
Disclaimer & Privacy Policy

DATA PROTECTION AND PRIVACY POLICY

This Data Protection and Privacy Policy (the “Privacy Policy”) explains the types of personal information, also referred to as Personal Data, CHI Limited may collect about its employees, job applicants, and vendors and how this may be used in accordance with the Nigerian Data Protection Regulation 2019 (NDPR), governed by the National Information Technology Development Agency (NITDA). It governs the handling of all personal information received from CHI Limited’s employees and third parties (as well as its Vendors) and sets the standard as to how such data is to be used and protected. By the provisions of the NDPR it is mandatory that certain guards are in place to protect and keep data confidential. The penalty for non-compliance by companies carries a huge consequence and thus CHI Limited requires that its employees (and third party handlers of data) cooperate with the company to ensure strict adherence to this privacy policy and abide by the provisions of the regulation in the way and manner of handling electronic data.

This Privacy Policy focuses mainly on the following:

• What data do we collect?

• What constitutes collectable personal information?

• How do we collect your data?

• Why do we collect your data?

• How will we use your data?

• What constitutes your consent?

• How do we store your data?

• Security measures adopted to protect data.

• Third Party use of Personal Data

• The Data Protection Officer.

• What are your data protection rights?

• Complaints?

• Contact Us.

The Privacy Policy shall be maintained in an orderly format and shall be accessible to employees, Vendors and Third Parties who have dealings with the company. All employees and non-employee workers, interns, vendors, and other third parties who are in a contractual arrangement with the Company (“Third Parties”) are required to abide by this Privacy Policy. The management of each team/vendor shall ensure the individuals within their assigned area of control understand, adhere to and comply with this Privacy Policy.

The Company strives to keep the data fully updated and as such, where there are changes to the Privacy Policy following a regular review, such updates will be circulated through the medium for circulating information to all employees.

OBJECTIVES OF THE PRIVACY POLICY.

1. To conform with the NDPR and adapt same into our internal processes and procedures.

2. To foster safe conduct for transactions involving the exchange of personal data.

3. To implement effective processes and procedures of handling personal data.

4. To ensure Data Handlers adhere strictly to policy and procedures of personal data.

5. To make sure employees' personal rights are not denied.

6. To set examples of best practices.

KEY PRINCIPLES OF THE PRIVACY POLICY.

1. Respect for laws and regulations.

2. Safeguard of personal data as a responsibility for all.

3. Prohibition of theft, cyber-attacks and virus attacks.

4. Safety as a priority and responsibility for all.

DEFINITIONS

a) “Computer” means Information Technology systems and devices, networked or not.

b) “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or on any device.

c) “Data Protection Officer” means a person or organization that processes data.

d) “Data Subject” means employees or owners of data.

e) “DPCO” means Data Protection Compliance Organization. “NITDA” means National Information Technology Development Agency.

f) “NDPR” means Nigerian Data Protection Regulation.

g) “Personal Data” is defined in accordance with the NDPR to mean any information relating to an identified or identifiable natural person (“Data Subject”). It includes information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, e-mail address, phone number, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, a MAC address, IP address, IMEI number, IMSI number, SIM and others.

h) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to.

i) “Personal Information” means any information that (i) directly and clearly identifies an individual, or (ii) can be used in combination with other information to identify an individual, for the purposes of this Privacy Policy.

j) “Privacy Policy” means this Data Protection and Privacy Policy.

k) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

l) “Regulation” means this regulation and its subsequent amendments, and where circumstance requires it shall also mean any other regulations on the processing of information relating to identifiable individuals, including the obtaining, holding, use or disclosure of such information, to protect such information from inappropriate access, use, or disclosure.

m) “The Agency” means the National Information Technology Development Agency.

n) “Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process Personal Data.

1. What data do we collect?

Personal Information is information that is peculiar to an individual; no form of anonymity is involved. Such information is collected by CHI Limited for various reasons, such as instances where:

a. processing is necessary for the performance of a contract to which the person is party or in order to take steps at the request of the person prior to entering into a contract;

b. processing is necessary for compliance with a legal obligation to which the Data Controller (being the person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed) is subject;

c. processing is necessary in order to protect the vital interests of the person or of another natural person;

d. processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller; etc.

For operational efficiency and reasons above stated, the various forms of data CHI Limited collects include:

a. Name, gender, home address and telephone number, date of birth, marital status, employee identification number, and emergency contacts.

b. Nationality and passport information.

c. Payroll information, banking details.

d. Wage and benefit information.

e. Retirement account information.

f. Sick pay, Paid Time Off (“PTO”), retirement accounts, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for any spouse, minor children or other eligible dependents and beneficiaries).

g. Information from interviews and phone-screenings you may have had, if any.

h. Date of hire, date(s) of promotions(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, and training records.

i. Beneficiary and emergency contact information.

j. Employee stock information.

k. Forms and information relating to the application for, or in respect of changes to, employee health and welfare benefits; including, short and long term disability, medical and dental care, etc.

l. Height, weight and photograph, physical limitations and special needs.

m. Records of work absences, vacation/paid time off, entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures (including monitoring compliance with and enforcing our policies).

n. Acknowledgements regarding our policies, including employee handbooks, ethics and/or conflicts of interest policies and computer and other corporate resource usage policies.

o. Voicemails, e-mails, correspondence, documents, and other work communication created, stored or transmitted using company networks, applications, devices, computers or communications equipment.

p. Letters of offer and acceptance of employment.

q. Resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information provided in support of an application and/or recruitment process.

r. References and interview notes.

s. Information relating to any previous applications made to CHI Limited and/or any previous employment history with CHI LIMITED.

2. How do we collect your data?

All data is directly provided by the Data Subject to the Company upon request; the medium through which Personal Data is being collected or processed must display a simple and conspicuous privacy agreement that the class of Data Subject being targeted can understand. The Company collects and processes data when employees apply for a job and are subsequently recruited by the company or when prospective vendors are interested in working for the company.

Other ways personal data is collected include:

a. Submission of applications for open positions.

b. On-line Applications

c. Hard Copy Applications.

3. How will we use your data?

CHI LIMITED may disclose your personal information to any member of the CHI LIMITED group of companies. This may include our holding company and/or its subsidiaries, or any subsidiaries or affiliate companies of CHI LIMITED or its parent company.

CHI LIMITED may use the information internationally in connection with processing requests by potential customers or potential employers of contract workers or temporary employees. CHI LIMITED may also disclose personal data about you to potential employers (direct placements) or potential customers if you are a contract worker we are seeking to assign to a customer.

CHI LIMITED may respond to subpoenas, court orders, or legal process by disclosing your personal data and other related information, if necessary. CHI LIMITED may also disclose your personal data where we are to establish or exercise our legal rights or defend against legal claims.

CHI LIMITED will only provide data to the extent required, and in the case of third parties, to the minimum amount of personal data necessary to provide the services on our behalf. These third parties are not permitted to use your personal data except for the limited purpose of completing the requested service or transaction.

CHI LIMITED may collect and possibly share personal data and any other additional information available to it in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person.

As a part of providing services to our customers, we may share personal data from our customers with other third parties as instructed by the customer. We may share the personal data with others solely for the purposes of managing the work we are contracted to manage and will abide by any contractual obligations contained in any customer agreement related to the sharing of personal data we actually receive in writing from the customer. Rest assured that your personal data is never sold or leased to any external company, unless you have granted us permission to do so.

CHI LIMITED does not disclose personal information about its employees without specific authorization from or notice to the employee, as provided in this statement, or as required by law. Should you withdraw consent, in writing, to the use of your information for any of the above-identified purposes, we will stop using your information for such purposes as soon as it is reasonably possible to do so. CHI LIMITED will also notify you if withdrawing consent affects our ability to service you or retain your services.

4. How do we store your data?

Data is collected from varying sources and each source utilizes a mode of storage for such data. The Company securely stores employee and vendor data and will keep it for the period necessary to complete the purpose for which it was collected; thereafter, the data is immediately deleted. CHI Limited stores data in the following manner:

a. Secured File Cabinet for the storage of junior staff files, which is accessed only by two staff, i.e. the File Clerk and the HR Director.

b. Secured File Cabinet for the storage of Management and Senior Staff accessed only by the HR Director. This Cabinet is kept in the HR Director’s office.

c. Encrypted Security.

d. Secured Passwords.

e. Cabinet and Company Storage of Vendors' data.

At no time is a third party (Recruitment and/or Medical Agency) permitted to access or make use of employees’ information without prior management permission and consent of the affected employee. In such an instance where permission is granted, third party(ies) shall use employees’ information solely for the primary purpose for which it was intended/permitted. Where Third party(ies) is/are found to have contravened the privacy policy, penalties shall be imposed where necessary, in accordance with contractual stipulations and applicable regulations.

A. Information Technology Security.

Personal data may not be of value to CHI Limited unless the business can make use of it. However, it is when personal data is accessed and used that it is at the greatest risk of loss, corruption or theft. The Information Technology Department is therefore responsible for ensuring that all employee and Vendor data are guarded against unauthorized use. Some steps to ensure this include:

• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.

• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.

• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorized external contacts.

• Personal data should never be transferred outside of the European Economic Area.

• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

• Company data should only be uploaded to and shared via approved services. The IT department can advise on appropriate tools for sending and sharing large amounts of data.

• Employees must not steal, use, or disclose someone else’s login or password without authorization.

Where the internet is used unwisely, it can be a source of security problems that can do significant damage to the company’s data and reputation. Users are therefore required to ensure they do not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the company. Employees must also not gain access to websites or systems for which they do not have authorization, either within the business or outside it.

Employees should be aware of the security and data protection issues that can arise from using social networks. Staff members must also always consider the security of the company’s systems and data when using the internet. If required, help and guidance on security and data protection is available from line managers and the company IT department.

B. Maintain Confidentiality, Availability and Integrity

Maintaining the confidentiality, availability and integrity of both the Company’s Data and Personal Information is a requirement on all of us, from the most junior employee in the most distant part of our business to the senior executives at its head. Employees are therefore required to treat information entrusted to them respectfully and professionally, taking account of the Confidentiality, Integrity and Availability of the information as if it were our own. Employees must ensure that any information they process is processed legally and for legitimate business reasons.

C. Access Control

Access to all Systems where Personal Information is stored shall be granted in a controlled manner driven by business requirements. Individuals shall be explicitly granted access to information or systems; there is no implicit right of access. Access is denied unless explicitly permitted. Access to all personal data shall be granted only upon the employees' permission for the use of such information. Consent from employees must be free, unambiguous, uninfluenced and devoid of any form of coercion.

The Company Information Security Policy provides for an Access Control Policy which all employees must be aware of. The policy in this regard includes:

• Users shall obtain permission from the business owner, or designated business steward, to access Company Systems. Business owners shall approve or disapprove access on a need-to-know basis.

• Applicable laws and contractual restrictions shall be complied with when creating or issuing access to Systems.

D. User Registration and De-registration

User registration and de-registration procedures shall be documented and followed when granting access rights for all systems. These procedures shall include steps to:

• Obtain approval for access from business owners;

• Verify that access granted is the same as the access approved;

• Maintain logs for registration activity to track who requested, approved, granted, verified, and revoked access.

For more information on this Section, please refer to the Company’s Information Security Policy.

5. Security measures adopted to protect data.

The Company understands that, according to the NDPR, anyone who is entrusted with or who is in possession of Personal Data owes a duty of care to the Data Subject and, as such, is accountable for its acts and omissions in respect of data processing. Accordingly, the Company has put in place security measures which protect data and its systems from hackers, including setting up firewalls, storing data securely with access restricted to specific authorized individuals, and employing data encryption technologies. These processes include:

A. Protecting against external and environmental threats on Personal Information

All Company information assets shall be stored in a manner or location to minimize the risk of loss of availability due to:

• Theft or vandalism

• Fire, explosion, smoke, water, humidity, or chemical agents

• Power interruption

• Natural disasters such as earthquake or flood.

• Loss of services such as power, communications, or water.

• Other identifiable physical threats.

Physical security measures and environmental controls shall be in place to ensure the physical security, integrity and availability of Company information assets. Protection measures shall be appropriate to the classification level of the information asset.

B. Network security management

This section defines the requirements to assure the protection of Company information in networks and connected services by reducing the risk of unauthorized access. It applies to all Employees and Third Parties, focusing on those with information technology (IT) network and communications responsibilities. Network controls include:

• Network managers shall implement controls to ensure the security of data in networks and the protection of connected services from unauthorized access.

• The Company’s internal network can be logically extended over non-Company networks if the following controls are in place and effective:

• The information is transmitted through a Company Secure Access Zone (SAZ) or other related protection technology approved by the information protection organization;

• Encryption is used to protect Company information during transmission in accordance with the Company Information Classification Standard and Protection Measures;

• The recipient (User or system) of the Company information is identified and authenticated as an authorized User or system;

• The transmitted information is stored on a Company-owned or authorized system when received.

Management shall ensure that any network services agreements identify and include security requirements, service levels, monitoring, and management requirements for all provided network services. All remote access points shall be protected by a Company-approved Secure Access Zone (SAZ) or other related protection technology approved by the information protection organization. The use of unauthorized remote access solutions, including unauthorized wireless LAN access, is not permitted.

C. User access provisioning

All access to Systems shall be controlled by an authentication method involving, at a minimum, a unique user ID and secret authentication information including, but not limited to, a strong password, passcode, PIN, passphrase, biometrics, or information derived from an encryption key. All Users shall be supplied with a unique user ID. Existing user IDs and access shall be reviewed at least once within a 12-month period.

D. Supplier and Third Party Relationships

There is a requirement by the Company for all third parties, individuals and/or other companies to maintain the security of Company information and information assets, where such data or information is exposed in the course of their operation. This involvement may occur, but is not limited to, the following circumstances:

• Where Third Parties are involved in the design, development or operation of Company Systems;

• Where access to Company Systems or information is granted from Third Party locations where computers and network facilities are under the control of the Third Party;

• When Users who are not Employees of the Company are given access to Company information.

Employees who liaise with such third parties are responsible for the protection of Company information collected, transmitted, stored, or processed by Third Parties. Requirements for protecting Company information shall be included in all agreements with Third Parties that are provided Company information and Company information assets. Furthermore:

• Management must ensure that adequate controls are in place and operationally effective to ensure protection of Company classified information that is stored, processed, or transmitted by Third Parties.

• Classified information provided to Third Parties shall be protected in accordance with the Information Classification Standard and Protection Measures. Management shall ensure all Third Parties understand their obligation to protect Company information.

• A risk assessment shall be completed to identify security requirements to administer Third Party access to Company Systems and classified information. These security requirements are subject to review and approval by the information protection organization.

• Access granted to Third Parties to Company Systems and information shall follow established procedures for user access. Access shall be granted on a need to know basis and approved by the business owner.

• Third Parties that will be exposed to Company classified information shall sign a non-disclosure agreement (NDA). The agreement shall address legally enforceable requirements to protect Company classified information. Any non-disclosure agreement shall be reviewed by the Company’s legal counsel, or designees, prior to signature.

• Third Parties that require a direct network connection to access Company Systems and resources must sign the Company Network Access Agreement (NAA). Third Parties shall use Company Systems in accordance with the Third Party Acceptable Use Policy. Third Parties that only require access to Company Systems through public web resources must accept the Company Web Access Agreement (WAA).

Where there is a need for CHI Limited to transfer personal data to a third party for processing, such data processing shall be governed by a written contract between the third party and the Company. Such a written contract, in the form of a non-disclosure agreement, protects employees' personal information from unauthorized use. This could be, for example, a third party to whom the company has outsourced part of its recruitment. The Third Party shall ensure that the information supplied is kept confidential and shall not be shared with the public, except for information that has already been made public.

In such instances, reasonable measures will be taken to ensure that all parties to the data processing contract (except the employee) do not have a record of violating this Privacy Policy, ensure adherence to the regulatory policies and are accountable to NITDA or a regulatory authority for data protection within or outside Nigeria; and the Data Protection Officer shall be liable for the actions or inactions of third parties who handle the Personal Data of employees.

Please refer to the Company’s Information Security Policy for more information on this Section and for information on the SUPPLIER AND THIRD PARTY RELATIONSHIP POLICY.

6. The Data Protection Officer.

In accordance with legal requirements, CHI Limited shall ensure the appointment of a Data Protection Officer(s). The DPO shall ensure adherence to the Privacy Policy, and may work with competent third parties to ensure the Company’s adherence to applicable data protection laws and regulations.

The Data Protection Officer (DPO) is responsible for maintaining the policy and investigating non-compliance issues. Other duties of the Data Protection Officer include:

A. Collection and processing of personal data: Data must be collected and processed for a specific, legitimate and lawful purpose and also consented to by the employee/vendor. Where it is provided that further processing may be done only for archiving, scientific research, historical research or statistical purposes in the public interest, any person or entity carrying out or purporting to carry out such data processing shall not transfer any personal data to any other person.

B. Data must be adequate, accurate and without prejudice to the dignity of the human person, stored only for the period within which it is reasonably needed, and secured against all foreseeable hazards and breaches.

C. Where personal data is being collected or processed, the medium must display a simple and conspicuous privacy policy that the employee being targeted can understand. The Data Protection Officer must take appropriate measures to provide any information relating to processing to the employee in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

D. Ensure training is conducted with respect to data protection.

E. Work with Internal Audit to ensure the filing of a detailed audit report on the Company's privacy and data protection practices, with each audit stating at least:

i. The type of information collected.

ii. Purpose of collection of data.

iii. Notice obtained from persons before collection.

iv. Access used in collection.

v. Personal consent before collection.

vi. Policies and practices of the organization for the security of personally identifiable information.

F. Ensure that the provisions of this Privacy Policy, and the related practices and procedures, are met and well recorded for the purpose of each audit.

The DPO shall ensure continuous capacity building of persons protecting/processing such data and shall guard against unauthorized use of personal data at all times by putting appropriate security measures in place.

7. What are your data protection rights?

Each employee has a right to:

A. Request that data is deleted,

B. Reasonably withdraw consent,

C. Be informed of the safeguards in place in foreign countries to which the data is being transferred,

D. Restrict processing on a number of reasonable grounds,

E. Seek redress where aggrieved with the handling of data.

8. Complaints?

You agree that any unauthorized use of Personal Information or its contents may cause CHI LIMITED immediate and irreparable harm for which money damages may not constitute an adequate remedy. Where an employee/vendor personal information has been used without authorization or for other unlawful purposes, we encourage individuals that are affected by these acts to immediately report to their line manager/local ethics officer where it will be taken up and investigated.

A. Breach/Remedies/Penalties

In the event that the privacy policy is breached or violated, the employee shall be able to take advantage of any of the below available remedies to seek redress, within the stipulated timeframe.

9. Reference

• Nigerian Data Protection Regulation 2019

• CHI Limited Information Security Policy

10. Appendix

Policy Revision History: July 12th, 2019.

11. Contact Us.

If you have any questions about this Privacy Policy or the manner in which your data is processed, or simply wish to exercise any of your data protection rights, kindly contact the Human Resource Department or the Information Technology Department by email, using the contacts below:

Human Resource Department

Name: Mr. Adam Zubair

Email: adam.zubair@chilimited.com

Data Protection Officer

Name: Mr. Damola Akinade

Email: damola.akinade@chilimited.com