• What data do we collect?
• What constitutes collectable personal information?
• How do we collect your data?
• Why do we collect your data?
• How will we use your data?
• What constitutes your consent?
• How do we store your data?
• Security measures adopted to protect data.
• Third Party use of Personal Data
• The Data Protection Officer.
• What are your data protection rights?
• Contact Us.
1. To conform with the NDPR and adapt same into our internal processes and procedures.
2. To foster safe conduct for transactions involving the exchange of personal data.
3. To implement effective processes and procedures of handling personal data.
4. To ensure Data Handlers adhere strictly to policy and procedures of personal data.
5. To make sure employees' personal rights are not denied.
6. To set examples of best practices.
1. Respect for laws and regulations.
2. Safeguard of personal data as a responsibility for all.
3. Prohibition of theft, cyber-attacks and virus attacks.
4. Safety as a priority and responsibility for all.
a) “Computer” means Information Technology systems and devices, networked or not.
b) “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or on any device.
c) “Data Protection Officer” means the person designated by the Company to maintain this policy and investigate non-compliance with it (see section 6).
d) “Data Subject” means the natural person to whom Personal Data relates (see (g) below); under this policy, principally employees, applicants and vendors.
e) “DPCO” means Data Protection Compliance Organisation; “NITDA” means the National Information Technology Development Agency.
f) “NDPR” means the Nigeria Data Protection Regulation.
g) “Personal Data” is defined in accordance with the NDPR to mean any information relating to an identified or identifiable natural person (“Data Subject”). It includes information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, e-mail address, phone number, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, a MAC address, IP address, IMEI number, IMSI number, SIM and others.
h) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
k) “Processing’’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
l) “Regulation” means this regulation and its subsequent amendments, and where circumstances require it shall also mean any other regulations on the processing of information relating to identifiable individuals, including the obtaining, holding, use or disclosure of such information, and the protection of such information from inappropriate access, use, or disclosure.
m) “The Agency’’ means the National Information Technology Development Agency.
n) “Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process Personal Data.
1. What data do we collect?
Personal Information is information that is peculiar to an individual; no form of anonymity is involved. Such information is collected by CHI Limited for various reasons, such as instances where:
a. processing is necessary for the performance of a contract to which the person is party or in order to take steps at the request of the person prior to entering into a contract;
b. processing is necessary for compliance with a legal obligation to which the Data Controller (being the person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed) is subject;
c. processing is necessary in order to protect the vital interests of the person or of another natural person;
d. processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller; etc.
For operational efficiency and reasons above stated, the various forms of data CHI Limited collects include:
a. Name, gender, home address and telephone number, date of birth, marital status, employee identification number, and emergency contacts.
b. Nationality and passport information.
c. Payroll information, banking details.
d. Wage and benefit information.
e. Retirement account information.
f. Sick pay, Paid Time Off (“PTO”), retirement accounts, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for any spouse, minor children or other eligible dependents and beneficiaries).
g. Information from interviews and phone-screenings you may have had, if any.
h. Date of hire, date(s) of promotions(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, and training records.
i. Beneficiary and emergency contact information.
j. Employee stock information.
k. Forms and information relating to the application for, or in respect of changes to, employee health and welfare benefits; including, short and long term disability, medical and dental care, etc.
l. Height, weight and photograph, physical limitations and special needs.
m. Records of work absences, vacation/paid time off, entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures (including monitoring compliance with and enforcing our policies).
n. Acknowledgements regarding our policies, including employee handbooks, ethics and/or conflicts of interest policies and computer and other corporate resource usage policies.
o. Voicemails, e-mails, correspondence, documents, and other work communication created, stored or transmitted using company networks, applications, devices, computers or communications equipment.
p. Letters of offer and acceptance of employment.
q. Resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information provided in support of an application and/or recruitment process.
r. References and interview notes.
s. Information relating to any previous applications made to CHI Limited and/or any previous employment history with CHI LIMITED.
2. How do we collect your data?
All data is provided directly by the Data Subject to the Company upon request; the medium through which Personal Data is collected or processed must display a simple and conspicuous privacy notice that the class of Data Subject being targeted can understand. The Company collects and processes data when employees apply for a job and are subsequently recruited by the Company, or when prospective vendors are interested in working with the Company.
Other ways personal data is collected include:
a. Submission of applications for open positions.
b. On-line Applications
c. Hard Copy Applications.
3. How will we use your data?
CHI LIMITED may disclose your personal information to any member of the CHI LIMITED group of companies. This may include our holding company and/or its subsidiaries, or any subsidiaries or affiliate companies of CHI LIMITED or its parent company.
CHI LIMITED may use the information internationally in connection with processing requests by potential customers or potential employers of contract workers or temporary employees. CHI LIMITED may also disclose personal data about you to potential employers (direct placements) or potential customers if you are a contract worker we are seeking to assign to a customer.
CHI LIMITED may respond to subpoenas, court orders, or legal process by disclosing your personal data and other related information, if necessary. CHI LIMITED may also disclose your personal data where we are to establish or exercise our legal rights or defend against legal claims.
CHI LIMITED will only provide data to the extent required, and in the case of third parties, to the minimum amount of personal data necessary to provide the services on our behalf. These third parties are not permitted to use your personal data except for the limited purpose of completing the requested service or transaction.
CHI LIMITED may collect and possibly share personal data and any other additional information available to it in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person.
As a part of providing services to our customers, we may share personal data from our customers with other third parties as instructed by the customer. We may share the personal data with others solely for the purposes of managing the work we are contracted to manage and will abide by any contractual obligations contained in any customer agreement related to the sharing of personal data that we actually receive in writing from the customer. Rest assured that your personal data is never sold or leased to any external company unless you have granted us permission to do so.
CHI LIMITED does not disclose personal information about its employees without specific authorization from or notice to the employee, as provided in this statement, or as required by law. Should you withdraw consent, in writing, to the use of your information for any of the above-identified purposes, we will stop using your information for such purposes as soon as it is reasonably possible to do so. CHI LIMITED will also notify you if withdrawing consent affects our ability to service you or retain your services.
4. How do we store your data?
Data is collected from varying sources and each source utilizes a mode of storage for such data. The Company securely stores employee and vendor data and will keep it for the period necessary to complete the purpose for which it was collected; thereafter, the data is deleted without delay. CHI Limited stores data in the following manner:
a. A secured file cabinet for the personnel files of junior staff, accessed only by two members of staff, i.e. the File Clerk and the HR Director.
b. A secured file cabinet for the files of Management and Senior Staff, accessed only by the HR Director. This cabinet is kept in the HR Director’s office.
c. Encryption of electronic records.
d. Password-protected access to systems.
e. Cabinet and Company storage of vendor data.
A. Information Technology Security.
Personal data is of no value to CHI Limited unless the business can make use of it. However, it is when personal data is accessed and used that it is at the greatest risk of loss, corruption or theft. The Information Technology Department is therefore responsible for ensuring that all employee and vendor data is guarded against unauthorized use. Steps to ensure this include:
• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorized external contacts.
• Personal data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
• Company data should only be uploaded to and shared via approved services. The IT department can advise on appropriate tools for sending and sharing large amounts of data.
• Employees must not steal, use, or disclose someone else’s login or password without authorization.
Used unwisely, the internet can be a source of security problems that do significant damage to the Company’s data and reputation. Users are therefore required to ensure that they do not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the Company. Employees must also not gain access to websites or systems for which they do not have authorization, either within the business or outside it.
Employees should be aware of the security and data protection issues that can arise from using social networks. Staff members must also always consider the security of the Company’s systems and data when using the internet. If required, help and guidance on security and data protection is available from line managers and the Company IT department.
B. Maintain Confidentiality
Maintaining the Confidentiality, Availability and Integrity of both the Company’s data and personal information is a requirement on all of us, from the most junior employee in the most distant part of our business to the senior executives at its head. Employees are therefore required to treat information entrusted to them respectfully and professionally, taking account of the Confidentiality, Integrity and Availability of the information as if it were our own. Employees must ensure that any information they process is processed legally and for legitimate business reasons.
C. Access Control
Access to all Systems where personal information is stored shall be granted in a controlled manner driven by business requirements. Individuals shall be explicitly granted access to information or systems; there is no implicit right of access. Access is denied unless explicitly permitted. Access to personal data shall also be subject to the consent of the employees concerned to the use of such information. Consent from employees must be free, unambiguous, uninfluenced and devoid of any form of coercion.
The Company Information Security Policy provides for an Access Control Policy which all employees must be aware of. The policy in this regard includes:
• Users shall obtain permission from the business owner, or designated business steward, to access Company Systems. Business owners shall approve or disapprove access on a need to know basis.
• Applicable laws and contractual restrictions shall be complied with when creating or issuing access to Systems.
D. User Registration and De-registration
User registration and de-registration procedures shall be documented and followed when granting access rights for all systems. These procedures shall include steps to:
• Obtain approval for access from business owners;
• Verify that access granted is the same as the access approved;
• Maintain logs for registration activity to track who requested, approved, granted, verified, and revoked access.
For more information on this Section, please refer to the Company’s Information Security Policy.
5. Security measures adopted to protect data.
The Company understands that, according to the NDPR, anyone who is entrusted with or who is in possession of Personal Data owes a duty of care to the Data Subject and as such is accountable for its acts and omissions in respect of data processing. The Company has therefore put in place security measures that protect data and its systems from attackers, including firewalls, secure storage with access restricted to specific authorized individuals, and data encryption technologies. These processes include:
A. Protecting against external and environmental threats on Personal Information
All Company information assets shall be stored in a manner or location to minimize the risk of loss of availability due to:
• Theft or vandalism
• Fire, explosion, smoke, water, humidity, or chemical agents
• Power interruption
• Natural disasters such as earthquake or flood.
• Loss of services such as power, communications, or water.
• Other identifiable physical threats.
Physical security measures and environmental controls shall be in place to ensure the physical security, integrity and availability of Company information assets. Protection measures shall be appropriate to the classification level of the information asset.
B. Network security management
This section defines the requirements to assure the protection of Company information in networks and connected services by reducing the risk of unauthorized access. It applies to all Employees and Third Parties, focusing on those with information technology (IT) network and communications responsibilities. Network controls include:
• Network managers shall implement controls to ensure the security of data in networks and the protection of connected services from unauthorized access.
• The Company’s internal network can be logically extended over non-Company networks if the following controls are in place and effective:
• The information is transmitted through a Company Secure Access Zone (SAZ) or other related protection technology approved by the information protection organization;
• Encryption is used to protect Company information during transmission in accordance with the Company Information Classification Standard and Protection Measures;
• The recipient (User or system) of the Company information is identified and authenticated as an authorized User or system;
• The transmitted information is stored on a Company-owned or authorized system when received.
Management shall ensure that any network services agreements identify and include security requirements, service levels, monitoring, and management requirements for all provided network services. All remote access points shall be protected by a Company-approved Secure Access Zone (SAZ) or other related protection technology approved by the information protection organization. The use of unauthorized remote access solutions, including unauthorized wireless LAN access, is not permitted.
C. User access provisioning
All access to Systems shall be controlled by an authentication method involving, at a minimum, a unique user ID and secret authentication information including, but not limited to, a strong password, passcode, PIN, passphrase, biometrics, or information derived from an encryption key. All Users shall be supplied with a unique user ID. Existing user IDs and access shall be reviewed at least once within a 12-month period.
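The registration and de-registration rules in section 4.D (business-owner approval, verification that the access granted matches the access approved, a log of who requested, approved, granted, verified and revoked access) and the 12-month review rule above are concrete enough to be checked mechanically. The following is an added example, not code from CHI Limited or its Information Security Policy: a small append-only access register from which the "default deny" decision, the approved-versus-granted reconciliation and the overdue-review list are all derived. The user IDs, system names, actors and dates are constructed sample data.

```python
"""Added example (not CHI Limited's own code): an access register implementing the
policy's default-deny rule, approved-vs-granted reconciliation, and 12-month review.
All names, systems and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

ACTIONS = {"requested", "approved", "granted", "verified", "revoked"}
REVIEW_PERIOD = timedelta(days=365)   # "reviewed at least once within a 12-month period"


@dataclass(frozen=True)
class AccessEvent:
    user_id: str   # the unique user ID the policy requires
    system: str    # the system holding personal data
    action: str    # one of ACTIONS
    actor: str     # who performed the step (requester, business owner, IT admin ...)
    when: date


class AccessRegister:
    """Append-only log; every access decision is derived from the log, never stored apart from it."""

    def __init__(self) -> None:
        self._events: list[AccessEvent] = []

    def record(self, ev: AccessEvent) -> None:
        if ev.action not in ACTIONS:
            raise ValueError(f"unknown action {ev.action!r}")
        self._events.append(ev)

    def _pairs(self) -> list[tuple[str, str]]:
        return sorted({(e.user_id, e.system) for e in self._events})

    def _last(self, user_id: str, system: str, action: str):
        hits = sorted((e for e in self._events
                       if e.user_id == user_id and e.system == system and e.action == action),
                      key=lambda e: e.when)
        return hits[-1] if hits else None

    def _active(self, user_id: str, system: str, action: str) -> bool:
        """True if `action` is on record and postdates the most recent revocation (if any)."""
        last, rev = self._last(user_id, system, action), self._last(user_id, system, "revoked")
        return last is not None and (rev is None or last.when > rev.when)

    def is_permitted(self, user_id: str, system: str) -> bool:
        """Default deny: permitted only if both approved and granted, and not revoked since."""
        return self._active(user_id, system, "approved") and self._active(user_id, system, "granted")

    def reconcile(self) -> dict[str, list[tuple[str, str]]]:
        """Check that access granted equals access approved; reports drift in both directions."""
        out = {"granted_without_approval": [], "approved_but_not_granted": []}
        for user_id, system in self._pairs():
            approved = self._active(user_id, system, "approved")
            granted = self._active(user_id, system, "granted")
            if granted and not approved:
                out["granted_without_approval"].append((user_id, system))
            if approved and not granted:
                out["approved_but_not_granted"].append((user_id, system))
        return out

    def overdue_reviews(self, today: date) -> list[tuple[str, str]]:
        """Active grants with no 'verified' event within the last 12 months (or none at all)."""
        overdue = []
        for user_id, system in self._pairs():
            if not self._active(user_id, system, "granted"):
                continue  # revoked or never granted: nothing to review
            if (not self._active(user_id, system, "verified")
                    or today - self._last(user_id, system, "verified").when > REVIEW_PERIOD):
                overdue.append((user_id, system))
        return overdue


def sample_register() -> AccessRegister:
    """Constructed sample events; none of these are real records."""
    reg = AccessRegister()
    for ev in [
        # alice: complete, correct lifecycle on the HR file system
        AccessEvent("alice", "hr-files", "requested", "alice", date(2019, 7, 10)),
        AccessEvent("alice", "hr-files", "approved", "hr_director", date(2019, 7, 12)),
        AccessEvent("alice", "hr-files", "granted", "it_admin", date(2019, 7, 14)),
        AccessEvent("alice", "hr-files", "verified", "it_admin", date(2019, 7, 15)),
        # bob: IT granted access with no business-owner approval on record
        AccessEvent("bob", "payroll", "requested", "bob", date(2020, 2, 1)),
        AccessEvent("bob", "payroll", "granted", "it_admin", date(2020, 2, 2)),
        # carol: properly provisioned, then de-registered on leaving
        AccessEvent("carol", "hr-files", "requested", "carol", date(2019, 9, 1)),
        AccessEvent("carol", "hr-files", "approved", "hr_director", date(2019, 9, 2)),
        AccessEvent("carol", "hr-files", "granted", "it_admin", date(2019, 9, 3)),
        AccessEvent("carol", "hr-files", "verified", "it_admin", date(2019, 9, 3)),
        AccessEvent("carol", "hr-files", "revoked", "it_admin", date(2020, 1, 10)),
        # dave: approved, but IT never completed the grant
        AccessEvent("dave", "payroll", "approved", "payroll_manager", date(2020, 3, 1)),
    ]:
        reg.record(ev)
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("alice/hr-files permitted:", reg.is_permitted("alice", "hr-files"))
    print("bob/payroll permitted:", reg.is_permitted("bob", "payroll"))
    print("drift:", reg.reconcile())
    print("overdue as of 2020-09-01:", reg.overdue_reviews(date(2020, 9, 1)))
```

Two design points matter here. First, permission is computed from the log rather than from a separately maintained "current access" table, so a grant that bypassed approval cannot be hidden by editing that table; it shows up in `reconcile()` until an approval or a revocation is recorded. Second, a revocation invalidates everything before it, so a re-hired or re-assigned user must go through request, approval, grant and verification again rather than inheriting the old entries.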
D. Supplier and Third Party Relationships
The Company requires all third parties, whether individuals or other companies, to maintain the security of Company information and information assets where such data or information is exposed in the course of their operations. This involvement may occur in, but is not limited to, the following circumstances:
• Where Third Parties are involved in the design, development or operation of Company Systems;
• Where access to Company Systems or information is granted from Third Party locations where computers and network facilities are under the control of the Third Party;
• When Users who are not Employees of the Company are given access to Company information;
Employees who liaise with such third parties are responsible for the protection of Company information collected, transmitted, stored, or processed by Third Parties. Requirements for protecting Company information shall be included in all agreements with Third Parties that are provided Company information and Company information assets. Furthermore:
• Management must ensure that adequate controls are in place and operationally effective to ensure protection of Company classified information that is stored, processed, or transmitted by Third Parties.
• Classified information provided to Third Parties shall be protected in accordance with the Information Classification Standard and Protection Measures. Management shall ensure all Third Parties understand their obligation to protect Company information.
• A risk assessment shall be completed to identify security requirements to administer Third Party access to Company Systems and classified information. These security requirements are subject to review and approval by the information protection organization.
• Access granted to Third Parties to Company Systems and information shall follow established procedures for user access. Access shall be granted on a need to know basis and approved by the business owner.
• Third Parties that will be exposed to Company classified information shall sign a non-disclosure agreement (NDA). The agreement shall address legally enforceable requirements to protect Company classified information. Any non-disclosure agreement shall be reviewed by the Company’s legal counsel, or designees, prior to signature.
• Third Parties that require a direct network connection to access Company Systems and resources must sign the Company Network Access Agreement (NAA). Third Parties shall use Company Systems in accordance with the Third Party Acceptable Use Policy. Third Parties that only require access to Company Systems through public web resources must accept the Company Web Access Agreement (WAA).
Where there is a need for CHI Limited to transfer personal data to a third party for processing, such processing shall be governed by a written contract between the third party and the Company. Such a written contract, in the form of a non-disclosure agreement, protects employees’ personal information from unauthorized use. The third party could be, for example, a firm to which the Company has outsourced part of its recruitment. The third party shall keep the information supplied confidential and shall not share it with the public, except for information that has already been made public.
Please refer to the Company’s Information Security Policy for more information on this Section and for information on the SUPPLIER AND THIRD PARTY RELATIONSHIP POLICY.
6. The Data Protection Officer.
The Data Protection Officer (DPO) is responsible for maintaining the policy and investigating non-compliance issues. Other duties of the Data Protection Officer include:
A. Collection and processing of personal data: data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the employee/vendor; provided that further processing may be done only for archiving, scientific research, historical research or statistical purposes in the public interest, and that any person or entity carrying out such further processing shall not transfer any personal data to any other person.
B. Data must be adequate, accurate and without prejudice to the dignity of the human person, stored only for the period within which it is reasonably needed, and secured against all foreseeable hazards and breaches.
C. Ensure that training is conducted with respect to data protection;
D. Work with Internal Audit to ensure the filing of a detailed audit report covering the Company’s privacy and data protection practices, with each audit stating at least:
i. The type of information collected.
ii. Purpose of collection of data.
iii. Notice given to persons before collection.
iv. Access given to third parties.
v. Consent of the person obtained before collection.
vi. Policies and practices of the organization for the security of personally identifiable information.
The DPO shall ensure continuous capacity building of persons protecting or processing such data, and shall guard against unauthorized use of personal data at all times by putting appropriate security measures in place.
7. What are your data protection rights?
Each employee has a right to:
A. Request that data is deleted,
B. Reasonably withdraw consent,
C. Be informed of the safeguards in place in any foreign country to which the data is transferred,
D. Restrict processing on a number of reasonable grounds,
E. Seek redress where aggrieved with the handling of data.
You agree that any unauthorized use of Personal Information or its contents may cause CHI LIMITED immediate and irreparable harm for which money damages may not constitute an adequate remedy. Where an employee’s or vendor’s personal information has been used without authorization or for other unlawful purposes, we encourage the individuals affected to report it immediately to their line manager or local ethics officer, where it will be taken up and investigated.
• Nigerian Data Protection Regulation 2019
• CHI Limited Information Security Policy
Policy Revision History July 12th, 2019.
8. Contact Us.
Human Resource Department
Name: Mr. Adam Zubair
Data Protection Officer
Name: Mr. Damola Akinade