Winrock is dedicated to protecting the personal data of our donors, beneficiaries, employees, partners, vendors and service providers from unauthorized access, use, disclosure, modification or loss. Winrock has established the global Privacy and Personal Data Protection Principles (“Principles”) to guide Winrock employees worldwide on the underlying core principles that apply to the collection, use, and disclosure of Personal Information in the course of Winrock’s operations and in accordance with law and regulation in the jurisdictions where Winrock operates.

Notice

When appropriate and in accordance with applicable law, Winrock will strive to provide individuals with informed and meaningful notice of its privacy practices. Appropriate notices include those provided on Winrock’s website at winrock.org and notices provided for staff. Notices should include the following:

• The types of Personal Information collected;
• The purposes for which Personal Information is collected;
• How Personal Information may be used;
• Whether Personal Information will be disclosed to third-parties;
• Any choices offered to individuals regarding the use of their Personal Information; and
• How to contact Winrock with privacy inquiries or complaints.

Choice

Where required by applicable law or otherwise deemed reasonable and appropriate, Winrock will strive to provide individuals with choices regarding its collection, use and disclosure of Personal Information about them, and regarding any tracking technology that can be used to track them or their device. Choice will be presented in a form that is appropriate based on the circumstances and applicable law. Special attention may need to be paid when Sensitive Personal Information is involved, as explicit consent may be required under some circumstances.

Data Integrity and Access/Correction

Winrock asks that employees help it maintain accurate, complete and current Personal Information, and inform Winrock in case of changes to their Personal Information. Winrock also takes reasonable steps to maintain accurate, complete and current Personal Information, as required, to accomplish the purpose(s) for which it was collected and used. Winrock generally allows individuals to request reasonable access to their Personal Information to verify and correct it. In some instances, Winrock may deny such requests, consistent with applicable law.

Collection and Use

Employees must strive to collect and use Personal Information only through means that are lawful and fair, and use Personal Information only for purposes that are stated in the Winrock privacy notices applicable to them, or that can be reasonably understood by reasonable individuals from the context. Winrock requires the consent of beneficiaries whose data it collects. Employees should thoughtfully consider information collection practices and limit collection to only that information that is relevant and reasonably necessary to accomplish the intended purposes.

Disclosure

Winrock takes reasonable steps designed to ensure that Personal Information is only disclosed to third parties for legitimate business reasons.
When retaining a service provider that will receive Personal Information, employees (who are authorized to engage such service providers) should take reasonable steps designed to ensure that those service providers use Personal Information only as instructed by Winrock and properly protect the Personal Information consistent with the sensitivity of the Personal Information.
Winrock also uses technical and organizational security measures designed to limit access to and processing of Personal Information to authorized Winrock personnel, partners and service providers who require access for the performance of their obligations to Winrock and in accordance with the purpose(s) for which it was collected.

Transfers and Storage

When sharing information cross-border, Winrock will seek to make such transfer of Personal Information in accordance with the local laws of: (i) the country from which the data is being transferred; and (ii) the country to which the data is being transferred.
Winrock’s Data Classification Policy (in this Code) and Data Classification Standard Operating Procedure describe how Winrock is to store, transfer and destroy personal data.

Retention

Winrock has a Records Management Policy designed to retain Personal Information only as long as is necessary for the purpose(s) for which it was collected and used, and to securely dispose of it when it is no longer needed.

Security

Winrock strives to protect Personal Information through appropriate administrative, technical, physical and contractual safeguards designed to prevent unauthorized access to, or use or disclosure of, Personal Information. Winrock requests that service providers who process Personal Information on its behalf agree to undertakings that require them to implement appropriate security measures to safeguard this Personal Information.
ICT and other appropriate Winrock staff will respond to reports of incidents in accordance with Winrock’s incident response plan.

Enforcement and Compliance

Winrock provides training on the proper processing and protection of Personal Information as part of the onboarding and compliance training provided to relevant Winrock personnel. In conjunction with the ICT Department, the Compliance Office is tasked with the monitoring of compliance with these Principles and updating these Principles, as needed.
The Winrock Service Desk (servicedesk@winrock.org) or the Chief Risk and Compliance Officer responds to questions or complaints regarding Winrock’s handling of Personal Information.

Key Definitions

The following definitions shall apply in these Principles:

“Personal Information” means any information that identifies an individual or can reasonably be used to identify an individual. Such information is likely classified as Internal or Confidential under the Data Classification Policy and should be managed per that Policy and related Procedure.

“Sensitive Personal Information” means Personal Information that requires an extra level of protection and a higher duty of care based on applicable law. Examples of Sensitive Personal Information include: credit card or bank account number, social security number, information on medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions. Such information is likely classified as Confidential or Highly Confidential under the Data Classification Policy and should be managed per that Policy and related Procedure.