Data Management and Handling Policy
1.0 Policy Overview and Purpose
1.1 Overview
Client and corporate data are considered essential to Metric Marketing's operations, and their quality and security must be ensured to comply with applicable laws, regulations, and administrative requirements.
This policy establishes guidelines and procedures for the appropriate collection, storage, processing, and disposal of data irrespective of the medium on which the data resides (electronic, paper, or other physical form).
This policy applies to all employees of Metric Marketing, contractors, and third-party business partners who handle data on behalf of Metric Marketing.
This policy will be reviewed on an annual basis by the respective owners of this policy.
1.2 Purpose
The implementation of this policy is to serve the following purposes:
- To ensure the confidentiality, integrity, and availability of data: Metric Marketing aims to protect data from unauthorized access, alteration, or loss through the implementation of security measures such as access controls and data handling procedures.
- To protect personal and sensitive information: This policy sets guidelines for the secure collection, storage, processing, and disposal of such data to prevent unauthorized access, disclosure, alteration, or destruction. The implementation of robust security measures, access controls, encryption protocols, and regular data audits ensures that personal and sensitive information is safeguarded against potential threats and breaches.
- To comply with legal and regulatory requirements: Data management and handling practices must comply and align with applicable laws and regulations and industry standards. This policy provides a framework to ensure compliance with data protection and privacy laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR), as well as other relevant regulatory requirements.
- To mitigate data-related risks: By defining data classification levels, implementing access controls, and establishing incident response procedures, Metric Marketing intends to identify and mitigate risks related to data handling and management. This policy also outlines measures for data backup, retention, and disposal to minimize the risk of data loss and unauthorized disclosure.
- To govern third-party data handling: This policy addresses data handling in relation to business partners and third-party vendors, emphasizing the importance of due diligence, contractual agreements, and monitoring to ensure that data is handled securely and in compliance with Metric Marketing's policies.
2.0 Scope
This policy applies to all data collected, stored, processed, and transmitted by Metric Marketing regardless of format or medium (electronic, paper or any other physical form). The policy applies to all employees, contractors and third-party vendors or business partners who handle data on behalf of Metric Marketing.
3.0 Data Collection and Use
3.1 Data collection
Individuals will only collect the minimum data required to perform Metric Marketing’s business. Managers must ensure that all decisions regarding the collection and use of data are in compliance with the law and with Metric Marketing’s policies and procedures.
3.2 Data accuracy
Data users and collectors are expected to collect data with accuracy and completeness in mind and in a timely manner. Data users are responsible for regularly reviewing and updating data to maintain its integrity.
3.3 Limitations on collection
Data collected by Metric Marketing is to be used only for the explicit purposes communicated to and agreed upon with the individuals (clients or businesses) at the time of collection. Any additional data collected must be justified and consented to by those individuals (clients or businesses).
3.4 Data minimization
Data users and collectors are only to retain the minimum amount of data to achieve Metric Marketing’s business objectives or defined purpose. Metric Marketing’s business units are required to regularly review any data collected and purge any unnecessary or outdated data as defined in this policy.
4.0 Data Classification
Data classification is the responsibility of the business manager that owns the specific data (Data Owner).
It is the responsibility of the Chief Operating Officer to identify internal data. Data owned, used, created, or maintained by Metric Marketing is classified into the following categories:
Classification | Definition |
Public Data | Data intended for public disclosure that has no sensitivity or confidentiality requirements. Public data is commonly available data and should still be handled with care. Examples of public data include, but are not limited to: 1) Government databases and data sets that are available to the public. 2) Information appearing in telephone, professional, or business directories. 3) Information published in magazines, books, or newspapers that is available to the public and where the individual has provided the information. |
Client Data (Confidential) - External | Information being handled by Metric Marketing on behalf of a client. This data can contain sensitive information such as "personal information" that must not be disclosed by Metric Marketing. Under PIPEDA, personal information is any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant; and intentions (for example, to acquire goods or services, or to change jobs). In addition to the sensitive information mentioned above, the definition of client confidential data at Metric Marketing includes client proprietary information. This proprietary information may encompass client-owned source code, database information, and any deliverables produced during our engagement with the client. Metric Marketing is committed to safeguarding this proprietary data with the same level of confidentiality and care as other forms of sensitive information, in accordance with the relevant data protection and privacy regulations. |
Internal Data (Confidential) | Information that is created and owned by Metric Marketing to directly support business operations, together with all employees' personal information. Disclosure of this information could impact the security of strategic and operational data. Examples of internal data include, but are not limited to: 1) Strategic business plans, financial statements, budgets, and data pertaining to mergers or acquisitions. 2) Employees' personal information. 3) Information technology data such as network diagrams, internal addressing schemes, results from penetration tests, firewall rules, IDS/IPS configuration, etc. 4) Other information deemed confidential by the Chief Operating Officer. |
5.0 Data Handling
There are no formal restrictions on the handling of public data. However, it should still be handled with care and appropriately stored. Confidential data (both Client and Internal) must be handled according to the following guidelines:
- Only authorized users may access, or attempt to access, confidential information.
- Data must be kept confidential to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
6.0 Data Storage and Security
6.1 Data Storage
All data is required to be stored in secure and controlled environments with appropriate access controls to prevent unauthorized access, loss, or damage.
6.1.1 Confidential Physical Data storage
Confidential physical data must be stored in a secure storage system (such as a file cabinet, closed office or department where physical controls are in place to prevent disclosure) when not in use.
6.1.2 Confidential Electronic Data storage
Confidential electronic data is stored with trusted third-party providers that enforce strict access controls to prevent unauthorized access. Regular assessments of these providers confirm continued compliance with security standards and data protection regulations.
Confidential electronic data must be encrypted at rest using approved encryption techniques, with encryption keys managed and access-controlled separately from the data they protect so that access to the stored data alone does not expose its contents.
6.2 Access Controls
All data is required to be secured through the use of access controls to prevent the unauthorized access of data.
6.2.1 Confidential Physical Data Access Controls
Confidential physical data is to be accessed only by authorized individuals and must be kept in a secure storage system that restricts access.
6.2.2 Confidential Electronic Data Access Controls
Confidential electronic data must be secured through the use of logical access controls. Authorized users must employ passwords, encryption, and inactivity lockouts to protect the data from unauthorized access, viewing, and modification. Metric Marketing does not operate its own servers: all confidential electronic data is hosted by third-party service providers that employ stringent physical safeguards, so physical access to the servers housing the data is controlled by those providers and is not available to Metric Marketing staff.
6.3 Data Transmission
All data collected or created by Metric Marketing must be transferred in a secure manner.
6.3.1 Confidential Physical Data Transmission
Confidential physical data must be secured in transit using a bonded courier with full package tracking enabled. Receipt must be confirmed by the recipient.
6.3.2 Confidential Electronic Data Transmission
Confidential electronic data transmitted over public networks or insecure channels must be encrypted in transit using a current version of TLS (legacy SSL and early TLS versions are deprecated and must not be used) to prevent unauthorized interception or tampering. Removable storage media used to transport confidential data must also be encrypted to prevent unauthorized access and tampering, and must be protected by a strong passphrase, chosen in line with best practices, for additional protection against unauthorized access.
6.4 Data Backup
All data stored by Metric Marketing is to be backed up to prevent loss in the event of hardware failure, natural disasters, or any other unforeseen incidents. Backups are performed daily and follow an incremental approach, in which only new or modified data is backed up, optimizing storage efficiency. Backups are securely transferred to an offsite location, reducing the risk of data loss due to on-site incidents. Because backups contain confidential data, they are subject to the same encryption and access control requirements as the data they copy: access is restricted to authorized users only, and they are stored in a secure location protected from unauthorized access and potential breaches. Backups must be periodically tested by restoring them, since an untested backup cannot be relied upon in an incident.
6.5 Incident Response
All employees and/or contractors must report any suspicious or security-related incidents to the System Administrator, in accordance with section 11.0 Reporting Incidents, to minimize potential damage to the organization from data breaches.
7.0 Data Retention and Disposal
7.1 Data Retention Period
Data owners are responsible for classifying data according to its sensitivity level and assigning appropriate retention periods based on Metric Marketing's business needs and applicable laws and regulations. As a general practice, Metric Marketing processes the data provided by clients and retains it for a defined period based on its classification and business requirements. Once the data has served its purpose and the deliverables have been produced, Metric Marketing ensures the timely destruction of client data to prioritize data security and privacy while maintaining compliance with relevant laws and regulations.
7.2 Data Disposal
When data reaches the end of its retention period, it is required to be securely disposed of through the measures prescribed below. Business managers are responsible for initiating and overseeing the secure disposal of confidential client documents. Disposal of confidential internal documentation is the responsibility of the Chief Operating Officer. Data is only to be disposed of by the approved methods prescribed below, to prevent unauthorized access or recovery:
- Physical data (paper): Paper documents containing sensitive or confidential information must be shredded using cross-cut or micro-cut shredders before disposal. Shredding bins or designated secure collection containers are to be used for the secure disposal of paper documents.
- Electronic data (digital): Digital data stored on servers, databases, or other electronic platforms must be securely deleted or overwritten using approved data erasure methods. Where the data is hosted by a third-party provider, deletion must follow the provider's documented deletion process, and the Data Owner must confirm that copies held in backups or replicas are also removed within the provider's stated timeframe.
- Electronic data (media): Physical media, such as hard drives, tapes, or other storage devices, shall be securely wiped or physically destroyed using approved techniques.
All data disposal activities must be recorded and maintained for auditing and compliance requirements. The records must include dates of disposal and approvals from the Data Owners.
7.3 Archival and long-term preservation
In certain instances, data created or collected by Metric Marketing will be required to be archived for long-term retention to comply with applicable laws and regulations and the administrative requirements of the business. Data Owners are responsible for identifying and classifying archivable data based on its value, significance, and legal or regulatory requirements. Archived data retains its original classification and remains subject to the storage, encryption, and access control requirements of this policy for as long as it is kept.
Examples of data that require archival include, but are not limited to, the following:
- Legal and Regulatory Records: Data such as contracts, agreements, court documents, compliance records, permits, licenses, and other legal or regulatory documents that may need to be retained for a specific period as mandated by law or regulations.
- Financial Records: Financial statements, tax records, audit reports, invoices, receipts, and other financial documents that need to be retained for a specified period for accounting, tax, or auditing purposes.
- Intellectual Property: Intellectual property records, including patents, trademarks, copyrights, and trade secrets documentation that requires long-term preservation to protect the organization’s intellectual assets.
- Business and Organizational Records: Corporate governance documents, board meeting minutes, strategic plans, policy documents, and other organizational records that need to be retained for legal, historical, or administrative purposes.
8.0 Third-Party Data Handling
8.1 Third-Party Due Diligence
All third-party vendors and business partners must go through the prescribed vendor onboarding process and be approved by Metric Marketing management, so that the vendor or business partner is confirmed to have appropriate controls in place to safeguard Metric Marketing's data before any data is shared with them.
8.2 Contracts and Agreements
All agreements and contracts made by Metric Marketing with third-party vendors, business partners, and clients must include clearly defined data protection obligations, confidentiality requirements, and data handling restrictions. Contracts will also include terms allowing termination if a vendor or business partner breaches any data protection or confidentiality obligation.
8.3 Monitoring and Compliance
The Chief Operating Officer is required to regularly monitor third-party vendors and business partners to ensure compliance with the contracts and agreements made with Metric Marketing. Any vendor or business partner found not to be in compliance with its confidentiality agreements shall have its relationship with Metric Marketing terminated.
9.0 Responsibility
Every Metric Marketing employee whose job responsibility includes the maintenance or use of Confidential data is responsible for implementing and ensuring compliance with this policy and initiating corrective action if needed.
9.1 Managers’ Responsibilities
In implementing this policy, each manager is responsible for the following:
- Communicating this policy to personnel under their supervision and ensuring that the policy is acknowledged annually.
- Ensuring that security practices consistent with the data management and handling requirements in this policy are used to protect Metric Marketing's data.
- Providing education and training in data management and handling principles to employees under their supervision.
9.2 User Responsibilities
Users who are authorized to obtain or create data must ensure that it is protected to the extent required by law or policy after they obtain or create it. All data users are expected to:
- Access corporate/confidential/sensitive data only in their conduct of Metric Marketing’s business.
- Request only the minimum confidential information necessary to perform Metric Marketing's business.
- Respect the confidentiality and privacy of individuals and businesses whose records they may access.
- Observe any ethical restrictions that apply to data to which they have access.
- Know and abide by applicable laws or policies with respect to access, use or disclosure of information.
10.0 Compliance
Compliance with this data management and handling policy is the responsibility of all members of Metric Marketing.
Non-compliance with this policy will result in disciplinary action up to and including termination of employment or contractual relationships. Users suspected of violating this policy may be temporarily denied access to Metric Marketing information technology resources during the investigation of an alleged abuse.
11.0 Reporting Incidents
All members of Metric Marketing must notify management of any improper or unauthorized access, collection, use, disclosure, or disposal of data, and of any loss or theft of data. Management must report such incidents to Metric Marketing's Privacy Officer immediately upon discovery, as required by the Privacy Policy.
12.0 Policy Review
This Policy is to be reviewed annually to ensure its effectiveness and alignment with legal, regulatory, and best practices. Any necessary updates or amendments will be communicated to all relevant stakeholders.