Castlight Health’s Approach to Privacy

June 2021

Introduction

Castlight Health, Inc. (herein referred to as “Castlight” or “the Company”) is on a mission to make it as easy as humanly possible for individuals to navigate the healthcare system and live happier, healthier, more productive lives.

Our health navigation platform connects hundreds of health vendors, benefits resources, and plan designs into one comprehensive health and wellbeing experience.

Castlight transforms employee benefits into a deeply personalized, simple, and guided experience, empowering better-informed patient decisions to unlock better healthcare outcomes and maximizing return on healthcare investments.

Castlight delivers this offering to registered customers through our website and mobile application downloadable from the App Store and Google Play Store.

This guide is designed to provide interested parties with an understanding of our approach to privacy highlighting the practices, activities, and commitments we maintain to safeguard your data, provide users with choices regarding data privacy, and maintain visibility and transparency.

Castlight’s Data Classification (Privacy)

Castlight Health, Inc. (herein referred to as “Castlight” or “the Company”’) has established a framework for classifying and handling data received or created by Castlight (“Castlight Data”). The purpose of this document is to create standard data classification definitions that can be applied to Castlight Data.  Castlight employees and contractors are required to familiarize themselves with the definitions and classifications as established in the following framework.   

Castlight Data is classified in terms of the four main categories as designated by the General Data Protection Regulation (“GDPR”). These categories are an extension of the main categories and specifically aligned to the criticality of Castlight’s organization.  Castlight Data classification also aligns with the information security objectives of confidentiality, integrity, and availability. Categories of data that are not addressed below should be considered Restricted/Confidential until the CISO, or a CISO designee, creates a designation.

Public Data

Castlight classifies Public Data as information that is authorized for distribution to a public audience. 

Such data may be broadly distributed without impact to the Castlight, its employees, and stakeholders and is considered desirable or non-objectionable. 

Nonpublic Data

Castlight classifies Internal Data as proprietary company information related to the Company’s internal operations that is not public. Internal Data also includes company confidential information related to the management of secure communication and transmission of protected data. 

Unauthorized disclosure of Internal Data, particularly outside of the Castlight, is likely to cause damage to the organization, its employees, stakeholders, or customers.

Secret Data

Data which constitutes proprietary information belonging to the company or other company confidential information related to the management of secure communication and transmission of protected data. 

Restricted/Confidential Data 

Castlight classifies Restricted/Confidential data as non-public personal information. Restricted/Confidential Data is information received from our customers or end users and processed by Castlight to provide our services.  

Restricted/Confidential Data is information that if lost, compromised, or disclosed, could result in substantial harm to the Company, its stakeholders, customers or end users. As such, Castlight strictly restricts access to this classification of data to authorized company personnel based on their job responsibility. This classification of data is separated into subclassifications as detailed below.

Personal Information

Personal Information (PI) is general non-public personal information. This type of data includes an individual’s name, address, phone number or email address. PI also encompasses Sensitive Personal Information (SPI) which includes health plan eligibility, social security numbers (SSN), certain biometric data and user Protected Health Information (PHI) which is further defined below. 

Personally, Identifiable Information 

Personally, Identifiable Information (PII) is user information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Protected Health Information 

Protected Health Information (PHI) is information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Non-personal Information 

Any information where data elements are used to identify the individual have been removed. Similar terms include de-identified, anonymized, or pseudonymized data. This data is not covered by the GDPR. 

Please reach out to Castlight’s Privacy Team for further details and expanded definitions at [email protected]

Castlight’s Privacy Culture

Castlight believes everyone plays a critical role in privacy stewardship. As such, we spearhead a deeply collaborative environment for privacy to be a focal point of employees’ interactions with user’s data. We advocate, promote, enforce, and refine the company’s protection of our customers and employee’s data privacy.

Privacy Training

Castlight employees and contractors undergo mandatory privacy training as part of the onboarding process and receive continuous training throughout their Castlight career. During orientation, new employees agree to our Employee Handbook, which highlights our commitment to uphold certain privacy-related standards and keep data secure. The privacy training, which is renewed on a regular basis, includes topics like HIPAA, CCPA, and GDPR, additional training around application security is also provided.

Access to Castlight internal systems is revoked for employees and contractors who are non-compliant with our privacy training requirements.

Our Dedicated Team

Castlight employs privacy, compliance, legal, and security professionals who are tasked with implementing, maintaining, and enforcing privacy-related policies.

The focus areas of Castlight’s dedicated Privacy Team include: 

  • standardizing the privacy framework based on Fair Information Privacy Practices, 
  • establishing a standard legal framework that aligns with regulations that most closely impact the Castlight business (HIPAA, GDPR, CCPA, Canadian PIPEDA), 
  • performing Data Impact Assessments to map Castlight data and perform risk analysis, 
  • creating comprehensive and repeatable metrics to ensure benchmarks are protectively met or exceeded, and;
  • implementing Privacy by Design Principles to strike the balance between technological innovation and compliance. 

The Privacy Team also engages in company-wide outreach and communication to cultivate our privacy-forward culture and leave a sustainable footprint across our organization.

Castlight’s compliance and privacy professionals work alongside the Security Team to further safeguard your data. The Compliance Team is responsible for maintaining compliance with regulations, in addition to determining key systems, processes and related controls (including controls that directly implicate privacy) supporting independent audits and assessments. Our Privacy Team is responsible for setting standards for privacy best practices, continuously reviewing changes to regulations and standards, and assessing the privacy practices of third-party vendors to ensure Castlight adheres to strong privacy standards.

Awareness within the Organization

Castlight is actively working to promote a culture of privacy-forward thinking by ensuring that members of our organization are equipped with the appropriate knowledge and resources. In addition to our formal training for all personnel, the Privacy Team works to continuously promote awareness within the organization.

The Privacy Team provides the company with important privacy news updates on a range of topics and relevant resources on a regular basis.

Privacy by Design Model 

Castlight’s products are designed and operated with privacy in mind.

To deliver our service with privacy embedded in our product, we incorporate Privacy by Design Principles into the development of our product. These principles include, utilizing privacy as a default, taking a proactive approach, incorporating end to end security, and fostering user choice and transparency.

The Privacy by Design framework is adopted by regulatory bodies and organizations across the globe.

Castlight’s Responsibility

Castlight aims to ensure the confidentiality, integrity, and availability of information throughout the entire data life cycle. Information security and privacy is inclusive of concepts of accountability and assurance. Castlight is an accountable entity that traces ownership for information security practices back to individuals responsible for such practices across our organization. Castlight provides assurance by ensuring data life cycle objectives are successfully met.

Your Rights

Castlight aims to ensure the confidentiality, integrity, and availability of information throughout the entire data life cycle. Information security and privacy is inclusive of concepts of accountability and assurance. Castlight promotes user choices and access to their personal information by upholding certain data subject access request rights. These rights include rectification, erasure, and access. For more details on user rights, please refer to the individual rights section of this whitepaper and/or  Castlight’s privacy statement.

Privacy Principles and Action Areas

We treat user data and decisions around its treatment with the same standard of care as we would our own company data. The following principles and values are upheld to the highest degree of conformity: 

  • Visibility and Transparency
    • Our work and our interactions are visible and transparent we provide teams and stakeholders with updates, details, and status of our work to establish trust and accountability.
  • Rights of Individuals
    • Castlight upholds individual data subject rights including: notice, choice and consent, and data subject access.
  • Controls on Information
    • Castlight values and upholds information security and information quality.
  • Information Lifecycle
    • Castlight’s practices are aligned to the information Lifecycle. We uphold principles of Collection, use and retention, and disclosure.
  • Management and Monitoring 
    • Castlight manages and monitors its data through administration, monitoring, and enforcement. 
  • Documenting Risks and Decisions
    • Castlight allows all stakeholders to see and add to our understanding, we document the reasons for our decisions.
  • Realizing Lessons Learned 
    • Castlight understands that privacy events and incidents will occur. As such, we examine our shortcomings and improvement points with transparency and willingness to grow.  

We are constantly working to improve the privacy landscape and ensure a meaningful but complaint experience for all end users of our product. The following are areas in which we strive to constantly improve process, operations, and experiences: 

  • CCPA/ GDPR DSAR’s (Data Subject Access Requests)
    • Supporting individual data rights by operationally improving processes related to DSAR’s.
  • Privacy by Design
    • Embedding privacy into product, projects, and services.
  • Training and Awareness
    • Implementing both training and awareness as part of the entire organization’s culture as it relates to privacy, to create a foundational understanding of the importance of privacy across all organizational teams.
  • Incident Response
    • Creating and implementing a clear response plans to address possible privacy and security incidents a by planning, understanding how breaches may occur, preparing and training, involving stakeholders (especially Legal and Security), defining roles and responsibilities during an incident, reviewing insurance coverage, aligning incident response obligations with vendors, streamlining communications to necessary parties, incorporating the plan into the organization’s business continuity plan, and creating post-breach “lessons learned” evaluation plans.

Secure Personnel Practices

Before Hiring

Castlight conducts a background investigation of all employees and contractors prior to employment. Castlight outsources our background checks to a service provider, which uses Fraud and Control Information System (FACIS) search.

Upon Hiring

Castlight employees and contractors undergo HIPAA, privacy, and security training as part of the onboarding process. During onboarding, new employees and contractors agree to our Castlight Health Employee Handbook, which highlights our commitment to keep customer information secure.

While Working at Castlight

Castlight staff (employees and contractors) use unique, dedicated credentials to access Castlight systems. These staff accounts are managed through an identity and access management system.

Data Life Cycle

Data Lifecycle Management at Castlight is a policy-based IT and information security systems strategy modeled after the data storage industry to address enterprise data mobility and storage issues that may arise based on the value of the data. 

Castlight’s Privacy Team promotes enterprise data growth by implementing effective methods to manage unstructured and structured data throughout its entire lifecycle. We actively work to combat limitations in relational data base management system performance, information access and security concerns, and lack of effective methods for classifying data. We seek to actively increase control over data by implementing regulatory compliance and thereby minimizing business risk, reducing costs, and eliminating redundancies in data storage.

Privacy Policies, Laws and Regulations

Castlight maintains a comprehensive privacy program to ensure the proper use and protection of personal information, preserve privacy fundamentals, and allow for meaningful choices in the way customer data is collected and used. We work to earn our customer’s trust by fostering privacy principles and best practices related to data protection.

Laws & Regulations

Castlight is compliant with regulatory requirements such as California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR).

The Privacy Team establishes privacy and data protection policies to standardize definitions for privacy and data, create minimum uniform safeguards for business activities and create processes for third parties that Castlight shares data with.

Individual Rights

Castlight has established and implemented processes for executing individual rights pursuant to applicable laws, including CCPA and GDPR which make us a market differentiator in the privacy space. Castlight end users are able to exercise their individual privacy rights to know, access, and delete, by contacting our teams directly.

To comply with the CCPA and GDPR, Castlight has created its own Rights Request Procedure. The objective of this Rights Request Procedure is to ensure that the Support Services team handles Rights Requests as described in our (user) Privacy Statement and in alignment with the CCPA and GDPR, including the deletion and access requests described in the CCPA and EEA section of the Privacy Statement. 

The Privacy Team works in conjunction with Castlight’s Support Team to actively respond to all individual rights to access to ensure complete and efficient responses. After an access request, Castlight will provide the user with data collected by Castlight based on individual activity on the Castlight platform. 

After a deletion request, Castlight will delete and remove all unique identifiers related to an individual user and disassociate all user data and activity contained within Castlight’s platform.

While these CCPA and GDPR “rights” are only legally applicable to California and certain European Economic Area residents respectively, Castlight has traditionally provided, and will continue to provide the deletion right (aka “right to be forgotten”) to all users, regardless of their state of residence.

Castlight also has made efficiency a priority for these requests, as the team has committed to responding to the initial request within 10 days, as well as send the complete response to the user within 45 days for most requests and 30 days for requests specifically related to GDPR.

Privacy Shield

The Privacy Shield Framework provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data in support of transatlantic commerce. While the future of Privacy Shield is unsure, the evaluation serves as a useful tool to measure maturity and support basic privacy principles.

For more information, please refer to Castlight Status.

Privacy Policy and Statement

Our Privacy Policy and Privacy Statement is regularly updated and available on our website.

Privacy and Compliance

Castlight maintains a robust compliance program built upon industry-standard certifications. We understand that privacy requirements are top priority for our customers, and as such, we work to ensure our services comply with recognized certifications and regulations to address privacy risk.

Privacy Audits and Assessments 

Castlight regularly undergoes independent verification of our security, compliance and privacy controls. While not a comprehensive list, the following certifications provide a robust view of our routine evaluation by independent external parties.

SOC 2 Type II

Annual attestation of Trust Service Criteria of Security, Availability and Confidentiality. Interested parties can request a copy of most recent report.

External Penetration Testing

An annual review that our applications are adequately protected from unauthorized access and are free of common security defects, such as those in the OWASP Top 10 and CWE/NIST Top 25 Most Dangerous Software Errors. Interested parties can request a copy of the most recent report.

Conclusion

Your privacy is important to Castlight and an integral part of the development and personnel operations. We hope this guide has provided a high-level understanding of our commitment to curating a robust privacy program and experience. For further documentation and requests, please reach out to your account representative or contact the privacy team