This Policy is the code of practice for Data Privacy and Protection in U and
C Microfinance Bank Limited. In addition, it documents how data is
managed throughout U and C Microfinance Bank Ltd and outlines the
appropriate measures through which U and C Microfinance Bank Ltd will
facilitate the secure and reliable flow of data/information, both internally
and externally.
U and C Microfinance Bank Ltd is a company licensed by the Central
Bank of Nigeria (CBN) to operate as a microfinance bank, hence it
collects and processes data of individuals that makes them easily
identifiable. These individuals, known as 'Data Subjects', include past,
current and prospective employees, vendors, customers/clients and their
representatives, next of kin and other entities that U and C Microfinance
Bank Ltd deals with.
Preserving the trust and confidence of the Data Subjects requires that the
Data Subjects do not suffer negative consequences/effects as a result of
providing U and C Microfinance Bank Ltd with their Personal Data. With
this in mind, U and C Microfinance Bank Ltd is firmly committed to
complying with applicable data protection laws, regulations, rules and
principles to ensure the security of Personal Data handled by the bank.
This Data Privacy and Protection Policy describes the minimum standards
that must be strictly adhered to regarding the collection, storage, use and
disclosure of Personal Data and indicates that U and C Microfinance
Bank Ltd is dedicated to processing the Personal Data it receives or
processes with absolute confidentiality and security.
This Policy applies to all forms of systems, operations and processes
within U and C Microfinance Bank Ltd's work environment that involve the
collection, storage, use, transmission and disposal of Personal Data.
Failure to comply with the data protection rules and guiding principles set
out in the Nigeria Data Protection Regulations 2019 (NDPR) as well as
those set out in this Policy is a material violation of U and C Microfinance
Bank Ltd’s policies and may result in disciplinary action as required,
including suspension or termination of employment or business
relationship.
Scope
This Policy applies to all employees of U and C Microfinance Bank Ltd, as
well as to any external business partners (such as suppliers, contractors,
vendors and other service providers) who receive, send, collect, access,
or process Personal Data in any way on behalf of U and C Microfinance
Bank Ltd, including processing wholly or partly by automated means. This
Policy also applies to third party Data Processors who process Personal
Data received from U and C Microfinance Bank Ltd.
General Principles for Processing of Personal Data
U and C Microfinance Bank Ltd is committed to maintaining the principles
in the NDPR regarding the processing of Personal Data.
To demonstrate this commitment as well as our aim of creating a positive
privacy culture within U and C Microfinance Bank Ltd, the bank adheres
to the following basic principles relating to the processing of Personal
Data.
Lawfulness, Fairness and Transparency
Personal Data of Data Subjects must be processed lawfully, fairly and in a
transparent manner at all times. This implies that Personal Data collected
and processed by or on behalf of U and C Microfinance Bank Ltd must be
in accordance with the specific, legitimate and lawful purpose consented
to by the Data Subject, save where the processing is otherwise allowed
by law or within other legal grounds recognized in the NDPR.
Data Accuracy
Personal Data of Data Subjects must be accurate and kept up-to-date. In
this regard, U and C Microfinance Bank Ltd:
a) shall ensure that any data it collects and/or processes is accurate
and not misleading in a way that could be harmful to the Data
Subject;
b) will make efforts to keep Personal Data updated where reasonable
and applicable; and
c) will make timely efforts to correct or erase Personal Data when
inaccuracies are discovered.
Limitation of Purpose
U and C Microfinance Bank Ltd collects Personal Data only for the
purposes identified in the appropriate U and C Microfinance Bank Ltd
Privacy Notice or any other relevant document or based on any other
non-written communication (where applicable), provided to the Data
Subject and for which consent has been obtained. Such Personal Data
cannot be reused for another purpose that is incompatible with the
original purpose, unless new consent is obtained.
Data Minimization
i) U and C Microfinance Bank Ltd limits Personal Data collection and
usage to data that is relevant, adequate, and absolutely necessary
for carrying out the purpose for which the data is processed.
ii) U and C Microfinance Bank Ltd will evaluate whether and to what
extent the processing of personal data is necessary and where the
purpose allows, anonymised data will be used.
Integrity and Confidentiality
i) U and C Microfinance Bank Ltd shall establish adequate controls in
order to protect the integrity and confidentiality of Personal Data of
Data Subjects, both in digital and physical format and to prevent
personal data from being accidentally or deliberately compromised.
ii) Personal data of Data Subjects must be protected from unauthorized
viewing or access and from unauthorized changes to ensure that it is
reliable and correct.
iii) Any personal data processing undertaken by an employee who has
not been authorized to do so as part of their legitimate duties is
unauthorized.
iv) Employees may have access to Personal Data only as is appropriate
for the type and scope of the task in question and are forbidden to
use Personal Data for their own private or commercial purposes or to
disclose them to unauthorized persons, or to make them available in
any other way.
v) The Human Resources Department must inform employees at the start of
the employment relationship about the obligation to maintain
personal data privacy. This obligation shall remain in force even after
employment has ended.
Personal Data Retention
i) All personal information shall be retained, stored and destroyed by U
and C Microfinance Bank Ltd in line with relevant Legislative and
Regulatory Guidelines. For all Personal Data and records obtained,
used and stored within the bank, U and C Microfinance Bank Ltd
shall perform periodical reviews of the data retained to confirm the
accuracy, purpose, validity and requirement to retain.
ii) U and C Microfinance Bank Ltd will forthwith delete Personal Data
in U and C Microfinance Bank Ltd's possession where such Personal
Data is no longer required by U and C Microfinance Bank Ltd
provided no law or regulation being in force requires U and C
Microfinance Bank Ltd to retain such Personal Data.
Accountability
i) U and C Microfinance Bank Ltd demonstrates accountability in line
with the NDPR obligations by monitoring and continuously improving
data privacy practices within U and C Microfinance Bank Ltd.
ii) Any individual or employee who breaches this Policy may be subject
to internal disciplinary action (up to and including termination of their
employment); and may also face civil or criminal liability if their
action violates the law.
Data Privacy Notice
i) U and C Microfinance Bank Ltd considers Personal Data
confidential, and as such it must be adequately protected from
unauthorized use and/or disclosure. U and C Microfinance Bank Ltd
will ensure that the Data Subjects are provided with adequate
information regarding the use of their Personal Data and will
acquire their respective consent, where necessary.
ii) U and C Microfinance Bank Ltd shall display a simple and
conspicuous notice (Privacy Notice) on any medium through which
Personal Data is being collected or processed.
Legal Grounds for Processing of Personal Data
In line with the provisions of the NDPR, processing of Personal Data by U
and C Microfinance Bank Ltd shall be lawful if at least one of the following
applies:
a) the Data Subject has given consent to the processing of his/her
Personal Data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which
the Data Subject is party or in order to take steps at the request of the
Data Subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to
which U and C Microfinance Bank Ltd is subject;
d) processing is necessary in order to protect the vital interests of the
Data Subject or of another natural person; and
e) processing is necessary for the performance of a task carried out in
the public interest or in exercise of official public mandate vested in U
and C Microfinance Bank Ltd.
Consent
Where processing of Personal Data is based on consent, U and C
Microfinance Bank Ltd shall obtain the requisite consent of Data Subjects
at the time of collection of Personal Data. In this regard, U and C
Microfinance Bank Ltd will ensure:
a) that the specific purpose of collection is made known to the Data
Subject and the consent is requested in a clear and plain language;
b) that the consent is freely given by the Data Subject and obtained
without fraud, coercion or undue influence;
c) that the consent is sufficiently distinct from other matters to which the
Data Subject has agreed;
d) that the consent is explicitly provided in an affirmative manner;
e) that consent is obtained for each purpose of Personal Data collection
and processing; and
f) that it is clearly communicated to and understood by Data Subjects
that they can update, manage or withdraw their consent at any time.
Valid Consent
i) For Consent to be valid, it must be given voluntarily by an
appropriately informed Data Subject. In line with regulatory
requirements, consent cannot be implied. Silence, pre-ticked boxes
or inactivity do not constitute consent under the NDPR.
ii) Consent in respect of Sensitive Personal Data must be explicit. A
tick of the box would not suffice.
iii) Consent of Minors – The consent of minors (under the age of 18)
will always be protected and obtained from the minors' representatives in
accordance with applicable regulatory requirements.
Data Subject Rights
i) All individuals who are the subject of Personal Data held by U and C
Microfinance Bank Ltd are entitled to the following rights:
a) Right to request for and access their Personal Data collected and
stored. Where data is held electronically in a structured form,
such as in a Database, the Data Subject has a right to receive
that data in a common electronic format;
b) Right to information on their personal data collected and stored;
c) Right to objection or request for restriction;
d) Right to object to automated decision making;
e) Right to request rectification and modification of their data which
U and C Microfinance Bank Ltd keeps;
f) Right to request for deletion of their data, except as restricted by
law or U and C Microfinance Bank Ltd's statutory obligations;
g) Right to object to, and to request that U and C Microfinance Bank
Ltd restricts the processing of their information except as
required by law or U and C Microfinance Bank Ltd's statutory
obligations.
ii) U and C Microfinance Bank Ltd's well-defined procedure regarding
how to handle and answer Data Subjects' requests is contained in
U and C Microfinance Bank Ltd's Data Subject Access Request
Policy.
iii) Data Subjects can exercise any of their rights by completing the U
and C Microfinance Bank Ltd's Subject Access Request (SAR) Form
and submitting it to the bank via mails@uandcmfb.com.
Third Party Processor
U and C Microfinance Bank Ltd may engage the services of third parties
in order to process the Personal Data of Data Subjects collected by the
bank. The processing by such third parties shall be governed by a written
contract with U and C Microfinance Bank Ltd to ensure adequate
protection and security measures are put in place by the third party for the
protection of Personal Data in accordance with the terms of this Policy
and the NDPR.
Data Breach Management Procedure
i) A data breach procedure is established and maintained in order to
deal with incidents concerning Personal Data or privacy practices
leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Personal Data transmitted,
stored or otherwise processed.
ii) All employees must inform their designated line manager or the DPO
of U and C Microfinance Bank Ltd immediately about cases of
violations of this Policy or other regulations on the protection of
Personal Data, in accordance with U and C Microfinance Bank Ltd's
Personal Data Breach Management Procedure in respect of any:
a) improper transmission of Personal Data across borders;
b) loss or theft of data or equipment on which data is stored;
c) accidental sharing of data with someone who does not have a
right to know this information;
d) inappropriate access controls allowing unauthorized use;
e) equipment failure;
f) human error resulting in data being shared with someone who
does not have a right to know; and
g) hacking attack.
iii) A data protection breach notification must be made immediately after
any data breach to ensure that:
a) immediate remedial steps can be taken in respect of the breach;
b) any affected Data Subject can be informed; and
c) any stakeholder communication can be managed.
iv) When a potential breach has occurred, U and C Microfinance Bank
Ltd will investigate to determine if an actual breach has occurred and
the actions required to manage and investigate the breach as
follows:
a) Validate the Personal Data breach;
b) Ensure proper and impartial investigation is initiated, conducted,
documented, and concluded;
c) Identify remediation requirements and track resolution;
d) Report findings to the top management;
e) Coordinate with appropriate authorities as needed;
f) Coordinate internal and external communications; and
g) Ensure that impacted Data Subjects are properly notified, if
necessary.
Data Protection Impact Assessment
U and C Microfinance Bank Ltd shall carry out a Data Protection Impact
Assessment (DPIA) in respect of any new project or IT system involving
the processing of Personal Data to determine whether a type of
processing is likely to result in any risk to the rights and freedoms of the
Data Subject.
Data Security
i) All Personal Data must be kept securely. U and C Microfinance
Bank Ltd will ensure that appropriate measures are employed
against unauthorized access, accidental loss, damage and
destruction to data. This includes the use of password-protected
databases for digital storage and locked cabinets for data held in
paper form.
ii) To ensure security of Personal Data, U and C Microfinance Bank Ltd
will, among other things, implement the following appropriate
technical controls:
a) Industry-accepted hardening standards for workstations, servers,
and databases;
b) Enable Security Audit Logging across all systems managing
Personal Data;
c) Restrict the use of removable media such as USB flash and disk
drives;
d) Physical access control where Personal Data are stored in
hardcopy.
Training
U and C Microfinance Bank Ltd shall ensure that employees who collect,
access and process Personal Data receive adequate data privacy and
protection training in order to develop the necessary knowledge, skills
and competence required to effectively manage the compliance
framework under this Policy and the NDPR with regard to the protection
of Personal Data.
Data Protection Audit
U and C Microfinance Bank Ltd shall conduct an annual data protection
audit through a licensed Data Protection Compliance Organization
(DPCO) to verify U and C Microfinance Bank Ltd's compliance with the
provisions of the NDPR and other applicable data protection laws.
The audit report will be certified and filed by the DPCO with NITDA as
required under the NDPR.
Changes to the Policy
U and C Microfinance Bank Ltd reserves the right to change, amend or
alter this Policy at any point in time.