Data Protection and Privacy Policy
Eldercare Foundation (EF)
Version 1.0 – Effective from: 10th May, 2024.
1. Introduction
At Eldercare Foundation (EF) we work with people – their stories, needs, hopes, and sometimes their most sensitive information. Because each piece of data represents a real person, we treat it with the same dignity and care we offer face-to-face.
This policy explains – in plain language – how and why we collect, use, store and share personal information and what rights every individual has. It meets the requirements of India’s data-protection laws, including:
- The Information Technology Act, 2000
- The IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
- The Digital Personal Data Protection (DPDP) Act, 2023
2. Why This Policy Matters
- Respect & Trust – People share data with us because they trust us. We must honour that trust.
- Safety & Dignity – Wrong use of data can hurt people. We commit to keeping them safe.
- Accountability – Good data practice is not optional; it is the law and a donor expectation.
- Efficiency – Clear rules help staff avoid mistakes and focus on serving communities.
3. Who Must Follow This Policy
Everyone who touches personal data for EF, no matter where they sit:
| Group | Examples |
|---|---|
| Employees | program, M&E, finance, admin, communications |
| Contract & Part-time staff | project hires, short-term researchers |
| Consultants / Experts | IT firms, evaluators, trainers |
| Interns & Volunteers | students, fellows, community volunteers |
| Vendors & Service Providers | MIS developers, auditors, survey teams |
| Partner Organizations | NGOs or CBOs working with / funded by EF |
These rules apply in every EF office, field site, and any online system we use.
4. Key Terms You Should Know
| Term | What It Means in Simple Words |
|---|---|
| Personal Data | Anything that can identify a person – e.g. name, phone, photo, UIDAI ID, address. |
| Sensitive Personal Data | Extra‑private details – e.g. health, finances, caste, biometrics, gender identity. Needs stronger protection. |
| Data Principal | The person the data belongs to (beneficiary, staff, donor, etc.). |
| Data Fiduciary | The organization that decides “why” and “how” the data is processed – here, EF. |
| Data Processor | A third party that handles data for us (e.g. payroll company, survey vendor). |
5. When We Are Allowed to Use Personal Data
We will only collect or use data if at least one of these grounds applies:
- Clear Consent – The person has said “yes” after understanding what we will do with their data. Consent can be withdrawn at any time.
- Legal Duty – A law, court, or regulator says we must keep or share the data.
- Contract – We need the data to deliver what we promised in a contract (e.g. pay salary).
- Vital Interests – To save a life or handle a medical emergency when consent is impossible.
- Legitimate Organizational Purpose – We have a genuine program need that does not override the person’s rights (e.g. anonymized data for research). We will run a quick “legitimate‑interest check” before doing this.
6. Our Guiding Principles
- Lawful, Fair & Transparent – We act openly and within the law.
- Purpose‑Limited – We only use data for the reason we collected it.
- Data‑Minimal – We ask for the least information needed.
- Accurate & Up‑to‑date – Wrong data can cause harm; we keep it current.
- Time‑Bound – We do not keep data forever. We retain it only as long as needed or legally required.
- Secure & Confidential – Locks, passwords, and encryption keep data safe.
- Accountable – We document what we do and fix problems quickly.
7. Consent and Notices – Keeping People in Control
- People will always get a plain‑language notice (English + local language) that covers:
  - What we are collecting
8. How We Collect Data
| Method | Typical Use |
|---|---|
| Registration forms (paper / digital) | Enroll beneficiaries, staff, volunteers |
| Mobile apps & MIS dashboards | Real-time field data, geo-tags |
| Surveys, interviews, PRA tools | Baseline, endline, feedback |
| M&E templates | Monthly activity logs, attendance, case follow-ups |
| Special case files | Child protection, health interventions |
Every tool is designed to capture only what is necessary.
9. Why We Collect Data
- Deliver Services – Identify who needs what.
- Run Trainings & Events – Track attendance, learning, and certificates.
- Manage HR & Payroll – Pay salaries, maintain records, handle grievances.
- Report to Donors & Regulators – Show evidence of impact, comply with audits.
- Research & Advocacy – Produce anonymized insights to improve programs or influence policy.
10. Your Rights (Data Principals)
| Right | What It Means |
|---|---|
| Know | Ask what data we hold and why. |
| Access | Get a copy within 15 working days. |
| Correct | Fix mistakes or update details. |
| Withdraw Consent | Stop us from using your data (unless a law requires us to keep it). |
| Erase | Ask us to delete data that is no longer needed. |
| Complain | Raise an issue with our Data Protection Officer (details below). |
| Nominate | Appoint someone to manage your data if you are unable to. |
11. Sharing Data – With Care
We share personal data only:
- With the person’s explicit consent – and only with named parties.
- When the law demands it – e.g. court order, government audit.
- With donors/partners – mostly in anonymized or aggregated form. Identifiable data requires consent and a clear data-sharing clause.
- With vendors – under a strict Data-Processing Agreement (confidentiality, security, no re-use).
- In emergencies – to protect life or safety.
12. How We Keep Data Safe
- Role-based access – staff see only what they need.
- Encryption – data locked both while stored and while moving.
- Secure servers & backups – with firewalls, anti-virus, and regular patching.
- Physical security – locked cabinets, controlled entry to record rooms.
- Device safety – password / biometric login, remote-wipe on loss.
- Regular training & drills – everyone knows phishing risks and breach steps.
- Vendor checks – third-party systems must meet our security standards.
- Incident Response Plan – clear steps and contacts for any breach.
13. How Long We Keep Data & How We Dispose of It
| Type of Data | Typical Retention | Disposal Method |
|---|---|---|
| Donor-project records | 5–7 years post-project | Secure digital wipe / shredding |
| HR files | 7 years after exit | Secure digital wipe / shredding |
| Beneficiary data | Review yearly; delete if inactive | Delete / anonymize |
| Legal or audit hold | Until case closed | As advised |
All disposals are logged and, for paper, witnessed.
14. If Something Goes Wrong – Data Breach Protocol
- Report Immediately – Staff inform the DPO and Executive Director.
- Rapid Assessment (within 24 h) – How serious? What data? How many people?
- Contain & Fix – Revoke access, patch systems, restore backups.
- Document – Log every step in the Breach Register.
- Notify Regulators (within 72 h) – if risk of harm.
- Notify Affected People – explain what happened and what we’re doing.
- Review & Learn – root-cause analysis, update controls, extra training.
15. How to Raise a Concern
Contact our Data Protection Officer (DPO):
- Name:
- Email:
- Phone:
- Office Address:
We will acknowledge within 3 working days and aim to resolve within 30 days.
No one will face retaliation for raising a genuine concern.
16. Keeping Ourselves Accountable
- Policy is part of on-boarding and annual refreshers for all staff.
- Program teams keep consent forms and audit their data tools.
- The DPO runs quarterly checks and reports to the Executive Director & Board.
- An internal data audit happens every year with documented action points.
17. Reviewing and Updating This Policy
- Annual review led by the Executive Committee with the DPO.
- Early review if laws change, a major breach occurs, or new tech is adopted.
- All updates are version-controlled and shared with staff, along with refresher training.
Approved by the Governing Board of Eldercare Foundation
Policy Owner: Executive Director / Data Protection Officer
Date of Approval: [Date]