
DATA PROTECTION POLICY

  1. Introduction

    Coure Software and Systems Limited, as a data collector/controller, is committed to conducting its business in accordance with the Nigeria Data Protection Regulation (NDPR), the EU General Data Protection Regulation (GDPR), and other international instruments concerning the protection of personal data and the privacy of individuals, so as to ensure compliance with data protection requirements. Non-compliance may expose Coure Software and Systems Limited to complaints, regulatory action, fines and/or reputational damage.

  2. Purpose

    The purpose of this policy is to ensure that Coure Software and Systems Limited processes personal data in a way that is consistent with all data protection and privacy guidelines, to protect the “rights and freedoms” of individuals, and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent. The Coure Software and Systems Limited Data Protection Policy is also designed to inform all stakeholders of their obligation to protect the privacy and security of personal data when collecting, storing or using personal data needed to carry out our business, while complying with data protection regulations and standards.

  3. Rationale/Scope

    By this policy, Coure Software and Systems Limited sets forth how it shall process and manage personal data collected in the normal course of business. Any data provided is handled in a confidential manner to ensure that the content and services being offered are tailored to specific requests, needs and interests. The Coure Software and Systems Limited policy applies to all employees, contractors, vendors and third parties that are responsible for the processing of personal data on behalf of Coure Software and Systems Limited. This policy also applies to the processing, in whole or in part, of personal data by automated means (e.g. by laptop/computer) and non-automated means (e.g. paper records) that form, or are intended to form, part of the Coure Software and Systems Limited filing system.

  4. Definition of Terms

    Personal Data – A name, identification number, location data, and/or online identifier, including one or more specific factors such as physical, physiological, genetic, mental, economic, cultural or social identifiers relating to a natural person directly or indirectly.

    Data Subject – Any living individual or natural person from whom personal data is collected.

    Consent - Any specific, informed, and unambiguous indication of the data subject's wishes that is freely given by a statement or by a clear affirmative action, which signifies agreement to the processing of his/her personal data.

    Third Party – A natural or legal person, public authority, agency, vendor, contractor, or entity other than the data subject, who, under Coure Software and Systems Limited’s authority, is authorised to process personal data.

    Data Administrator – Any person or organisation that processes data.

    Data Controller - Any person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.

    Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Data Protection Impact Assessment – A tool and process for assessing the impact on data subjects of processing their personal data, and for identifying remedial actions as necessary in order to avoid or minimise such impact.

    Data Protection Officer – A Coure Software and Systems Limited staff member who supervises, monitors and reports on matters related to data protection and privacy in compliance with this Policy.

    Personal Data Breach – A breach of data security leading to the accidental or unlawful access to, destruction, loss, alteration or unauthorised disclosure of personal data that is being transferred, stored or otherwise processed.

  5. Policy Statement & Applicability

    The entire Management Board of Coure Software and Systems Limited, located at The Waterside, 5 Admiralty Road off Admiralty Way, Lekki Phase 1, Lagos, is committed to maintaining compliance with all relevant GDPR/NDPR and local laws with respect to the personal data collected, as well as to the protection of the “rights and freedoms” of data subjects. This GDPR/NDPR compliance policy is supported by other relevant policies such as the information security policy, along with related Coure Software and Systems Limited processes and procedures.

    The GDPR/NDPR and Coure Software and Systems Limited data protection policy applies to all personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data that Coure Software and Systems Limited processes from any source. This policy also applies to all Employees/Staff and third parties of Coure Software and Systems Limited.

    The Coure Software and Systems Limited Data Protection Officer, Modupe Aderibigbe, is responsible for reviewing and updating the register of processing activities annually in the light of any changes to Coure Software and Systems Limited operations and activities, and of any additional requirements identified by means of data protection impact assessments. This register must be made available at the supervisory authority’s request.

    Partners and any third parties working with or for Coure Software and Systems Limited, and who have or may have access to personal data, will be expected to have read, understood, and to comply with this policy. No third party may access personal data held by Coure Software and Systems Limited without having first entered into a data confidentiality agreement, which imposes on the third-party obligations no less onerous than those to which Coure Software and Systems Limited is committed, and which gives Coure Software and Systems Limited the right to audit compliance with the agreement.

    Any breach of the GDPR/NDPR will be dealt with under Coure Software and Systems Limited disciplinary procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

  6. Roles & Responsibilities

    Management, CEO, Supervisors:
    • develop and encourage good information handling practices within Coure Software and Systems Limited; specific responsibilities are set out in individual job descriptions.

    Data Protection Officer:
    • is accountable to the Coure Software and Systems Limited management board for the management of personal data within Coure Software and Systems Limited;
    • ensures that compliance with data protection legislation and good practice can be demonstrated;
    • is accountable for the development and implementation of the GDPR/NDPR requirements as set out in this policy;
    • is accountable for security and risk management in relation to compliance with this policy.

    Employees/Staff:
    • ensure that any personal data about them and supplied by them to Coure Software and Systems Limited is accurate and up-to-date.

    Under the GDPR/NDPR, Coure Software and Systems Limited is a [data controller and/or data processor]. Modupe Aderibigbe, whom the Management Board considers to be suitably qualified and experienced, has been appointed to take responsibility for Coure Software and Systems Limited compliance with this policy on a daily basis. In particular, Modupe Aderibigbe has direct responsibility for ensuring that Coure Software and Systems Limited complies with the GDPR/NDPR, as do Managers/Executive Directors in respect of data processing that takes place within their areas of responsibility.

    The Data Protection Officer has specific responsibilities in respect of procedures such as the Subject Access Request Procedure and is the first point of contact for Employees/Staff seeking clarification on any aspect of data protection compliance.

    Compliance with the Nigeria Data Protection Regulation is also the responsibility of all Employees/Staff of Coure Software and Systems Limited who use or process personal data. The Coure Software and Systems Limited Training Policy sets out specific training and awareness requirements in relation to specific roles and to Employees/Staff of Coure Software and Systems Limited generally.

  7. Data Protection Principles

    All personal data collection, processing, retention, transfer, disclosure and destruction are conducted in accordance with the GDPR/NDPR data protection principles. Coure Software and Systems Limited policies and procedures are also designed to ensure compliance with the following principles:

    • 7.1 Lawful, Fair, and Transparent Processing of Personal Data

      Processing of personal data may only be carried out on a legitimate basis and in a fair and transparent manner. In order to process the data of individuals lawfully, fairly and transparently, Coure Software and Systems Limited shall seek consent from data subjects as the primary condition for processing.

      Coure Software and Systems Limited processes personal data to ensure the safety and security of persons of concern or other individuals.

      Whether the data is obtained from the data subjects directly or indirectly, Coure Software and Systems Limited ensures that the required information is made available to the data subjects as soon as practicable, in accordance with the Coure Software and Systems Limited Transparency Requirement. Data subjects are also given an easily understandable and accessible privacy information notice, which includes other specific necessary information such as:

      1. the contact details of the Data Protection Officer;
      2. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
      3. the period for which the personal data will be stored;
      4. the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights;
      5. the categories of personal data concerned;
      6. the recipients or categories of recipients of the personal data, where applicable;
      7. where applicable, that the controller intends to transfer personal data to a recipient in a foreign country and the level of protection afforded to the data;
      8. any further information necessary to guarantee fair processing.

    • 7.2 Collection of Personal Data Only for Specific, Explicit, and Legitimate Purposes

      Data is obtained only for specified purposes, and will not be used for any purpose that differs from those formally notified to the data subject and the supervisory authority, as set out in the Coure Software and Systems Limited GDPR/NDPR register of processing and privacy procedure.

    • 7.3 Necessity & Data Minimization

      Personal data collected by Coure Software and Systems Limited shall be adequate, relevant and limited to what is necessary for processing. This means that the Coure Software and Systems Limited Data Protection Officer is responsible for ensuring that only information that is strictly necessary is obtained. All forms of data collection (electronic or paper-based), including data collection requirements in new information systems, will include a fair processing statement or a link to the privacy statement, and must be approved by the Data Protection Officer.

      The Data Protection Officer will ensure that all data collection methods are reviewed annually to ensure that collected data continues to be adequate, relevant and not excessive.

    • 7.4 Accurate, Easy Rectification, and Deletion

      Personal data shall be accurate and kept up to date. All personal data stored by Coure Software and Systems Limited must be reviewed and updated as necessary to ensure that it is accurate and up-to-date. No personal data shall be kept unless it is reasonable to assume that it is accurate, and the Data Protection Officer is responsible for ensuring that all Coure Software and Systems Limited staff are trained in the importance of collecting accurate personal data and maintaining it.

      The data subject must ensure that any data held by Coure Software and Systems Limited is accurate and up-to-date. Completion of electronic or hard-copy forms by a data subject will include a statement that the data contained therein is accurate at the date of submission.

      Employees/Staff, Customers/Clients and other data subjects are required to notify Coure Software and Systems Limited of any change in circumstances to enable personal records to be updated accordingly. It is the responsibility of Coure Software and Systems Limited to ensure that any notification regarding a change of circumstances is recorded and acted upon.

      The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.

      On at least an annual basis, the Data Protection Officer reviews the retention dates of all the personal data processed by Coure Software and Systems Limited and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of Storage Media Procedure.

      The Data Protection Officer is responsible for responding to requests for rectification from data subjects within one month (Subject Access Request Procedure). This can be extended by a further two months for complex requests. If Coure Software and Systems Limited decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain its reasons and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.

      The Data Protection Officer is responsible for making appropriate arrangements so that, where third-party organisations may have been passed inaccurate or out-of-date personal data, they are informed that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data on to the third party where this is required.

    • 7.5 Storage Limitation

      Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing. Where personal data is to be retained beyond the processing date, it will be [minimised/encrypted/pseudonymised] in order to protect the identity of the data subject in the event of a data breach.

      Personal data will be retained in line with the Retention of Records Procedure. Once this retention date is passed, it must be securely destroyed as set out in this procedure.

      The Data Protection Officer must, in written form, specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation.

    • 7.6 Integrity and Confidentiality

      Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised and unlawful processing and against accidental loss, destruction or damage. Coure Software and Systems Limited must use appropriate technical and organisational measures to ensure that the integrity and confidentiality of personal data is maintained at all times.

      In determining appropriateness, the Data Protection Officer should also consider the extent of possible damage or loss that might be caused to individuals (staff/customers) if a security breach occurs, the effect of any security breach on Coure Software and Systems Limited itself, and any likely reputational damage including the possible loss of customer trust.

      When assessing appropriate technical measures, the Data Protection Officer will consider the following:

      1. Password protection;
      2. Automatic locking of idle terminals;
      3. Removal of access rights for USB and other memory media;
      4. Virus checking software and firewalls;
      5. Role-based access rights including those assigned to temporary staff;
      6. Encryption of devices that leave the organisation’s premises, such as laptops;
      7. Security of local and wide area networks;
      8. Privacy enhancing technologies such as pseudonymisation and anonymisation;
      9. Identifying appropriate international security standards relevant to Coure Software and Systems Limited.

      When assessing appropriate organisational measures, the Data Protection Officer will consider the following:

      1. The appropriate training levels throughout Coure Software and Systems Limited;
      2. Measures that consider the reliability of employees (such as references etc.);
      3. The inclusion of data protection in employment contracts;
      4. Identification of disciplinary action measures for data breaches;
      5. Monitoring of staff for compliance with relevant security standards;
      6. Physical access controls to electronic and paper-based records;
      7. Adoption of a clear desk policy;
      8. Storing of paper-based data in lockable fire-proof cabinets;
      9. Restricting the use of portable electronic devices outside of the workplace;
      10. Restricting the use of employees’ own personal devices in the workplace;
      11. Adopting clear rules about passwords;
      12. Making regular backups of personal data and storing the media off-site;
      13. The imposition of contractual obligations on the organisation to take appropriate security measures when transferring data to foreign countries.

    • 7.7 Accountability

      Coure Software and Systems Limited must be able to explicitly demonstrate compliance with the accountability and governance requirements, as well as with all other GDPR/NDPR data protection principles, by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, and adopting techniques such as Data Protection by Design, Data Protection Impact Assessments (DPIAs), breach notification procedures and an incident response plan.

  8. Rights of the Data Subject

    With regard to data processing and recording, data subjects have the right to:

    1. be informed of the specific purpose for which the personal data will be processed, and whether the data will be transferred or disclosed to a third party;
    2. make subject access requests regarding the nature of the information held and to whom it has been disclosed;
    3. prevent processing likely to cause damage or distress;
    4. prevent processing for the purposes of direct marketing;
    5. be informed about the mechanics of any automated decision-making process that will significantly affect them;
    6. not have significant decisions that will affect them taken solely by an automated process;
    7. sue for compensation if they suffer damage through any contravention of the GDPR/NDPR;
    8. take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data;
    9. request the supervisory authority to assess whether any provision of the GDPR/NDPR has been contravened;
    10. have personal data provided to them in a structured, commonly used and machine-readable format, and have that data transmitted to another controller;
    11. object to any automated profiling that is occurring without consent.

    Coure Software and Systems Limited also ensures that:

    1. Data subjects may make data access requests as described in the Subject Access Request Procedure; this procedure also describes how Coure Software and Systems Limited will ensure that its response to a data access request complies with the requirements of the GDPR/NDPR.
    2. Data subjects have the right to complain to Coure Software and Systems Limited about the processing of their personal data and the handling of a request from a data subject, and to appeal against how complaints have been handled, in line with the Complaints Procedure.

  9. Consent

    Coure Software and Systems Limited understands ‘consent’ to mean an explicitly and freely given, specific, informed and unambiguous indication of the data subject’s wishes that, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.

    Coure Software and Systems Limited understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

    There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. Coure Software and Systems Limited must be able to demonstrate that consent was obtained for the processing operation.

    For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

    In most instances, consent to process personal and sensitive data is obtained routinely by Coure Software and Systems Limited using standard consent documents, e.g. when a new client signs a contract, or during induction for participants on programmes.

    Where Coure Software and Systems Limited provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 16 in the case of GDPR and 18 in the case of NDPR.

  10. Data Security

    For the security of personal data:

    • All Employees/Staff are responsible for ensuring that any personal data that Coure Software and Systems Limited holds and for which they are responsible is kept securely and is not, under any conditions, disclosed to any third party unless that third party has been specifically authorised by Coure Software and Systems Limited to receive that information and has entered into a confidentiality agreement.
    • All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data should be treated with the highest security and must be kept:
      1. in a lockable room with controlled access; and/or
      2. in a locked drawer or filing cabinet; and/or
      3. if computerised, password protected in line with corporate requirements in the Access Control Policy; and/or
      4. stored on (removable) computer media which are encrypted in line with the Secure Disposal of Storage Media Procedure.

    Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of Coure Software and Systems Limited. All Employees/Staff are required to enter into an Acceptable Use Agreement, which details rules on screen time-outs, before they are given access to organisational information of any sort.

    Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.

    Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed as required by before disposal.

    Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.

  11. Data Disclosure

    Coure Software and Systems Limited must ensure that personal data is not disclosed to unauthorised third parties. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Coure Software and Systems Limited’s business processes.

    All requests to provide data for one of these reasons must be supported by appropriate paperwork, and all such disclosures must be specifically authorised by the Data Protection Officer.

  12. Data Retention and Disposal

    Coure Software and Systems Limited complies with the GDPR/NDPR and other relevant local laws, standards and guidelines regulating the retention and destruction of personal data, documents and information. As such, Coure Software and Systems Limited shall not keep personal data in a form that can identify data subjects for longer than is necessary in relation to the purpose(s) for which the data was originally collected.

    The retention period for each category of personal data is set out in the Retention of Records Schedule, along with the criteria used to determine this period, including any statutory obligations Coure Software and Systems Limited has to retain the data.

    Personal data must be disposed of securely in accordance with the principle of the GDPR/NDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Any disposal of data will be done in accordance with the Secure Disposal Procedure.

  13. Data Transfer

    Where it is intended that personal data will be transferred to a foreign country or international organisation, an affirmation from the Attorney General of the Federation that the data protection levels in the foreign country or international organisation are adequate, in accordance with the provisions of the GDPR/NDPR regulations, must be obtained.

    Coure Software and Systems Limited will adopt approved Model Contract Clauses (MCCs) for the transfer of data to foreign countries.

    In the absence of an adequacy decision or Model Contract Clauses, a transfer of personal data to a foreign country or international organisation shall only take place under one of the following conditions:

    1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    2. the transfer is necessary for the performance of a contract between the data subject and Coure Software and Systems Limited or the implementation of pre-contractual measures taken at the data subject's request;
    3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    4. the transfer is necessary for important reasons of public interest;
    5. the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
    6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.