This policy establishes principles and procedures that ensure all personal and sensitive data is handled lawfully, transparently, and securely in compliance with applicable data protection laws.
Fekxir Limited is committed to protecting the rights and privacy of individuals whose personal data it collects, processes, or stores.
Fekxir Limited needs to gather and use certain information about individuals. These individuals are known as data subjects and may include customers, suppliers, business contacts, employees, directors, shareholders and other people with whom the Company has a relationship or whom it may need to contact.
The information obtained from these data subjects is protected by law and the Company is obliged to ensure compliance. To this end, the Company is committed to:
Restricting and monitoring access to sensitive data;
Developing transparent data collection procedures;
Training employees in online privacy and security measures;
Building secure networks to protect online data from cyber-attacks;
Establishing clear procedures for reporting privacy breaches or data misuse;
Including contract clauses and communicating statements on how the Company handles data;
Establishing data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.);
Communicating its data protection provisions on its website;
Making sound judgement about the effectiveness, efficiency and responsiveness of services, and making complex decisions about priorities and the use of resources.
To the extent possible, the provisions of this policy shall apply to all information belonging to the company in whatever form (whether oral, written, pictorial or electronic media) containing, without limitation, material of technical, operational, administrative, economic, planning, business, finance, decision making, regulatory compliance or legal nature and any intellectual property of any kind.
This policy applies to persons authorised to use the Fekxir Limited network including its employees, contractors, consultants, partners, vendors, and any third parties who access or use Fekxir’s systems, infrastructure, and information. It also applies to all personal data processed in any form, whether digital, paper, verbal or otherwise.
This includes but is not limited to:
Computer equipment
Software
Operating systems
Storage media
Own equipment (such as home PCs, mobile and smart phones)
Network accounts providing electronic mail
World Wide Web (WWW) browsing
File copying (e.g. using the File Transfer Protocol, FTP).
This policy is designed to ensure that the Company:
Complies with the data protection legislation and follows best practice;
Protects the rights of stakeholders and other interested parties, including but not limited to employees, customers and partners;
Has proper procedures in place for the safe storage, handling, and lawful processing of individuals’ data; and
Protects itself from the risk of data breach and data security risks, including:
Breaches of confidentiality: Where data is given out inappropriately; and
Reputational Damage: Where the Company could suffer if hackers successfully gained access to sensitive data.
The Data Protection Act, 2023 sets out how the Company must collect, handle and store personal information. The Act requires that personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The rules apply regardless of whether the data is stored electronically, on paper or on other materials.
Personal Data is defined as information about an individual who can be identified from the data, or from data or other information in the possession of, or likely to come into the possession of, the Company. Personal Data relating to identifiable individuals will include:
a. Names of individuals
b. Postal addresses
c. Email addresses
d. Telephone numbers
e. Any other information relating to individuals
Generally, the Company shall collect Personal Data directly from the data subject. However, the Company may collect Personal Data indirectly where:
the data is contained in a public record;
the data subject has deliberately made the data public;
the data subject has consented to the collection of the information from another source;
the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
compliance would prejudice a lawful purpose for the collection;
compliance is not reasonably practicable; or
the collection of the data from another source is necessary:
i. for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
ii. for the enforcement of a law which imposes a pecuniary penalty;
iii. for the enforcement of a law which concerns revenue collection;
iv. for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
v. for the protection of national security; or
vi. for the protection of the interests of a responsible or third party to whom the information is supplied.
Fekxir Limited collects information in a transparent way and only with the full cooperation and knowledge of the data subject. The Company, whilst processing data, shall take into account the privacy of the data subject by applying the following principles:
Accountability: Fekxir Limited shall ensure that Personal data is processed:
i. Without infringing the privacy rights of the data subject;
ii. In a lawful manner; and
iii. In a reasonable manner.
Where the data is in respect of foreign data subjects sent into Nigeria for processing, the Company shall ensure that the data is processed in compliance with data protection legislation of the country of the data subject. The Company shall not transfer data to organizations or countries that do not have adequate data protection guidelines.
Lawfulness of Processing: Personal Data must be processed only if the purpose for which it is processed is necessary, relevant and not excessive. The Company shall not process Personal Data without the prior consent of the data subject unless the processing is:
i. necessary for the purpose of the employment, insurance or other contract to which the data subject is a party;
ii. authorised or required by law;
iii. to protect a legitimate interest of the data subject;
iv. necessary for the proper performance of a statutory duty;
v. necessary to pursue the legitimate interests of the Company or a third party to whom the data is supplied.
Additionally, the Company shall not retain Personal Data for a period longer than is necessary to achieve the purpose for which it is collected and processed.
Personal Data shall only be processed by a third party upon the Company’s prior written authorization. The third party shall be obliged to treat the data as confidential. In this vein, the Company shall ensure that Non-Disclosure Agreements are executed or specific confidentiality/data protection clauses are contained in contracts where third parties will be supplied with data.
Specification of Purpose: The Company shall collect data for a purpose which is specific, explicitly defined, lawful and related to its business activities. Hence, the data subject must at all times be informed of the purpose for which the data is collected.
Compatibility of further Processing with Purpose of Collection: The Company shall ensure that any further processing of Personal Data shall be for the original specific purpose for which it was obtained.
Quality of Information: The Company shall ensure at all times that data is accurate, complete, up-to-date and not misleading having regard to the purpose of collection or processing.
Openness: The Company shall ensure that the data subject is at all times informed of:
i. the nature of the data being collected;
ii. the name and address of the Company;
iii. the purpose for which the data is required;
iv. whether or not the supply of the data by the data subject is discretionary or mandatory;
v. the consequences of failure to provide the data;
vi. the authorized requirement for the collection of the information or the requirement by law for its collection;
vii. the recipients of the data, if any;
viii. the nature or category of the data; and
ix. the existence of the right of access to and the right to request rectification of the data collected before the collection.
Where data is collected from a third party, the Company shall ensure the data subject is given the information specified above before or as soon as practicable after the collection of the data.
Data Security Safeguards: The Company shall take necessary steps to secure the integrity of Personal Data in its possession or control through the adoption of appropriate, reasonable, technical and organizational measures to prevent loss of, damage to or unauthorized destruction of, and unlawful access to or unauthorized processing of, Personal Data.
Where the Company engages a third party to process Personal Data, the Company shall ensure that the third party establishes and complies with the data protection requirements in this Policy and under law.
Where the Company has reasonable grounds to believe that the Personal Data has been accessed or acquired by an unauthorised person, the Company shall notify the Data Protection Commission and the data subject as soon as reasonably practicable. The Company shall then take steps to restore the integrity of the information system.
Data Subject Participation: The Company shall upon request by the data subject and upon proof of identity:
i. confirm whether or not it holds personal data about that data subject;
ii. provide details of the personal data it holds, including data about the identity of any third party who has or has had access to the information;
iii. correct data held on the data subject; and
iv. modify, erase, reduce or correct data in its custody.
The Company is mandated to notify the data subject of the action taken as a result of the request.
Personal data is exempt from the data protection principles if it consists of a reference given in confidence by the Company for the purposes of:
education, training or employment of the data subject;
the appointment to an office of the data subject; or
the provision of any service by the data subject.
The Company shall not process special personal data unless the processing is necessary and the consent of the data subject has been obtained. Special Personal Data consists of information about an individual that relates to:
the race, color, ethnic or tribal origin;
the political opinion;
the religious beliefs or other beliefs of a similar nature;
the physical, medical, mental health or mental condition or deoxyribonucleic acid (DNA);
sexual orientation;
commission or alleged commission of an offence; or
proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings.
Employees and all third parties who deal with the Company have some responsibility for ensuring that data is collected, stored and handled appropriately and must therefore ensure that data is handled and processed in accordance with this Policy.
However, the following persons have key areas of responsibility:
The Board shall be ultimately responsible for ensuring that the Company meets its legal obligations as pertains to data protection.
They shall be responsible for:
Keeping the Board of Directors updated about data protection responsibilities, risks and issues;
Reviewing all data protection procedures and related issues;
Arranging data protection training for Employees and other stakeholders;
Addressing data protection concerns from data subjects such as Employees and Customers;
Dealing with requests from individuals to inspect the data the Company holds about them; and
Actively participating in reviewing and approving contracts or agreements with third parties that may handle the Company’s sensitive data.
They shall be responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
Performing regular checks and scans to ensure security hardware and software is functioning properly;
Implementing appropriate remedial measures to restore the integrity of data which is lost, corrupted or compromised; and
Evaluating any third-party services which the Company intends to use for data storage or processing.
They shall be responsible for:
Approving any data protection statements attached to communications such as emails, advertisements, publications and letters;
Addressing any data protection queries from journalists or media outlets upon the prior approval of the Executive Management; and
Where necessary working with other Employees to ensure marketing initiatives comply with data protection principles.
Grant access to data covered under this Policy only on a “need to know” basis to enable Employees to perform their work;
Provide training to all Employees to help them understand their responsibilities when handling data;
Ensure Employees keep all data secure, by taking precautions and following the guidelines contained in this Policy and such other guidelines pertaining to data handling that may be issued from time to time;
Use strong and encrypted passwords to secure data. Employees must never share passwords;
Ensure that Personal Data is not disclosed to unauthorized persons, either within or outside the Company;
Ensure that Personal Data is regularly reviewed and updated and if found to be out of date and no longer required, deleted and disposed of.
7.2 The Company shall not share data informally. When access to confidential information is required, Employees, customers and other third parties shall request from the appropriate authority in writing.
7.3 Employees must request assistance from the Head, MIS/IT or Head, Data Management/Head, Legal or Risk Management & Compliance if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Responsibility for, and questions about data storage should be directed to the Head, MIS/IT or the Head, Data Management Unit.
When data is stored on paper, it must be stored in a secure place where unauthorized persons cannot access it. Among others:
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees must make sure paper and print outs are not left where unauthorized persons can see them, for instance on a printer.
Data print outs should be shredded and disposed of securely when no longer required.
These guidelines apply to data that is usually stored electronically but has been printed for one reason or the other.
When data is stored electronically, it shall be protected from unauthorised access, accidental deletion and malicious hacking attempts. Among others:
Data shall be protected by strong passwords that are changed regularly and never shared between Employees.
If data is stored on removable media (like CD, DVD, External Drive, etc.), these shall be kept locked away securely when not in use.
Data shall only be stored on designated drives and servers, and shall only be uploaded to approved cloud computing services.
Servers containing Personal Data shall be sited in a secure location away from the general office space.
Data shall be backed up frequently and tested regularly, in line with the Company’s standard backup procedures.
Data shall not be saved directly to mobile devices such as tablets or smartphones.
All servers and computers containing data shall be protected by approved security software and firewalls.
Personal Data is of no value to the Company unless the Company can make use of it. However, it is when Personal Data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
When working with Personal Data, Employees shall ensure the screens of their computers are always locked when unattended. Also, Personal Data shall not be shared informally and must be encrypted before being transferred electronically outside the Company.
The law requires the Company to take reasonable steps to ensure data is kept accurate and up-to-date. The Company shall therefore put in place appropriate measures to ensure that data is accurate at all times. It is the responsibility of all Employees to take reasonable steps to ensure that data is kept as accurate and up-to-date as possible.
Data should be held in as few places as necessary. Employees shall not create any unnecessary additional data sets. Further, Employees shall take every opportunity to ensure that data is updated, for instance by confirming a customer’s details when they call or visit the office.
The Company shall also make it easy for data subjects to update the information which the Company holds about them. Data shall be updated as inaccuracies are discovered.
The Company shall disclose Personal Data to law enforcement agencies without the consent of the data subject upon satisfaction that the request is legitimate and upon prior approval of Executive Management and/or the Board, if necessary.
The Company shall not provide, use, obtain or procure information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject. Direct marketing includes communication by whatever means of advertising or marketing material which is directed to particular individuals.
The Company shall comply with all written notices from a data subject precluding the Company from processing his/her Personal Data for the purposes of direct marketing.
The Company shall register, and keep its registration renewed, with the Data Protection Commission.
The Company through the MIS Department shall keep the records of the Company for a period not less than six (6) years from the date of the last transaction or correspondence with a data subject.
The principles contained in this Policy shall be strictly complied with. Any breach of this Policy shall result in the following:
In the case of an Employee or Director, disciplinary action resulting in termination of employment or appointment and/or legal action for damages; and
In any other case, termination of contract, legal action for breach of contract, if any, and damages, and regulatory redress where the third party is registered with the Data Protection Commission.
Staff of the M.I.S or IT department have to assess computer equipment on a yearly basis and advise management on the need to dispose of them, primarily because:
They are no longer in working order and repair is not a feasible or available option.
The computer is inadequate to serve the purpose required, usually because it is old and has become under-equipped to function with the upgraded software and increased processing demands.
The department has found itself with a surplus of computers, possibly due to its replacement policy or strategy.
Where the computer is in working order but inadequate for the designated purpose, it is expected that as far as is practicable the first consideration will be for internal re-assignment.
Thus, it will be assigned to other departmental functions for which the capacity is appropriate.
Secondly, reasonable effort must be made to see if there is any other department that may wish to make use of the equipment.
Equipment with residual value but which is inadequate for the business of the Company may be sold to members of the department or outside bodies, subject to the Company’s financial guidelines.
Where equipment has little resale value, consideration should be given to donating it to a charitable endeavour.
If the equipment cannot be used, it should be scrapped for parts or disposed of in accordance with the Company’s policy and procedures for disposal.
All movement of equipment must be recorded in the Asset Register record, which indicates the information to be recorded over the disposal process.
This Policy shall be reviewed as and when it becomes necessary but not less than once in every two (2) years to ensure that it is current and relevant. All Employees and Directors will be provided with the most recent version.
Additionally, the Head of Risk Management and Compliance shall deliver the amended Data Protection Policy to all other stakeholders indicating which section(s) have been amended.