# Security & Privacy Guidelines For Program Owners

1. Legal and contractual obligations
   * Design your program to be compliant with all relevant national and/or local laws and regulations.
   * Ensure that all contracts / MOUs / agreements between your organisation and any software and/or service providers include appropriate language that clearly establishes your respective roles and responsibilities for security and privacy.
     * This includes contracts/agreements with third-party service providers that may have integrations with the solution implemented for you (e.g. SMS providers, email providers).
     * Such contracts/agreements should also be put in place with other government agencies where any PII is sought to be shared with them, unless they are already explicitly covered by existing laws and regulations.
   * Enforce these obligations by requiring implementing agencies, support agencies, third parties, and any other entity provided access to data under such a contract or agreement to demonstrate compliance.
2. Purpose limitation and data minimisation
   * Identify the purpose for which a given data point is being collected, processed, and/or shared.
   * Ensure that the purpose is part of the mandate of your organisation, and/or that the legal basis for that purpose is established.
   * Do not collect data for which there is not a clear and legally defined purpose.
   * Define a role-access framework, wherein only roles that have a clear and legally defined purpose for access to a given data point can access it.
3. Notice and/or Consent
   * Publish a privacy policy for your organisation, which explains the purpose for collection/use/sharing of data, and which roles have access to which data.
   * At each point of data collection, provide clear notice to the data principal about the purpose of data collection, with links to the privacy policy for additional details.
   * In cases where PII is sought to be shared or used in ways not covered in the notice provided at data collection, seek and record the consent of the data principal for such additional sharing or use.
   * When sharing data with other entities, ensure that such entities have suitable security and privacy policies in place before such sharing.
4. Secure operations
   * To ensure security and privacy are maintained in practice, develop standard operating procedures and guidelines for all personnel to follow.
   * Train all personnel on your organisation’s privacy policy, standard operating procedures, and guidelines.
   * In particular, train personnel on the importance of login credentials/passwords, and why these must not be shared with anyone. To reduce the administrative load on personnel, explore the use of single sign-on (SSO) or similar technologies.
   * Establish processes to change passwords when individuals move out of a given role, or leave your organisation.
   * Review audit logs periodically to identify who has accessed data; use this information to periodically verify or revise role-access mapping.

