DATA Security
Guest and Member Data, Administration and Information Technology
BACKGROUND:
This policy defines the guidelines for the security and confidentiality of data maintained by Chuchaiburi Hotel Company and its subsidiaries both in paper and electronic form. This policy informs guests and members as well as each person who is entrusted to access guest, visitor, member, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding both paper and electronic data.
POLICY STATEMENT:
All custodians and guardians of uploaded and administrative data are expected to manage, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information.
DEFINITIONS:
There are two primary categories of data-handling and access defined in this policy.
Data Custodians
Data custodians function as gatekeepers for the data that is collected and maintained by individuals in their divisions. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain Chuchaiburi’s primary data stores and the respective data custodians.
Data Guardian
A data guardian is defined as anyone who, as a function of their position at Chuchaiburi Hotel Company or any of its subsidiaries, possesses or has access to Chuchaiburi Hotel guest, member or administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who receive, disseminate, reviewer utilize data.
Department heads are responsible for signing off on data access requests for employees under their supervision.
PROCEDURES:
Chuchaiburi employees, or others who are associated with the Chuchaiburi , who request, use, possess, or have access to guest, member or administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:
Changing data about themselves or others except as required to fulfil one’s assigned duties or as authorized by a supervisor;
Using information to enable actions by which other individuals or third parties might profit from;
Disclosing ANY information to ANY party about without prior authorization by a supervisor;
Engaging in what might be termed “administrative voyeurism” (reviewing information not required by job duties) unless authorized to conduct such analyses;
Circumventing the level of data access given to others by providing access that is broader than that available to them, unless authorized. For example, providing an extract file of a guest or member to someone who does not have security access to such data is prohibited by this policy;
Allowing unauthorized access to Chuchaiburi’s administrative systems or data base by sharing an employees’ username and password;
Engaging in any other act that violates the letter and spirit of the policy, either purposefully or accidentally.
Improper Guardianship
In assuming responsibility for the interpretation and use of ANY and ALL available data, guardians are expected to recognize the potential serious consequences of their improper guardianship. Improper maintenance, disposal, or release of guest, member or administrative data exposes Chuchaiburi to significant risk, including lawsuits, loss of employee and guest and member trust, and loss of Chuchaiburi partner confidence. Guardians who are found in violation of this policy will be subject to Chuchaiburi’s disciplinary processes and procedures including, but not limited to, those outlined in the Employee Handbook. Acts that prove to be illegal under the law will subject users to prosecution by local, state, and/or federal authorities in Thailand or elsewhere. Chuchaiburi Hotel Company DOES NOT tolerate Guardianship infringements of any kind and will prosecute offenders of this policy to the fullest extent of the law.
POLICY APPLIES TO:
ALL employees and consultants engaged by Chuchaiburi Hotel Company either through employment agreements or through consulting agreements.
EXCEPTIONS:
This policy does not prevent the release of data to external organizations or governmental agencies as required by legislation, regulation, or other legal vehicles as there may be required under the law.
RESPONSIBLE DEPARTMENT:
Technology Department
ADDITIONAL AUTHORITY:
Questions regarding this policy or the application of this policy to a specific situation should be referred to the Managing Director and the Chief Technology Officer. Changes to this policy will only be authorized by the approval of the Managing Director in conjunction with the Chief Technology Officer, the Business Director and the Group Legal Officer of the Company.