Data Protection Policy

Data Protection Policy 2020

1.0 Introduction

Radius Identity Platform (or Radius), as a technology service, needs to gather and process certain information about individuals with whom it has a relationship, for various purposes such as, but not limited to, the recruitment and payment of staff, relationship management with Members, issuers and investors, collection of relevant fees for services rendered, provision of post-technology services, etc. In light of the emerging data regulatory environment, which requires greater transparency and accountability in how companies manage and use personal data, Radius must ensure that its business operations align with global best practices on the protection of the rights and privacy of individuals.

2.0 Policy

The Data Protection Policy (the Policy) is a formal acknowledgment that Radius is committed to the protection of rights and privacy of individuals, in accordance with the Nigeria Data Protection Regulation, 2019 (the Regulation).

3.0 Description

The Policy describes how Radius shall collect, handle and store personal data of individuals to meet the data protection standards.

4.0 Definitions

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data means characters, symbols and binary on which operations are performed by a computer which may be stored or transmitted in the form of electronic signals stored in any format or any device.

Database means a collection of data organised in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type databases.

Data Administrator means a person(s) or organisation that processes data.

Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.

Data Portability means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.

NITDA means the National Information Technology Development Agency.

Data Protection Compliance Organisation (DPCO) means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.

Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Party means directors, shareholders, servants and privies of a contracting party.

Personal Data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether, or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Record means public record and reports in credible news media.

Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

5.0 Purpose

The purpose of this policy is to:

  1. Protect Radius from the risks of a data breach.
  2. Disclose how Radius stores and processes individuals’ data.
  3. Protect the rights of staff, members and stakeholders.
  4. Comply with the Regulation and follow international best practices.

6.0 Nigeria Data Protection Regulation

The Regulation, which came into force on January 25, 2019, regulates the gathering, storing and processing of personal data (regardless of whether the data is stored electronically, on paper or on other materials), and protects the rights and privacy of all living individuals (including children). The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.

7.0 Applicability

Radius will be the data controller under the terms of the Regulation – this means it is ultimately responsible for controlling the use and processing of personal data. Radius shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy statements and data protection directives of Radius.

8.0 Governing Principles of Data Protection

The Regulation mandates every data controller to process any personal data in accordance with the governing principles of data protection. In order to comply with the obligations, Radius undertakes to adhere to the following principles.

8.1 Data Processing

The following statement shall guide compliance with the Regulation on data processing. Radius shall:

  • Collect and process personal data in accordance with specific, legitimate and lawful purpose consented to by the data subject
  • Take reasonable steps to ensure that any personal data is accurate
  • Store only such personal data about an individual as is adequate and sufficient for the purpose for which it is held in relation to that individual
  • Store individuals’ personal data only for the period within which it is reasonably needed.
  • Secure personal data against all foreseeable hazards, breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements
  • Exercise duty of care of personal data in its possession
  • Be accountable for its acts and omissions in respect of data processing and in accordance with the Regulation

8.2 Lawful Processing

Radius shall process personal data of individuals if at least one (1) of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which Radius is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Radius

8.3 Procuring Consent

To fulfil the requirement of the Regulation, personal data will be processed in accordance with the rights of data subject. Radius’s business operations will be guided by the following statements:

  • Radius shall not obtain personal data unless the specific purpose of collection has been made known to the data subject
  • Radius shall ensure that consent of data subject has been obtained without fraud, coercion or undue influence
  • Radius shall ensure, where processing is based on consent, that the data subject has consented to the processing of his or her personal data and has the legal capacity to give that consent
  • Radius shall request for consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the data subject’s consent is given in the context of a written declaration
  • Radius shall inform the data subject of his/her right to withdraw consent at any time, and of the ease with which this can be done
  • When Radius is assessing whether consent is freely given, Radius shall take utmost account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary or excessive for the performance of the contract
  • Radius shall request the consent of the data subject where data may be transferred to a third party for any reason

8.4 Due Diligence and Prohibition of Improper Motives

To align with these requirements, Radius shall:

  • Not seek consent that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts
  • Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the Regulation and such party is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria

8.5 Privacy Policy

Radius shall display a simple and conspicuous privacy policy that the class of data subjects being targeted can understand, irrespective of the medium through which such personal data are being collected or processed. Radius’s privacy policy shall contain the following:

  • What constitutes data subjects’ consent
  • Description of collectable personal information
  • Purpose of collection of personal data
  • Technical methods used to collect and store personal information, cookies, web tokens, etc.
  • Access, if any, of third parties to personal data and purpose of access
  • A highlight of the principles governing data processing
  • Available remedies in the event of violation of the privacy policy
  • The timeframe for remedy
  • Any limitation clause, provided that the limitation clause does not exonerate Radius from breaches of the Regulation.

8.6 Data Security

Radius recognises the importance of protecting data from unauthorised access and data corruption and Radius shall:

  • Develop security measures including but not limited to protecting systems from hackers
  • Set up firewalls and protect email systems
  • Store data securely with access to specific authorised individuals
  • Employ data encryption technologies
  • Develop organisational policy for handling personal data and other sensitive or confidential data
  • Continuously build capacity for all staff

8.7 Third Party Data Processing Contracts

To ensure compliance with the Regulation, being a data controller, Radius shall:

  • Ensure that a written contract is signed by a third party that will process personal data of individuals
  • Ensure that such third party that will process the data obtained from data subjects complies with the Regulation

8.8 Objections by the Data Subject

Radius acknowledges that individuals have the right to object to the processing of their data; as such, Radius shall only process personal data in accordance with the data subjects’ rights listed below:

  • Option to object to the processing of personal data relating to the data subject which Radius intends to process for the purposes of marketing
  • Option to be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge

8.9 Transfer to a Foreign Country

Radius shall comply with the Regulation and any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organisation shall take place subject to the provisions of the Regulation.

8.10 Exceptions in Respect of Transfer to a Foreign Country

In the absence of any decision made by NITDA or Honourable Attorney General of the Federation (HAGF) on the transfer of personal data to a foreign country, Radius shall initiate the transfer or set of transfers of personal data to such foreign country or an international organisation only when:

  • The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards and that there are no alternatives
  • The transfer is necessary for the performance of a contract between the data subject and Radius or the implementation of pre-contractual measures taken at the data subject's request
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Radius and another natural or legal person
  • The transfer is necessary for important reasons of public interest
  • The transfer is necessary for the establishment, exercise or defence of legal claims
  • The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent

Radius, in compliance with the Regulation, shall explicitly communicate through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of a transfer to a third country.

8.11 Rights of Data Subjects

To comply with this section under the Regulation, Radius shall:

  • Take appropriate measures to provide any information relating to processing, to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child
  • Provide such information in writing, or by other means, including, where appropriate, by electronic means.
  • Provide any information relating to processing of data obtained from the data subject orally, at the request of the data subject, provided that the identity of the data subject is proven by other means
  • Inform the data subject, without delay and at least within one (1) month of receipt of a request relating to the processing of his/her data, of the reasons for not acting on the request and of the possibility of lodging a complaint with the supervisory authority
  • Provide information, any form of communication or any actions taken to a data subject free of charge
  • Charge the data subject where a request for his/her data is manifestly unfounded or excessive, in particular because of its repetitive character. The charge shall be a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested
  • Where such a request is excessive, write a letter to the data subject stating “refusal act” on the request and copy NITDA on every occasion through a dedicated channel which shall be provided for that purpose
  • Bear the burden of demonstrating the manifestly unfounded or excessive character of the request
  • Request the provision of additional information necessary to confirm the identity of the data subject where Radius has reasonable doubts concerning the identity of the requestor
  • Provide the information in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing, and in a machine-readable format when presented electronically
  • Provide the data subject with all of the following information, prior to collecting personal data:
    • The identity and the contact details of Radius
    • The contact details of the Data Protection Officer
    • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
    • The legitimate interests pursued by Radius or by a third party
    • The recipients or categories of recipients of the personal data, if any
    • Where applicable, the fact that Radius intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by NITDA
    • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
    • The existence of the right to request from Radius, access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
    • The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
    • The right to lodge a complaint with a relevant authority
    • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
    • The existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
    • Where Radius intends to further process the personal data for a purpose other than that for which the personal data were collected, Radius shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information
    • Where applicable, that Radius intends to transfer personal data to a recipient in a foreign country or international organisation and the existence or absence of an adequacy decision by NITDA
  • Inform the data subject of the appropriate safeguards for data protection in the foreign country
  • Rectify, without undue delay, inaccurate personal data concerning data subjects per their requests
  • Acknowledge the right of data subjects to have their incomplete data completed, including by means of providing a supplementary statement
  • Delete personal data without delay, upon request of the data subject
  • Delete personal data where one of the following grounds applies:
    • The personal data are no longer necessary in relation to the purposes for which they were collected or processed
    • The data subject withdraws consent on which the processing is based
    • The data subject objects to the processing and there are no overriding legitimate grounds for the processing
    • The personal data have been unlawfully processed.
    • The personal data have to be erased for compliance with a legal obligation in Nigeria
  • Take all reasonable steps to delete all the personal data made public and inform other companies processing the personal data of the data subject’s request
  • Acknowledge data subjects’ rights to obtain restriction of processing of their personal data where one of the following applies:
    • The accuracy of the personal data is contested by the data subject, for a period enabling Radius to verify the accuracy of the personal data
    • The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
    • Radius no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
    • The data subject has objected to processing, pending verification of whether the legitimate grounds of Radius override those of the data subject
  • Process personal data only with the data subject’s consent, where processing has been restricted
  • Communicate any rectification or erasure of personal data or restriction to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort
  • Provide personal data concerning data subjects to such data subjects in a structured, commonly-used and machine-readable format
  • Not hinder the data subject from transmitting those data in its database to another company, where the processing is based on consent or on a contract and is carried out by automated means
  • Execute data subjects’ requests for transmission of their personal data to another company, where technically feasible

9.0 Roles and Responsibilities

In compliance with the Regulation, Radius has identified key stakeholders and their responsibilities to drive the operationalisation of the Policy and implementation of necessary data protection controls.

9.1 Board

  • Set the tone at the top on data protection
  • Ultimately responsible for ensuring that Radius meets the obligations of the Regulation.

9.2 Executive Management Committee

  • Ensure data protection objectives are established and are aligned with the strategic direction of Radius
  • Ensure that the resources needed for the protection of data are available
  • Communicate the importance of effective data protection in Radius and of conforming to its requirements
  • Support other relevant Management roles to demonstrate their leadership as it applies to their areas of responsibility

9.3 Directorate Head, Corporate Development

  • Approve any data protection statements attached to communications such as emails and letters
  • Approve any data protection queries from journalist or media outlets such as newspaper
  • Provide directives that ensures marketing initiatives abide by data protection principles

9.4 Data Protection Officer

  • Keep Executive Management updated about data protection responsibilities, risks and issues
  • Review all data protection procedures and related policies, in line with an agreed schedule
  • Arrange data protection training and advice for the people covered by the Policy
  • Handle data protection questions from staff and anyone else covered by the Policy
  • Deal with requests from individuals to obtain the data Radius holds about them
  • Review and approve any contracts or agreements with third parties that may handle the Company’s sensitive data

9.5 Divisional Head, Information Technology Division

  • Ensure all systems, services and equipment used for storing data meet acceptable security standards
  • Evaluate any third-party services Radius is considering using to store or process data such as private cloud computing services

9.6 Information Security Unit

  • Perform regular checks and vulnerability scans to ensure adequate security of hardware and software used in data processing

9.7 Internal Control Unit

  • Provide reasonable assurance regarding the achievement of the operational objectives, such as the effectiveness and efficiency of the security controls

9.8 Internal Audit Group

  • Carry out internal audit and report findings to Executive Management Committee
  • Recommend preventive and corrective action

10.0 Scope

This Policy applies to all staff, Management and the Board of our company. As a matter of best practice, it also applies to other companies (contractors, suppliers, etc.), individuals working with Radius, and its stakeholders who have access to personal information. It is also applicable to all data that Radius holds relating to identifiable individuals, even if that information technically falls outside of the Regulation. This includes, but is not limited to:

  • Names of individuals
  • Email addresses
  • Contact phone numbers
  • Any other information relating to the individuals

11.0 Consequences

The consequence of not adhering to the Policy will be handled in line with our company's Disciplinary Policy.

12.0 References

Nigeria Data Protection Regulation, 2019.