1.0 POLICY BRIEF & PURPOSE
Access ARM Pensions Limited (“We”, “Access ARM Pensions” or “the Company”) is committed to ensuring compliance with emerging data protection regulations in Nigeria and the international community. This is in furtherance of emerging trends in our data regulatory environment, which requires higher transparency and accountability in how companies manage and use personal data.
To administer the pension contributions of our clients, we collect, process, store, share, and where necessary, delete personal data. Consequent to our mandate to decide how and why such data is processed, we are data controllers/administrators under the Nigeria Data Protection Act 2023 as amended and are subject to the provisions of the regulation. Pursuant to this and in consideration of our responsibility to foster safe conduct of transactions involving the exchange of personal data, we have outlined in this Policy a globally applicable data protection and security standard for our Company.
This Policy outlines strict requirements for the collection, processing, storage, and deletion of personal data pertaining to our Customers, Employees, and other individuals with whom we have relationships for various purposes, based on extant provisions of the Nigeria Data Protection Act 2023 and other globally accepted, basic principles on data protection.
2.0 DEFINITIONS
In this Policy, the following terms shall have the meanings referenced herein, unless the context requires otherwise.
“Collectible Personal Information” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIP and others.
“Computer” means Information Technology systems and devices, whether networked or not.
“Data Administrator” means a person or organization that processes data. Access ARM Pensions shall be the Data Administrator under the terms of this policy.
“Database” means a collection of data organised in a manner that allows for easy access, retrieval, deletion, and processing; it includes but is not limited to structured, unstructured, cached and file system databases.
“Data Controller” means a person who, either alone, jointly with other persons, in common with other persons or as a statutory body, determines the purposes for which and the way personal data is processed or is to be processed. For this Policy, Access ARM Pensions Limited is a Data Controller.
“Data Subject” means an identifiable person: one who can be identified directly or indirectly. For this Policy, a Data Subject shall be a Retirement Savings Account (RSA) holder under the Pension Reform Act, 2014, an employee of the Company, or any individual with whom it has a relationship for various purposes.
“Data Protection Officer” means any person appointed by the Data Controller for the purpose of ensuring adherence to the Regulation, relevant data privacy instruments, and data protection directives of the Company. For this Policy, the Data Protection Officer shall be the ICT Auditor, while the Head, Internal Control & Audit shall undertake oversight/supervisory functions.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Regulation” means the Nigeria Data Protection Regulation 2019 and its subsequent amendments.
3.0 SCOPE
This policy applies to all staff (full or part-time), Management and Board of Access ARM Pensions. Accordingly, the following entities or users shall also be covered by the provisions of this policy:
- Individuals working with Access ARM Pensions and its stakeholders who have access to collectible personal information.
- Access ARM Pensions’ vendors or processors who have access to its systems or personal information of data subjects.
- Other persons, entities, or organisations that have access to Access ARM Pensions’ systems or customer data.
Conversely, this policy shall also be applicable to all data that Access ARM Pensions holds relating to identifiable individuals, even if that information technically falls outside the confines of the Regulation.
4.0 GOVERNING PRINCIPLES
As part of our operations, we are entrusted with collecting and processing personal data of our Customers, Employees, and other relevant stakeholders. This information includes but is not limited to any offline or online data that makes a person identifiable, such as names, addresses, employment records, signatures, digital footprints, photographs, means of identification (e.g. Bank Verification Number (BVN), National Identification Number (NIN)), financial data, amongst others.
In furtherance of our obligations within the enabling statutory and/or regulatory framework, Access ARM Pensions shall collate and process personal data in a transparent manner and only with the full cooperation, knowledge, and consent of concerned data subjects. Further, Access ARM Pensions shall always ensure that data subjects are aware of the specific purpose for which their data is being collected before collection and processing.
At all times, Access ARM Pensions shall:
- Exercise a duty of care in relation to personal data in its possession.
- Ensure collection and accurate processing of personal data in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject.
- Handle personal data with utmost confidentiality and ensure continuous implementation of suitable organisational and technical measures to safeguard same from unauthorized access, illegal processing, or distribution, as well as accidental loss, modification or destruction of any kind, damage by rain, fire, or exposure to other natural elements.
- Store personal data for the period within which it is required. This shall be at least 10 years in line with the National Archives Act 1992.
- Be accountable for any acts and omissions in respect of data processing and in accordance with the provisions of the Regulation.
5.0 LAWFUL PROCESSING
Processing of personal data by Access ARM Pensions shall be lawful, upon satisfaction of at least one (1) of the following conditions:
5.1 The Data Subject has given consent to the processing of his or her personal data.
5.2 Processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.
5.3 Processing is necessary for compliance with a legal obligation to which Access ARM Pensions is subject.
5.4 Processing is necessary to protect the vital interests of the Data Subject or of another natural person.
5.5 Processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the Company.
6.0 CONSENT
Access ARM Pensions shall process personal information of Data Subjects in accordance with governing principles of data protection. To comply with these obligations as contained in the Regulation, we undertake to adhere to the following principles:
6.1 We shall not obtain personal data unless the specific purpose of collection is made known to the Data Subject.
6.2 We shall ensure that consent of Data Subject has been sought and obtained without fraud, coercion, or undue influence before processing his or her information.
6.3 Where processing personal data is based on consent, we shall confirm the Data Subject’s capacity to give consent and ensure that the Data Subject has consented to processing of their personal data.
6.4 Where the Data Subject’s consent is given in the context of a written declaration, we shall request consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
6.5 Where the Data Subject is unable to read, Access ARM Pensions shall ensure that the declaration is read to the Data Subject in a language that he or she understands.
6.6 Before obtaining consent, we shall inform the Data Subject of his/her rights in accordance with the provisions of the Regulation and of the ease of withdrawing his/her consent at any time.
6.7 When assessing whether consent is freely given, we shall take utmost account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary or excessive for the performance of the contract.
6.8 Where Data may be transferred to a third party for any reason, we shall request the consent of the data subject before transferring his/her information.
6.9 By virtue of its regulatory oversight over our operations, the National Pension Commission shall have full access to personal data of Data Subjects under the management of Access ARM Pensions Limited. For this purpose, we shall not require any consent from the Data Subject before sharing information with our Regulators. Also, Access ARM Pensions may not require any consent from Data Subjects before sharing information with security operatives where the necessary approvals are obtained.
7.0 ACCESS OF THIRD PARTIES TO PERSONAL DATA
In furtherance of our commitment to ensure compliance with extant provisions of the Regulation with respect to processing of personal data by Third Parties, we shall:
I. Execute a non-disclosure or confidentiality Agreement, the terms of which shall not conflict with the Nigeria Data Protection Regulation 2019, with any third party engaged to undertake any project/contract which would expose such a party to our databank before granting access to the information of concerned data subjects.
II. Ensure full adherence with the provisions of the Regulation by the Third Party in relation to processing of information received from Data Subjects by putting in place adequate sanctions and penalties to deter the third parties from breaching the terms of the Non-Disclosure & Confidentiality Agreement.
8.0 DATA SECURITY
Access ARM Pensions being a Data Controller and taking into consideration the nature, scope, context, and purpose of processing as well as the risk of varying likelihood and the severity for the rights and freedom of natural persons, shall develop security measures to:
- Protect data and systems from hackers.
- Set up firewalls to protect our ICT infrastructure from malware, pharming, phishing, and other security attacks.
- Store data securely, with access restricted to specific authorized individuals.
- Employ data encryption technologies.
- Undertake continuous development of our organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems; and
- Ensure continuous capacity building for staff in line with the requirements of the Regulation.
9.0 DATA PROTECTION CONTROL
Compliance with this Data Protection Policy and the Regulation shall be reviewed periodically in line with data protection audit requirements and other controls. The ultimate performance of these controls is the responsibility of the Board of Directors through such officers of the Company as may be designated by the Board of Directors, from time to time.
10.0 BREACH OF THIS POLICY
A breach of this policy could have severe consequences on Access ARM Pensions, its ability to provide services, or maintain the integrity, confidentiality, or availability of services rendered to our esteemed customers. Intentional misuse resulting in a breach of any part of this policy will be disciplined in line with the provisions of the staff handbook.
Severe, deliberate, or repeated breaches of the policy may be considered grounds for instant dismissal, or in the case of an Access ARM Pensions’ vendor, termination of their contracted services. All employees and vendors are bound by these policies and are responsible for their strict enforcement.
11.0 IMPLEMENTATION
Consequent upon the need to ensure effective implementation of this Policy and other relevant data protection controls from time to time, the Company has identified key stakeholders and outlined their responsibilities in this regard, as follows:
A. Board of Directors
- Review and approval of this Policy and its subsequent editions.
- Review the implementation of this Policy through Management’s Report to the Audit Committee of the Board semi-annually.
B. Executive Management
- Designate a Data Protection Officer to ensure adherence to the Data Protection Regulation, relevant data privacy instruments and data protection directives of the Company.
- Ensure data protection objectives are established and are aligned with the Company’s strategic direction.
- Ensure that resources required for the effective implementation of this Policy are made available, as and when due.
- Publish contact details of the data protection officer on the website.
- Ensure continuous capacity building (at least once annually) for the Data Protection Officers and the generality of personnel involved in any form of data processing.
- Support other relevant Management roles to demonstrate their leadership as it applies to their areas of responsibility.
C. Data Protection Officer
The Data Protection Officer shall ensure adherence to the Data Protection Regulation, relevant data privacy instruments and data protection directives of the Company. Accordingly, he shall conduct a review of relevant processes on a semi-annual basis to ensure adherence to the provisions of the Regulation, and report to the Audit Committee of the Board of Directors through the report of the Internal Audit Department.
12.0 EFFECTIVE DATE
The effective date of this revised Policy is 19th July 2023.
13.0 AMENDMENT / REVIEW OF POLICY
This Policy shall be in force until it is updated by the Board of Directors.