Data Protection Policy for Heroes & Heroines Multi-purpose Cooperative Society Limited (henceforth “the cooperative”)
1. Why the policy
This Data Protection Policy elucidates the basic principles of data protection, which are the bedrock of sustained business relationships, and projects the reputation of the cooperative as an attractive employer. It certifies the adequate level of data protection prescribed by the European Union General Data Protection Regulation (GDPR) and the Nigerian Data Protection Regulation (NDPR) 2019, earmarked for cross-border data transmission and countries not compliant with data protection laws.
It also indicates when, why and how personal data involving shareholders, investors and staff are to be collected, secured, used and stored.
2. Principles of data management
The cooperative is committed to processing data in accordance with its responsibilities under the Nigerian Data Protection Regulation.
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, not in conformity with the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods as long as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The cooperative will ensure that:
- Data must be recorded as accurately and completely as possible using the most informed source, considering the point of creation, and secured in electronic form.
- Data should only be collected for a specific and documented purpose which will be made available to those with a legitimate business need.
- Data capture, validation and processing should be automated wherever possible.
- Data should be recorded and managed over time in an auditable and traceable manner.
- Data must not be duplicated unless duplication is absolutely essential and has the approval of the relevant Data Steward. In such cases, one source must be clearly identified as the master, while copies will be kept intact. Copies must not be modified (i.e., ensuring that data in the source system is the same as that in other databases).
- Every data source must have a defined Custodian in a business leadership role who has overall responsibility for the accuracy, integrity and security of those data.
- Wherever possible, data must be simple to enter and clearly defined. They must also be in a usable form for both input and output.
- Processes that update a given data element must be standard across the information system.
- Personal data is stored securely using up-to-date modern software, access to personal data is limited to personnel who need it, and appropriate security should be in place to avoid unauthorized sharing of information. When personal data is deleted, this should be done safely such that the data is irrecoverable. Appropriate backup and disaster recovery solutions shall also be put in place.
- In the event of a data breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, an assessment of the risk to people’s rights and freedoms will be done and, where appropriate, the breach will be reported to the National Information Technology Development Agency (NITDA) via email@example.com.
NATURE OF DATA COLLECTED:
- Biodata, means of identification, utility bill for address verification, passport photographs, contact details, clearing house number. These will be used for service rendition, in compliance with regulatory requirements and will be kept as necessary.
- Biodata, academic qualifications, professional qualifications, passport photographs, referees/guarantor, account details, PFA and RSA details.
- CAC documents, tax identification number, account details, Service Level Agreement (SLA).
Should you require further clarifications or details, do not hesitate to address your questions, comments and requests regarding our data processing practices to our Data Protection Officer via firstname.lastname@example.org or the contact details listed below:
12. Our Contact:
3 Atabara Street