Privacy Policy

Sri Lanka CERT|CC has adopted the following policy for appropriate protection and use of Personal Information (hereinafter referred to as the “Privacy Policy”).

1. Sri Lanka CERT|CC will comply with the terms and conditions prescribed in this Privacy Policy as well as the relevant laws, regulations and orders, etc., for attaining the appropriate protection and use of Personal Information, make efforts to ensure that Personal Information will be protected and used appropriately and, in order to fully adapt to the development of information technology in the society at large, strive continuously to improve the system for protection of Personal Information and the practices under such system.

2. Sri Lanka CERT|CC will collect Personal Information, by means of adequate and lawful process, to the extent necessary to achieve the purposes of use specified in this Privacy Policy.

3. The purpose of use of Personal Information by Sri Lanka CERT|CC is as set forth below. If Sri Lanka CERT|CC intends to collect Personal Information for any purpose other than those described below, it will inform the individual of such specific purpose(s) of use while collecting it and obtain his or her consent.
• Retained Personal Data involving an Incident Report: It shall be used for the purpose of operational communication such as confirming, proceeding and terminating the process relating to the Incident Report after receiving the Incident Report from an individual;
• Retained Personal Data as defined by the Law for Coordinating Communication of Vulnerability Information: It shall be used for coordinating operational communication in light of disclosure of vulnerability-related information to product developers or vulnerability information response organizations, and for publicizing such information;
• Retained Personal Data relating to Subscribers of Sri Lanka CERT|CC: It shall be used for managing the mailing list which is operated to distribute the Sri Lanka CERT|CC Vulnerability Report to the subscribing individuals;
• Retained Personal Data of Event Participants: It shall be used for communicating with event participants, providing the relevant information regarding the event, etc. or otherwise conducting surveys or analyzing data on participants;
• Retained Personal Data in General: It shall be made available to partners of Sri Lanka CERT|CC or third parties to the extent necessary for any purpose of use set forth above; or
• For other purposes of use if specified and notified on a case-by-case basis to the respective individual.

4. Sri Lanka CERT|CC will use Personal Information collected by it within the scope of the specified purpose of such collection, unless otherwise specifically stated. If Sri Lanka CERT|CC intends to use or provide to a third party, etc., Personal Information for any purpose other than prescribed above, Sri Lanka CERT|CC shall obtain the consent of the individual in advance.

5. Unless the description of the respective types of services provides that Personal Information may be provided to a third party, and excluding the cases enumerated below, Sri Lanka CERT|CC will not provide Personal Information to any third party without first obtaining consent of the individual:
• If required by laws, regulations or ordinances;
• If required to protect human life or bodily safety or property and where it is difficult to obtain consent of the individual;
• If required to cooperate with departments of national government or municipal governments or their delegated entities in the course of discharging their business prescribed under the laws, regulations or ordinances and where, if they were to be required to obtain consent of the individual, discharge of their business would be made difficult; and
• If convenient to outsource all or any part of processing or handling services of Personal Information, to the extent necessary to achieve the purpose of use stipulated in this Privacy Policy.

6. Sri Lanka CERT|CC will implement appropriate security and control measures to prevent loss, alteration or divulgence, etc. of Personal Information. In addition, it will provide training to all officers, staff members and employees who have access to Personal Information to enhance their awareness of the importance of protection of Personal Information, and appropriately supervise contractors, if it outsources the processing or handling of Personal Information.

7. With respect to Personal Information collected by Sri Lanka CERT|CC, if an individual wants to make an inquiry or request correction or deletion thereof, and if he/she submits his/her request to the specified contact (as specified below), Sri Lanka CERT|CC will respond to such request as expeditiously as reasonably possible, after confirming the identity of the individual.

8. If this Privacy Policy is amended, the amended document will be posted and made public on the website (http://www.cert.gov.lk/). The amended Privacy Policy will take effect after thirty (30) days from the posting on the website.

9. Sri Lanka CERT|CC waives responsibility for the processing or handling of Personal Information carried out at any website operated by an entity or person other than Sri Lanka CERT|CC even if links to those sites are provided on the Website of Sri Lanka CERT|CC.

10. Sri Lanka CERT|CC will act responsively, in an appropriate and prompt manner, with respect to the procedure prescribed in the Law for the disclosure, etc. of information of an individual when requested by the individual.

11. Sri Lanka CERT|CC will respond appropriately and promptly to any comments, requests or complaints, etc. with respect to the collection, use, processing or handling of Personal Information. Comments, requests or complaints, etc., with respect to the collection, use, processing, or handling of Personal Information or security and control measures of Personal Information by Sri Lanka CERT|CC should be directed by e-mail to slcert@cert.gov.lk. Sri Lanka CERT|CC will respond to such comments, requests and complaints, etc. after reviewing their content.