DATA PROTECTION AND PRIVACY POLICY
EFFECTIVE DATE: APRIL 2025
- INTRODUCTION
1.1 Purpose
Iphamar™ Care Foundation (“the Foundation,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data collected from our beneficiaries, donors, employees, volunteers, and other stakeholders. This Data Protection and Privacy Policy (“Policy”) outlines our practices regarding the collection, use, storage, and disclosure of personal data in compliance with the Nigeria Data Protection Act 2023 (“NDPA”) and other applicable laws and regulations.
1.2 Scope
This Policy applies to all personal data processed by the Foundation, regardless of the format in which the information is stored or the means by which it is collected. This includes data collected through our website, mobile applications, paper forms, telephone conversations, and in-person interactions.
- LEGAL FRAMEWORK
2.1 Compliance Statement
The Foundation adheres to the Nigeria Data Protection Act 2023, signed into law on June 12, 2023, which establishes the legal framework for data protection in Nigeria. We are committed to complying with all applicable provisions of the NDPA and other relevant data protection laws.
2.2 Data Protection Principles
In accordance with the NDPA, the Foundation adheres to the following data protection principles:
a) Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
b) Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
c) Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
d) Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
e) Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data are processed.
f) Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
g) Accountability: The Foundation shall be responsible for, and be able to demonstrate compliance with, the above principles.
- DEFINITIONS
For the purposes of this Policy, the following definitions apply:
Personal Data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, or criminal convictions and offences.
Data Subject: An identified or identifiable natural person to whom personal data relates.
Data Controller: The Foundation, which determines the purposes and means of processing personal data.
Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Foundation.
Data Processing: Any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- DATA COLLECTION AND PROCESSING
4.1 Types of Personal Data Collected
The Foundation may collect and process the following types of personal data:
a) Beneficiary Data: Name, contact information, demographic details, health information, financial status, family details, needs assessment information, and service provision records.
b) Donor Data: Name, contact information, donation history, financial information, communication preferences, and tax-related information.
c) Employee and Volunteer Data: Name, contact information, employment history, educational background, qualifications, performance evaluations, banking details, and other employment-related information.
d) Website and Digital Platform Users: Name, contact information, IP address, browser type, device information, usage data, and cookies.
4.2 Lawful Basis for Processing
The Foundation processes personal data only on the following lawful grounds:
a) Consent: The data subject has given clear consent for the processing of their personal data for a specific purpose.
b) Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
c) Legal Obligation: Processing is necessary for compliance with a legal obligation to which the Foundation is subject.
d) Vital Interests: Processing is necessary to protect the vital interests of the data subject or of another natural person.
e) Public Interest: Processing is necessary for the performance of a task carried out in the public interest.
f) Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the Foundation or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
4.3 Consent
Where processing is based on consent, the Foundation shall:
a) Ensure that consent is freely given, specific, informed, and unambiguous.
b) Obtain consent through a clear affirmative action.
c) Document and maintain records of all consents obtained.
d) Ensure that consent can be easily withdrawn at any time.
e) Not make services conditional on consent to processing that is not necessary for the provision of those services.
4.4 Processing of Sensitive Personal Data
The Foundation shall only process sensitive personal data where:
a) The data subject has given explicit consent;
b) Processing is necessary for carrying out obligations and exercising specific rights in the field of employment, social security, and social protection law;
c) Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent;
d) Processing relates to personal data that are manifestly made public by the data subject;
e) Processing is necessary for the establishment, exercise, or defence of legal claims;
f) Processing is necessary for reasons of substantial public interest;
g) Processing is necessary for purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care; or
h) Processing is necessary for reasons of public interest in the area of public health.
- DATA SUBJECT RIGHTS
5.1 Rights of Data Subjects
In accordance with the NDPA, the Foundation recognises and respects the following rights of data subjects:
a) Right to Information: Data subjects have the right to be informed about the collection and use of their personal data.
b) Right of Access: Data subjects have the right to request access to their personal data and to receive a copy of the personal data processed by the Foundation.
c) Right to Rectification: Data subjects have the right to request the correction of inaccurate personal data or the completion of incomplete personal data.
d) Right to Erasure (Right to be Forgotten): Data subjects have the right to request the erasure of their personal data in certain circumstances.
e) Right to Restriction of Processing: Data subjects have the right to request the restriction of processing of their personal data in certain circumstances.
f) Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
g) Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
h) Rights Related to Automated Decision-Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
5.2 Exercising Data Subject Rights
Data subjects may exercise their rights by contacting the Foundation’s Data Protection Officer using the contact information provided in Section 12 of this Policy. The Foundation shall respond to data subject requests without undue delay and at the latest within one month of receipt of the request, which may be extended by up to two additional months where necessary, taking into account the complexity and number of requests.
- DATA SECURITY
6.1 Technical and Organisational Measures
The Foundation implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
a) Encryption and Pseudonymisation: Personal data is encrypted during transmission and, where appropriate, pseudonymised or encrypted when stored.
b) Confidentiality, Integrity, Availability, and Resilience: Systems and services processing personal data maintain confidentiality, integrity, availability, and resilience.
c) Disaster Recovery: The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
d) Regular Testing and Evaluation: Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
6.2 Access Controls
The Foundation limits access to personal data to authorised personnel only, based on the principle of least privilege. Access controls include:
a) User Authentication: Robust authentication mechanisms including strong passwords, multi-factor authentication where appropriate, and regular password changes.
b) Access Logging and Monitoring: Logging and monitoring of access to systems containing personal data to detect unauthorised access attempts.
c) Role-Based Access: Access rights assigned based on job responsibilities and necessity.
d) Regular Review of Access Rights: Periodic review and audit of access rights to ensure they remain appropriate.
6.3 Physical Security
The Foundation implements physical security measures to protect premises, equipment, and physical records containing personal data, including:
a) Secure Areas: Restricted access to areas where personal data is processed or stored.
b) Visitor Management: Procedures for supervising visitors to the Foundation’s premises.
c) Document Security: Secure storage of physical documents containing personal data, with controlled access.
d) Equipment Security: Measures to protect equipment from unauthorised access, damage, or theft.
6.4 Data Breach Response
In the event of a data breach, the Foundation shall:
a) Notification to the Data Protection Authority: Notify the Nigeria Data Protection Commission without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
b) Notification to Data Subjects: Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
c) Documentation: Document all data breaches, including the facts relating to the breach, its effects, and the remedial action taken.
d) Investigation and Remediation: Promptly investigate the breach and take necessary steps to mitigate its effects and prevent recurrence.
- DATA RETENTION AND DISPOSAL
7.1 Retention Periods
The Foundation shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Specific retention periods for different categories of data shall be defined in the Foundation’s Data Retention Schedule, which shall be reviewed and updated regularly.
7.2 Data Disposal
When personal data is no longer necessary, the Foundation shall dispose of it securely using methods appropriate to the sensitivity of the data and the medium on which it is stored:
a) Electronic Data: Secure deletion using appropriate software tools or physical destruction of storage media.
b) Physical Documents: Shredding or other appropriate physical destruction methods.
c) Third-Party Processors: Ensuring that third-party processors also implement secure data disposal methods.
- DATA SHARING AND TRANSFERS
8.1 Sharing with Third Parties
The Foundation may share personal data with third parties only where:
a) The data subject has given consent;
b) It is necessary for the performance of a contract;
c) It is necessary for compliance with a legal obligation;
d) It is necessary to protect the vital interests of the data subject or another person;
e) It is necessary for the performance of a task carried out in the public interest; or
f) It is necessary for the purposes of the legitimate interests pursued by the Foundation or the third party.
8.2 Data Processing Agreements
When sharing personal data with data processors, the Foundation shall enter into a written data processing agreement requiring the processor to:
a) Process the personal data only on documented instructions from the Foundation;
b) Ensure that persons authorised to process the personal data have committed themselves to confidentiality;
c) Implement appropriate technical and organisational security measures;
d) Not engage another processor without prior authorisation from the Foundation;
e) Assist the Foundation in responding to data subject requests;
f) Assist the Foundation in ensuring compliance with security obligations;
g) Delete or return all personal data to the Foundation after the end of service provision; and
h) Make available to the Foundation all information necessary to demonstrate compliance with these obligations.
8.3 International Data Transfers
The Foundation shall transfer personal data to countries outside Nigeria only where:
a) The Nigeria Data Protection Commission has determined that the third country ensures an adequate level of protection;
b) Appropriate safeguards are in place, such as binding corporate rules, standard contractual clauses, or an approved code of conduct;
c) The data subject has explicitly consented to the proposed transfer after being informed of the possible risks; or
d) The transfer is necessary for reasons specified in the NDPA, including performance of a contract, important reasons of public interest, or the establishment, exercise, or defence of legal claims.
- DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)
9.1 Requirement for DPIAs
The Foundation shall carry out a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects, including:
a) Systematic and extensive evaluation of personal aspects based on automated processing, including profiling;
b) Processing on a large scale of sensitive personal data; or
c) Systematic monitoring of a publicly accessible area on a large scale.
9.2 DPIA Process
The DPIA process shall include:
a) A systematic description of the processing operations and purposes;
b) An assessment of the necessity and proportionality of the processing;
c) An assessment of the risks to the rights and freedoms of data subjects; and
d) Measures to address the risks, including safeguards, security measures, and mechanisms to ensure protection of personal data.
- ROLES AND RESPONSIBILITIES
10.1 Board of Trustees
The Board of Trustees is ultimately responsible for ensuring that the Foundation complies with data protection obligations. The Board shall:
a) Approve this Policy and any subsequent amendments;
b) Ensure sufficient resources are allocated for data protection compliance; and
c) Receive and review regular reports on data protection compliance.
10.2 Data Protection Officer (DPO)
The Foundation shall designate a Data Protection Officer who shall be responsible for:
a) Informing and advising the Foundation and its employees of their obligations under the NDPA and other data protection laws;
b) Monitoring compliance, including internal data protection activities, DPIAs, staff training, and audits;
c) Cooperating with the Nigeria Data Protection Commission and acting as the contact point;
d) Being available to data subjects regarding the processing of their personal data and exercise of their rights; and
e) Maintaining expert knowledge of data protection law and practices.
10.3 Departmental Heads
Department heads shall:
a) Implement appropriate technical and organisational measures to ensure compliance;
b) Ensure staff awareness and adherence to this Policy;
c) Integrate data protection considerations into departmental processes; and
d) Cooperate with the DPO in fulfilling data protection obligations.
10.4 All Staff
All staff members are responsible for:
a) Complying with this Policy and related data protection guidelines;
b) Reporting suspected data breaches immediately to the DPO or their department head;
c) Completing required data protection training; and
d) Seeking guidance from the DPO when uncertain about data protection requirements.
- TRAINING AND AWARENESS
11.1 Staff Training
The Foundation shall provide regular data protection training, including:
a) Induction training for new employees;
b) Regular refresher training for all staff;
c) Specific training for staff handling sensitive personal data; and
d) Updates on significant changes to data protection law or this Policy.
11.2 Awareness Programmes
The Foundation shall maintain ongoing awareness programmes, including:
a) Regular communications on data protection topics;
b) Visible leadership commitment to data protection; and
c) Clear guidelines and procedures for handling personal data.
- CONTACT INFORMATION
12.1 Data Protection Officer
For questions or concerns regarding this Policy or data protection practices, contact:
Email: dpo@iphamarcare.org
Telephone: +234 803 273 4733
Address: Iphamar™ Care Foundation, 5B Command Road, Lagos
12.2 Nigeria Data Protection Commission
Complaints may also be directed to:
Website: www.ndpc.gov.ng
Email: info@ndpc.gov.ng
Telephone: +234
Address: Nigeria Data Protection Commission, Address Line 1, Address Line 2, Abuja, Nigeria
- POLICY REVIEW AND UPDATES
13.1 Regular Review
This Policy shall be reviewed at least annually or more frequently where required due to changes in law, organisational practices, or identified risks.
13.2 Updates and Amendments
All updates shall be approved by the Board of Trustees and communicated to staff and relevant stakeholders.
13.3 Version Control
This Policy is version 1.0, effective from April 2025.
- COMPLIANCE AND ENFORCEMENT
14.1 Monitoring and Auditing
The Foundation shall monitor and audit compliance through:
a) Regular internal audits;
b) Periodic reviews of data processing activities;
c) Assessment of new systems or processes involving personal data; and
d) Investigation of reported concerns or incidents.
14.2 Non-Compliance
Non-compliance may result in:
a) Staff: Disciplinary action, including termination;
b) Volunteers: Termination of volunteer relationship;
c) Contractors/Third Parties: Contract termination and legal action;
d) Foundation: Regulatory enforcement action, financial penalties, reputational damage, and legal liability.