1. Introduction

In a changing technical world, majority of jurisdictions values the Privacy and the Protection of Personal Data. All theactors involved in the management of Personal Data are expected to respect the requirements of safeguarding Personal Data. Through the various legislations passed into law the world over is committed to protecting the privacy of individuals. Governments recognize that this protection is an essential element in maintaining public trust in entities managing Personal Data and essential for the social-economic development of jurisdictions in the fourth revolution. Recent development in jurisprudence internationally has strengthened the recognition of Privacy as a fundamental human right, thereby, making the protection of Personal Data a key pillar in the respect for human dignity. In this light, and in order to harness the benefits of the digital economy and mitigate the harms consequent to it, formulating a Data Protection policy is critical for All jurisdictions. The aim of the policy is to protect personal data in order to guard against misuse and to eliminate the unwarranted invasion of privacy. The fundamental principles of the policy have been largely informed by global practices and the need to bridge the gaps that exist in contextualizing privacy and data protection in technological environment in All jurisdictions.

2. Policy Statement

Onfon Mobile Limited is committed to complying with all relevant jurisdictions, legislation and applicable global legislations. Onfon Mobile recognises that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right. Onfon Mobile will ensure that it protects the rights of data subjects and that the data it collects, and processes is done in line with the required legislation. Onfon mobile staff must comply with this policy, breach of which could result in disciplinary action.

3. PURPOSE

The policy provides guidance on how Onfon Mobile staff will handle the data it collects. It helps the company comply with the data protection law, protect the rights of the data subjects and protects Onfon Mobile from risks related to breaches of data protection. Handling data is a critical responsibility for Onfon Mobile as an organization, and staff members play a key role in ensuring the proper collection, storage, and usage of data. Here are some guidelines for how staff should handle the data they collect:

• Understand Data Privacy Laws and Regulations: Staff members should be aware of and knowledgeable about data privacy laws and regulations that apply to their organization and the data they handle. This includes laws like GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and more.
• Data Collection:
  a. Only collect data that is necessary for the organization's legitimate business purposes.
  b. Inform individuals about the purpose of data collection and obtain their consent when required.
  c. Ensure data is collected securely and accurately.
• Data Storage and Security:
  a. Store data in a secure and controlled environment, with appropriate access controls.
  b. Use encryption to protect sensitive data, both in transit and at rest.
  c. Regularly update and patch software and systems to protect against security vulnerabilities.
  d. Implement strong password policies and multi-factor authentication (MFA) for accessing sensitive data.
• Data Retention:
  a. Establish clear data retention policies and adhere to them.
  b. Delete or anonymize data that is no longer needed for its original purpose.
• Access Control:
  a. Limit access to data on a need-to-know basis.
  b. Implement access controls and role-based permissions to ensure only authorized personnel can access certain data.
• Data Handling Procedures:
  a. Have clear guidelines and procedures for handling data, including data entry, data processing, and data sharing.
  b. Train staff on these procedures and regularly review and update them.
• Data Sharing:
  a. Share data only with authorized individuals or entities.
  b. Use secure methods for sharing data, such as encrypted file transfers and secure communication channels
• Data Disposal:
  a. Dispose of data securely when it's no longer needed, through methods like data shredding or secure data erasure.
• Incident Response:
  a. Develop and communicate an incident response plan for data breaches or security incidents.
  b. Encourage staff to report any suspicious activities or potential breaches promptly.
• Data Ethics:
  a. Uphold ethical standards when handling data, respecting individuals' privacy and confidentiality.
  b. Avoid using data for personal gain or unethical purposes.
• Data Training and Awareness:
  a. Provide ongoing data privacy and security training for staff.
  b. Keep employees informed about the latest threats and best practices in data handling.
• Regular Audits and Compliance Checks:
  Conduct regular audits and compliance checks to ensure data handling practices align with regulations and organizational policies.
• Reporting and Accountability:
  Encourage a culture of accountability, where staff members are responsible for their actions related to data handling and reporting any breaches or incidents.

4. SCOPE

The policy applies to:

• Employees of Onfon Mobile and all associated parties, Trustees, implementing partners, vendors, contractors and any other third party who handle and use Onfon Mobile information (where Onfon Mobile) is the ‘Controller’ for the personal data being processed, be it in manual and automated forms or if others hold it on their systems for Onfon Mobile;
• This policy shall be the overarching guiding policy in relation to matters of privacy and Data Protection.
• The policy applies to all data subjects, whether resident in any jurisdictions or not, whosedata is or has been collected or processed by a data controller in All jurisdictions.
• All formats, e.g., printed and digital information, text and images, documents and records, data and audio recordings.

5. Definitions

Data Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data subject means an identified or identifiable natural person who is the subject of personal data.
Personal data means any information relating to an identified or identifiable natural person
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses sex, or the sexual orientation of the data subject.
Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organization, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.

6. Principles

Onfon Mobile will ensure that data is:

• Processed lawfully, fairly and in a transparent manner and in line with the right to privacy
• Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose.
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
• Accurate and where necessary kept up to date.
• Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
• Processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage.
• Not transferred out of All jurisdictions unless there is proof of adequate data safeguards/ measures or consent from the data subject.

7. Legal Grounds for Processing

8. Duty to Notify

Onfon Mobile has a duty to notify data subjects of their rights before processing data. Onfon Mobile will therefore inform the data subjects of their right

• To be informed of the use to which their personal data is to be put
• To access their personal data in Onfon Mobile custody.
• To object to the processing of all or part of their personal data.
• To the correction of false or misleading data.
• To deletion of false or misleading data about them.

9. Lawful and fair processing of data

Onfon Mobile will only process data where they have a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:

• For the performance of a contract to which the data subject is a party (for instance a contract of employment).
• To comply with the Onfon mobile legal obligations.
• To perform tasks carried out in the public interest or the exercise of official authority.
• To protect the vital interests of the data subject or another person.
• To pursue Onfon Mobile legitimate interests where those interests are not outweighed by the interests and rights of data subjects.
• For historical, statistical, journalistic, literature and art or scientific research.

11. Accuracy of Data

Onfon Mobile must ensure that the personal data it collects and processes is accurate, kept up to date, corrected or deleted without delay. All relevant records must be updated should staff be notified of inaccuracies. Inaccurate or out of date records must be deleted or destroyed.

12. Safeguards and security of data

Onfon Mobile has instituted data security measures which are laid out in the Information security policy and procedures. These measures serve to safeguard personal data and must be complied with accordingly.

13. Consent

Where necessary, Onfon Mobile will maintain adequate records to show that consent was obtained before personal processing data. Data will not be processed after the withdrawal of consent by a data subject.

14. Processing data relating to a child

Onfon Mobile will not process data relating to a child unless consent is given by the child’s guardian or parent and the processing is in such a manner that protects and advances the rights and best interests of the child in line with Onfon Mobile Safeguarding policy. Onfon Mobile will institute adequate mechanisms to verify the age and obtain consent before processing the data.

15. Data protection impact assessment

Onfon Mobile will undertake a data protection impact assessment whenever they identify that the processing operation will likely result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.

16. Processing sensitive personal data

Onfon Mobile will process sensitive personal data only when:

• The processing is carried out in the course of legitimate activities with appropriate safeguards and that the processing relates solely to the staff or to persons who have regular contact with Onfon Mobile, and the personal data is not disclosed outside that Onfon mobile without the consent of the data subject.
• The processing relates to personal data that has been made public by the data subject.
• Processing is necessary for:
  • The establishment, exercise or defense of a legal claim.
  • The purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject.
  • Protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consen

17. Transferring personal data out of any jurisdictions

Onfon Mobile will transfer personal data out of any jurisdiction only when they have:

• Proof of appropriate measures for security and protection of the personal data, and the proof provided to the Data Protection Officer in accordance with any jurisdictional laws, such measures include that data is transferred to jurisdictions with commensurate data protection laws.
• The transfer is necessary for the performance of a contract, implementation of pre-contractual measures such as:
  • For the conclusion or performance of a contract to which the data subject is part of.
  • For matters of public interest.
  • For legal claims.
  • To protect the vital interests of data subjects.
  • For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

Onfon Mobile will process sensitive personal data out of All jurisdictions only after obtainingthe consent of a data subject and on receiving confirmation of appropriate safeguards.

18. Onward reporting

In line with regulatory requirements, Onfon Mobile will report to the Data Protection Officer any data breach within 72 hours of being aware. Onfon Mobile will also communicate the data breach to the data subject as soon as is practical unless the identity of the data subject cannot be established.

19. Training and awareness

Onfon Mobile will train staff on the contents and implementation of this policy. Staff who join Onfon Mobile will be required to go through an induction process that entails familiarization with this policy. Onfon Mobile will ensure that the requirements of this policy form part of its agreement with its grantees, contractors and third parties who process Onfon mobile’s data.

20. Grantees or partners

Grantees and partners of Onfon Mobile must report breaches of Onfon Mobile’s data in their custody within 48 hours using the emails provided above. Grantees and partners must also abide by this policy and institute adequate mechanisms to safeguard the privacy of individual’s data.

21. Roles and Responsibilities all staff must;

Read, understand and comply with the contents of this policy
Report suspicions of breaches promptly
The Chief Executive Officer (CEO) and Chief Operations Officer (COO) are responsible for ensuring employees, Programme Investment Committee (PIC) members, consultants, vendors, and partner organizations are aware of the policy and are supported to implement and work by it, as well as creating a management culture that encourages a focus on data protection.
The PIC will provide governance oversight of activities under this policy.
The Trustees will ensure that there are adequate and effective systems and process in place to safeguard data.

22. Independent assurance

The adequacy and effectiveness of FSD any jurisdictions’ data protection procedures is subjectto the regular internal audit reviews where necessary FSD All jurisdictions may call an external review provide assurance over the integrity.

23. Data retention

The Data retention period in FSD jurisdictions is determined by legitimate needs. Adequate records of decision making will be maintained to show cause.

24. Review of this policy

The Chief Operating Officer is responsible for ensuring that this policy is reviewed on a timely basis. This policy will be reviewed after every two years and accordingly approved by the PIC and the Trustees.

25. Related policies

This policy should be read in conjunction with:

• Code of conduct
• Misconduct, disciplinary and grievance policy.
• Information security policy.