
Data Protection Policy
1. EXECUTIVE SUMMARY
Africa Prudential is committed to conducting its business in accordance with the European Union (EU) General Data Protection Regulation (GDPR) and the Nigeria Data Protection Act 2023 (NDPA).
Africa Prudential, as a data controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy. Non-compliance may expose Africa Prudential to complaints, regulatory actions, fines and/or reputational damage.
Africa Prudential sets forth how it shall manage personal data collected in the normal course of business. Any data provided are handled confidentially to ensure that the contents and services being offered are tailored to specific requests, needs, and interests. Effective implementation of this policy would ensure compliance with the EU GDPR and NDPA.
1.1 Purpose of Policy
The purpose of this policy is to inform all stakeholders about their obligation to protect the privacy and security of personal data when Africa Prudential collects and stores personal data that is needed to carry out its business while complying with the EU GDPR and NDPA.
1.2 Scope of Policy
The policy applies to all Africa Prudential’s employees, vendors and third parties responsible for the processing of personal data on behalf of Africa Prudential.
1.3 Policy Statement
Africa Prudential is committed to compliance with all relevant EU and Nigerian laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information Africa Prudential collects and processes under the EU GDPR and the NDPA.
The EU GDPR/NDPA and this policy apply to all of Africa Prudential’s personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ data, and any other personal data the company processes from any source.
The Data Protection Officer is responsible for reviewing the processing register annually in the light of any changes to Africa Prudential’s activities and any additional requirements identified by means of data protection impact assessments. This register needs to be available on the supervisory authority’s request.
This policy applies to all employees/staff and third parties of Africa Prudential. Any breach of the EU GDPR/NDPA will be dealt with under Africa Prudential’s disciplinary procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
Partners and any third parties working with or for Africa Prudential, and who have or may have access to personal data, will be expected to have read, understood and consented to comply with this policy. No third party may access personal data held by Africa Prudential without having first entered into a data confidentiality agreement, which imposes on the third-party obligations no less onerous than those to which Africa Prudential is committed, and which gives Africa Prudential the right to audit compliance with the agreement.
2. POLICY PROVISION
2.1 Data Protection Principles
Africa Prudential has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data.
Principle 1: Lawfulness, Fairness and Transparency
a. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means Africa Prudential must tell the data subject what processing will occur in an intelligible form using clear and plain language. Emphasis is placed on making privacy notices understandable and accessible (transparency); the processing must match the description given to the data subject (fairness), and a lawful basis, e.g. consent, must be identified before the personal data is processed.
b. The specific information that must be provided to the data subject must, at a minimum, include:
i. the contact details of the Data Protection Officer;
ii. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
iii. the period for which the personal data will be stored;
iv. the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights;
v. the categories of personal data concerned;
vi. the recipients or categories of recipients of the personal data, where applicable;
vii. where applicable, that the controller intends to transfer personal data to a recipient in a foreign country and the level of protection afforded to the data;
viii. any further information necessary to guarantee fair processing.
Principle 2: Purpose Limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means Africa Prudential must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation
a. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the Data Protection Officer is responsible for ensuring that Africa Prudential does not collect any information that is not strictly necessary for the purpose for which it was obtained.
b. All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to the privacy statement and be approved by the Data Protection Officer.
c. The Data Protection Officer will ensure that, on an annual basis, all data collection methods are reviewed to ensure that collected data continues to be adequate, relevant and not excessive.
Principle 4: Accuracy
Personal data shall be accurate and kept up to date. This means that personal data stored by Africa Prudential must be reviewed and updated as necessary. No personal data shall be kept unless it is reasonable to assume that it is accurate.
a. The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of collecting accurate personal data and maintaining it.
b. It is also the responsibility of the data subject to ensure that data held by Africa Prudential is accurate and up to date. Completion of a registration or application form by a data subject will include a statement that the data contained therein is accurate at the date of submission.
c. Employee/Staff, Customers, Suppliers, Others should be required to notify Africa Prudential of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of Africa Prudential to ensure that any notification regarding change of circumstances is recorded and acted upon.
d. The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
e. On at least an annual basis, the Data Protection Officer will review the retention dates of all the personal data processed by Africa Prudential and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of IT Equipment with the IT Risk Policy.
The Data Protection Officer is responsible for responding to requests for rectification from data subjects within one month. This can be extended to a further two months for complex requests. If Africa Prudential decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain its reason and inform them of their right to complain to the supervisory authority and seek judicial remedy.
f. The Data Protection Officer is responsible for making appropriate arrangements such that, where third party organisations may have been passed inaccurate or out-of-date personal data, he/she informs them that the information is inaccurate and/or out of date and is not to be used to make informed decisions about the individuals concerned; and he/she passes any correction of the personal data to the third party where this is required.
Principle 5: Storage Limitation
a. Personal data shall be stored in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed. This means that where personal data is retained beyond processing date, it will be encrypted in order to protect the identity of the data subject in the event of a data breach.
b. Personal data will be retained in line with the Retention of Records Procedure and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
The Data Protection Officer must specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
Principle 6: Integrity and Confidentiality
a. Personal data shall be processed in a manner that ensures appropriate security of personal data including protection against unauthorised and unlawful processing, against accidental loss, destruction or damage. Africa Prudential must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
b. In determining appropriateness, the Data Protection Officer should also consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on Africa Prudential itself, and any likely reputational damage including the possible loss of customer trust.
c. When assessing appropriate technical measures, the Data Protection Officer will consider the following:
i. Password protection;
ii. Automatic locking of idle terminals;
iii. Removal of access rights for Universal Serial Bus (USB) and other memory media;
iv. Virus checking software and firewalls;
v. Role-based access rights including those assigned to temporary staff;
vi. Encryption of devices that leave the Company’s premises such as laptops;
vii. Security of local and wide area networks;
viii. Privacy enhancing technologies such as pseudonymisation and anonymisation;
ix. Identifying appropriate international security standards relevant to Africa Prudential.
d. When assessing appropriate organisational measures the Data Protection Officer will consider the following:
i. The appropriate training levels throughout Africa Prudential;
ii. Measures that consider the reliability of employees (such as references, etc.);
iii. The inclusion of data protection in employment contracts;
iv. Identification of disciplinary action measures for data breaches;
v. Monitoring of staff for compliance with relevant security standards;
vi. Physical access controls to electronic and paper-based records;
vii. Adoption of a clear desk policy;
viii. Storing of paper-based data in lockable fire-proof cabinets;
ix. Restricting the use of portable electronic devices outside of the workplace;
x. Restricting the use of employees’ own personal devices in the workplace;
xi. Adopting clear rules about passwords;
xii. Making regular backups of personal data and storing the media off-site;
xiii. The imposition of contractual obligations on the Company to take appropriate security measures when transferring data to foreign countries.
These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
Principle 7: Accountability
Africa Prudential shall be responsible for, and be able to demonstrate compliance with, the Data Protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as Data Protection by design, Data Protection Impact Assessments (DPIAs), breach notification procedures and an incident response plan.
2.2 Data Subjects’ Rights
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
i. To make subject access requests regarding the nature of information held and to whom it has been disclosed.
ii. To prevent processing likely to cause damage or distress.
iii. To prevent processing for purposes of direct marketing.
iv. To be informed about the mechanics of automated decision-taking process that will significantly affect them.
v. To not have significant decisions that will affect them taken solely by automated process.
vi. To sue for compensation if they suffer damage by any contravention of the EU GDPR/NDPA.
vii. To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.
viii. To request the supervisory authority to assess whether any provision of the EU GDPR/NDPA has been contravened.
ix. To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
x. To object to any automated profiling that is occurring without consent.
Africa Prudential ensures that data subjects may exercise these rights:
i. Data subjects may make data access requests as described in Subject Access Request Procedure; this procedure also describes how Africa Prudential will ensure that its response to the data access request complies with the requirements of the EU GDPR/NDPA.
ii. Data subjects have the right to complain to Africa Prudential relating to the processing of their personal data, the handling of a request from a data subject and appeals from a data subject on how complaints have been handled in line with the Complaints Procedure.
2.3 Consent
Africa Prudential understands ‘consent’ to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
Africa Prudential understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. Africa Prudential must be able to demonstrate that consent was obtained for the processing operation.
For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances, consent to process personal and sensitive data is obtained routinely by Africa Prudential using standard consent documents e.g. when a new client signs a contract, or during induction for participants on programmes. Where Africa Prudential provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 16 in the case of EU GDPR and 18 in the case of NDPA.
2.4 Security of Data
a. All employees/staff are responsible for ensuring that any personal data that Africa Prudential holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by Africa Prudential to receive that information and has entered into a confidentiality agreement.
b. All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data should be treated with the highest security and must be kept:
i. in a lockable room with controlled access; and/or
ii. in a locked drawer or filing cabinet; and/or
iii. if computerised, password protected in line with corporate requirements in the Access Control Policy; and/or
iv. stored on (removable) computer media which are encrypted in line with Secure Disposal of Storage Media.
Care must be taken to ensure that personal computer (PC) screens and terminals are not visible except to authorised employees/staff of Africa Prudential. All employees/staff are required to enter into an Acceptable Use Agreement before they are given access to organisational information of any sort, which details rules on screen time-outs.
Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.
Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention dates are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed as required before disposal.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.
2.5 Disclosure of Data
Africa Prudential must ensure that personal data is not disclosed to unauthorised third parties. All employees/staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Africa Prudential’s business.
All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.
2.6 Retention and Disposal of Data
Africa Prudential conforms to EU GDPR, NDPA and other local laws, standards and guidelines regulating the retention and destruction of personal data, documents and information.
Africa Prudential shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected.
The retention period for each category of personal data is set out in the Retention of Records Schedule along with the criteria used to determine this period including any statutory obligations Africa Prudential has to retain the data.
Personal data must be disposed of securely in accordance with the principle of the EU GDPR/NDPA – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Any disposal of data will be done in accordance with the Secure Disposal Procedure.
2.7 Data Transfer
Where it is intended that personal data will be transferred to a foreign country or international organisation, an affirmation of the Attorney General of the Federation that the data protection levels in the foreign country or international organisation are adequate, in accordance with the provisions of the EU GDPR/NDPA regulations, must be obtained.
Africa Prudential will adopt approved model contract clauses for the transfer of data to foreign countries.
In the absence of an adequacy decision or model contract clauses, a transfer of personal data to a foreign country or international organisation shall only take place on one of the following conditions:
i. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
ii. The transfer is necessary for the performance of a contract between the data subject and Africa Prudential or the implementation of pre-contractual measures taken at the data subject's request;
iii. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
iv. The transfer is necessary for important reasons of public interest;
v. The transfer is necessary for the establishment, exercise or defence of legal claims; and/or
vi. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
2.8 Responsibility
1. Data Protection Officer:
i. Creates regular awareness to ensure that users are aware of this policy
ii. Ensures that this policy is published using approved channels
iii. Ensures the effectiveness of this policy is adequate
iv. Ensures that this policy is regularly updated to reflect developments in the operating environment, EU GDPR and NDPA and any relevant laws in respect of personal data.
2. Employees: Ensure that this policy is adopted within their area of responsibility
3. POLICY REVIEW
This Policy shall be reviewed every two years by the policy owner to ensure that it is relevant, aligned with organisational changes and good practices as well as all relevant laws in respect of personal data. It may be amended, subject to approval, if deemed necessary.


