
Data Protection & Security

Our commitment to safeguarding member data and maintaining robust security practices across all NHSCC systems and operations.

Effective: January 1, 2024 · Last Updated: February 20, 2026

1. Commitment to Data Protection

The National Health Supply Chain Council (“NHSCC”) is committed to protecting the privacy and security of all personal data we collect, process, and store. As a not-for-profit healthcare supply chain organization serving India’s industry stakeholders, we recognize that trust is foundational to our mission.

NHSCC’s data protection commitment includes:

  • A pledge to handle member data, event participant information, and website visitor data with the highest standards of care and confidentiality.
  • Compliance with the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • Alignment with the Digital Personal Data Protection Act, 2023 (DPDPA) as it comes into effect and as applicable to our operations.
  • Regular review and update of our security policies, procedures, and technical controls to reflect evolving threats and regulatory requirements.

2. Data Classification

We classify data into categories to ensure appropriate handling and protection levels. Each category receives safeguards commensurate with its sensitivity and regulatory requirements.

  • Public Information: Website content, published reports, event announcements, and resources intended for general access. No special handling beyond normal content management.
  • Member Data: Registration details, profile information, contact data, and membership status. Protected with access controls, encryption, and confidentiality obligations.
  • Sensitive Data: Passwords (hashed), authentication tokens, payment-related information (if applicable), and any health or financial data volunteered by members. Subject to the strongest technical and procedural safeguards.
  • Internal Operations Data: Administrative logs, audit trails, internal communications, and strategic planning documents. Access restricted to authorized personnel on a need-to-know basis.

3. Technical Safeguards

NHSCC implements industry-standard technical measures to protect data integrity, confidentiality, and availability.

Encryption:

  • All data in transit is protected using TLS 1.2 or higher (HTTPS) for website traffic, APIs, and email communications.
  • Data at rest is encrypted using appropriate algorithms for databases and backup storage.

Authentication & Password Security:

  • Passwords are stored using bcrypt one-way hashing with appropriate cost factors. We never store or transmit plaintext passwords.
  • Multi-factor authentication (MFA) or OTP verification is used for sensitive operations where applicable.

Infrastructure Security:

  • Firewalls and network segmentation to restrict unauthorized access to internal systems.
  • Intrusion detection and monitoring to identify and respond to suspicious activity.
  • Regular security patching of operating systems, applications, and dependencies to address known vulnerabilities.
  • Restricted administrative access with audit logging for privileged actions.

4. Organizational Safeguards

Beyond technical controls, we maintain organizational practices that support data protection.

  • Access Controls: Role-based access ensures that only authorized staff can access member data and sensitive systems. Access is granted on a need-to-know basis and reviewed periodically.
  • Administrator Training: Personnel with access to personal data receive training on data protection principles, secure handling practices, and incident reporting procedures.
  • NDAs with Service Providers: Third-party service providers (hosting, email, analytics) that process data on our behalf sign non-disclosure agreements and data processing agreements that require appropriate security measures.
  • Incident Response Team: A designated incident response team is responsible for detecting, containing, and remediating security incidents and coordinating breach notification where required.
  • Policy Documentation: Data protection and security policies are documented, communicated to staff, and periodically reviewed and updated.

5. Data Processing Principles

NHSCC processes personal data in accordance with established data protection principles:

  • Lawfulness: Data is processed only where we have a lawful basis, namely consent, contractual necessity, legal obligation, or legitimate interest, as applicable under Indian law.
  • Purpose Limitation: Data is collected for specified, legitimate purposes and not used in ways incompatible with those purposes without additional consent or legal basis.
  • Data Minimization: We collect only the data necessary to achieve our stated purposes and avoid unnecessary or excessive data collection.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and up to date. Members can update their profiles and request corrections.
  • Storage Limitation: Data is retained only for as long as necessary to fulfill the purposes for which it was collected, subject to legal retention requirements.
  • Integrity and Confidentiality: We implement technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction.

6. Cross-Border Data Transfers

NHSCC is committed to keeping data within India wherever feasible, consistent with Indian data localization expectations and regulatory guidance.

  • Primary Storage in India: Member data, event registrations, and other personal data are primarily stored on servers located within India.
  • No International Transfers Without Consent: We do not transfer personal data outside India unless we have obtained your explicit consent or such transfer is necessary for a lawful purpose and permitted under applicable law.
  • Service Providers: Where we engage service providers that may process data outside India, we will disclose this in our privacy notice and seek consent where required by law.

7. Breach Notification

In the event of a data breach that affects personal data, NHSCC follows a structured response and notification process.

  • 72-Hour Notification to Authorities: Where required by applicable law (including the DPDPA and related regulations), we will notify the relevant data protection authority within 72 hours of becoming aware of a breach that poses a risk to individuals.
  • Member Notification for High-Risk Breaches: When a breach is likely to result in harm to members or other data subjects, we will notify affected individuals without undue delay, providing information about the nature of the breach and steps they can take to protect themselves.
  • Incident Documentation: All breaches and security incidents are documented, including the nature of the incident, affected data, remediation steps, and notifications made. Documentation is retained for regulatory and internal review purposes.
  • Continuous Improvement: Post-incident reviews are conducted to identify root causes and implement additional safeguards to prevent recurrence.

8. Contact

For questions, concerns, or requests related to data protection and security at NHSCC, please contact our Data Protection Office:

NHSCC Data Protection Office
National Health Supply Chain Council
Email: dpo@nhscc.in

We aim to respond to data protection inquiries within 15 business days. For urgent security-related matters, please include “URGENT: Data Security” in your subject line.