We recommend that you include the privacy notice in the platform. This information should be shared by implementing countries with their citizens. The privacy notice should have the following sections:

- Purpose of processing
- What information is collected
- Retention of information
- Grievance officer details
- Sharing of information with third parties
- Usage of cookies, and what information is stored in cookies
- Security measures taken for processing/storing information
- Rights of individuals
We recommend that a country implementing DIVOC follow these guidelines:

- A citizen's consent should be collected against the privacy notice, and a centralised database should be maintained to log the consent provided by each citizen (wherever applicable).
- The privacy notice should ask people to contact the privacy officer/grievance officer to exercise their right to withdraw consent.
- Personal data should only be accessible to a limited set of individuals. If third parties require access to the application for administrative purposes, we recommend that you de-identify personal information first.
- Organisations should not retain information for longer than is required for the purpose for which it was originally collected.
- A formal document should be created to define the roles and responsibilities of personnel who have access to personal data stored in the application.
- Document an access matrix for the application and ensure that it is reviewed regularly.
- Review user access rights vis-à-vis the defined roles regularly.
- Platform end users (citizens) should be informed, through the privacy notice, about the mechanisms available to update their information.
- Perform security testing on the application regularly, and fix all vulnerabilities found promptly after each test.
- Sign agreements/contracts with third parties, wherever applicable, that include relevant security and privacy clauses.
- Obtain explicit consent against the privacy notice from individuals whenever sensitive personal data is processed.