Data Protection Policy

Our commitment to safeguarding your personal data

Last Updated: February 2026

1. Our Commitment to Data Protection

The National Healthcare Supply Chain Council ("NHSCC") is committed to protecting the personal data of all individuals who use the NHSCC Learning Management System at lms.nhscc.in ("Platform"). As an organization operating in the healthcare education sector, we recognize the sensitive nature of the data we process and uphold the highest standards of data protection.

This Data Protection Policy outlines the principles, measures, and procedures we follow to ensure the security, confidentiality, and integrity of personal data processed through the Platform.

2. Data Protection Principles

NHSCC adheres to the following core data protection principles in all data processing activities:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner. We clearly inform individuals about how their data is used.
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes.
  • Data Minimization: We collect only the personal data that is necessary and relevant for the purposes for which it is processed.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date, and we enable users to correct inaccuracies.
  • Storage Limitation: Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, subject to legal and regulatory requirements.
  • Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability: NHSCC takes responsibility for compliance with data protection principles and is able to demonstrate compliance.

3. Data We Process

3.1 Learner Data

  • Registration details: name, email, phone, organization, job title
  • Learning data: course enrollments, progress, assessment scores, completion records, certificates
  • Activity data: login times, session duration, content interactions

3.2 Instructor Data

  • Profile information: name, qualifications, expertise areas, biography
  • Course creation data: content uploads, assessment creation, student feedback

3.3 Organization Data

  • Corporate account details: organization name, contact persons, billing address
  • Enrollment management: employee enrollment records, progress reports, compliance tracking

3.4 Payment Data

  • Transaction records: order IDs, amounts, dates, payment status
  • Payment instrument data is processed exclusively by PCI-DSS compliant payment processors and is never stored on NHSCC servers

4. Security Measures

NHSCC implements comprehensive technical and organizational security measures to protect personal data:

4.1 Technical Measures

  • Encryption in Transit: All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
  • Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access specific categories of data.
  • Authentication: Multi-factor authentication is available for all accounts. Passwords are hashed using bcrypt.
  • Firewall & Intrusion Detection: Network firewalls, intrusion detection systems, and DDoS protection are deployed.
  • Regular Patching: Server software, frameworks, and dependencies are regularly updated to address security vulnerabilities.

4.2 Organizational Measures

  • Data protection training for all employees and contractors who handle personal data.
  • Strict access policies limiting data access to personnel with a legitimate business need.
  • Regular internal and external security audits.
  • Documented incident response procedures.

5. Data Breach Notification

In the event of a personal data breach, NHSCC follows a structured response protocol:

  • Detection & Containment: Immediately identify and contain the breach to prevent further unauthorized access.
  • Assessment: Evaluate the nature, scope, and potential impact of the breach on affected individuals.
  • Notification: If the breach is likely to result in a risk to the rights and freedoms of affected individuals, we will notify them without undue delay and within 72 hours of becoming aware of the breach.
  • Regulatory Reporting: Report the breach to relevant authorities, including the Data Protection Board of India (under DPDP Act, 2023), as required by law.
  • Remediation: Implement corrective actions to prevent similar breaches in the future and document lessons learned.

6. Data Protection Officer

NHSCC has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and compliance. The DPO can be contacted for any data protection-related inquiries, concerns, or requests:

Email: lms@nhscc.in (Subject: "Data Protection Inquiry")

The DPO is responsible for monitoring compliance, conducting data protection impact assessments, training staff, and serving as the point of contact for regulatory authorities.

7. Employee & Contractor Obligations

All NHSCC employees, contractors, and third-party service providers who have access to personal data are required to:

  • Sign non-disclosure agreements (NDAs) and data protection agreements before accessing any personal data.
  • Complete mandatory data protection and information security training upon onboarding and annually thereafter.
  • Follow the principle of least privilege, accessing only the data necessary for their specific role.
  • Report any suspected data breaches or security incidents immediately to the Data Protection Officer.
  • Comply with all applicable data protection laws and NHSCC internal policies.

8. Third-Party Data Processing

When NHSCC engages third-party service providers to process personal data on our behalf, we ensure:

  • Data Processing Agreements (DPAs) are in place that define the scope, nature, and purpose of data processing.
  • Third parties implement adequate technical and organizational security measures.
  • Regular audits and assessments of third-party data handling practices are conducted.
  • Third parties process data only in accordance with NHSCC's documented instructions.
  • Sub-processors are engaged only with prior written authorization from NHSCC.

9. Cross-Border Data Transfers

NHSCC primarily stores and processes personal data on servers located within India. In cases where data may be transferred to or processed in jurisdictions outside India (for example, through international cloud service providers), we ensure:

  • Adequate safeguards are implemented, including standard contractual clauses and data protection agreements.
  • The receiving entity provides a comparable level of data protection.
  • Transfers comply with the provisions of the Digital Personal Data Protection Act, 2023 and any relevant notifications issued by the Government of India.

10. Your Data Protection Rights

As a user of the NHSCC LMS Platform, you have the following data protection rights:

  • Right to Access: Request information about the personal data we hold about you and obtain a copy.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent: Withdraw your consent for data processing at any time.
  • Right to Grievance Redressal: Lodge a complaint with the Data Protection Board of India if you believe your data protection rights have been violated.

To exercise any of these rights, please contact us at lms@nhscc.in. We will respond to your request within 30 days.

11. Compliance Framework

NHSCC's data protection practices are designed to comply with:

  • Digital Personal Data Protection Act, 2023 (DPDP Act): India's comprehensive data protection legislation governing the processing of digital personal data.
  • Information Technology Act, 2000: Including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • ISO 27001: We align our information security management practices with ISO 27001 standards.
  • PCI-DSS: Payment data processing complies with the Payment Card Industry Data Security Standard through our payment processor partners.

12. Changes to This Policy

NHSCC reserves the right to update this Data Protection Policy at any time. Material changes will be communicated through the Platform and, where appropriate, via email to registered users. The updated policy will be effective from the date of posting. Continued use of the Platform after any changes constitutes acceptance of the revised policy.

Contact Us

For data protection inquiries or to exercise your rights, contact:

NHSCC LMS — Data Protection Officer
Email: lms@nhscc.in
Website: nhscc.in