Data Protection Policy
Conditions of Use
No part of this document may be copied, transmitted, reproduced, or stored in any way or by any means whether digital, electronic, mechanical or otherwise, without the express prior written permission of Union Systems Limited. The use of this document is subject to the terms and conditions of the Licence & Commercial Agreements under which it is supplied.
NOTICE
Union Systems Limited is referred to as “the organization”.
1.0 Introduction
The data protection and privacy policy of Union Systems Limited (hereinafter referred to as ‘USL’, ‘our’, ‘we’) describes how information is collected, stored and used by our solutions/platforms. It is important that you understand what information is collected and how it is used. Your use of our Services constitutes acceptance of our Data Protection and Privacy Policy. This policy, between USL and you, constitutes our commitment to your privacy on our applications, administrative records, websites, social media platforms and premises.
2.0 Purpose
2.1 This policy and its supporting procedures and guidance support USL’s compliance with its obligations as a Data Controller and, where applicable, a Data Processor under the Data Protection Act. USL is responsible for, and must be able to demonstrate, compliance with the following Data Protection Principles (“accountability”).
In summary, these state that personal and business data shall be:
- Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”),
- Collected or created for specified, explicit and lawful purposes and not be further processed in a manner that is incompatible with those purposes (“purpose limitation”),
- Adequate, relevant and limited to what is necessary for those purposes (“data minimization”),
- Accurate and kept up to date (“accuracy”),
- Retained in a form that can identify individuals and businesses for no longer than is necessary for that purpose (“storage limitation”),
- Kept safe from unauthorized access, processing, accidental or deliberate loss or destruction (“integrity and confidentiality”).
Processing for issues/bugs resolution, simulation, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is compatible with the purpose and storage limitation principles, subject to appropriate safeguards for the rights and freedoms of the data subjects.
Under Data Protection Regulation, Union Systems Limited must also:
- Proactively inform data subjects about its data processing activities and their rights under the law,
- Meet its legal obligations as a data controller or processor, including data protection by design and default, data protection impact assessment, maintaining records of processing activities, measures to ensure the security of processing, handling of data breaches, and the designation and role of the Data Protection Officer,
- Allow personal and business data to be transferred to other countries only if appropriate safeguards are in place to maintain the same level of protection for the privacy rights of the data subjects concerned.
2.2 This policy sets out a framework of governance and accountability for data protection compliance across USL. It forms part of USL Information Security Management System (ISMS) and Nigeria Data Protection Act, 2023 (NDPA). This incorporates all policies and procedures that are required to protect USL information by maintaining:
- Confidentiality: protecting information from unauthorized access and disclosure,
- Integrity: safeguarding the accuracy and completeness of the information and preventing its unauthorized amendment or deletion,
- Availability: ensuring that information and associated services are available to authorized users whenever and wherever required,
- Resilience: the ability to restore the availability and access to information, processing systems, and services in a timely manner in the event of a physical or technical incident.
3.0 Scope
3.1 What information is included in the Policy
This policy applies to all personal and business data created or received in the course of USL business in all formats, of any age. Business data and personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversations or over the telephone.
3.2 Who is affected by the Policy
Data subjects
These include, but are not confined to prospective employees, employees, prospective clients, clients to our products’ implementation and post-implementation, current and former employees, family members where emergency or next of kin contacts are held, casual and other contingent workers, workers employed through temp agencies, research subjects, external researchers, visitors and volunteers, potential and actual vendors, clients, conference delegates, people making requests for information or enquiries, complainants, professional contacts and representatives of funders, partners and contractors.
Users of personal data
The policy applies to anyone who obtains, records and can access, store or use personal and business data in the course of their work for USL. Users of personal and business data include employees and trainees of USL, contractors, suppliers, agents, USL partners, and external researchers and visitors.
3.3 Where the Policy applies
This policy applies to all locations from which USL personal and business data is accessed including home and mobile use. As USL operates internationally, through its affiliates, and through arrangements with partners in other jurisdictions, the remit of the policy shall include such overseas offices and international activities and shall pay due regard to applicable legislation in each relevant country.
4.0 Definitions
- Policy: The Data Protection and Privacy Policy
- Data: Refers to personal data, business data, database dump from USL client’s environment, and data collected from USL websites.
- Platforms: Our website, product applications, support portal, services, social media, and premises.
- NDPA: Nigeria Data Protection Act.
- ISMS: Information Security Management System.
5.0 Lines of Responsibility
5.1 All internal users of USL information are responsible for
- Completing relevant training and awareness activities provided by USL to support compliance with this Policy,
- Taking all necessary steps to ensure that no breach of information security results from their actions,
- Reporting all suspected information security breaches or incidents promptly to dataprotectionoffice@unionsystems.com so that appropriate action can be taken to minimize harm,
- Informing USL of any changes to the information that they have provided to us in connection with their employment or transactions, for instance, changes of address or bank account details.
5.2 The Managing Director, as the Chief Executive Officer of USL, has ultimate accountability for our compliance with the Data Protection Act.
5.3 The Head of Human Resources has senior management accountability for information governance and for ensuring that the Data Protection Officer is given sufficient autonomy and resources to carry out their tasks effectively. The Head of Human Resources is also responsible for maintaining relevant human resources policies and procedures to support compliance with the Data Protection Act.
5.4 The Director of Commercial Operations and Legal Services has senior management responsibility for information governance within USL.
5.5 The Head of Information Governance, as Data Protection Officer, is responsible for:
- Informing and advising senior managers and all staff of USL of their obligations under the Data Protection Act,
- Promoting a culture of data protection, e.g. through training and awareness activities,
- Reviewing and recommending policies, procedures, standards, and controls to maintain and demonstrate compliance with the Data Protection Act and embed privacy by design and default across USL,
- Advising on data protection impact assessment and monitoring its performance,
- Monitoring and reporting on compliance to the Executive Management of USL, the Audit and Risk Committee, and other relevant committees and boards,
- Maintaining Records of Processing Activities,
- Providing a point of contact for data subjects regarding all issues related to their rights under the Data Protection Act,
- Investigating personal data breaches, recommending actions to reduce their impact and likelihood of recurrence,
- Acting as the contact point for and cooperating with NITDA and other applicable supervisory authorities on issues relating to processing.
5.6 Heads of Departments are responsible for implementing the policy within their business areas, and for adherence by their staff. This includes:
- Assigning generic and specific responsibilities for data protection management,
- Managing access rights for information assets and systems to ensure that staff, contractors, and agents have access only to such data as necessary for them to fulfil their duties,
- Ensuring that all staff in their areas of responsibility undertake relevant training provided by USL and are aware of their responsibilities for data protection,
- Ensuring that staff responsible for any internally managed technology services liaise with the System Administrator to put in place equivalent IT security controls,
- Assisting the Data Protection Officer in maintaining accurate and up-to-date records of data processing activities.
5.7 The System Administrator is responsible for ensuring that centrally managed IT systems and services embed privacy by design and default and for promoting good practices in IT security among staff.
5.8 The Vice President Operations is responsible for ensuring that data protection and wider Information Security controls are integrated within project, operations, risk, and business continuity management to ensure that ISMS & NDPA meets requirements. He is responsible for ensuring that supply chain due diligence and procurement processes embed information risk and data protection impact assessment and privacy by design.
5.9 The Information Governance and Data Protection Committee is responsible for reviewing the effectiveness of data protection policies and procedures as part of its wider oversight of information security management, as set out in the Information Security Policy Framework.
5.10 The Chief Finance Officer must ensure that our annual data protection audit reports are filed as and when due in line with statutory requirements.
6.0 Risk Assessment
6.1 The Organization, where appropriate, will carry out security risk assessment(s) in relation to all the business processes covered by this Policy. These risk assessments will cover all aspects of the data subjects that are used to support those business processes. The risk mitigation measures will be proposed based on the risk assessment.
7.0 Policy
Your Privacy Rights
This Policy describes your privacy rights regarding the collection, use, storage, sharing, and protection of your Data. It applies to the Platforms with us regardless of how you access or use them.
If you have created a username, identification code, password, or any other piece of information as part of our access security measures, you must treat such information as confidential, and you must not disclose it to any third party. We reserve the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our opinion you have failed to comply with any of the provisions of these Conditions. If you know or suspect that anyone other than you knows your security details, you must promptly notify us at dataprotectionoffice@unionsystems.com.
- Consent
By accessing our platforms, using our services, content, features, technologies, or functions offered on our Platforms, or visiting any of our offices for official or non-official purposes, you agree to the terms of this Policy. We may occasionally update this Data Protection and Privacy Policy and encourage you to periodically review it. If we change our data protection and privacy policy, we will post the changes on this page. Your continued use of our platforms constitutes your agreement to this Policy and any updates. Our Terms of Use take precedence over any conflicting provision of this Policy.
- Your Personal Information
When you use USL platforms/solutions deployed on your premises – onsite and/or cloud – the information is obtained via your computer, mobile phone, or other electronic access devices. The information that is automatically collected includes but is not limited to – data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the platforms, referral URL, ad data, standard web log data, still and moving images.
Other information may also include but is not limited to – information on the web form, survey responses, account update information, email, phone number, the organization you represent, official position, correspondence with USL support services, and telecommunication with USL. Our solution may also collect information about your transactions, enquiries, your activities and information provided by third parties like social media sites.
Information about you provided by other sites is not controlled by USL and we are therefore not liable for how they use it.
- Use of Information
The purpose of the collection of your personal information is to give you efficient, enjoyable, and secure service. We may use your information to:
- Provide USL services and support;
- Process applications and send notices about your transactions to requisite parties;
- Verify your identity;
- Resolve disputes, collect fees, and troubleshoot problems;
- Manage risk, or to detect, prevent, and/or remediate fraud or other potentially prohibited or illegal activities;
- Detect, prevent or remediate a violation of Laws, Regulations, Standards, Guidelines, and Frameworks;
- Improve USL Services by implementing aggregate customer or user preferences;
- Measure the performance of the USL Services and improve content, technology, and layout;
- Track information breaches and remediate such identified breaches;
- Manage and protect our information technology and physical infrastructure;
- Contact you at any time through your provided telephone number, email address, or other contact details.
- Cookies
We may send you a temporary cookie when you access our Platforms. A cookie is a text-only string of information that we place in your computer’s/mobile phone’s cookie file so that we can remember who you are when you revisit our Platforms. We may use the data generated from cookies to compile statistical data on your use of our Platforms. You are not obliged to accept the cookie from us and you have the ability to accept or decline cookies by modifying the settings in your browser.
- Security of your Information
Our platforms/solutions store and process your personal information on computers in Nigeria. We will use technical and organizational measures to safeguard your personal and business data. We will ensure at all times that those with whom it is shared process it in an appropriate manner and take all necessary technical and organizational measures in order to protect it. Whilst we will use all reasonable efforts to safeguard your personal and business data, you acknowledge that the use of the internet is not entirely secure and for this reason, we cannot guarantee the security or integrity of any personal and business data which are transferred via the internet.
- Sharing your Data with others
We will not sell or lease your data to third parties without your consent. We may disclose your information to categories of USL recipients. Some of the USL recipients include but are not limited to the following:
- USL Marketing Team;
- USL Business Team; and
- USL Research and Development Team.
We may disclose your information to USL affiliates and other business partners. We may disclose your information to other entities in the event USL considers or goes through a business transition, such as a merger, acquisition, reorganization, or sale of all or a portion of its assets, as your data might be among the data and assets affected. We may also disclose your information when we believe in good faith that disclosure is necessary to protect our rights or the integrity of our Platforms, prevent harm to other visitors or protect your safety, investigate fraud or breaches of a contract or a law, or respond to a legal process or a request from a public authority.
- Security
We will always hold your information securely. To prevent unauthorized access to your information, we have implemented strong controls and security safeguards at the technical and operational levels. Our Platforms use Secure Sockets Layer/Transport Layer Security (SSL/TLS) to ensure secure transmission of your Data. You should see the padlock symbol in your URL address bar once you are successfully logged into the platform. The URL address will also start with https://, indicating a secure webpage. SSL applies encryption between two points such as your PC and the connecting server. Any data transmitted during the session will be encrypted before transmission and decrypted at the receiving end. This is to ensure that Data cannot be read during transmission.
USL has also taken measures to comply with global Information Security Management Systems (ISMS) standards and the Nigeria Data Protection Act, and we have therefore put in place digital and physical security measures to limit or eliminate possibilities of data privacy breach incidents.
8.0 Governing Law
This Policy is made pursuant to the Nigeria Data Protection Act (NDPA) 2023 and other relevant Nigerian Laws, Regulations, or International Conventions applicable to Nigeria. Where any provision of this Policy is deemed inconsistent with the applicable Law, Regulation or Convention, such provision shall be subject to the overriding Law, Regulation or Convention.