Introduction
Coure Software and Systems Limited, as a data collector/controller, is committed to conducting its business in accordance with the Nigeria Data Protection Regulation (NDPR), the EU General Data Protection Regulation (GDPR), and other international instruments concerning the protection of personal data and the privacy of individuals. Non-compliance may expose Coure Software and Systems Limited to complaints, regulatory action, fines and/or reputational damage.
Purpose
The purpose of this policy is to ensure that Coure Software and Systems Limited processes personal data in a way that is consistent with all applicable data protection and privacy requirements, to protect the “rights and freedoms” of individuals, and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent. The Coure Software and Systems Limited Data Protection Policy is also designed to inform all stakeholders of their obligation to protect the privacy and security of personal data when collecting, storing and using the personal data needed to carry out our business, while complying with data protection regulations and standards.
Rationale/Scope
By this policy, Coure Software and Systems Limited sets forth how it shall process and manage personal data collected in the normal course of business. Any data provided is handled in a confidential manner, and is used only to ensure that the content and services being offered are tailored to specific requests, needs and interests. This policy applies to all employees, contractors, vendors and third parties that are responsible for processing personal data on behalf of Coure Software and Systems Limited. It also applies to the processing, in whole or in part, of personal data by automated means (e.g. by laptop/computer) and by non-automated means (e.g. paper records) that form part, or are intended to form part, of Coure Software and Systems Limited’s filing system.
Definition of Terms
Personal Data – Any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to a name, identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Subject – Any living individual or natural person from whom personal data is collected.
Consent - Any specific, informed, and unambiguous indication of the data subject's wishes that is freely given by a statement or by a clear affirmative action, which signifies agreement to the processing of his/her personal data.
Third Party – A natural or legal person, public authority, agency, vendor, contractor, or entity other than the data subject, who, under Coure Software and Systems Limited’s authority, is authorised to process personal data.
Data Administrator – Any person or organisation that processes personal data.
Data Controller - Any person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.
Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Impact Assessment - A tool and process for assessing the impact on data subjects of processing their personal data, and for identifying any remedial actions necessary to avoid or minimise such impact.
Data Protection Officer – A member of Coure Software and Systems Limited staff who supervises, monitors and reports on matters related to data protection and privacy in compliance with this Policy.
Personal Data Breach - A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data that is being transmitted, stored or otherwise processed.
Policy Statement & Applicability
The entire Management Board of Coure Software and Systems Limited, located at The Waterside, 5 Admiralty Road off Admiralty Way, Lekki Phase 1, Lagos, is committed to maintaining compliance with the GDPR/NDPR and all other relevant local laws with respect to the personal data it collects, and to protecting the “rights and freedoms” of data subjects. This GDPR/NDPR compliance policy is supported by other relevant policies, such as the Information Security Policy, and by related Coure Software and Systems Limited processes and procedures.
The GDPR/NDPR and Coure Software and Systems Limited data protection policy applies to all personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data that Coure Software and Systems Limited processes from any source. This policy also applies to all Employees/Staff and third parties of Coure Software and Systems Limited.
The Coure Software and Systems Limited Data Protection Officer, Modupe Aderibigbe, is responsible for reviewing and updating the register of processing activities annually in the light of any changes to Coure Software and Systems Limited’s operations and activities, and of any additional requirements identified by means of data protection impact assessments. This register must be made available to the supervisory authority on request.
Partners and any third parties working with or for Coure Software and Systems Limited, and who have or may have access to personal data, will be expected to have read, understood, and to comply with this policy. No third party may access personal data held by Coure Software and Systems Limited without having first entered into a data confidentiality agreement, which imposes on the third-party obligations no less onerous than those to which Coure Software and Systems Limited is committed, and which gives Coure Software and Systems Limited the right to audit compliance with the agreement.
Any breach of the GDPR/NDPR will be dealt with under Coure Software and Systems Limited disciplinary procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
Roles & Responsibilities
Roles | Responsibilities
Management, CEO, Supervisors |
Data Protection Officer |
Employees/Staff |
Under the GDPR/NDPR, Coure Software and Systems Limited is a [data controller and/or data processor].
Modupe Aderibigbe, whom the Management Board considers to be suitably qualified and experienced, has been appointed to take day-to-day responsibility for Coure Software and Systems Limited’s compliance with this policy.
In particular, Modupe Aderibigbe has direct responsibility for ensuring that Coure Software and Systems Limited complies with the GDPR/NDPR, as do Managers/Executive Directors in respect of data processing that takes place within their areas of responsibility.
The Data Protection Officer has specific responsibilities in respect of procedures such as the Subject Access Request Procedure and is the first point of contact for Employees/Staff seeking clarification on any aspect of data protection compliance.
Compliance with the Nigeria Data Protection Regulation is also the responsibility of all Employees/Staff of Coure Software and Systems Limited who use or process personal data.
The Coure Software and Systems Limited Training Policy sets out specific training and awareness requirements in relation to specific roles, and for Employees/Staff of Coure Software and Systems Limited generally.
Data Protection Principles
All personal data collection, processing, retention, transfer, disclosure and destruction is conducted in accordance with the GDPR/NDPR data protection principles. Coure Software and Systems Limited’s policies and procedures are also designed to ensure compliance with the following principles:
7.1 Lawful, Fair, and Transparent Processing of Personal Data
Processing of personal data may only be carried out on a legitimate basis and in a fair and transparent manner. In order to process the data of individuals lawfully, fairly and transparently, Coure Software and Systems Limited shall seek the consent of data subjects as the primary basis for processing.
Coure Software and Systems Limited processes personal data to ensure the safety and security of persons of concern and other individuals.
Whether the data is obtained from data subjects directly or indirectly, Coure Software and Systems Limited ensures that the required information is made available to data subjects as soon as practicable, in accordance with the Coure Software and Systems Limited Transparency Requirement. Data subjects are also given an easily understandable and accessible privacy information notice, including other necessary information such as:
7.2 Collection of Personal Data Only for Specific, Explicit, and Legitimate Purposes
Personal data is obtained only for specified purposes, and will not be used for any purpose that differs from those formally notified to the data subject and the supervisory authority, as set out in the Coure Software and Systems Limited GDPR/NDPR register of processing and privacy procedure.
7.3 Necessity & Data Minimization
Personal data collected by Coure Software and Systems Limited shall be adequate, relevant and limited to what is necessary for the purposes of processing. This means that the Coure Software and Systems Limited Data Protection Officer is responsible for ensuring that only information that is strictly necessary is obtained. All forms of data collection (electronic or paper-based), including data collection requirements in new information systems, will include a fair processing statement or a link to the privacy statement, and must be approved by the Data Protection Officer.
The Data Protection Officer will ensure that all data collection methods are reviewed annually to confirm that the data collected continues to be adequate, relevant and not excessive.
7.4 Accurate, Easy Rectification, and Deletion
Personal data shall be accurate and kept up to date. All personal data stored by Coure Software and Systems Limited must be reviewed and updated as necessary to ensure that it is accurate and current. No personal data shall be kept unless it is reasonable to assume that it is accurate, and the Data Protection Officer is responsible for ensuring that all Coure Software and Systems Limited staff are trained in the importance of collecting accurate personal data and maintaining its accuracy.
The data subject must ensure that any data held by Coure Software and Systems Limited is accurate and up-to-date. Completion of electronic or hard copy forms by a data subject will include a statement that the data contained therein is accurate at the date of submission.
Employees/Staff, customers, clients and other data subjects are required to notify Coure Software and Systems Limited of any change in circumstances so that personal records can be updated accordingly. It is the responsibility of Coure Software and Systems Limited to ensure that any notification of a change in circumstances is recorded and acted upon.
The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
On at least an annual basis, the Data Protection Officer reviews the retention dates of all the personal data processed by Coure Software and Systems Limited and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of Storage Media Procedure.
The Data Protection Officer is responsible for responding to requests for rectification from data subjects within one month (Subject Access Request Procedure). This can be extended to a further two months for complex requests. If Coure Software and Systems Limited decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain its reason and inform them of their right to complain to the supervisory authority and seek judicial remedy.
Where inaccurate or out-of-date personal data may have been passed to third-party organisations, the Data Protection Officer is responsible for making appropriate arrangements to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned, and for passing any correction to the personal data on to the third party where this is required.
7.5 Storage Limitation
Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing. Where personal data is to be retained beyond the processing date, it will be [minimised/encrypted/pseudonymised] in order to protect the identity of the data subject in the event of a data breach.
Personal data will be retained in line with the Retention of Records Procedure. Once this retention date is passed, it must be securely destroyed as set out in this procedure.
The Data Protection Officer must, in written form, specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation.
7.6 Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Coure Software and Systems Limited must use appropriate technical and organisational measures to ensure that the integrity and confidentiality of personal data is maintained at all times.
In determining what is appropriate, the Data Protection Officer should also consider the extent of the damage or loss that might be caused to individuals (staff/customers) if a security breach occurs, the effect of any security breach on Coure Software and Systems Limited itself, and any likely reputational damage, including the possible loss of customer trust.
When assessing appropriate technical measures, the Data Protection Officer will consider the following:
When assessing appropriate organisational measures, the Data Protection Officer will consider the following:
7.7 Accountability
Coure Software and Systems Limited must be able to explicitly demonstrate compliance with the accountability and governance requirements, as well as all other GDPR/NDPR data protection principles, by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, and adopting techniques such as data protection by design, Data Protection Impact Assessments (DPIAs), breach notification procedures and an incident response plan.
Rights of the Data Subject
In regards to data processing and recording, data subjects have the right to:
Coure Software and Systems Limited also ensures that:
Consent
Coure Software and Systems Limited understands ‘consent’ to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
Coure Software and Systems Limited understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. Coure Software and Systems Limited must be able to demonstrate that consent was obtained for the processing operation.
For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances, consent to process personal and sensitive data is obtained routinely by Coure Software and Systems Limited using standard consent documents e.g. when a new client signs a contract, or during induction for participants on programmes.
Where Coure Software and Systems Limited provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 16 in the case of GDPR and 18 in the case of NDPR.
Data Security
For the security of personal data:
Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of Coure Software and Systems Limited. All Employees/Staff are required to enter into an Acceptable Use Agreement before they are given access to organisational information of any sort, which details rules on screen time-outs.
Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.
Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process personal data off-site.
Data Disclosure
Coure Software and Systems Limited must ensure that personal data is not disclosed to unauthorised third parties. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Coure Software and Systems Limited’s business processes.
All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.
Data Retention and Disposal
Coure Software and Systems Limited complies with GDPR/NDPR and other relevant local laws, standards and guidelines regulating the retention and destruction of personal data, documents and information. As such, Coure Software and Systems Limited shall not keep personal data in a form that can identify data subjects for longer than is necessary, in relation to the purpose(s) for which the data was originally collected.
The retention period for each category of personal data is set out in the Retention of Records Schedule along with the criteria used to determine this period including any statutory obligations Coure Software and Systems Limited has to retain the data.
Personal data must be disposed of securely in accordance with the principle of the GDPR/NDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Any disposal of data will be done in accordance with the Secure Disposal Procedure.
Data Transfer
Where it is intended that personal data will be transferred to a foreign country or international organisation, an affirmation from the Attorney General of the Federation that the data protection levels in the foreign country or international organisation are adequate, in accordance with the provisions of the GDPR/NDPR, must be obtained.
Coure Software and Systems Limited will adopt approved Model Contract Clauses (MCCs) for the transfer of personal data to foreign countries.
In the absence of an adequacy decision or Model Contract Clauses, a transfer of personal data to a foreign country or international organisation shall only take place on one of the following conditions: