Data Governance & Management Policy

Purpose

This policy establishes a comprehensive framework for managing and protecting all data within Humanics Global Advisors (HGA). It ensures that HGA collects, uses, stores, and disposes of information responsibly and lawfully, in order to protect the privacy of individuals and the confidentiality of business information. The policy is designed to maintain the trust of consultants, clients, and partners by safeguarding data assets, preventing unauthorized access or disclosure, and ensuring compliance with applicable laws and regulations (such as GDPR and CCPA)[1]. It also aims to meet the expectations of multilateral donors and international organizations by aligning HGA’s data practices with industry best practices and ethical standards.

Scope

This policy applies to all data processed or stored by HGA across all systems and environments. It covers data in the HGA Digital Platform (formerly DevTender), consultant and staff email accounts, internal administrative tools, document repositories, support ticketing systems, and any other location under HGA’s control where data is handled. The policy governs all HGA personnel, including full-time staff, part-time employees, and external consultants engaged through HGA. Third-party contractors, service providers, or partners with access to HGA data are also expected to adhere to equivalent data protection standards through contractual agreements. The scope includes all categories of data (personal data, business data, client data, etc.) and spans the entire information lifecycle from collection and creation to final deletion.

Definitions

  • Personal Data: Any information relating to an identified or identifiable individual (data subject). This includes obvious identifiers such as names, contact information, and government ID numbers, as well as information such as resumes/CVs, professional qualifications, references, photographs, and any other details that can be linked to a person[2]. Personal Data may pertain to HGA consultants, HGA staff, clients, or any other individuals whose data HGA processes.
  • Confidential Information: Any non-public information (whether written, electronic, or oral) that is disclosed or generated in the course of HGA’s business. This includes, but is not limited to, HGA’s business strategies, pricing data, client lists and contacts, proposals or bids, internal processes, and proprietary documents[3]. It also encompasses information entrusted to HGA by clients or partner organizations (such as project data, reports, or technical documentation) and any information that HGA or its clients/consultants designate as confidential. (See Data Classification below for how Confidential Information is categorized and handled.)
  • Data Governance: The overall management of the availability, usability, integrity, and security of data within the organization. This policy is a key component of HGA’s data governance framework, assigning responsibilities and establishing rules for data handling.
  • GDPR: The EU General Data Protection Regulation, which imposes obligations on handling personal data of individuals in the EU, including principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
  • CCPA: The California Consumer Privacy Act, which provides privacy rights and protections for residents of California, including rights to notice, access, deletion, and opting out of the sale of personal information.
  • PCI DSS: The Payment Card Industry Data Security Standard, a set of security requirements for organizations that handle credit card and payment information. If HGA processes or stores credit card data, PCI DSS compliance (e.g. protecting cardholder data via encryption and restricted access) is mandatory[4].
  • Data Breach: Any incident that results in the unauthorized access, disclosure, or loss of data. This includes events like hacking intrusions, accidental exposure or sending of data to incorrect recipients, lost or stolen devices containing HGA data, or any situation where confidential or personal data may have been compromised. (See Incident Management for response procedures.)
  • Data Subject: An individual whose personal data is processed by HGA. This can include consultants on the HGA platform, HGA employees, client staff, or any person identifiable in HGA’s records. Data subjects have rights under privacy laws (e.g. the right to access or delete their data) which HGA will respect.

Note: Additional technical and role-based terms (e.g. “System Manager”, “Business Developer”) are defined in HGA’s internal documentation of the Digital Platform. For the purposes of this policy, “HGA personnel” or “staff” includes all employees and engaged consultants, and all are expected to uphold the same standards of data protection.

Data Classification

All data covered by this policy is classified into one of the following categories, in order to determine its sensitivity and the corresponding handling requirements. HGA uses three primary data classification levels: Public, Confidential, and Highly Sensitive.

  • Public Data: Information intended for public or unrestricted disclosure. This includes content that HGA publishes on its websites, marketing materials, job postings, or other communications readily available to the general public. Public Data poses minimal risk to HGA or individuals if disclosed. Examples: published research or articles, press releases, marketing brochures, and anonymized aggregate statistics. While this data can be shared freely, HGA still ensures its accuracy and integrity. Public Data does not include any personal data or internal business data that has not been approved for public release.
  • Confidential Data: Information that is sensitive in nature and is restricted to internal use within HGA or limited external use with authorization. Unauthorized disclosure or modification of Confidential Data could adversely impact HGA’s business, clients, or consultants. This category includes most business and operational data of HGA. Personal data of individuals (consultants, staff, or client contacts) is by default classified as Confidential, unless it falls under the higher “Highly Sensitive” category. Confidential Data also includes client-provided information, non-public client project data, internal communications, and any data HGA has agreed to keep confidential under contract[3][5]. Examples: Consultant CVs and profiles; client project documents; proposals and bids; contracts and agreements; internal financial records; email communications containing business information; and support tickets containing user queries. Confidential Data should be accessed only by authorized persons on a need-to-know basis and must not be disclosed outside HGA (or outside the intended external recipients such as the relevant client) without proper authorization.
  • Highly Sensitive Data: Information that requires the strictest protection due to its critical or personal nature. This classification is a subset of Confidential Data, but with elevated handling requirements. It includes data that, if breached or misused, could cause significant harm to individuals or to HGA. Personal Data that is sensitive (for example, government-issued identification numbers, passport scans, financial account or payment card details, health or medical information, or detailed personal background information) is classified as Highly Sensitive. HGA treats all personal data with care, but certain personal data elements are recognized as needing a high degree of protection[2][6]. Other examples of Highly Sensitive Data include: authentication credentials (passwords, MFA secrets), encryption keys, HGA’s proprietary trade secrets or highly sensitive business plans, and any client or donor data classified as highly confidential. By policy, Personal Data provided by consultants or clients is considered confidential indefinitely and does not lose its protected status over time[7][8]. Highly Sensitive Data must be encrypted in transit and at rest, stored only in secure environments, and accessed by the fewest necessary people. Extra caution must be taken in handling this data (for example, it should not be emailed or transferred without encryption, and it should not be stored on portable devices unless absolutely required and with encryption).

Each HGA staff member or consultant is responsible for understanding the classification of the data they handle and for treating it according to the rules defined in this policy. When in doubt, treat data as Confidential at a minimum, and seek guidance from HGA management if unsure how to classify particular information. Public Data should be clearly marked or approved for public release. Confidential and Highly Sensitive data should be labeled or identified as such where feasible (for instance, documents can be marked “Confidential” in headers/footers) to alert others to handle them properly.

Roles & Responsibilities

Proper data governance requires that all involved parties understand their responsibilities in protecting and managing data. The following roles and responsibilities are established under this policy:

  • All HGA Personnel (Staff and Consultants): Every individual working with or for HGA has a fundamental responsibility to protect HGA’s data. All personnel must adhere to this policy and associated procedures. This includes following the data handling rules in their daily work, preserving the confidentiality of information, and not attempting to bypass security controls. Personnel should classify information they create or handle according to HGA’s data classification scheme and treat it accordingly. They must use Confidential and Highly Sensitive data only for authorized business purposes and not disclose it to unauthorized parties[9]. All personnel are expected to exercise a reasonable standard of care to safeguard data (at least the same care they would use to protect their own sensitive information)[10]. If an employee or consultant is unsure about whether they have authorization to access or share certain data, it is their responsibility to consult a supervisor or the data governance officer before proceeding. Additionally, everyone must promptly report any suspected data breach or security incident (loss, theft, or accidental disclosure of data) to HGA management as soon as it is discovered (see Incident Management). There is zero tolerance for ignoring known security policies or mishandling data.
  • Executive Management: HGA’s leadership (CEO, Directors, and other executives) is responsible for enforcing this policy and providing the resources and support needed for effective data governance. Management shall promote a culture of compliance and data protection, including ensuring that all staff and consultants receive appropriate training on this policy. Management also designates specific personnel for key data governance roles (e.g. a Data Protection Officer or Data Privacy Officer, if required, or an IT Security Lead) and ensures that risk assessments and audits are conducted regularly. Ultimately, management is accountable for ensuring that HGA meets its legal and contractual data protection obligations and for taking corrective action in the event of non-compliance.
  • Data Protection Officer (DPO)/Compliance Officer (if appointed by HGA): This individual (or team) would be responsible for overseeing privacy and data protection strategy and compliance. The DPO or Compliance Officer’s responsibilities include monitoring adherence to this policy and relevant data protection laws, advising on data protection impact assessments for new projects, serving as the point of contact for data protection authorities or client inquiries, and helping coordinate responses to data subject requests (such as access or deletion requests). The DPO/Compliance role should remain informed about changes in privacy regulations (GDPR, CCPA, etc.) and update HGA policies and practices accordingly. Note: Given HGA’s global operations (including handling EU personal data), even if a formal DPO is not legally required, HGA will assign responsibility to a staff member or counsel for privacy compliance oversight[11].
  • IT Systems and Security Team: HGA’s IT personnel or any administrators of the HGA Digital Platform and internal systems (this may include the System Manager role identified in DevTender technical documents[12]) are responsible for implementing and maintaining technical controls to enforce this policy. Their duties include managing user access rights (provisioning or revoking system access based on role changes), maintaining authentication systems (e.g. enforcing strong passwords and multi-factor authentication), configuring encryption for data storage and transfer, and monitoring system activity for any suspicious behavior. The IT team ensures that regular data backups are performed and securely stored, and that disaster recovery plans are in place and tested[13][14]. They also handle software updates, security patches, firewall and network security configurations, anti-malware defenses, and other measures to protect HGA’s digital environment. The IT Security role will conduct or coordinate periodic security audits and vulnerability assessments[15], and will remediate any weaknesses identified. In essence, IT implements the “Security Controls” section of this policy and works closely with management to respond to incidents.
  • Finance and Administrative Staff: Personnel responsible for financial records (such as HGA’s payables and receivables officers, accountants, etc.) must handle financial and contractual data in accordance with this policy. Financial records (including consultant contracts, work orders, invoices, payment records, etc.) often contain personal and confidential information; they should be classified as Confidential or Highly Sensitive as appropriate and stored in secure systems. Finance staff must ensure that payment card data, if processed, is handled in compliance with PCI DSS requirements (e.g. never storing full credit card numbers or CVV codes in an unencrypted form)[4]. They are also responsible for adhering to the data retention schedule for financial and contractual documents (typically retaining records for at least 7 years for audit and compliance purposes). If finance staff use any third-party financial systems or cloud services, they must work with IT and Compliance to ensure those systems have adequate security and data protection controls.
  • External Consultants: Consultants engaged through HGA (who are not formal employees but are bound by HGA’s Consultant Agreement) are required to comply with this Data Governance & Management Policy whenever they handle data related to HGA’s platform, clients, or projects. Consultants must protect any HGA data or client information they access with the same care and obligations as HGA staff. Per the Consultant Agreement, any personal data about HGA staff or client personnel that a Consultant may encounter must be treated as confidential and safeguarded indefinitely[8]. Consultants must use data only for the purposes of the work they are engaged for and not for any personal or unauthorized purposes[9]. They are forbidden from disclosing HGA’s confidential information (including client data or other consultants’ personal data) to any third party, except as necessary for the assignment and as permitted by HGA[16]. Consultants should also ensure any devices or accounts they use to access HGA systems meet HGA’s security requirements (for example, using strong passwords and not sharing their access credentials). If a client or donor requires the Consultant to sign a separate Non-Disclosure Agreement (NDA) or comply with specific data handling rules for a project, the Consultant must do so as a condition of their assignment[17]. Any breach of confidentiality or misuse of data by a Consultant is considered a serious violation of their contract with HGA and can result in termination of the consulting agreement and legal action if warranted. Consultants are encouraged to report any security concerns or incidents to HGA, just as employees would, and will cooperate in any investigation of an incident.
  • Third-Party Service Providers: Although not HGA employees, any third-party vendors or cloud services that store or process HGA data (for example, providers of cloud hosting, email, CRM, or data analytics) are considered within the scope of HGA’s data management responsibilities. HGA management must ensure that appropriate Data Processing Agreements (DPAs) or contractual clauses are in place with such third parties, obligating them to adequate data protection measures in line with this policy and applicable laws. Vendors may be required to undergo security assessments or audits and must notify HGA in the event of any data breach on their side. HGA will only engage third-party processors that provide sufficient guarantees of their security controls and compliance (for instance, cloud providers certified under internationally recognized security standards). The IT and Compliance roles should maintain an inventory of third-party data processors and regularly evaluate their performance and adherence to data protection obligations.

By clearly defining these roles and duties, HGA aims to create a shared responsibility model for data governance. Every individual and partner has a part to play in ensuring that data is handled correctly. Failure by any party to fulfill their responsibilities can put the data and the organization at risk, and will be addressed under the Enforcement provisions of this policy.

Data Handling Rules

The following rules govern how data must be handled at each stage of its lifecycle: from the moment it is collected or created, through its active use and storage, and finally to its retention and deletion. These rules apply in accordance with the data’s classification level (Public, Confidential, Highly Sensitive) as defined above. All HGA personnel are required to follow these rules strictly.

Data Collection

HGA shall collect personal data and other sensitive information only for specific, legitimate business purposes and only as much as is necessary for those purposes. This reflects the principle of data minimization under laws like GDPR, which requires that data collected be “adequate, relevant and limited to what is necessary in relation to the purposes” for which it is processed[18]. Whenever HGA asks individuals (consultants, employees, or others) to provide data, it will ensure there is a clear need and legal basis for each data element.

Data collection will be done in a lawful, fair, and transparent manner. In practice, this means HGA will inform data subjects about what data is being collected and why. For example, when consultants sign up on the HGA Digital Platform, they provide personal and professional information for the purpose of matching with consultancy opportunities; the platform’s Privacy Notice or consent form will explain this purpose. HGA will obtain the individual’s consent for data collection when required (e.g., for any use of personal data beyond what is necessary for contract performance or legitimate interests). In other cases, collection may be justified by contract (e.g., collecting bank information to pay a consultant) or by legal obligation. Regardless of the basis, no personal data should be collected in secret or without the knowledge of the individual – HGA does not engage in covert data gathering.

When collecting data from third parties or public sources (for instance, if HGA obtains reference information or public profile data about a consultant to assist in proposals), HGA staff must ensure that doing so is compliant with any terms of use and that the data is relevant and not excessive.

HGA will also avoid collecting sensitive personal data (such as racial/ethnic origin, political opinions, health data, etc.) unless it is absolutely necessary for a specific purpose and permissible under law. In general, HGA’s activities should not require such special-category data, and our systems are not designed to request it. If an exception arises (e.g., if a client requires background checks or certifications that involve health or identity data), HGA will handle that on a case-by-case basis with appropriate safeguards and consent.

In summary, collect only what we need, and be clear and honest about why we need it. Any forms, applications, or data intake processes at HGA should be designed with this in mind – collecting the minimum fields necessary and providing privacy notices to users. Data collection practices will be reviewed periodically to ensure they remain aligned with the principles of purpose limitation and data minimization.

Data Storage

All data must be stored in a secure manner appropriate to its sensitivity level. HGA employs a combination of technical and organizational measures to protect data at rest (in storage). Key rules for data storage include:

  • Use of Secure Systems: Confidential and Highly Sensitive data should reside only in approved, secure systems or locations. This includes HGA’s cloud databases, encrypted storage services, and on-premises servers (if any) that have been vetted by the IT team. Data should not be stored on unapproved personal devices or personal cloud accounts. For example, consultants should avoid downloading client datasets to personal laptops; instead, they should use the HGA platform or secure HGA-provided storage. If temporary local storage is needed (such as working on a document offline), the individual must ensure the device is encrypted and secured, and that the data is transferred to an approved repository as soon as feasible and deleted from the local device.
  • Encryption: HGA implements encryption for data at rest in its systems. All sensitive personal information and credentials in databases are encrypted using strong algorithms (e.g. AES-256)[19]. HGA’s Digital Platform databases are protected behind firewalls and use encryption to protect data from unauthorized access[20]. Likewise, any documents uploaded (like consultant CVs, contracts, or reports) are stored in encrypted form (for instance, documents in the cloud are in Amazon S3 buckets with server-side encryption enabled)[21]. Encryption keys and passwords are managed securely by IT; they are not stored in plain text or shared improperly.
  • Access Controls on Storage: Storage locations (databases, file repositories, SharePoint/Drive folders, etc.) must be configured with access permissions such that only authorized users or systems can access the data. Role-based access control is used to restrict who can view or edit data in each system[22]. For example, the consultant database is accessible only to HGA staff who need to manage profiles, and each consultant can only see their own data; financial records are accessible only to finance personnel and management. The System Manager ensures that for each data repository, access rights are granted based on the principle of least privilege.
  • Preventing Unauthorized Storage: Employees and consultants are reminded that Confidential or Highly Sensitive data should never be stored in unsecured places such as public folders, open shares, USB drives without encryption, or personal email accounts. HGA provides secure storage solutions; if additional secure storage is needed, it must be requested through IT. Also, printing of sensitive data should be minimized – if physical copies are made, they should be secured (e.g., in locked file cabinets) and shredded when no longer needed.
  • Data Segmentation: Where appropriate, HGA segregates data by environment and purpose. For instance, production data is separated from test/development environments; personal data used for testing or training (if any) should be anonymized or masked. HGA also distinguishes data by client or project as needed to enforce that data is not intermingled improperly.
  • Backup Storage: Backup copies of data are themselves stored securely. Backups of critical systems are encrypted and stored either offsite or in cloud backup storage that is access-controlled[23]. Access to backups is limited to IT administrators. (See Security Controls for more on backups and disaster recovery.)

In summary, all stored data is locked down according to its classification. HGA uses modern security standards to protect data at rest, and employees/consultants must do their part by only storing data in authorized, secure locations. If you are unsure if a storage method is secure or allowed (for example, using a new SaaS tool to store HGA data), consult the IT Security team before doing so.

Data Access

Access to data is restricted based on business need and job role, consistent with the classification of the data. The following rules govern data access:

  • Role-Based Access Control (RBAC): HGA systems implement RBAC, meaning users are granted system access and data permissions according to their role within the organization or platform[22]. For example, a consultant logging into the HGA Platform can access their own profile and applications but not the data of other consultants; an HGA Business Developer can view and manage consultancy listings and consultant profiles; a System Administrator has broader access to system configuration but may not necessarily access personal data unless required for support. These roles and associated permissions are defined in the system design and enforced by the application logic and database queries. No user should attempt to access data outside the scope of their role. If a user’s role changes or they leave HGA, their access rights must be promptly adjusted or revoked by the IT team.
  • Least Privilege Principle: Even within a given role, users and processes should operate with the minimum level of access necessary. For instance, if certain financial data is only needed by Finance staff, other employees should not have access to it in systems. Where possible, sensitive actions (like exporting large data sets, or deleting records) are restricted to specific admin users. Administrative accounts (with broad access) are limited in number and are used only when necessary. HGA regularly reviews user access rights to ensure that permissions remain appropriate (at least annually, and during employee onboarding/offboarding or consultant contract changes).
  • Authentication Security: All access to HGA systems that contain Confidential or Highly Sensitive data must be secured with strong authentication. Multi-Factor Authentication (MFA) is required for all user logins to the HGA Digital Platform and internal systems[24]. This means users must provide a second factor (such as a one-time code via an authenticator app or SMS) in addition to a password, which greatly reduces the risk of compromised credentials. Passwords must meet HGA’s complexity standards (a strong mix of characters, minimum length, no common words) and default or temporary passwords are to be changed immediately upon first use. The IT system enforces regular password changes or offers periodic reminders to avoid stale credentials[25][26]. Sharing of passwords or accounts is strictly prohibited – each user is accountable for all actions taken under their own credentials.
  • Access Logging and Monitoring: Systems will maintain logs of user access and actions, especially for privileged operations on Confidential/Highly Sensitive data. For example, if a staff member views a consultant’s personal profile or downloads a document, that action may be logged. Access logs are monitored for unusual access patterns that might indicate unauthorized activity[27]. HGA’s security monitoring tools (described under Security Controls) generate alerts if, for instance, a user attempts to access data they should not, or if an account exhibits suspicious behavior (like accessing large amounts of data in a short time).
  • Remote and Physical Access: HGA staff and consultants often work remotely; therefore, secure access is critical. Remote access to HGA’s internal tools (like admin panels or databases) is done via secure VPN or encrypted connections. Physical access to HGA’s office computers or any on-site servers is controlled – offices should be locked when unattended, and servers (if any) are in secure locations. Consultants or staff using personal devices to access email or systems must ensure those devices have appropriate security (updated OS, antivirus, device encryption, and screen lock). If a device that has access to HGA data is lost or stolen, it must be reported immediately so that access can be revoked and remote wipe attempted if possible.
  • Need-to-Know Sharing: Users with access to Confidential/Highly Sensitive data must not further share that data with anyone (inside or outside HGA) who does not have a need-to-know. Just because one has access in a system does not mean it should be freely disseminated. For example, an HGA employee who has a database export must not email that file to another colleague unless that colleague is authorized to see the information. Internal teams should use secure collaboration tools provided by HGA and respect internal data sharing guidelines. Personal data in particular is tightly controlled – if in doubt whether someone should have access, err on the side of caution and consult a supervisor.

In essence, data access is on a strict need-to-know and least privilege basis. Through a combination of technical measures (RBAC, MFA, logging) and policy measures (user awareness and discipline), HGA ensures that people only access what they are permitted to. Attempts to circumvent access controls (e.g., using someone else’s login, exploiting a system bug to retrieve data) are violations of this policy and will lead to disciplinary action.
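The Access Logging and Monitoring rule above calls for alerts when a user reaches outside their role or pulls an unusual volume of records in a short time. The following Python script is an added illustration of how such a check can be run over access logs; it is not code from the HGA Digital Platform. The log line format, the role names, the convention that consultant user ids are `c_<profile id>`, and the threshold of five distinct records per five-minute window are all assumptions constructed for the example.

```python
"""Flag out-of-scope and bulk record access in an access log.

Added example, not HGA platform code. Assumed (constructed) log format, one
event per line:
  <ISO timestamp> user=<id> role=<role> action=<view|download> object=<type>:<id>
Assumed convention: consultant accounts are named c_<own profile id>.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<otype>[^:]+):(?P<oid>\S+)$"
)

VOLUME_THRESHOLD = 5            # assumed: more than 5 distinct records ...
WINDOW = timedelta(minutes=5)   # ... inside 5 minutes is "bulk access"

# Constructed sample log (not real HGA data): a business developer doing
# normal work, a consultant peeking at another consultant's profile, and an
# admin account downloading seven profiles in a minute.
SAMPLE_LOG = """\
2024-05-01T09:00:00 user=bd_alice role=business_developer action=view object=profile:1001
2024-05-01T09:00:20 user=bd_alice role=business_developer action=view object=profile:1002
2024-05-01T09:01:00 user=bd_alice role=business_developer action=download object=cv:1002
2024-05-01T09:10:00 user=c_2001 role=consultant action=view object=profile:2001
2024-05-01T09:10:02 user=c_2001 role=consultant action=download object=cv:2001
2024-05-01T09:10:05 user=c_2001 role=consultant action=view object=profile:2002
2024-05-01T09:20:00 user=sys_bob role=system_admin action=download object=profile:1001
2024-05-01T09:20:10 user=sys_bob role=system_admin action=download object=profile:1002
2024-05-01T09:20:20 user=sys_bob role=system_admin action=download object=profile:1003
2024-05-01T09:20:30 user=sys_bob role=system_admin action=download object=profile:1004
2024-05-01T09:20:40 user=sys_bob role=system_admin action=download object=profile:1005
2024-05-01T09:20:50 user=sys_bob role=system_admin action=download object=profile:1006
2024-05-01T09:21:00 user=sys_bob role=system_admin action=download object=profile:1007
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def own_profile_id(user):
    """Assumed naming convention: consultant user c_2001 owns profile 2001."""
    return user[2:] if user.startswith("c_") else None


def detect_anomalies(log_text, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return alerts in log order: out-of-scope consultant reads and bulk access."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, object key)
    already_flagged = set()       # one bulk-access alert per user

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        obj = f"{ev['otype']}:{ev['oid']}"

        # Scope check: a consultant may only touch records about themselves.
        if ev["role"] == "consultant" and ev["oid"] != own_profile_id(user):
            alerts.append({"type": "out_of_scope", "user": user, "object": obj, "ts": ts})

        # Volume check: distinct records per user inside a sliding window.
        q = recent[user]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {key for _, key in q}
        if len(distinct) > threshold and user not in already_flagged:
            already_flagged.add(user)
            alerts.append({"type": "bulk_access", "user": user, "count": len(distinct), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample log the consultant's read of `profile:2002` produces an `out_of_scope` alert and the admin account trips `bulk_access` at its sixth distinct profile; the business developer's three reads stay below the threshold. The per-user deque keeps only the events inside the window, so the check runs in one pass over an arbitrarily long log.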

Data Use

Data use refers to any processing or utilization of data within HGA after it has been collected and accessed. All data use must comply with the purposes for which the data was collected and any conditions agreed with data subjects or clients. The rules for data use are as follows:

  • Purpose Limitation: Use personal data only for the specific, explicit purposes for which it was collected (or other purposes that have been expressly authorized). For example, if HGA collects consultant information to match them with projects, then using that data to prepare a proposal for a client is acceptable (and expected) – but using the same data for an unrelated purpose (such as marketing a product to the consultant, without their consent) would be outside the original purpose and is prohibited. HGA staff and consultants must not repurpose or mine data for reasons incompatible with what was communicated to the data subject. If a new use for data arises, HGA will seek fresh consent or ensure there is a lawful basis before proceeding. All personal data shall be used only for legitimate business purposes in connection with HGA’s services and contracts[16].
  • Data Minimization in Use: Even when data is collected and stored, employees should use or expose only the minimum necessary amount of data for a task. For instance, if generating a report or sharing information, avoid including unnecessary personal details. Internally, do not circulate entire data sets if a summary will do. If asked to provide some data to a client or partner, consider whether it can be anonymized or aggregated. As an example, if a client wants to see profiles of potential consultants, HGA can share relevant CVs but should not share extraneous personal info that isn’t needed for the client’s decision.
  • No Unauthorized Personal Use: HGA data resources are to be used for HGA’s business only. Employees and consultants must not use HGA databases, client information, or any non-public data for personal gain or non-work-related activities. For example, querying the consultant database to compile a list of contacts for an outside venture, or looking up information on a project out of personal curiosity, is strictly forbidden. Misusing internal data for any purpose not sanctioned by HGA is a serious breach of trust.
  • Sharing and Disclosure Controls: When using data, be mindful of the Data Sharing rules (next section). Any disclosure of data as part of usage (e.g., sending data to someone, publishing a document) must be vetted. Under no circumstances should Confidential or Highly Sensitive data be shared outside HGA unless it aligns with an authorized business purpose and has proper safeguards and approvals[16]. For example, sending a client a deliverable report that contains sensitive analysis is fine if it’s part of the project – but posting that same report publicly or sending it to another client would not be allowed without permission.
  • Anonymization and Pseudonymization: Where possible, especially for analytics or testing, HGA should use anonymized or pseudonymized data. Before using real personal data to train an AI algorithm or perform large-scale analysis, consider whether the goal can be achieved with anonymized data (direct identifiers removed or masked) or pseudonymized data (identifiers replaced by a key that is held separately). Note that pseudonymized data is still personal data under GDPR and must be protected accordingly; only properly anonymized data falls outside its scope. HGA’s technical team should incorporate privacy by design, building systems so that individuals are not identifiable unless the processing genuinely requires it.
  • Accuracy and Currency of Data: All users of data should endeavor to keep it accurate and up-to-date. If during use it is discovered that some data is incorrect or outdated (e.g., a consultant’s contact information has changed, or a data entry error is found in a record), users should update it in the authoritative system or inform the data management team. This ties into data quality – ensuring that decisions are made on correct data and reducing the risk of using faulty information.
  • Compliance in Use: Using data must also comply with laws and contractual requirements. For example, GDPR not only governs collection but also any profiling or automated decision-making using personal data – if HGA employs an AI agent to auto-submit consultant applications, it must ensure fairness and allow individuals to review those AI decisions[28]. HGA will refrain from any discriminatory or unethical use of data. All usage of data shall also respect intellectual property rights and confidentiality obligations – if using client-provided data or third-party data, abide by any use restrictions they provided.

In short, data should be used only as intended and in ways that are respectful to the individual’s privacy and HGA’s commitments. Any questionable intended use of data should be cleared with the Data Protection/Compliance Officer or senior management before proceeding.

Data Sharing

Data sharing refers to the transfer or disclosure of data from HGA to any third party, or even between departments or individuals internally beyond the original context. Because sharing can increase the risk of unauthorized access or misuse, it is governed by strict rules:

  • Internal Sharing (Need-to-Know): Within HGA, Confidential and Highly Sensitive data may be shared only with colleagues who have a legitimate need-to-know that information for their job[10]. Even within the company, employees and consultants should exercise discretion. For example, an HGA employee working on consultant recruitment might share a consultant’s profile with a Business Developer for a project opportunity, but it would be inappropriate to share the same profile with unrelated teams who have no need for it. When sharing internally, use secure channels (e.g., HGA’s internal file share or encrypted email) rather than public chat or personal email. Label the information as “Confidential” if it’s not obvious, so the recipient knows to handle it carefully.
  • External Sharing with Clients/Donors: A core part of HGA’s business is presenting consultant information to clients (such as UN agencies, World Bank, etc.) for project opportunities. Such sharing is permitted and expected, provided it is done for the legitimate purpose of securing or executing a Work Order and is limited to what is necessary[16]. HGA will share consultants’ CVs, credentials, and necessary personal data with clients or donor organizations only as needed for proposals, project administration, or compliance vetting[16]. For instance, submitting a consultant’s CV and biodata form in a proposal is allowed. However, HGA will not share personal data unrelated to the project (e.g. personal identifiers that the client doesn’t require) and will not disclose consultant data to any third parties beyond the relevant client/donor without consent. In line with the Consultant Contract, HGA will not misrepresent or alter a consultant’s information when sharing with clients[29], and will ensure any client receiving the data has agreed to appropriate confidentiality (often via the client’s contract terms or NDAs). If a client requests highly sensitive information (like copies of passports or certificates) for due diligence, HGA will only transmit these through secure means and ensure the client will handle them lawfully.
  • Sharing with Third-Party Processors: Sometimes HGA might use external services to process or store data (for example, an email marketing service, or a cloud analytics platform). Before sharing any personal or confidential data with such third-party services, HGA must ensure a proper Data Processing Agreement is in place as mentioned in Roles & Responsibilities. The third party must commit to confidentiality and adequate security. Only the data necessary for the service should be shared (e.g., if using a cloud translation service for a document, avoid sending documents that contain personal data unless absolutely needed). Data sent to third-party tools must be encrypted in transit (e.g., use HTTPS connections or secure file transfer). Additionally, HGA will verify that the third-party’s servers are in jurisdictions compliant with our data transfer rules (for instance, if transferring EU personal data to a processor outside the EU, ensure legal transfer mechanisms like Standard Contractual Clauses or an adequacy decision are in place[30]).
  • Cross-Border Data Transfers: HGA operates internationally, and data (especially personal data of consultants and clients) may be transferred across national borders (e.g., stored on cloud servers in the U.S. or accessed by HGA staff traveling abroad). All cross-border transfers of personal data must comply with applicable data protection laws. For EU personal data, HGA either keeps data on servers in jurisdictions deemed adequate by the EU or uses EU-approved safeguards such as Standard Contractual Clauses, as well as obtaining consent from data subjects where required[30]. Consultants have consented to the transfer and storage of their data across international borders as part of their contract[11], and HGA in turn commits to protect that data regardless of location according to GDPR-level standards. In practice, this means if HGA shares data with, say, a U.S.-based cloud provider, it will do so under agreements that ensure GDPR principles are upheld.
  • Method of Sharing: When sharing Confidential/Highly Sensitive data externally (where authorized to do so), HGA personnel must use secure transmission methods: encrypted email, a secure file transfer portal, or upload to the client’s own secure system. Data must not be attached in plaintext to an email or sent over insecure channels. Where a password-protected file is the only practical option (for example, an encrypted PDF of a financial report sent to a donor), use a strong, unique password and send it through a separate channel (such as a call or message to a known number), never in the same email as the file. For extremely sensitive data, prefer a secure download link that expires over a persistent email attachment.
  • Prohibited Sharing: Certain types of data sharing are flatly prohibited. HGA will not sell personal data to third parties. HGA will not share personal data with any third party for their own marketing or purposes unrelated to HGA’s business, without explicit consent from the individuals. Also, HGA staff should refrain from discussing confidential business or personal information in public forums or on social media. Even within professional circles, be cautious—e.g., do not share a client’s information or a project detail with another client or outsider without clearance.
  • Client and Donor Requirements: In some cases, clients or donors might impose additional restrictions on data sharing. For example, a UN agency might require that all project documents remain confidential and not be published elsewhere, or a development bank might have rules about releasing evaluation data. HGA will abide by any such contractual requirements. If a client contract has a stricter rule (for instance, prohibiting sharing any project data publicly for X years, or requiring that data be stored only in certain locations), those rules will be integrated into HGA’s process for that project. HGA’s consultants are made aware of and must comply with any client-specific data provisions (as noted, signing a separate NDA if needed)[17].

In summary, data sharing is tightly controlled and must be done only for legitimate reasons, using secure methods, and with proper authorization. All staff and consultants should think twice before sending out any HGA information: who is receiving it, do they have the right to receive it, and is this method of sending secure? When in doubt, consult the policy or the Compliance Officer.

Data Retention

HGA retains data only for as long as it is needed to fulfill the purposes for which it was collected or to meet legal, contractual, or regulatory requirements. Unnecessary retention of data can pose risks to privacy and security; therefore, HGA has defined retention periods for various categories of data in line with data minimization and storage limitation principles[31]. After these periods, data must be disposed of securely. The retention rules are influenced by industry best practices, including expectations of donors and laws like GDPR, which emphasize not keeping personal data longer than necessary.

Some key retention guidelines include:

  • Financial and Contractual Records: Records such as contracts (including consultant agreements and client contracts), work orders, invoices, payment records, and financial transaction logs are generally retained for seven (7) years at minimum[32]. This aligns with common legal requirements (e.g., tax law, accounting rules, and donor audit requirements). Many multilateral donor projects require that documentation be available for audit for a number of years after project completion (often 5 to 7 years). HGA uses 7 years as a standard to ensure compliance with the strictest requirements. In some jurisdictions or cases, such records might be kept even longer if required (or permanently for key corporate records), but 7 years is the baseline for operational records in this category.
  • Consultancy Applications (Unsuccessful): Applications submitted by consultants to project listings – including those submitted automatically by HGA’s AI agent – will be retained for a limited period of time if they do not result in an engagement. Specifically, if a consultant’s application to a consultancy is not successful (the consultant was not selected), HGA will retain the application data for no more than two (2) years from the date of application. This two-year period allows HGA to reference past applications (for example, to improve the AI matching or to consider the consultant for similar opportunities within a reasonable timeframe) without indefinitely holding personal data about rejected opportunities. This practice is consistent with common HR data retention norms where unaccepted job applications are kept for a period (often 1-2 years) then purged[33]. After two years, such application data will be deleted or anonymized in our system. (If the consultant wishes their application data removed sooner, they can request deletion, which HGA will honor provided it doesn’t conflict with legal obligations.)
  • Consultant Profiles and Personal Data: Consultant account data on the HGA Digital Platform (e.g., profile information, CV, credentials, references) is retained for as long as the individual remains an active consultant in our network. If a consultant becomes inactive or requests their account to be closed, HGA will archive their data and remove it from the active platform. Generally, personal profile data of an inactive consultant will be deleted after 2 years of inactivity if there are no ongoing contractual obligations or legal reasons to retain it. However, certain elements might be kept longer if the consultant had completed projects (see next bullet) or if needed for legal claims. Consultants have the right to request deletion of their personal data; HGA will comply with such requests to the extent possible, after retaining any data that must be kept for legal compliance (e.g., records of payments or contracts)[34]. In practice, once all retention-relevant periods lapse, the consultant’s personal data will be purged from our systems (with only minimal identifying info kept in a suppression list to avoid contacting them again, if applicable).
  • Project Deliverables and Reports: Documents and data produced during consulting projects (deliverables, reports, studies, analyses) and related project communications are retained for at least seven (7) years following project completion. These often form part of the contractual record with the client and may be needed for future reference, audits, or follow-up projects. Donor-funded projects often specify a retention period for deliverables (commonly 5 to 7 years) in their contracts, and HGA adheres to those requirements. Therefore, unless a different period is stipulated by the contract, 7 years is default. After that, deliverables may be archived or deleted as appropriate. (Deliverables that are public or published may be kept longer in archives, but their associated internal working data will follow retention rules.)
  • Client and Contact Information: Information about client organizations or contacts (e.g. client representatives’ names, emails, project history) is kept for the duration of the business relationship and as needed for business development. If a client engagement ends, basic information is retained for relationship management and record of past engagements (often indefinitely in CRM systems for reference). However, any personal data of client staff will be kept up to date and removed upon request or if outdated. Where required by law (for instance, EU individuals exercising GDPR rights), HGA will remove or anonymize contact data that is no longer needed.
  • Support Tickets and Communications: Records of support queries, helpdesk tickets, and general inquiries submitted through HGA’s support system will be retained for approximately 2 years after the ticket is resolved. This allows HGA to analyze support trends and refer to recent past issues if they recur. Older support records beyond 2 years will be deleted or anonymized, unless they contain information that must be retained longer for legal reasons. Internal email communications are generally not systematically deleted, but HGA may implement email retention limits in the future (e.g., auto-archiving or deletion after a certain number of years) to manage storage. Important communications that qualify as business records should be saved to an appropriate repository (and thus fall under other categories like project records or contracts). Non-record emails can be cleaned out periodically by users or IT per retention policy (typically 2-3 years for routine communications, unless litigation hold applies).
  • System Logs: System and security logs (logs of user logins, system events, etc.) are retained for a shorter period, usually 6 to 12 months, due to storage and relevance considerations. They are used for troubleshooting and security audits. For example, web access logs might be kept for 6 months, and audit logs of database access for 1 year. After that, they are securely deleted, unless flagged in an investigation to be kept longer. Aggregated statistics from logs (with no personal identifiers) may be kept longer for analytical purposes.
  • Legal Hold and Exceptions: If HGA is aware of any legal proceedings, investigations, or disputes that require certain data to be retained (a litigation hold), those specific records must not be deleted even if their retention period is expired. For instance, if a consultant or client is in a dispute with HGA, relevant communications and files will be preserved until the issue is resolved, notwithstanding the standard schedule. Similarly, if a law or regulation mandates a longer retention than HGA’s schedule (for example, some tax records or employment records might have 10-year requirements in certain jurisdictions), HGA will follow the law. Conversely, if law requires deletion sooner (e.g., certain jurisdictions limit how long particular personal data can be kept), those will override our default schedule.

The table below summarizes retention periods for major data categories managed by HGA:

Data Category                            | Retention Period                          | Notes
-----------------------------------------|-------------------------------------------|------
Financial Records and Contracts          | 7 years (minimum)                         | Includes invoices, payment records, consultant contracts, client contracts, work orders. May be retained longer if required by donor or law[32].
Project Deliverables & Reports           | 7 years after project completion          | Aligns with donor audit requirements, unless the client contract specifies otherwise. Critical project documents archived for reference.
Consultancy Applications (Unsuccessful)  | 2 years from application date             | Auto-deleted or anonymized after 2 years if no engagement results[33]. Facilitates future opportunities within that timeframe; minimizes long-term storage of personal data.
Consultant Profiles & Personal Data      | Active duration + ~2 years after inactivity | Deleted 2 years after the consultant becomes inactive or closes the account (subject to legal holds); erasure requests are actioned sooner, except for data that must be kept for legal compliance. Core profile data removed from active systems; minimal info retained if needed for financial records or as a suppression entry to avoid re-contact.
Support Tickets & Customer Queries       | 2 years after resolution                  | Used for service improvement. Older tickets purged unless they contain information that must be kept for legal reasons.
System Access Logs                       | ~1 year (6–12 months by log type)         | Security and access logs for auditing. Automatically rolled over and deleted once older than the retention period, unless preserved for an incident investigation.
Public Website Content                   | Indefinite (as archive)                   | Public data (press releases, blog posts) kept as a historical archive unless updated or removed for accuracy. Contains no sensitive personal data.
Credit Card Data (PCI)                   | Not stored beyond transaction             | HGA avoids storing cardholder data whenever possible. If needed (e.g., last 4 digits of a card for a record), it is tokenized or encrypted. No CVV or other sensitive authentication data is retained[4].

(Table: HGA Data Retention Schedule – retention periods are counted from the end of the calendar year in which the data was created or received, unless stated otherwise. All retention is subject to extension for legal holds or shortened if required by law.)

HGA’s IT and Compliance team will implement this retention schedule by configuring system auto-deletion where feasible, and by conducting periodic reviews to identify data that is due for deletion. For example, the platform can automatically anonymize or delete consultancy applications past 2 years. Other data, like older contracts, might be reviewed annually and securely archived or deleted if past retention.
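The purge logic described above has two details that are easy to get wrong in an automated job: retention is counted from the end of the calendar year in which the record was created, and a legal hold or a longer statutory period must override the schedule. The following is an added example, not HGA’s platform code, showing one way to encode the schedule so those rules are applied consistently; the category names, the `Record` structure, the choice of which categories are anonymized rather than deleted, and the sample records are all assumptions made for illustration.

```python
"""Retention-schedule evaluator (added example, not HGA's production code).

Assumptions: category names, the Record fields, and the split between
"anonymize" and "delete" are hypothetical illustrations of the schedule.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention periods in years, per the schedule table. Open-ended categories
# (client contacts, public website content) have no entry and are never
# purged automatically.
RETENTION_YEARS = {
    "financial_record": 7,
    "project_deliverable": 7,
    "unsuccessful_application": 2,
    "inactive_consultant_profile": 2,
    "support_ticket": 2,
    "system_log": 1,
}

# Categories where aggregate statistics should survive, so records are
# anonymized instead of deleted (hypothetical split for illustration).
ANONYMIZE = {"unsuccessful_application", "support_ticket"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                       # creation, resolution or inactivity date
    legal_hold: bool = False                 # litigation hold set by Compliance
    required_by_law_until: Optional[date] = None  # e.g. a 10-year tax rule


def retention_deadline(category: str, trigger_date: date) -> date:
    """Retention runs from the END of the calendar year of the trigger date."""
    years = RETENTION_YEARS[category]
    return date(trigger_date.year + years, 12, 31)


def disposition(rec: Record, today: date) -> str:
    """Decide what the purge job may do with one record today."""
    if rec.category not in RETENTION_YEARS:
        return "retain"                      # no automatic purge for open-ended categories
    if rec.legal_hold:
        return "hold"                        # a hold overrides the schedule entirely
    deadline = retention_deadline(rec.category, rec.trigger_date)
    if rec.required_by_law_until and rec.required_by_law_until > deadline:
        deadline = rec.required_by_law_until  # the longer statutory period wins
    if today <= deadline:
        return "retain"
    return "anonymize" if rec.category in ANONYMIZE else "delete"


def plan_purge(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by action so the job can log exactly what it did."""
    plan: Dict[str, List[str]] = {"retain": [], "hold": [], "delete": [], "anonymize": []}
    for rec in records:
        plan[disposition(rec, today)].append(rec.record_id)
    return plan


# Constructed sample records (not real HGA data) and a fixed "today".
SAMPLE = [
    Record("app-001", "unsuccessful_application", date(2021, 3, 15)),   # deadline 2023-12-31
    Record("app-002", "unsuccessful_application", date(2022, 1, 4)),    # deadline 2024-12-31
    Record("inv-010", "financial_record", date(2015, 6, 1)),            # deadline 2022-12-31
    Record("inv-011", "financial_record", date(2015, 6, 1), legal_hold=True),
    Record("inv-012", "financial_record", date(2015, 6, 1), required_by_law_until=date(2025, 12, 31)),
    Record("log-900", "system_log", date(2023, 11, 2)),                 # deadline 2024-12-31
    Record("crm-001", "client_contact", date(2010, 1, 1)),              # open-ended category
]
SAMPLE_TODAY = date(2024, 6, 1)


def demo_plan() -> Dict[str, List[str]]:
    return plan_purge(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for action, ids in demo_plan().items():
        print(f"{action:9s} {ids}")
```

Run against the sample set on 2024-06-01, the job anonymizes app-001, deletes inv-010, leaves inv-011 untouched because of the hold, and keeps inv-012 because the statutory period extends past the seven-year default. A real job should write the resulting plan to the purge log before executing it, so that the record of what was destroyed survives the destruction.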

Importantly, once data has met its retention timeframe and is not subject to any hold, it will be securely disposed of to prevent any unauthorized access (see Data Deletion below). HGA maintains logs or certificates of destruction for certain high-risk data deletions as needed to demonstrate compliance with this policy.

Data Deletion

When data is no longer needed according to the retention schedule or when a valid deletion request is received, HGA will permanently and securely delete or destroy the data. Proper data deletion ensures that sensitive information does not linger indefinitely and reduces risk in case systems are compromised. The following rules apply:

  • Secure Deletion Procedures: Different types of data require different deletion methods. For digital data in databases or file systems, “deletion” will include removing references to the data and, where the storage medium allows it, overwriting or shredding the underlying storage blocks so the data cannot be easily recovered. On cloud or flash-based storage, where HGA cannot directly overwrite physical blocks, secure deletion relies on the provider’s media sanitization procedures and on the data having been encrypted at rest, so that destroying the relevant encryption key renders any residual copies unreadable. HGA will use system features or specialized tools to sanitize data. For example, when a consultant profile is deleted, the platform will remove all personal records from the production database (or anonymize fields that must be kept, e.g. replace name with an ID for statistical counts). Backup copies of that data (if any exist) will cycle out and be deleted as the backups expire. For physical documents, secure shredding or incineration will be used. If HGA engages a document destruction service, it will be a certified provider and a certificate of destruction will be obtained.
  • Confirmation of Deletion: Upon deleting large sets of Confidential or Highly Sensitive data, the responsible HGA staff or an officer should confirm the deletion. The HGA Consultant Contract reflects that upon termination, the receiving party should return or destroy confidential information and, if requested, certify that destruction has been completed[35]. In practice, HGA may document the erasure of, say, a consultant’s data upon their request, for accountability. Internally, IT may log the execution of data purge scripts. If an outside party (consultant or client) requested deletion, HGA can provide confirmation once completed.
  • Exceptions – Archival Copies: HGA acknowledges there are some practical limitations and legal allowances regarding deletion. The Consultant Contract allows retaining an archival copy of confidential data solely for dispute resolution or legal compliance purposes, even after other copies are destroyed[36]. Therefore, HGA may retain minimal data if needed to defend legal claims or to comply with laws (such as tax records), even if a deletion request is made – but such data remains protected under continuing confidentiality obligations and is not used for other purposes[37]. Additionally, if data resides in routine backups that are not immediately accessible, HGA is not required to delete those backups immediately, provided they are secured and eventually overwritten as per the backup retention cycle[38]. For example, if a certain record was deleted from the live database, it might still exist in last week’s backup tape; HGA will not restore that backup just to delete one record, but the backup tape will be destroyed in due course. During that interim, the backup remains safely stored and is not used for active operations.
  • Data Subject Rights (GDPR and CCPA): If an individual (consultant or any data subject) submits a request to delete their personal data (the “right to erasure” or “right to be forgotten”), HGA will promptly evaluate and honor the request to the extent required. Before deletion, HGA will identify if any data must be retained (e.g., to comply with a legal obligation or if an exemption applies). Sometimes, as allowed by GDPR Article 17, we may not delete data that is still needed (for example, a consultant who had a contract might have financial records we must keep for 7 years)[34]. In such cases, we would inform the individual that certain data cannot be erased and the reason (legal requirement, etc.)[39]. We will then delete all other personal data that is not exempt. For CCPA requests, a similar process is followed for California residents – though CCPA has certain exemptions for business transactions and legal compliance, we will delete what we can and confirm to the requester.
  • Third-Party Deletion: Whenever HGA deletes data that had been shared with or processed by a third-party (say, data stored on a third-party CRM or a cloud backup), HGA will ensure that the third-party also deletes the data from their systems. Contracts with processors include obligations to delete or return data upon instruction or contract termination. HGA’s IT team will follow up with vendors to certify deletion if HGA systems are decommissioned or if we migrated data off a service.
  • Regular Purges: To enforce the retention schedule, HGA will conduct regular data purge activities. For example, on a quarterly or annual schedule, HGA might run a job to remove any support tickets older than 2 years, or anonymize old application records. These purges are logged. Any issues (like failures to delete certain records) are addressed promptly.

By adhering to these deletion practices, HGA minimizes the amount of data it holds at any given time, thereby reducing risk. No deletion process will be executed in a way that violates any law or contractual obligation – obligations to retain override deletion in case of conflict, as noted. But once data is cleared for deletion, HGA is committed to fully eradicating it so that it cannot be reconstructed or accessed anymore.

Security Controls

HGA implements a robust set of security controls to protect data confidentiality, integrity, and availability at all times. These controls apply to all systems and personnel and are continually reviewed and updated. Below is an overview of key security measures in place:

  • Encryption: All sensitive data is encrypted in transit and at rest. HGA enforces encryption in transit for all data sent over networks – for example, the HGA Digital Platform serves all web traffic over HTTPS (TLS), so that personal data and financial information cannot be read or altered in transit[40]. For data at rest, HGA uses strong encryption (such as AES-256) for databases and storage systems containing personal or confidential data[41]. Passwords and authentication credentials are never stored in plaintext; they are stored as salted hashes produced by a hash function designed for passwords, so that a copy of the user table cannot be reversed into the original passwords. Documents uploaded to the platform (CVs, contracts, etc.) are stored in encrypted form on secure cloud storage[21]. Encryption keys are managed securely; only authorized IT personnel have access to key management, and keys are rotated periodically according to best practices.
  • Identity and Access Management: HGA uses Multi-Factor Authentication (MFA) and strict access controls for its systems. MFA is enabled for all user accounts (consultants, clients, and staff) on the platform, requiring an extra verification step at login[24]. Internally, admin access to servers or cloud consoles also requires MFA. The principle of least privilege is implemented through Role-Based Access Control – users are given access only to the data and functions they require, based on their role (Consultant, Organization user, HGA Finance, HGA Admin, etc.)[42]. Administrator or elevated privileges are limited to specific staff and service accounts, and such accounts use unique credentials (no shared admin accounts). Access rights are reviewed regularly (at least annually and during personnel changes) to remove any excess privileges. Additionally, automatic session timeouts and re-authentication are used for sensitive systems to reduce the risk from unattended sessions.
  • Network Security: HGA’s systems (including the Digital Platform and any internal networks) are protected by firewalls and network segmentation. The platform’s databases are not exposed directly to the internet; they reside in secure sub-networks accessible only by the application servers and authorized administrators[20]. Firewalls and security groups are configured to allow only necessary traffic (e.g., HTTPS on specific ports). Intrusion Detection/Prevention Systems (IDS/IPS) and continuous monitoring tools are deployed to watch for unusual network activity or attacks[43]. For cloud infrastructure, HGA leverages cloud security services and follows best practices (like disabling unused ports, using VPN for administrative access). Regular vulnerability scans are conducted on the network and systems to identify open ports, insecure services, or misconfigurations.
  • Secure Development Practices: The HGA Digital Platform is developed following secure coding guidelines to prevent common vulnerabilities such as SQL injection, XSS, CSRF, etc. The development team uses code reviews and security testing (including static code analysis and dependency vulnerability scanning) as part of the release cycle. Configuration of the application (like API keys, database credentials) is managed securely (not hard-coded, and stored in secure configuration with restricted access). The platform avoids storing sensitive data on the client side (browser) beyond what’s necessary for user experience. Also, production data is not used in test environments unless anonymized. All changes to systems go through testing and approval (change management) to avoid inadvertent security issues.
  • Endpoint and Device Security: HGA ensures that any computers or devices used in its operations are secured. Company-managed laptops or servers have up-to-date operating systems and security patches applied promptly. They run reputable anti-virus/anti-malware solutions with real-time protection and regular scans. Full disk encryption is enabled on laptops that contain sensitive data, so if a device is lost, the data remains protected. Users are instructed to never disable security software or install unapproved applications that could introduce malware. For personal devices (if accessing HGA email or data), HGA requires at minimum that those devices have a strong password/pin, encryption, and no known compromises. Remote wipe capability is utilized for mobile devices connected to HGA systems (e.g., if a phone with HGA email is lost).
  • Logging and Monitoring: As mentioned in Data Access and Incident Management, HGA has extensive logging in place. Security logs (logins, admin actions, data exports, etc.) are collected centrally and monitored. Automated rules flag suspicious events, such as repeated failed logins from one source within a short window (a possible brute-force attack) or a successful login from a location the user has not logged in from before. Logs are correlated and analyzed in a central security dashboard or a cloud SIEM (Security Information and Event Management) service. In addition, critical systems send alerts to the staff responsible for IT security when something anomalous occurs (for example, a new device connecting to the database server, or a sudden spike in outbound network traffic).
  • Data Backup and Recovery: HGA performs regular data backups for all critical systems and databases[23]. Backups occur on a defined schedule (e.g., nightly differentials and weekly full backups for databases), and backup integrity is periodically tested by performing test restores. Backup data is encrypted and stored in a secure off-site location (for cloud systems, backups may be in a separate region or with access controls). The combination of backups and a Disaster Recovery Plan[14] ensures that even in the event of data loss, corruption, or a major incident (like a ransomware attack or a data center outage), HGA can restore systems and data to a recent state and resume operations. The Disaster Recovery Plan defines RTO/RPO (Recovery Time and Recovery Point Objectives) for key systems and is tested (through drills or simulations) at least annually to verify that HGA can meet those targets.
  • Physical Security: Although much of HGA’s infrastructure is cloud-based, any physical offices or on-premise equipment are protected. Office doors are locked and access-controlled (keys or access cards only to authorized personnel). Servers, if any are on-site, are kept in locked rooms/cabinets with limited access. Printed documents containing sensitive information are kept in secure cabinets when not in use. Visitor access to offices (if applicable) is supervised. HGA’s policy is to maintain a clean desk environment – staff should not leave sensitive papers out when away from their desk, and should shred papers when no longer needed. Whiteboards or notes should be erased if they contain sensitive info. These measures reduce the risk of accidental disclosure in a physical setting.
  • Security Training and Awareness: Regular security awareness training is provided to all HGA staff (and key consultants)[44]. Training covers how to recognize phishing emails, how to handle sensitive data properly, use of strong passwords and MFA, identifying social engineering attempts, and the importance of following these policies. New employees/consultants are onboarded with privacy and security training so they understand HGA’s expectations from day one. HGA also sends periodic reminders or conducts simulated phishing exercises to keep security top-of-mind. A culture of security is encouraged – employees are praised for reporting potential issues or for challenging suspicious requests. There are clear guidelines on things like not plugging in unknown USB drives, not installing unauthorized software, and reporting lost devices immediately.
  • Privacy by Design and Default: When new systems or features are developed, HGA incorporates privacy considerations from the start. This means setting default settings to the most privacy-protective option (for instance, any new data field defaults to confidential access), and conducting risk assessments for new data processing activities. For example, before deploying the AI auto-application feature, HGA analyzed its impact on consultant data and ensured it included an option for consultants to opt-out or review AI applications[45]. Any significant change in how personal data is handled triggers a review (akin to a Data Protection Impact Assessment under GDPR) to ensure appropriate controls are in place and compliance is maintained.
  • Third-Party Security: As noted, third-party services are scrutinized. HGA prefers vendors with recognized security certifications (ISO 27001, SOC 2, etc.) or strong reputations. Data processing agreements with vendors include specific security requirements. If a vendor suffers a breach, they are obligated to inform HGA immediately so we can take action. HGA also restricts what data is shared with vendors to the minimum necessary, mitigating potential exposure.
  • PCI DSS Measures: If HGA processes payments (credit card transactions for any services or fees on the platform), it will comply with PCI DSS. In practice, HGA aims to outsource payment processing to certified payment processors so that credit card data is not stored on HGA servers (using redirect or tokenization methods). However, should any card data touch our system, HGA ensures encryption, truncation of card numbers (only the last 4 digits stored if needed), regular PCI scans, and adherence to PCI's 12 core requirements[4]. For example, payment pages would be integrated through the processor's hosted page or tokenized fields, so that card data is entered directly with the processor rather than on HGA servers, and the network would be segmented to isolate any payment environment. Annual PCI compliance self-assessments or audits would be done if applicable.
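The following is an added example, not HGA's own monitoring tooling, of the detection logic the Logging and Monitoring control describes, run over a few constructed authentication log lines. It flags a burst of failed logins from one source address within a short window (a possible brute-force attack) and a successful login for a user from a country that user has never logged in from before. It also goes one step beyond the text by flagging a success that follows a flagged burst, since that is the event an analyst should act on first. The log format, field names, window and threshold are assumptions made for the example.

```python
# Added example (not HGA's tooling): brute-force and unusual-location detection
# over constructed auth-log lines. Format, thresholds and window are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # assumed: this many failures from one IP ...
WINDOW = timedelta(minutes=5)  # ... within this window is a brute-force burst

# Constructed sample log; one event per line: "timestamp user result src_ip country"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice FAIL 203.0.113.7 DE
2024-03-01T09:00:03Z alice FAIL 203.0.113.7 DE
2024-03-01T09:00:05Z alice FAIL 203.0.113.7 DE
2024-03-01T09:00:07Z alice FAIL 203.0.113.7 DE
2024-03-01T09:00:09Z alice FAIL 203.0.113.7 DE
2024-03-01T09:00:11Z alice OK 203.0.113.7 DE
2024-03-01T09:10:00Z bob OK 198.51.100.20 FR
2024-03-01T09:12:00Z bob OK 198.51.100.20 FR
2024-03-01T09:30:00Z bob OK 192.0.2.55 BR
2024-03-01T10:00:00Z carol FAIL 192.0.2.99 US
2024-03-01T11:00:00Z carol FAIL 192.0.2.99 US
"""


def parse_line(line):
    """Split one log line into a dict; the field layout is an assumption."""
    ts, user, result, ip, country = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ok": result == "OK",
        "ip": ip,
        "country": country,
    }


def detect(log_text):
    """Return a list of (alert_type, detail) tuples in the order they fire."""
    alerts = []
    recent_fails = defaultdict(deque)  # src_ip -> failure timestamps inside WINDOW
    flagged_ips = set()                # IPs already reported for a burst
    seen_countries = defaultdict(set)  # user -> countries of earlier successful logins

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)

        if not ev["ok"]:
            q = recent_fails[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in flagged_ips:
                flagged_ips.add(ev["ip"])
                alerts.append(("brute_force",
                               f"{len(q)} failures from {ev['ip']} within {WINDOW}"))
            continue

        # Successful login: a success right after a flagged burst is the
        # highest-priority signal (the guess may have worked).
        if ev["ip"] in flagged_ips:
            alerts.append(("success_after_brute_force",
                           f"{ev['user']} logged in from {ev['ip']} after repeated failures"))

        # Unusual location: a country this user has never succeeded from before.
        known = seen_countries[ev["user"]]
        if known and ev["country"] not in known:
            alerts.append(("unusual_location",
                           f"{ev['user']} from {ev['country']} (previously {sorted(known)})"))
        known.add(ev["country"])

    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

On the sample above the rules fire three times: a brute-force burst from 203.0.113.7, alice's success from that same address immediately afterwards, and bob's first login from BR. carol's two failures an hour apart stay below the threshold because the window slides. A first-ever login for a user is deliberately not reported as unusual; a production rule would seed the baseline from historical logs rather than from the stream itself.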

These security controls collectively create a strong defense-in-depth. They guard against unauthorized access, data leaks, and other threats. The Security Controls are not static; HGA is committed to continuously improving them by staying informed about new security threats and best practices. We conduct regular audits and penetration testing to validate our security posture[15], and address any findings promptly. Our goal is to not only meet compliance standards but to genuinely protect the data entrusted to us by consultants, clients, and partners, thereby maintaining their confidence in HGA.

Incident Management

Despite robust controls, security incidents or data breaches can still occur. HGA has an Incident Management plan to ensure a swift, effective response to any actual or suspected data breach or security incident. The objectives are to limit damage, secure the system, fulfill legal obligations (like breach notification), and learn from the incident to prevent recurrence. Key elements of incident management include:

  • Detection and Reporting: All personnel must be vigilant in watching for potential security incidents. This could include signs of a cyberattack (unusual system behavior, ransomware messages), lost or stolen equipment, misdirected communications (e.g., an email with sensitive info sent to the wrong address), or any situation where Confidential/Highly Sensitive data might have been exposed without authorization. If any employee or consultant suspects a security incident or data breach, they must immediately report it to the designated incident response team or HGA management. HGA provides clear contact points (e.g., email/phone of the IT security officer or an incident hotline). There is no penalty for reporting a false alarm – it’s better to report and investigate than to miss an incident. HGA’s monitoring systems also automate detection; for instance, if an intrusion detection system flags an anomaly or if unusual account activity is detected, an alert is generated for the security team to review[46].
  • Incident Response Team: HGA maintains an incident response team (even if small, it includes IT leads, the Compliance/Data Protection officer, and relevant management). This team is trained and authorized to take necessary actions when an incident is reported. They follow a predefined Incident Response Plan (IRP)[47] which outlines steps such as initial assessment, containment, eradication, recovery, and post-incident review. The team also consults legal counsel as needed, especially if personal data is involved and notifications might be required.
  • Containment: As soon as an incident is confirmed (or strongly suspected), the first priority is to contain it and prevent further damage. Depending on the scenario, containment measures might include: isolating affected systems (e.g., taking a server offline or disconnecting it from the network), disabling compromised accounts, applying emergency patches, or changing passwords/keys. For example, if a consultant’s account is suspected of being hacked, we would lock that account and force a password reset for safety. If malware is spreading, affected hosts are quarantined. The IRP includes guidance on containment strategies for different incident types.
  • Eradication and Recovery: Once contained, the team will identify the root cause of the incident (such as a specific vulnerability exploited or how an email leak occurred) and work to eliminate it. This could involve removing malware, closing exploited network ports, restoring clean versions of files, etc. Data integrity is checked: if data was altered or corrupted, backups are used to restore it to a correct state where possible. For example, if an attacker modified some records, we would restore those from backup after confirming that the backup copy predates the compromise and was not itself altered. Recovery also means bringing systems back to normal operation after ensuring they are secure. For instance, a server taken offline is patched or rebuilt as needed and then put back online. Throughout recovery, careful steps are taken to ensure the attacker or issue does not persist or return.
  • Communication and Escalation: Internal communication is critical. The incident response lead will keep HGA leadership informed of the situation and escalate decisions (like shutting down a system or notifying clients) to the appropriate level. HGA avoids knee-jerk public communications but prepares to inform necessary parties.
  • Breach Notification: If a data breach results in unauthorized access to personal data, especially of EU individuals or other regulated data, HGA will follow applicable breach notification laws. Under GDPR, HGA (as a data controller) is generally required to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, if it’s likely to result in risk to individuals’ rights[48]. Therefore, our Incident Response Plan calls for a rapid assessment of a breach’s severity and impact. If personal data was involved, the Data Protection Officer or privacy lead will be engaged to determine notification obligations. HGA will notify affected individuals without undue delay if the breach is likely to result in high risk to them (for example, if their sensitive information or financial details were compromised). Likewise, if the breach involves data HGA processes on behalf of a client (i.e., HGA as a processor), HGA will inform that client immediately in line with contract terms[48]. The notification will include details of what happened, what data was involved, what HGA is doing to mitigate it, and any steps individuals should take (like changing passwords). HGA understands the importance of transparency and will not hide breaches; our priority is to help those affected and comply with the law.
  • Documentation: Every security incident is documented in an incident log. We record the timeline of events, who discovered and reported it, actions taken, data involved, communications made, and the outcome. This documentation is useful not only for internal analysis but also fulfills accountability requirements (GDPR, for example, requires controllers to document every personal data breach and the response to it, including breaches not notified to the authority).
  • Post-Incident Review: After resolving an incident, the response team and relevant stakeholders will conduct a post-mortem analysis to understand what went wrong and how to prevent it in the future. They will identify lessons learned and update security measures or procedures accordingly. For example, if the incident was a phishing attack that fooled an employee, HGA might implement additional email filters and increase phishing training frequency. If it was due to a missing patch, we’ll improve patch management. The Incident Response Plan itself is updated if any step in handling the incident could be improved.
  • Practice and Preparedness: HGA periodically tests its incident response process. This could be through simulated exercises (a “tabletop exercise” where we walk through a hypothetical breach scenario) or by utilizing insights from real minor incidents. The team ensures contact lists are up to date and everyone knows their role during a crisis. By practicing, HGA can respond more confidently and swiftly in a real event[47].

The overarching goal of Incident Management is to minimize harm – to our consultants, clients, and the company – when adverse events occur. Time is of the essence in these situations. Thus, all employees and consultants must understand: if you see something, say something immediately. HGA’s culture supports prompt reporting of mistakes or issues (for example, if someone accidentally emails a file to the wrong client, they should report it rather than quietly hope it goes unnoticed). Swift reporting allows the incident team to possibly contain the breach (maybe that wrong recipient can be asked to delete the email before reading).

In the unfortunate event of a significant breach, HGA will act responsibly, inform necessary parties, and take all required steps to regain a secure state. Our clients and consultants entrust us with valuable data, and in case of an incident, we are prepared to work tirelessly to protect them and their information.

Compliance & Auditing

HGA is committed to full compliance with all applicable data protection laws, industry regulations, and the specific requirements of our clients and donors. This section outlines how HGA maintains compliance and how we audit and verify our practices:

  • Legal and Regulatory Compliance: HGA complies with key data protection laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Even in cases where these laws may not strictly apply (for example, HGA as a US-based LLC handling data of a non-Californian), HGA has chosen to adopt global best practices for data privacy by default[11]. This means principles like consent for personal data use, honoring opt-outs, enabling data subject rights (access, correction, deletion), and robust data security are ingrained in our policies. We also adhere to other relevant laws in jurisdictions we operate or have data subjects (e.g., CAN-SPAM Act for emails, state data breach notification laws in the US, etc.). For payment processing, as noted, we follow PCI DSS guidelines to secure payment data[4]. Should HGA’s services expand to handling health data or other regulated data, we would incorporate HIPAA or similar regulations as required.
  • Client and Donor Requirements: HGA often works with international development organizations (UN agencies, World Bank, regional development banks, etc.) that have their own data handling expectations. We ensure that any data governance requirements in client contracts are followed. For example, if a World Bank-funded project contract stipulates maintaining confidentiality of project data and retaining records for X years, HGA will integrate those terms (indeed, our standard practice of 7-year retention covers typical donor audit windows). HGA’s consultant contract explicitly requires compliance with donor guidelines[49] – this extends to data-related provisions, such as safeguarding any donor-provided data or not transferring certain data without permission. Additionally, if donors require data to be stored in certain jurisdictions or impose data sovereignty rules, HGA will accommodate those by using appropriate data centers or obtaining approvals. We treat donor and client data as a special trust: any data provided by a client for a project remains the property of that client, and we use it only for the intended purpose, returning or deleting it at project completion as the contract directs. Compliance with client confidentiality agreements (including NDAs signed by consultants for clients) is monitored; any breach would be addressed as a contract breach.
  • Cross-Border Data Compliance: As mentioned in Data Sharing, when transferring personal data across borders, HGA ensures compliance mechanisms. This includes using Standard Contractual Clauses (SCCs) for EU data exports if applicable, verifying vendor participation in frameworks (like EU-US Data Privacy Framework, if used), and obtaining consent from individuals for international transfers when required. HGA also respects local data residency laws – for instance, if a country where we operate requires certain data to remain in-country, we will use local data storage or otherwise abide by those laws.
  • Data Protection Impact Assessments (DPIAs): For any high-risk processing of personal data (new projects involving large-scale personal data, automated decision-making with legal effects, etc.), HGA will conduct a DPIA in line with GDPR guidance. This process, led by the Data Protection/Compliance Officer, evaluates the necessity and proportionality of the processing, identifies risks to individuals, and finds ways to mitigate those risks. The conclusions of DPIAs inform adjustments to system design or whether to even proceed with certain data activities. If a DPIA indicated unmitigable high risks, HGA would reconsider or consult authorities as needed.
  • Auditing and Review: Regular audits and compliance checks are performed to ensure ongoing adherence to this policy and relevant standards[15][50]. HGA takes a multi-layered approach to auditing:
  • Internal Audits: Our Compliance Officer and/or IT Security Lead conducts internal audits (at least annually) of practices such as user access reviews, storage of data against retention policy, security settings, and training completion. For example, an audit might check whether all consultants who left a year ago have had their accounts deactivated and data purged per policy, or whether every system has logs enabled and monitored. Any deviations are documented and corrected.
  • External Audits: Where appropriate, HGA may employ external security firms or certify under standards. For instance, if required by a contract or to demonstrate our commitment, we could undergo a SOC 2 Type II audit or ISO 27001 certification audit in the future. Additionally, vulnerability assessments and penetration tests by third-party experts are commissioned periodically; these tests probe our systems for weaknesses that our internal team might miss. The results are used to strengthen security.
  • Donor/Client Audits: We recognize that donors (like UN agencies or banks) might exercise audit rights in contracts. HGA will fully cooperate with any authorized external audit of our project records or data handling by a client or donor. We maintain organized records to facilitate such audits. Financial records and project documentation are kept in a manner that they can be readily reviewed by auditors (with sensitive personal data protected as needed during that process).
  • PCI Scans: If applicable, quarterly network scans and annual SAQ (Self-Assessment Questionnaire) for PCI DSS are done to validate ongoing compliance with payment security standards.
  • Policy Compliance Monitoring: Compliance with this Data Governance Policy itself is monitored. Managers ensure their teams are following procedures (e.g., managers spot-check that sensitive files are stored in approved drives, not personal USB sticks). The Compliance Officer may run spot checks or use tools (like DLP – Data Loss Prevention software) to ensure no large confidential data transfers are happening outside allowed channels. For example, DLP rules could flag if someone tries to email a list of all consultant emails outside the company. While we trust our team, these tools help enforce policies proactively.
  • Training and Certification: We treat training as a compliance requirement. All staff must complete data protection and security training annually, and we track this. Non-completion triggers follow-ups. Key personnel (IT admins, developers, etc.) might receive specialized training or certifications (like Certified Information Privacy Professional – CIPP, or Certified Information Systems Security Professional – CISSP) to deepen our internal expertise. Maintaining knowledgeable staff is part of compliance because it reduces human error and enhances our ability to comply with complex regulations.
  • Records and Documentation: HGA keeps documentation of its data processing activities (a requirement under GDPR for many organizations). This internal record includes what data we have, where it’s stored, who has access, the purposes of processing, and the legal basis – essentially a data inventory and processing registry. Keeping this updated helps ensure we know our compliance scope. We also document all consents obtained, privacy notices issued, contracts with data protection clauses, and any incident reports. These records would be crucial if we ever needed to demonstrate compliance to regulators or clients.
  • Continuous Improvement: Compliance is not a one-time task. Whenever laws change or new guidelines emerge (e.g., new standard contractual clauses, or an amendment to CCPA, or new privacy laws in other states/countries), HGA updates its practices and this policy accordingly. The policy will be reviewed at least annually and whenever significant changes in the law or our business occur. Changes to the policy are formally approved by management and communicated to all personnel (with training if needed to cover new aspects).
  • Privacy and Security by Contract: HGA ensures that all employees, consultants, and third parties are contractually bound to confidentiality and data protection commitments. Employees sign confidentiality agreements as part of employment. Consultants sign the Representation & Services Agreement which contains data protection clauses (Section 2.2 and Section 11 in the contract explicitly cover data privacy and confidentiality)[1][6]. Vendors sign DPAs. These contracts give HGA legal recourse if someone were to willfully violate data obligations, reinforcing compliance.
  • Accountability and Penalties: Ultimately, HGA’s leadership understands that non-compliance can lead to serious consequences (fines, legal liability, reputational damage). Hence, accountability is emphasized. If an audit finds gaps, we assign owners and deadlines to fix them. If a violation occurs, we treat it seriously under enforcement. We aim to foster an environment where compliance is seen not just as avoiding punishment but as doing the right thing for the people whose data we hold.
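The following is an added example, not HGA's DLP configuration, of the kind of outbound-mail rule the Policy Compliance Monitoring item describes: a message is flagged when at least one recipient is outside the company domain and the body carries a bulk list of email addresses (the "list of all consultant emails" case) or a string that passes the Luhn check used for card numbers, which ties in with the truncation requirement under PCI DSS Measures. The company domain, the bulk threshold, the message layout and the sample messages are all assumptions constructed for the example; the card number is the well-known 4111 test number.

```python
# Added example (not HGA's DLP rules): flag outbound mail to external
# recipients that carries a bulk address list or a Luhn-valid card number.
# Domain, threshold, message layout and sample messages are assumptions.
import re

COMPANY_DOMAIN = "hga.example"     # assumed internal domain
BULK_ADDRESS_THRESHOLD = 10        # assumed: this many distinct addresses is "a list"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(number):
    """Luhn checksum over the digits of `number`; non-digits are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def scan_message(msg):
    """Return a list of reasons to block/flag `msg`; an empty list means allowed.

    msg is a dict with 'to' (list of recipient addresses) and 'body' (str).
    """
    if not any(is_external(r) for r in msg["to"]):
        return []               # purely internal mail is out of scope for this rule
    reasons = []
    addresses = {a.lower() for a in EMAIL_RE.findall(msg["body"])}
    if len(addresses) >= BULK_ADDRESS_THRESHOLD:
        reasons.append(f"bulk_addresses:{len(addresses)}")
    cards = [m.group(0) for m in CARD_RE.finditer(msg["body"]) if luhn_ok(m.group(0))]
    if cards:
        reasons.append(f"card_numbers:{len(cards)}")
    return reasons


def scan_outbox(messages):
    """Map each message id to its list of reasons."""
    return {m["id"]: scan_message(m) for m in messages}


# Constructed sample messages.
CONSULTANT_LIST = "\n".join(f"consultant{i}@example.org" for i in range(12))
SAMPLE_OUTBOX = [
    {"id": "m1", "to": ["hr@hga.example"],
     "body": "Roster for payroll:\n" + CONSULTANT_LIST},            # internal: allowed
    {"id": "m2", "to": ["recruiter@partner.example"],
     "body": "Here is everyone:\n" + CONSULTANT_LIST},              # bulk list to outsider
    {"id": "m3", "to": ["vendor@partner.example"],
     "body": "Please charge card 4111 1111 1111 1111 for the invoice."},  # card number
    {"id": "m4", "to": ["client@partner.example"],
     "body": "Hi, cc maria@hga.example; ticket ref 20240301-0007."},  # ordinary mail
]

if __name__ == "__main__":
    for mid, reasons in scan_outbox(SAMPLE_OUTBOX).items():
        print(mid, "FLAG" if reasons else "ok", reasons)
```

The Luhn check keeps the card rule from firing on every long digit string (ticket numbers, phone numbers), which is what makes a rule like this tolerable to users; the address-count rule is deliberately blind to internal-only mail, because the exposure the policy cares about is data leaving the company. Neither rule inspects attachments, so a production deployment would extract text from attached spreadsheets and documents before applying the same checks.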

In conclusion, HGA strives not just to meet but to exceed the baseline requirements of data protection laws and donor expectations. Through regular auditing and a proactive compliance mindset, we maintain a strong posture that can be clearly demonstrated to clients, consultants, and regulators. We will “ensure ongoing compliance with all relevant laws, regulations, and standards, and update measures in response to new regulations or industry standards”[50], as stated in our platform requirements. This policy and its execution reflect HGA’s dedication to ethical and lawful data management in all our operations.

Enforcement

This policy is an official directive of Humanics Global Advisors. Compliance is mandatory. HGA will enforce this Data Governance & Management Policy through a combination of oversight, disciplinary action, and other remedies as appropriate. All HGA staff, consultants, and relevant third parties are expected to know and adhere to the rules set forth herein. Failure to comply with this policy will result in consequences that may include the following:

  • Disciplinary Action for Employees: Employees of HGA who violate this policy (whether through negligence or willful misconduct) will be subject to disciplinary measures in accordance with HGA’s HR policies. Depending on the severity of the violation, this can range from a warning or mandatory re-training, up to termination of employment. For example, an employee who accidentally shares a confidential file externally might receive a reprimand and be required to undergo additional training, whereas an employee found intentionally stealing data or repeatedly flouting security rules would likely be terminated for cause. HGA’s management will evaluate each incident case-by-case, but with a bias toward strict enforcement to protect the organization and its stakeholders.
  • Contractual Remedies for Consultants: External consultants engaged by HGA are bound by the Representation & Services Agreement and this policy as an extension of that. If a consultant is found to have breached data obligations – say, misusing client confidential data or failing to safeguard personal data – this constitutes a breach of contract. HGA may terminate the consultant’s contract or specific work order for cause as a result of such a breach. Additionally, the contract provides that in the event of unauthorized disclosure of Confidential Information, HGA is entitled to seek immediate injunctive relief and other legal remedies[51]. In plainer terms, HGA can go to court to stop the consultant from continuing the disclosure and seek damages. Consultants could also face being blacklisted from future opportunities with HGA or our partners. We treat consultant breaches seriously not only to protect data, but also because our reputation with clients depends on all team members upholding confidentiality.
  • Legal Action: Some violations may violate not just company policy but also laws (for instance, theft of personal data, or deliberate sabotage). HGA reserves the right to refer matters to law enforcement and pursue civil litigation if warranted. If someone’s actions cause HGA to suffer damages or legal penalties (for example, a data breach that leads to regulatory fines or lawsuits), HGA may seek to recover those costs from the responsible party. Both employees and consultants should understand that they could be personally liable for malicious or grossly negligent breaches of data security. The confidentiality obligations in contracts often survive termination, meaning even if someone has left HGA, we can enforce those obligations post-termination[6][51].
  • Third-Party Enforcement: When dealing with vendors or partners, HGA will enforce compliance via contract terms. If a vendor fails to meet required data protection standards or suffers breaches due to their negligence, HGA will exercise any rights in the contract – which may include termination of the service agreement and potential legal claims for damages. HGA carefully selects vendors, but we will not hesitate to cut ties with any third-party that endangers our data or fails audits, etc.
  • Incident Investigation: Whenever a potential violation of this policy is detected, HGA will investigate promptly and fairly. The investigation may be led by the Compliance Officer, HR, and/or IT Security, depending on the nature. Individuals suspected of a serious breach may be suspended from system access during investigation to prevent further harm. All employees and consultants are expected to cooperate fully with investigative efforts (providing relevant information, access to devices if needed, etc.). Findings will be documented, and if a violation is confirmed, appropriate action (as described above) will be taken.
  • No Retaliation for Reporting: As part of enforcement, HGA encourages a culture of reporting and improvement. No one who in good faith reports a security incident or potential policy violation will face retaliation or adverse employment consequences for that report – even if it turns out to be a false alarm. We want issues brought to light so they can be fixed. However, frivolous or malicious reports (knowingly false accusations) will themselves be treated as misconduct.
  • Remediation and Training: Enforcement is not only punitive. In cases where lack of knowledge or unclear guidelines contributed to a violation, HGA will also take steps to improve our controls or training. The individual involved may be required to undergo additional training or counseling on data protection. If the policy itself was not clear or a new scenario was unaddressed, we will update the policy or communicate clarifications to prevent future issues. Enforcement actions are thus accompanied by efforts to strengthen our overall compliance program.
  • Acknowledgment of Policy: All current and new HGA employees and consultants must formally acknowledge that they have read and understood this policy. This may be done through a signed document or an electronic acknowledgment. This ensures everyone is aware that these rules are not optional. Periodically, HGA may require re-acknowledgment, especially if significant updates to the policy are made.
  • Monitoring Enforcement Effectiveness: HGA management and the Compliance Officer will keep track of policy violations and their resolutions. If patterns emerge (for instance, multiple people making the same mistake), that’s a sign to improve training or controls. The ultimate measure of enforcement is that it should deter non-compliance. We expect over time to see very few incidents of internal violations, thanks to consistent enforcement and awareness.

Finally, it should be emphasized that HGA considers the protection of data a critical part of our organizational integrity. Any disregard for this policy is not just a minor infraction; it’s an affront to the trust that clients and consultants place in us. Thus, we respond accordingly. In severe cases of data abuse, the harm can be irreparable – “unauthorized use or disclosure of Confidential Information may result in irreparable harm” to HGA or individuals[51]. We will take whatever action is necessary, including legal action, to prevent or remedy such harm. This strict stance on enforcement ultimately benefits everyone: it protects individuals’ privacy, maintains client confidence, and upholds HGA’s reputation and legal compliance.

Conclusion: This Data Governance & Management Policy represents HGA’s comprehensive approach to responsibly managing data. All HGA personnel and partners must integrate these principles and procedures into their daily work. By doing so, we ensure that we honor the trust placed in us, reduce risks, and support the successful mission of HGA and its community “together for a better world.” Compliance is not merely about avoiding penalties; it’s about ethically stewarding the information that powers our business and impacts real people’s lives. HGA’s leadership fully endorses this policy and expects diligent adherence. Let us each do our part to maintain the highest standards of data governance and security.