1. Introduction
Welcome to the Data Protection Policy of NINCard. This document serves as a guide to how we handle and safeguard user data on our platform. Our commitment to data protection is paramount, and we have implemented stringent measures to ensure the confidentiality and security of your information.
1.1 Overview of Data Protection Policy
This Data Protection Policy outlines the principles, procedures, and responsibilities governing the collection, processing, and protection of user data on our platform. It provides a comprehensive framework to ensure compliance with data protection laws and regulations in Nigeria.
1.2 Purpose and Scope
The purpose of this policy is to establish a structured approach to data protection, safeguarding user privacy, and ensuring the lawful processing of personal information. It applies to all aspects of data handling within our platform, encompassing user interactions, data processing activities, and security measures.
1.2.1. Reference to Terms and Policy
In addition to this Data Protection Policy, we have established two other key legal documents that govern the use of our platform:
- Privacy Policy: This document outlines how we handle and protect user data on our platform. It provides important information regarding the types of information we collect, how it is used, and the measures we have in place to protect your data.
- Terms of Service: These terms outline the rules and regulations for using our platform. It covers user responsibilities, prohibited activities, and the terms under which our services are provided.
We encourage you to review these documents to gain a comprehensive understanding of our practices and policies.
1.3 Legal Framework and Regulatory References
This section references key organizations and regulations that guide our data protection practices:
- 1.3.1 DPCO - Data Protection Compliance Organisation: An organisation licensed by NITDA to audit and verify data controllers' compliance with Nigerian data protection regulations, supporting our adherence to best practices.
- 1.3.2 DPIA - Data Protection Impact Assessment: This process evaluates the potential impact of data processing activities on user privacy and ensures necessary safeguards are in place before processing begins.
- 1.3.3 DPO - Data Protection Officer: The designated individual responsible for overseeing data protection matters and ensuring compliance with relevant laws and regulations.
- 1.3.4 GDPR - General Data Protection Regulation: A comprehensive EU regulation widely used as a reference standard for data protection, which informs our approach to data handling.
- 1.3.5 NITDA - National Information Technology Development Agency: The Nigerian regulatory body that issues guidelines and frameworks for data protection, guiding our compliance efforts.
- 1.3.6 NDPR - Nigeria Data Protection Regulation: The local regulation, issued by NITDA, that sets out the requirements and standards for data protection in Nigeria, guiding our policies and practices.
2. Principles of Data Protection
2.1 Transparency and Openness: Transparency is a fundamental principle of our data protection approach. We are committed to providing clear and accessible information about how we collect, use, and process personal data. This ensures that individuals are fully informed about the handling of their information, empowering them to make informed decisions.
2.2 Lawfulness, Fairness, and Purpose Limitation: All data processing activities carried out by us are grounded in lawful and fair practices. We strictly adhere to the legal framework and regulatory requirements governing data protection. Data is collected and processed for specific, legitimate purposes, ensuring that it is not used in a manner inconsistent with these purposes.
3. Roles and Responsibilities
3.1 Data Protection Officer (DPO): Our Data Protection Officer (DPO) plays a crucial role in ensuring compliance with data protection laws and regulations. The DPO is responsible for overseeing data protection matters, providing guidance, and acting as a point of contact for data subjects and regulatory authorities.
3.2 Data Controllers and Processors: As data controllers, we are responsible for determining the purposes and means of processing personal data. Data processors, on the other hand, act on our behalf and are bound by contractual obligations to process data only as instructed by us.
3.3 Employees' Roles: All employees, REPs and Operators are integral to our data protection efforts. They are responsible for handling personal data in accordance with our policies and procedures. Regular training and awareness programs are conducted to ensure that they understand their responsibilities and the importance of data protection.
4. Data Collection and Processing
4.1 Lawful Basis for Processing: All data processing activities carried out by us are founded on a lawful basis as defined by applicable data protection laws. These may include the necessity of processing for the performance of a contract, compliance with legal obligations, protection of vital interests, consent, and legitimate interests pursued by us or a third party.
4.2 Data Subjects' Rights: We acknowledge and respect the rights of data subjects as outlined in relevant data protection regulations. These rights may include the right to access, rectify, erase, restrict processing, object to processing, and data portability. Data subjects can exercise these rights by contacting our Data Protection Officer.
4.3 Consent and Withdrawal: Where applicable, we seek explicit consent from data subjects before processing their personal data. Consent is obtained for specific purposes and is kept separate from other terms and conditions. Data subjects have the right to withdraw their consent at any time, and such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
5. Security Measures
5.1 Technical and Organizational Measures: We employ a combination of technical and organizational measures to ensure the security and integrity of personal data. These measures are designed to protect against unauthorized access, alteration, disclosure, or destruction of data. They include regular security assessments, encryption protocols, access controls, and employee training.
5.2 Access Controls: Access to personal data is strictly controlled and limited to authorized individuals who require such access for the fulfillment of their roles. Access rights are assigned based on job responsibilities, and access permissions are reviewed regularly to prevent unauthorized access.
5.3 Encryption and Anonymization: Sensitive data is subject to encryption both in transit and at rest, utilizing industry-standard encryption protocols. Additionally, anonymization techniques are employed where appropriate to further protect the identity of data subjects.
6. Data Breach Response and Notification
6.1 Reporting and Escalation Procedure: In the event of a data breach, we have established a comprehensive reporting and escalation procedure. This includes immediate notification to the Data Protection Officer (DPO), who will lead the incident response team in conducting an assessment and taking necessary actions to contain and mitigate the breach.
6.2 Notifying Data Subjects and Authorities: If a data breach is likely to result in a high risk to the rights and freedoms of individuals, affected data subjects and relevant regulatory authorities will be promptly notified. The notification will include details of the breach, the potential impact, and the measures taken to address it.
7. Data Retention and Disposal
7.1 Retention Periods: We retain personal data for only as long as necessary to fulfill the purposes outlined in this Data Protection Policy. The specific retention periods may vary based on the type of data and legal requirements. Once data is no longer required, it is securely disposed of using approved methods.
7.2 Disposal Procedures: Data disposal procedures are implemented to ensure the secure and irreversible removal of personal data. These procedures include the use of shredding, electronic wiping, or other approved methods to prevent unauthorized access or retrieval.
8. Third-Party Data Processors
8.1 Due Diligence on Processors: Before engaging any third-party data processors, we conduct thorough due diligence to ensure they meet the required standards of data protection and security. This includes assessing their technical and organizational measures, compliance with relevant regulations, and their ability to provide adequate safeguards for personal data.
8.2 Contracts and Agreements: Contracts and agreements with third-party data processors include specific provisions addressing data protection obligations. These agreements outline the processor's responsibilities, including confidentiality, security measures, and compliance with applicable data protection laws. They also stipulate that the processor may only process data in accordance with our instructions.
9. Training and Awareness
9.1 Employee Training: All employees, REPs and Operators undergo comprehensive training on data protection principles, best practices, and their specific responsibilities in safeguarding personal data. This training is conducted regularly to ensure that they remain informed and updated on data protection requirements.
9.2 Data Protection Awareness Programs: We implement ongoing awareness programs to foster a culture of data protection among employees. These programs include regular communication, workshops, and awareness campaigns to reinforce the importance of data protection and compliance with policies and regulations.
10. Audit and Compliance
10.1 Internal Audits: We conduct regular internal audits to assess and evaluate compliance with this Data Protection Policy and relevant data protection laws and regulations. These audits are conducted by trained personnel independent from the processes being audited.
10.2 Regulatory Compliance: We are committed to full compliance with all applicable data protection laws and regulations in Nigeria. Our policies, procedures, and practices are continuously reviewed to ensure alignment with the legal requirements.
10.3 Continuous Improvement: We are dedicated to the ongoing enhancement of our data protection practices. Feedback from audits, incidents, and changes in regulations is used to identify areas for improvement. This includes updating processes and training programs, and implementing new technologies or practices as necessary.
11. Policy Review and Updates
11.1 Review Frequency: This Data Protection Policy is reviewed annually to ensure its continued effectiveness and relevance in light of evolving business practices, technology, and regulatory requirements.
11.2 Policy Amendments: Amendments to this policy may be made as necessary to reflect changes in data protection laws, business operations, or technology. Any amendments will be approved by the DPO and communicated to relevant stakeholders.
11.3 Communication of Changes: Significant changes to this policy will be communicated to all relevant stakeholders by email and by company-wide announcement via [email protected]. It is the responsibility of all employees to familiarize themselves with any amendments to this policy.
12. Appendix: Glossary of Terms
Below are definitions of key terms used throughout this Data Protection Policy:
- Personal Information: Refers to any information that can be used to identify an individual, directly or indirectly.
- Data Subject: An identifiable individual about whom we collect and process personal information.
- Data Controller: The entity responsible for determining the purposes and means of processing personal data.
- Data Processor: An entity that processes personal data on behalf of the data controller.
- Consent: Voluntary, specific, informed, and unambiguous agreement by a data subject to the processing of their personal data.
- Data Minimization: The practice of limiting the collection of personal data to only what is directly relevant and necessary for a specific purpose.
- Encryption: The process of converting data into a code to prevent unauthorized access.
- Data Breach: A security incident in which sensitive, protected, or confidential data is accessed, disclosed, or exposed in an unauthorized manner.
- Data Protection Officer (DPO): The individual designated to oversee data protection matters and ensure compliance with relevant laws and regulations.
- Data Protection Impact Assessment (DPIA): A systematic process to identify and mitigate privacy risks in data processing activities, carried out before high-risk processing begins.
- Third-Party Processor: An external entity contracted to process personal data on behalf of the data controller.
- Information Security: The practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Regulatory Authority: A government agency or body responsible for enforcing data protection laws and regulations.
- Data Subject Rights: The legal rights that individuals have over their personal data, including the right to access, correct, and delete their information.
These definitions are provided for clarity and understanding. If you have any further questions about the meaning of specific terms, please do not hesitate to contact our Data Protection Officer.