DATA PROTECTION POLICY
Invictus Africa, through its programs and projects, collects and processes data of individuals and organizations with whom we work or have a relationship for various purposes such as recruitment of staff and volunteers, formal and informal events, engagements with beneficiaries, and communications with partners, funders, and stakeholders at international, national, and sub-national levels. Hence, this Data Protection Policy is imperative in view of the Nigeria Data Protection Regulation (NDPR), which is applicable in Nigeria from where we operate, and which requires accountability and transparency in how organizations like ours use and manage people’s data and information that we collect or access. To this end, this Policy describes the personal data Invictus Africa (‘we’ or ‘us’) collects, how we use such data and information, and the rights of data owners regarding their data.
This Data Protection Policy acknowledges Invictus Africa’s commitment to the protection and privacy of the data and information of individuals and organizations that we collect in accordance with the applicable laws and regulations in Nigeria, especially the Nigeria Data Protection Regulation, 2019. This means that the data and information we collect will be used for the purpose it was collected or consented to by the data subjects (owners of the data).
Scope of the Policy
This Data Protection Policy applies to all volunteers, staff, management, and Board members including individuals, stakeholders, and members of organizations that engage or work with Invictus Africa, who have access to personal data and information. It is also applicable to all data that Invictus Africa holds relating to identifiable individuals, even if such data or information technically falls outside of the NDPR. This includes, but is not limited to, names of individuals, email addresses, phone numbers, and any other information relating to the individuals or organizations.
Purpose of the Policy
The purpose of this policy is to communicate how Invictus Africa protects data and information of individuals and organizations with a view to protecting the privacy rights of the owners of such data and information and protecting Invictus Africa from the risks of any data breach, while complying with international best practice on data privacy and protection, especially the NDPR.
Protecting Data and Information
Therefore, in accordance with the NDPR, Invictus Africa commits to the following data protection principles:
Data Processing: Personal data and information will be collected, processed, and stored in accordance with specific, legitimate, and lawful purposes consented to by the data subject. The personal data will be stored for such period within which it is reasonably needed; and such storage will be against all reasonably foreseeable hazards and breaches.
Lawful Processing: Personal data of individuals and organizations will be processed for the specific purpose(s) for which the data subject has authorized or given consent and where processing of data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Processing of data may also be necessary for compliance with a legal obligation to which Invictus Africa is subject; in order to protect the vital interests of the data subject or of another natural person; and/or for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Invictus Africa.
Procuring Consent: Personal data will be processed in accordance with the rights of the data subject. To this end, Invictus Africa shall not obtain personal data unless the specific purpose of collection is made known to the data subject; and such consent will be obtained without fraud, coercion, or undue influence. Consent will be obtained in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language where the data subject’s consent is given in the context of a written declaration. Data subjects will be informed of their right to withdraw their consent at any time; and if/where data is to be transferred to a third party, Invictus Africa shall inform the data subjects.
Due Diligence and Prohibition of Improper Motives: Invictus Africa shall not seek consent that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts, and anti-social conduct. Reasonable measures will also be taken to ensure that a party to any data processing contract does not have a record of violating the NDPR and such party is accountable to a relevant reputable regulatory authority for data protection within or outside Nigeria.
Data Security: Invictus Africa recognises the importance of protecting data from unauthorised access and data corruption. Hence, we shall develop security measures including, but not limited to, protecting our systems from hackers; setting up firewalls and protecting email systems; storing data securely with access limited to specific authorized individuals; utilizing data encryption technologies; developing organisational policy for handling personal data and other sensitive or confidential data; and continuously building the capacity of all staff and volunteers who may handle personal data in the organization.
Third Party Data Processing Contracts: Being a data controller, Invictus Africa shall ensure that a written contract is signed by a third party that will process personal data of individuals; and ensure that such third party that will process the data obtained from data subjects complies with the NDPR.
Objections by the Data Subject: Invictus Africa acknowledges that data subjects have the right to object to the processing of their data; as such, we shall only process personal data in accordance with data subjects’ rights to object to the processing of personal data relating to the data subject which we intend to process for the purposes of marketing; and option to be expressly and manifestly offered the mechanism for objection to any form of data processing.
Transfer to a Foreign Country: Invictus Africa shall comply with the NDPR in ensuring that any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organisation shall take place subject to the provisions of and exceptions provided in the NDPR.
Rights of Data Subjects: Invictus Africa shall take appropriate measures to: provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child; provide such information in writing, or by other means, including, where appropriate, by electronic means; provide any information relating to processing of data obtained from the data subject orally, at the request of the data subject, provided that the identity of the data subject is proven by other means; inform the data subject without delay and at least within one (1) month of receipt of a request relating to the processing of his/her data and any relevant information to this effect; provide information, any form of communication or any actions taken to a data subject free of charge; and such other rights of the data subjects as contained in the NDPR.
Updating this Policy
Where necessary, this policy will be updated from time to time as required by best practices and laws – international or domestic – relating to data protection and privacy. Where updates are made, such will be communicated to the data subjects.
Violation of this Policy
If there is a violation of this policy by any volunteer, staff, management, or board members of Invictus Africa, such should be reported in writing to firstname.lastname@example.org. This will be handled through Invictus Africa’s internal administrative procedure.