DISHAM Foundation

Applicable Laws: Data protection practices comply with the Digital Personal Data Protection Act, 2023 (primary framework); Information Technology Act, 2000 (Sections 43A, 72, 72A); Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; Consumer Protection Act, 2019; and the Indian Penal Code, 1860 (Sections 406, 408, 499-500).

Regulatory Oversight: Data practices are subject to oversight by the Data Protection Board of India (DPBI), relevant government ministries and agencies, and state data protection authorities.

Personal Data: Information relating to an identified individual ("data principal") or that directly or indirectly identifies an individual, including:

Direct Identifiers: Name and surname; unique identification numbers (Aadhaar, PAN, voter ID, passport); contact numbers and email addresses; postal and residential addresses; and government-issued identification documents.

Sensitive Personal Data (processed with heightened safeguards): Financial information (bank accounts, transaction history); health records, medical history, health conditions; caste, religion, community, tribal affiliation; biometric information (fingerprints, iris scans, facial data); educational records and qualifications; employment and occupational information; and social security and government benefit information.

Technical and Behavioral Data: Internet Protocol (IP) address and device identifier; browser type, operating system, device specifications; pages visited, content accessed, navigation patterns; time spent on pages and interaction behavior; search queries and keywords used; and cookies, pixels, and tracking identifiers.

Demographic Data: Age, date of birth, gender; occupation and employment status; education level; income level or socioeconomic status; household composition; and geographic location.

Data Principal: An identified individual to whom personal data pertains. Data principals have specific rights under the DPDP Act and this Privacy Policy.

Non-Personal Data: Information that does not identify or relate to an identified individual is not subject to this Privacy Policy, though ethical handling practices apply.

Collection Principles: DISHAM Foundation collects personal data only when collection serves a lawful purpose aligned with Foundation mission; data minimization principles are observed; informed consent is obtained where required; and transparency regarding collection is maintained.

Specific Purposes for Collection:

Program Administration and Beneficiary Management: Identifying and registering beneficiary households and individuals; maintaining beneficiary records for program implementation; tracking beneficiary participation in education, skill training, or livelihood programs; monitoring outcomes in income, education, and socioeconomic status; and assessing eligibility for program benefits.

Education and Skill Development: Enrolling students in educational programs and learning modules; tracking academic progress and learning outcomes; identifying skill development needs and providing customized training; and certifying skill achievements and competencies.

Communication and Stakeholder Engagement: Sending program updates, newsletters, and opportunities; inviting users to events, training programs, and community activities; responding to inquiries and feedback; and notifying about skill development and livelihood opportunities.

Program Management and Impact Evaluation: Generating progress reports and performance metrics; monitoring program implementation across geographic areas; conducting impact assessments and outcome evaluations; and measuring changes in education, livelihood, and socioeconomic indicators.

Research and Evidence Building: Conducting rigorous impact evaluations; supporting academic research with appropriate anonymization; publishing findings and contributing to development evidence base; and assessing program effectiveness and cost-effectiveness.

Donor Reporting and CSR Compliance: Documenting beneficiary stories and case studies (with consent); generating impact reports for funding agencies; ensuring fund utilization transparency; and complying with CSR reporting requirements.

Personalization and User Experience: Customizing educational content and recommendations; tailoring program offerings to individual beneficiary needs; and improving website functionality and user experience.

Legal and Regulatory Compliance: Meeting government scheme requirements; responding to government information requests; complying with Right to Information (RTI) requests; and maintaining legal records.

Direct Collection from Users: Website forms, registration forms, program application forms; surveys, questionnaires, and evaluation forms; email submissions and inquiries; phone calls and in-person interactions; and interviews, focus groups, and community consultations.

Indirect Collection from Sources: Government databases and public records (where legally accessible); partner organizations' information sharing; and community representatives and referrals.

Automated Collection: Website analytics tracking user behavior; server logs recording IP addresses and access times; and performance monitoring and technical data collection.

Cookies and Tracking Technologies:

Analytics Cookies: Track aggregated user behavior to understand website usage and optimize design. Users may disable analytics cookies; this does not significantly impact functionality but reduces personalization.

Functional Cookies: Remember user preferences, language settings, login information. Disabling may impair functionality.

Security Cookies: Prevent fraud and maintain session security. Essential and cannot be disabled.

Third-Party Cookies: External services may place cookies. Users should review those providers' privacy policies.

Opt-Out Options: Adjust browser privacy settings; use "do not track" browser features; or request manual opt-out via email. Note: Cookie decline may affect website functionality, personalization, or certain feature access.

Legal Basis for Processing: Under the Digital Personal Data Protection Act, 2023, personal data may be processed only when:

Consent of the Data Principal: Processing based on free, specific, informed, unambiguous consent; consent represents clear affirmative action (active opt-in); consent obtained prior to or contemporaneous with collection; and individuals can withdraw consent at any time.

Lawful Purpose: Processing serves lawful purpose aligned with DISHAM's mission; processing necessary for government welfare services; and processing required for legal, contractual, or statutory obligations.

Exempted Processing (consent not required): Processing data made public by the data principal themselves; processing for government welfare or educational functions; processing for emergency situations affecting public health or safety; and processing of anonymized or de-identified data.

Consent Requirements:

Obtaining Consent: Consent obtained through clear, explicit, affirmative actions; consent forms clearly describe personal data, processing purposes, and recipients; consent is separate from other terms; bundling avoided; and consent obtained before or at time of collection.

Consent for Minors: Parent or legal guardian consent required for individuals below 18; and parental consent must be verifiable and documented.

Withdrawal of Consent: Data principals may withdraw consent at any time; withdrawal communicated to [contact email] or through online portal; upon withdrawal, new processing ceases; existing processed data handled per retention policies; and withdrawal does not affect pre-withdrawal processing lawfulness.

Non-Withdrawal of Consent: Refusal to consent does not deny essential services; public information access remains available; and program registration may require consent; non-consent does not result in punitive action.

Storage Infrastructure:

Secure Indian Servers: All personal data is stored exclusively on secure Indian servers operated by DISHAM Foundation-designated data centers; authorized partner organizations bound by data protection agreements; and government-approved hosting providers.

Server Specifications: Servers housed in secure, physically protected data centers; 24/7 surveillance, access controls, emergency response systems; redundant backup systems ensure data availability; and geographically distributed servers prevent single-point failure.

Encryption and Cryptographic Protection:

In-Transit Encryption: Personal data transmitted between devices and servers using SSL/TLS protocols (minimum 256-bit encryption); encrypted connections indicated by "HTTPS" protocol and padlock icon; and all forms transmit encrypted data.

At-Rest Encryption: Database-stored personal data encrypted using AES-256 encryption; encryption keys stored separately from encrypted data; and database backups also encrypted with identical standards.

Tokenization and Masking: Highly sensitive data processed through tokenization; tokens replace actual sensitive values; and data masking obscures sensitive portions.

Access Controls and Authorization:

Principle of Least Privilege: Personnel granted access only to data necessary for specific job functions.

Role-Based Access Control (RBAC): Different access levels assigned by job role; and access granted with documented authorization and regular review.

Authentication Mechanisms: All personnel use multi-factor authentication (MFA); strong passwords meeting complexity requirements enforced; and session timeouts after 15-30 minutes of inactivity.

Access Logging and Monitoring: All data access recorded with timestamp, user ID, and action; logs retained for minimum 1 year; regular audits identify unauthorized or anomalous access; and suspicious access triggers alerts for investigation.

Personnel Security Measures:

Background Checks: Conducted on all personnel accessing personal data.

Confidentiality Agreements: All employees and contractors sign binding non-disclosure agreements (NDAs).

Training and Awareness: Annual data security and privacy training covering cybersecurity, phishing prevention, secure data handling, and incident reporting.

Vendor and Third-Party Security:

Contracts and Agreements: Data processors and service providers sign Data Processing Agreements (DPAs) that prohibit use of data beyond contracted purposes; require adequate security measures; mandate breach notification and investigation cooperation; and establish liability for security failures.

Due Diligence: DISHAM conducts security assessments of vendors before engagement and periodically thereafter.

Audit Rights: Contracts reserve DISHAM's right to audit vendors' security practices.

Retention Principles: DISHAM Foundation retains personal data only for duration necessary to fulfill collection purposes, after which it is securely deleted or permanently de-identified.

Retention Periods by Data Category:

Beneficiary Personal Data: Retention Period: As long as active beneficiary plus 5 years post-program exit. Rationale: Enables outcome evaluation and alumni engagement. Extended Retention: May retain longer for impact studies or government compliance.

Partnership and Institutional Data: Retention Period: Duration of partnership agreement plus 7 years. Rationale: Meets statutory compliance and historical record-keeping.

Financial and Transaction Data: Retention Period: 7 years (per Income Tax Act, 1961). Rationale: Supports audit trails and legal compliance.

Website Analytics and Technical Data: Retention Period: 12-24 months. Rationale: Allows trend analysis while minimizing storage. De-identification: After 12 months, data aggregated and de-identified.

Educational Records: Retention Period: Duration of enrollment plus 5-7 years. Rationale: Supports educational continuity and verification.

Research and Academic Data: Retention Period: As per research protocols and ethics approval, typically 5-10 years. Rationale: Enables reproducibility and follow-up studies.

Log Files and Security Data: Retention Period: Minimum 1 year; extends to 3 years for incident investigation. Rationale: Supports cybersecurity incident investigation.

Deletion and De-identification Procedures:

Secure Deletion Methods: Cryptographic Erasure: Encryption keys deleted, rendering data permanently inaccessible. Overwriting: Data overwritten multiple times with randomized patterns. Physical Destruction: Storage media physically destroyed (crushing, incineration, degaussing). Procedures follow NIST SP 800-88 Guidelines for Media Sanitization.

De-identification: Data retained for research is de-identified by removing direct identifiers while retaining analytical variables.

Anonymization: Research datasets used for publication are fully anonymized such that individuals cannot be re-identified using reasonable means.

User Right to Deletion: Data principals may request deletion under the Digital Personal Data Protection Act, 2023. DISHAM honors deletion requests except where data is required for legal or contractual obligations; data necessary for government functions; or retention justified for ongoing purposes (with user notification).

Core Principle: DISHAM Foundation does not sell, rent, trade, or commercially exploit personal data. Data is shared only for legitimate purposes with authorized recipients.

Authorized Recipients of Personal Data:

Government Agencies and Departments: Relevant government agencies implementing education or development schemes; government auditors, inspectors, and regulatory authorities; and law enforcement agencies with valid legal authority.

Program Partners and Implementing Organizations: Registered NGOs with active partnership agreements; community-based organizations collaborating on programs; and all partners sign Data Processing Agreements.

Research and Academic Institutions: Universities conducting DISHAM-approved evaluations; researchers must obtain ethics approval and sign data use agreements; data shared in de-identified and anonymized form; and researchers commit to not re-identifying individuals.

Funding Agencies and Donors: Development banks and bilateral donors providing project funding; and data typically shared in aggregate or anonymized form.

Vendors and Service Providers: Data processors engaged for specific services (hosting, email delivery, analytics); vendors sign Data Processing Agreements restricting use to contracted purposes; and vendors have no independent use rights.

Legal Process and Law Enforcement: Valid court orders or judicial warrants; law enforcement agency requests for criminal investigations; national security directives from authorized authorities; and Right to Information (RTI) requests (subject to personal data exemptions).

Protection in Disclosures: When personal data is shared: sharing limited to minimally necessary data for specific purpose; recipients contractually bound to maintain confidentiality; recipients prohibited from re-sharing without consent; and recipients reminded of data protection obligations.

Cross-Border Data Transfers: Personal data of Indian users is not transferred outside India except when legally required for international coordination; with explicit user consent; and with Data Processing Agreements ensuring equivalent protection.

Restrictions on Internal Sharing: Within DISHAM Foundation: personal data shared only on need-to-know basis; staff members bound by confidentiality obligations; and access to sensitive data tracked and logged.

The Digital Personal Data Protection Act, 2023 grants data principals the following rights:

Right to Access Information: Entitlement: Data principals have the right to know what personal data DISHAM holds, how it is processed, and for what purposes. Exercise: Submit written request to [contact email] with subject "Data Access Request". Response Timeline: Response within 30 days (extendable by 30 additional days for complex requests). Form of Response: Provided in clear, understandable format. Scope: Includes data held, processing purposes, recipients, retention period, and data sources.

Right to Correction and Accuracy: Entitlement: Data principals may request correction of inaccurate, incomplete, or outdated personal data. Exercise: Submit written request with supporting evidence. Correction Obligation: DISHAM corrects inaccurate data and notifies third parties. Response Timeline: Corrections made within 15-30 days.

Right to Erasure and Data Deletion: Entitlement: Data principals may request deletion of personal data no longer necessary for original purpose. Exercise: Submit deletion request to [contact email]. Legitimate Reasons for Deletion: Data no longer necessary for stated purposes; retention period has expired; processing is unlawful; individual withdraws consent and no other legal basis exists. Exceptions to Deletion: Deletion conflicts with legal obligations; data required for government welfare functions; deletion compromises program integrity or beneficiary benefits; data retained for legal defense or dispute resolution. Response: DISHAM responds with reasons for deletion or implementation.

Right to Grievance Redressal: Entitlement: Data principals may lodge complaints regarding data protection violations. Exercise: Submit grievance to [contact email] with detailed description, evidence, and preferred resolution. First-Level Response: Acknowledgment within 3 business days; substantive reply within 30 days. Escalation: If unsatisfied, escalate to Data Protection Board of India (DPBI).

Right to Nominate Representative: Entitlement: Data principals may nominate a representative to exercise rights on their behalf. Exercise: Submit written notice specifying representative's identity and authorization. Limitation: Nomination valid for specific purposes only.

User Obligations: Truthfulness: Data principals must provide accurate information; false information may result in liability. No False Complaints: Filing false or vexatious complaints may result in fines up to Rs 10,000 under the DPDP Act. Cooperation: Users expected to cooperate with investigation.

Definition of Breach: Unauthorized or accidental processing event (including disclosure, acquisition, sharing, alteration, destruction, or loss) compromising confidentiality, integrity, or availability of personal data.

Breach Scenarios Include: Unauthorized database access or hacking; accidental disclosure to unintended recipients; loss of devices or storage media containing personal data; insider threats or intentional personnel misuse; third-party contractor security failures; and ransomware attacks.

Notification Obligations:

To Data Principals (Affected Individuals): Without Unreasonable Delay: Notification sent as soon as DISHAM becomes aware. Method: Via email, SMS, or phone; also published on website homepage. Information in Notification: Breach nature and affected data; affected individual categories; breach extent and scope; breach discovery timing; likely consequences for individuals; recommended protective measures; and DISHAM's response and remediation.

To Data Protection Board of India (DPBI): Reporting Timeline: Notification within 72 hours of breach awareness. Detailed Report Includes: Breach description and circumstances; number and categories of affected individuals; personal data categories involved; probable consequences for individuals; DISHAM's response measures; contact information for further inquiries; and measures to prevent future breaches.

To Law Enforcement (if applicable): Serious breaches involving criminal activity reported to local police, cybercrime units; reports to India Computer Emergency Response Team (CERT-In); and reports to Central Bureau of Investigation (CBI) for major incidents.

Incident Response Procedures:

Phase 1: Detection and Assessment (First 24-48 hours): Identify breach scope, affected data, and individuals; preserve evidence for investigation; assess severity and risk to data principals; and activate incident response team.

Phase 2: Containment (Ongoing): Isolate affected systems; implement emergency patches or fixes; disable compromised accounts; and revoke unauthorized access credentials.

Phase 3: Investigation and Root Cause Analysis (7-14 days): Conduct forensic analysis; determine breach cause and extent; document findings in incident report; and engage external cybersecurity experts if necessary.

Phase 4: Notification (Within 72 hours or prescribed timeline): Notify affected individuals and regulatory authorities; publish breach summary on website; and provide guidance on protective measures.

Phase 5: Remediation and Recovery (Ongoing): Repair or replace compromised systems; implement enhanced security controls; restore normal operations; and monitor for secondary breaches.

Phase 6: Learning and Prevention (Post-incident): Conduct comprehensive security audit; update security policies and procedures; provide additional training; and implement recommendations to prevent recurrence.

Definition of Child: Under Digital Personal Data Protection Act, 2023, any individual below 18 years of age.

General Prohibition on Children's Data Collection: DISHAM ordinarily does not collect personal data directly from children under 18. If children's data is collected (e.g., in household surveys), heightened protections apply.

Parental/Guardian Consent Requirements: Verifiable Consent: Documented, verifiable written consent from parent or legal guardian required. Informed Consent: Consent documentation clearly explains data collection purpose, use, protection, and rights. Consent Preservation: Documented consent retained in secure records.

Prohibited Processing for Children: Behavioral profiling or manipulation; targeted advertising or marketing; commercial exploitation; collection of sensitive data (health, financial, biometric) without compelling reason; and processing harmful to child welfare or development.

Special Protections: Children's data stored separately with enhanced access controls; data not shared with third parties except for documented legitimate purposes; data disclosed to government welfare agencies, authorized researchers, or law enforcement only; and children's data retention minimized; deletion upon program exit (not extended beyond 2-3 years).

Withdrawal by Guardian: Parents/guardians may withdraw consent and request deletion by submitting written request to [contact email].

Additional Safeguards for Sensitive Data:

Financial and Banking Information: Protection: Encrypted storage, restricted access. Disclosure: Only to government welfare agencies or authorized financial institutions. Retention: 7 years minimum for audit compliance.

Health and Medical Records: Protection: Stored separately with enhanced encryption. Disclosure: Only to healthcare providers with consent. Consent: Explicit prior consent required.

Caste, Religion, and Community Information: Protection: Vital for DISHAM's mission; handled with utmost confidentiality. Use: Limited to eligibility determination and targeted benefit delivery. Disclosure: Never shared with unauthorized parties.

Biometric Information: Protection: Highest level of encryption, tokenization, and access control. Use: Only for identity verification where legally necessary. Retention: Minimal; deleted once verification purposes fulfilled.

Educational and Career Information: Protection: Shared only within program team on need-to-know basis.

Third-Party Services on Website: DISHAM may integrate external services (e.g., Google Analytics, email platforms). These providers have separate privacy policies and practices.

User Responsibility: Review privacy policies of third-party services. DISHAM is not responsible for third-party data practices.

Third-Party Cookies and Tracking: External services may place cookies; users may disable in browser settings.

No Sale to Third Parties: DISHAM does not sell or share data with marketing companies or data brokers.

Multi-Layered Security Approach:

Network Security: Firewalls and intrusion detection systems; DDoS protection and attack mitigation; and secure network architecture with segmentation.

Application Security: Regular security code reviews and penetration testing; Web Application Firewall (WAF); and input validation and output encoding.

Physical Security: Restricted data center access; surveillance and monitoring; and personnel background checks.

Incident Response: 24/7 monitoring and alerting; incident response team with defined procedures; and forensic investigation capabilities.

Vulnerability Management: Regular security assessments; timely patch management; and bug bounty program for responsible disclosure.

Right to Modify: DISHAM Foundation may update this Privacy Policy to reflect changes in applicable laws; improvements in security practices; user feedback or regulatory authority recommendations; and evolution of DISHAM's data practices.

Notification of Changes: Material changes announced prominently on the website; "Last Updated" date modified to reflect revisions; and significant changes may be communicated via email.

Continued Use as Acceptance: Continued website use after changes constitutes acceptance of revised terms.

For Data Protection Inquiries, Requests, and Complaints:

📧 Email: info@dishamfoundation.org

📍 Address: 11, Padmanabhan Street, Kurinji Nagar, Chrompet, Tiruneermalai, Kanchipuram, Tambaram, Tamil Nadu, India, 600044

📞 Phone: +91 87544 71611

Grievance Process: Submit grievance in writing via email with detailed description; DISHAM acknowledges within 3 business days; investigation and substantive response within 30 days; if unsatisfied, escalate to Data Protection Board of India (DPBI); and legal remedies available through Indian courts.

DISHAM Foundation implements industry-standard security practices but makes no absolute guarantee that personal data will never be compromised. While accepting responsibility for negligence in security safeguards (per DPDP Act and IT Act), users acknowledge inherent internet-based data transmission risks.