Who sees your personal information?

We will not disclose your personal information without your consent unless it is allowed under section 8(2) of the Privacy Policy. In this case, we will aim to disclose only the specific information that is needed under the circumstances and, wherever possible, will inform you about the disclosure.

Access to personal information within PRENISAC will be restricted to those staff members who need the information in order to carry out their job duties. Those employees will maintain the information in the strictest of confidence and will not provide access to the information to anyone who is not authorized. The level of staff access to personal information will be granted on a need-to-know basis.

All individuals we hire under contract or other means to conduct business on our behalf will be required to respect the provisions of the Privacy Policy as well as this Policy and related internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.

 

How we protect your personal information

In any organization, failure to protect personal information can increase the risk of a privacy breach. These privacy breaches can lead to things such as reputational harm, fraud or identity theft.

We will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards.

The level of safeguards used to protect personal information will depend on the:

  • sensitivity of the personal information;
  • amount, distribution and format of the information;
  • method of storage.

We follow the Government of Peru’s Policy on Government Security and any other direction or guidance on information technology security received from the relevant institute.

 

Consent

Wherever possible, we seek a person’s consent before we collect their personal information. The form of consent may vary depending on the circumstances and the type of information being requested. Consent can be express or implied, and can be provided directly by the individual or by an authorized representative.

Express consent is preferred. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from a person’s action or inaction, for example, providing a name and address to receive a publication or providing a name and telephone number to receive a response to a question. When determining the appropriate form of consent, we take into account the sensitivity of the personal information, the reasons we are collecting it, and the reasonable expectations of the person. When using personal information for a new purpose, we will document that new purpose and ask for consent again.

We will not use your personal information without your consent unless it is either:

  • for the same purpose for which the information was originally collected or compiled,
  • consistent with that purpose,
  • for a purpose that may be disclosed under section 8(2) of the Privacy Act.

 

Retention and destruction of personal information

We are responsible for ensuring that all personal information is managed within a set life cycle. According to the Privacy Act, personal information we use to make a decision about an individual shall be retained for at least two years after that decision was made. This allows the person time to exercise legal recourse and provides them with a chance to exercise all their rights under the Privacy Act.

We will retain personal information in accordance with the maximum retention periods set out under the Privacy Act.

 

Access or corrections to personal information

Individuals do not always need to use the Privacy Act to access or correct their personal information (e.g. informal request). However, they do have the right to formally request access or corrections to their personal information under the Privacy Act. People also have the right under the Access to Information Act to formally request access to information in our files which may contain their personal information.

We make every effort to ensure that information we use to make a decision that directly affects someone is as accurate, up-to-date and complete as possible. This also applies to personal information disclosed to third parties.

Additional information about access and correction of personal information:

 

Our roles and responsibilities

We are responsible for the personal information that we collect, retain, use, disclose, and destroy in the course of fulfilling our mandate. We will continue to develop policies and practices to ensure that personal information is handled in strict accordance with the Privacy Act. Our IT Manager is responsible for overseeing the implementation of those policies and practices, including:

  • providing consistent training for all PRENISAC staff (including casual staff and contractors), as outlined in the Employee Privacy Policy, this Policy and our expectations with respect to the handling of personal information;
  • ensuring open, full and timely communication with employees and individuals about our policies, practices and expectations with respect to the handling of personal information;
  • establishing standards for classifying the sensitivity of personal information, to determine the appropriate level of security required for the information;
  • the implementation of systems to ensure that only our staff whose responsibilities require access to personal information are granted access to that information;
  • the inclusion of specific provisions in contracts or other arrangements with third parties, that require adherence to the Privacy Act as well as to this Policy and other internal procedures;
  • ensuring procedures are in place under which individuals may request access to their personal information, request correction of their personal information, and file complaints concerning the management of their personal information;
  • ensuring procedures are in place under which individuals are notified of an improper collection, retention, use, disclosure or destruction of their personal information; and
  • monitoring the degree of compliance with this Policy and, where required, initiating action to correct any issues.

Employees – staff that collect personal information on our behalf will be required to explain the purpose(s) for which the information is being collected. If unable to do so, they will be required to refer the individual to someone within our office who is able to explain the purpose(s). It is every PRENISAC employee’s duty to inform themselves of their obligations under this Policy and the Privacy Act. Employees must report any and all violations of the Policy or the Act to their IT staff.

Managers and Supervisors – along with the responsibilities noted above, managers and supervisors must instruct their staff to respect the Policy and the Act. They must also examine and/or make inquiries into any issues brought to their attention concerning this Policy and the Act. When appropriate, managers and supervisors must notify, work with, or refer certain matters to the HR and IT staff.

IT Manager – the IT Manager will provide advice and guidance to managers, supervisors and employees of PRENISAC with respect to the treatment of personal information within our company. The IT Manager will also act as the main point of contact for individuals seeking information or who have concerns about our handling of their personal information.

Violation of this Policy through intent or neglect may result in disciplinary action up to and including termination of employment or association with PRENISAC. Legal sanctions may also be pursued if appropriate.

 

 

Monitoring and evaluation

Measuring compliance with this policy is part of our internal audit program. We conduct periodic audits within all of our programs and services. The results of internal audits will be reported to the CEO, HR staff and IT Manager.

 

Related references

The following laws, policies and guidelines should be read along with this Policy:

  • Privacy Act and Privacy Regulations
  • Access to Information Act and Regulations
  • Policy on Privacy Protection
  • Directive on Privacy Practices
  • Directive on Personal Information Requests and Correction of Personal Information

Questions or complaints

If you have any questions about this policy or about how we manage personal information, you may also contact: comercial@prenisac.com

Where an individual is not satisfied with the actions we may have taken to rectify a matter, or with the explanations given, they will be informed of their right to file a Privacy Act complaint, and will be given direction as to how to do so.