- Policy Statement
1.1. Acumen4D (ACUMEN4D) and its governing body, the Board of Directors, are committed to promoting and maintaining good corporate governance. This Policy is intended to facilitate the protection of Personal Data by complying with Regulatory Requirements on Personal Data protection.
1.2. ACUMEN4D is committed to protecting the rights and freedoms of Data Subjects and safely and securely processing their data in accordance with all of applicable legal obligations. ACUMEN4D holds Personal Data about our employees, Partners, Board of Directors, for a variety of purposes as detailed in clause 3.3 of this Policy.
- Definitions
For the purpose of this Policy, the following definitions shall apply:
“Anonymize” means to Process Personal Data with the aim of irreversibly preventing the identification of the Data Subject to whom it relates by rendering it anonymous in such a manner that the Data Subject is not or no longer identifiable.
“Consent” means that the Data Subject or as appropriate parent or the legal guardian has been fully informed of the clear intended processing and has signified their agreement, while being in a fit state of mind to do so and without pressure being exerted upon them. The Data Subject, parent, or legal guardian, as the case may be, must give Consent freely of his or her own accord.
“Data Controller” refers to the Natural Person or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” refers to a Natural Person or legal person, public authority, agency or other bodies that process Personal Data on behalf of the Data Controller.
“Data Protection Advisory Committee” refers to an advisory committee comprising of the General Counsel, The Head of the Information and Communications Technology, the Director of Human Resources and Administration and the Head of the Monitoring and Evaluation functions.
“Data Protection Officer” for the purpose of this Policy, the Data Protection Officer is the General Counsel.
“Data Subject” refers to any Natural Person who is the subject of Personal Data Processed or held within ACUMEN4D systems.
“Regulatory Requirements” refer to all relevant national and international laws on data protection applicable to ACUMEN4D’s operations that shall be in force at the time.
“Natural Person” refers to an individual human being, as opposed to an organization.
“Partners” means grantees, consultants, suppliers, any parties we have a contractual relationship with and their respective subcontractors.
“Personal Data” means any information relating to a Natural Person from which that person can be identified. This includes but is not limited to name, other identifiers such as unique personal identifiers (e.g. national identification number, passport number, payroll numbers), address, location data or other online identifiers, as well as physical, physiological, genetic, mental, economic, cultural or social identity.
“Pseudonymize” refers to the Processing of Personal Data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information by exchanging Personal Data with non-identifying data.
“Process” is defined very broadly and encompasses any action performed on or with Personal Data including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction (that is, the marking of stored data with the aim of limiting its processing in the future), erasure and destruction.
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric and health data, and information relating to a Data Subject’s sex life or sexual orientation.
“Third Party” means any individual/organisation other than the Data Subject, ACUMEN4D or Partners.
- Scope
3.1. This Policy applies to all prospective, current and former employees, Partners, and all users of data held in ACUMEN4D’s systems. In addition, ACUMEN4D’s Partners, Board of Directors, temporary employees, interns and those undertaking work experience at ACUMEN4D are required to observe the data protection principles and to comply with the responsibilities set out in this Policy.
3.2. ACUMEN4D may supplement or amend this Policy by effecting guidelines and tools from time to time that shall be circulated to the persons covered by this Policy. This Policy shall be reviewed regularly but at the very least every two years.
3.3. ACUMEN4D Processes Personal Data for various purposes, including human resource, administrative, financial, regulatory, payroll and business development purposes, among others. These specific areas covered include (but are not limited to) the following:
- Compliance with our donor, legal, regulatory and corporate governance obligations and good practices.
- Provision of information to our donors when and to the extent necessary for the purposes of the legitimate interest pursued (such as seeking to ensure that the donors are working with appropriately qualified individuals).
- Gathering of information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
- Ensuring ACUMEN4D policies are adhered to (such as policies covering the use of ACUMEN4D’s information systems and resources, such as email and internet).
- Operational reasons such as recording transactions, training and quality control, and ensuring the confidentiality of sensitive information.
- Investigating complaints.
- Checking references, ensuring safe working practices, monitoring and managing employee access to systems and facilities and employee absences, administration and assessments.
- Monitoring employee conduct and disciplinary matters.
- Monitoring the utilization of ACUMEN4D’s information technology resources.
- Marketing our work.
- Improving services.
- Maintenance of employees’ and stakeholders’ information useful for delivery of ACUMEN4D’s strategy.
- Maintenance of complete, meaningful information repositories for organizational and stakeholder use
- Accountability, transparency and responsible use of ACUMEN4D’s resources.
- Cyber security surveillance.
- Policy Framework
4.1. ACUMEN4D’s Personal Data protection and privacy requirements are captured across various institutional policies and procedures. This Policy shall be used in conjunction with, referenced to and shall be referenced by other ACUMEN4D policies including but not limited to the following:
- Anti-Money Laundering Policy.
- Disciplinary Policy & Procedures.
- Ethics Policy.
- Human Resources Policies.
- ICT Policies and Procedures.
- Partners Code of Conduct.
- Policy on the Management of Intellectual Property Assets; and
- Safeguarding of Vulnerable Persons Policy.
4.2. We interpret our policies in consideration of the spirit of this Policy and shall appropriately apply the Data Protection principles in interpreting data protection issues under each of the other ACUMEN4D policies.
- Personal Data Protection Principles
5.1. ACUMEN4D commits to comply with the following principles when Processing Personal Data. Personal Data shall be:
- processed lawfully, fairly and in a transparent manner.
- collected for specified, clear and legitimate purposes and not Processed for other purposes other than those specified.
- processed adequately for the requirement, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- accurate and, as necessary, kept up to date.
- retained for the minimum period required to meet ACUMEN4D’s Regulatory Requirements for the successful undertaking of ACUMEN4D’s business objectives.
- in a manner that ensures its security, including protection against unauthorized or unlawful access and against accidental loss, destruction or damage.
- transferred only where there is adequate protection for the Personal Data.
- handled in respect of owners’ intellectual property rights and informed consent requirements.
5.2. ACUMEN4D shall inform Data Subjects of the reasons for Processing their Personal Data, how it uses such Personal Data, the legal basis for Processing and where required seek Consent from the Data Subject. It shall not process Personal Data of Data Subjects for other incompatible reasons.
5.3. Sensitive Personal Data shall be Processed with strict controls as set out in clause 7.4 of this Policy and within available technological constraints.
- Data Subject Rights
6.1. ACUMEN4D respects the rights of Data Subjects to access the Personal Data that ACUMEN4D processes about them.
6.2. Data Subjects have specific rights on the Processing of Personal Data Processed by ACUMEN4D:
- Right to information on what the Personal Data shall be used for.
- Right of access to Personal Data where such access does not violate the privacy of other Data Subjects’ Personal Data.
- Right to objection to processing of all Personal Data or part of the Personal Data.
- Right to erasure of false or misleading Personal Data.
- Right to correction of false or misleading Personal Data.
6.3. Rights in relation to automated decision making and profiling
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
ACUMEN4D must respect the rights of Natural Persons in relation to automated decision making and profiling and can only carry out such type of decision-making or profiling where the decision or profile is:
- necessary for the entry into or performance of a contract;
- authorised by Regulatory Requirements;
- based on the Data Subject’s informed Consent;
- necessary for the assurance of the security of ACUMEN4D’s information assets;
- required for successful delivery of ACUMEN4D’s strategy; or
- for the benefit of the Data Subject without possible harm.
- Lawful Processing and Consent
7.1. All Processing undertaken by ACUMEN4D must be lawful. It is only lawful to undertake the Processing of Personal Data where the Processing is in accordance with Regulatory Requirements and on the following basis:
- With the informed Consent of the Data Subject;
- Processing is necessary for the performance of a contract with the Data Subject or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of a Data Subject or another person;
- Processing is necessary to protect the confidentiality, integrity and availability of ACUMEN4D’s information assets.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; or
- Necessary for the purposes of legitimate interests pursued by the Data Controller or a Third Party, except where such interests are overridden by the interests, rights or freedoms of the Data Subject.
7.2. Where another basis for Processing Personal Data does not exist, Personal Data or Sensitive Personal Data can only be Processed with the informed Consent of the Data Subject.
7.3. Consent can be provided in a range of forms including verbal, electronic and written Consent. All Consent must require a positive selection or choice to opt in. Where verbal Consent is obtained then records of the Consent must be maintained.
7.4. For Sensitive Personal Data, clear written Consent of Data Subjects must be obtained unless an alternative lawful basis for processing exists. In addition, Sensitive Personal Data shall be processed where the following conditions exist:
- If the Data Subject has given Consent to the processing of Sensitive Personal Data for a specified purpose(s), (the Personal Data may be processed, but only for the purpose approved by the Data Subject).
- If the Data Subject is physically or legally incapable of giving a Consent and the processing is necessary to protect the vital interests of the Data Subject or any other Natural Person.
- Where the processing of the Sensitive Personal Data is necessary to carry out obligations and exercising specific rights of ACUMEN4D as a Data Controller or for the exercising of specific rights of a Data Subject.
- Where the processing of Sensitive Data is necessary for ACUMEN4D to establish, exercise or defend a legal claim.
- When the Data Subject manifestly has made the Sensitive Personal Data public,
- Where the exceptions are contained in supplementary data protection regulations.
- In the field of labor law, social security and social protection necessary for ACUMEN4D to fulfil its obligations and rights as an employer.
- Where the processing of the Sensitive Personal Data is necessary for an important public interest.
- For archiving purposes or research purposes where ACUMEN4D is obligated to archive documents for the need for administrative procedure and for research needs. Sensitive Personal Data may be processed if it is necessary to comply with such archiving purposes. If the sole purpose of processing Sensitive Personal Data is archiving, then that data may not be used for other purposes, unless there are particular reasons to do so with regard to the Data Subject’s vital interests. However, this use limitation does not apply to Personal Data contained in public documents.
- For statistical purposes where the processing of Sensitive Personal Data is in the public interest which clearly outweighs the risk of intrusion to the privacy of the Data Subject.
- Where it is deemed necessary for investigations relating to electronic fraud or related unauthorized systems access or any other actions that are in violation of ACUMEN4D’s ICT policies.
7.5. In most instances ACUMEN4D shall process Personal Data on a legal basis other than Consent. Where Consent is used as the legal basis of Processing then Consent shall be obtained before any processing is undertaken. Any ACUMEN4D forms (whether electronic or paper-based) that gather Personal Data on an individual should contain a statement explaining what the information is to be used for and to whom the information that is may be disclosed. Separate Consent is required for each separate processing activity and usage of the Personal Data where Consent is used as the legal basis of processing. If an individual does not consent to certain types of Processing, appropriate action must be taken to ensure that the Processing does not take place.
7.6. Where Consent has been obtained, it must be recorded. ACUMEN4D is responsible for recording and maintaining an up to date record of the Consent that has been obtained where it is the basis of Processing.
7.7. Consent can be withdrawn at any time. If Consent is withdrawn, then any Personal Data held on the basis of that Consent should be removed from ACUMEN4D records subject to the applicable Regulatory Requirements for retaining such information.
7.8. ACUMEN4D Reserves the right to disclose Personal Data if the Data Subject is involved in any form of electronic fraud and/or cyber espionage.
- Responsibilities
8.1. ACUMEN4D’s responsibilities
8.1.1. ACUMEN4D is a Data Controller and/or Data Processor under the data privacy regulations. Where ACUMEN4D engages a Third Party to process Personal Data (such as payroll), an agreement that is compliant with Regulatory Requirements shall be set up with the supplier/service provider. ACUMEN4D must require sufficient guarantees under data privacy laws from Data Processors including sufficient guarantees that the rights of Data Subjects shall be respected and protected.
8.1.2. Regularly review and only retain Personal Data relevant to the purpose it was provided for.
8.1.3. Documenting the type of Personal Data ACUMEN4D Processes, the Processing purposes and the lawful basis for Processing.
8.1.4. Comply with data protection principles as detailed in clause 5 of this Policy.
8.1.5. Enable the Data Subjects to exercise their rights as described in clause 6 of this Policy.
8.1.6. Ensure ACUMEN4D’s employees receive appropriate training on data protection requirements.
8.1.7. Implementing and reviewing procedures to detect, report and investigate Personal Data breaches.
8.1.8. Store Personal Data in safe and secure ways.
8.1.9. Assess the risk that could be posed to individual rights and freedoms should Personal Data be compromised.
8.2. Responsibilities of ACUMEN4D’s Employees and Partners
8.2.1. Line managers and their reports should ensure they are familiar with this Policy in the Processing of all Personal Data to which they have access to in the course of their duties.
8.2.2. Employees with access to and responsibility for Personal Data are expected to:
- Access only Personal Data that they have authority to access and only for authorized purposes;
- Use Personal Data responsibly and in accordance with the Data Protection Principles;
- Exercise caution before disclosing Personal Data both within and outside ACUMEN4D, or before using it in email, through the internet or intranet;
- Report any loss or compromise of their own or others’ Personal Data to the Data Protection Officer;
- Take all necessary action to keep Personal Data secure, no matter its form or format, including by the proper management of electronic devices, including mobile devices and computer access; implementing and complying with rules on access to ACUMEN4D premises and secure electronic and hard copy file storage and destruction, and in accordance with corporate policies and guidance.
- Where Personal Data is to be disposed of, the Data Protection Officer should ensure that it is destroyed securely subject to retention requirements. It must be remembered that the destruction of Personal Data is of itself Processing and must be carried out in accordance with the data protection principles;
- ACUMEN4D employees must not send other people’s Personal Data from an ACUMEN4D device including laptop, desktop, tablet or mobile phone to a personal email account such as an account not owned or controlled by ACUMEN4D, except where it is legally permitted to do so;
- Where employees’ Personal Data needs to be taken off site the responsible employee must ensure that appropriate steps are taken to protect it; be it in hard copy, stored on a laptop or other electronic device. For the removal of hard copy information, prior consent should be obtained from their line manager and unit head;
- Care must also be taken when observing Personal Data in hard copy or on-screen so that such information is not viewed by anyone who is not legitimately privy to it; and
- If an employee is in any doubt about what they may or may not do with Personal Data, they should seek advice from the Data Protection Officer before taking any action.
- Raise any concerns, notify any breaches or errors, and report anything suspicious or contradictory to this Policy or Regulatory Requirements without delay.
8.3. Responsibility for this Policy
8.3.1. The Data Protection Officer, who is the General Counsel for the purpose of this Policy, has overall responsibility for ACUMEN4D’s Personal Data protection compliance and the day-to-day implementation of this Policy.
8.3.2. A Data Protection Advisory Committee comprising the Director of Human Resources, Head of ICT, Head of Communications and Head of Monitoring and Evaluation shall support the Data Protection Officer in this role.
- Data Sharing
9.1. ACUMEN4D shall ensure that no Personal Data is transferred to a country or organization unless that country or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data, unless such transfer is for compliance with ACUMEN4D’s data protection in accordance with ACUMEN4D’s ICT Policies and ACUMEN4D’s Business Continuity Plans.
9.2. ACUMEN4D shall use encryption and/or Pseudonymisation where it is appropriate to do so.
9.3. ACUMEN4D shall in some circumstances have to share Personal Data with Third Parties, including service providers and other statutory bodies. ACUMEN4D shall require Third Parties to fully comply with this Policy.
9.4. ACUMEN4D shall ensure that Personal Data held in organizational ICT resources that traverse national boundaries are shared across systems (such as websites, integrated information systems among others) in compliance with this Policy and/or applicable Regulatory Requirements.
- Data Protection Breaches
10.1. Failure to observe the Data Protection Principles within this Policy may result in the employee and Third Parties incurring personal criminal liability. It may also result in disciplinary action up to and including dismissal of an employee where there are significant or deliberate breaches of this Policy, such as accessing Personal Data without authorization or a legitimate reason to do so.
10.2. Employees must immediately report to the Data Protection Officer and the Data Protection Advisory Committee any actual or suspected data protection breaches.
10.3. If ACUMEN4D discovers that there has been a breach of employee-related Personal Data that poses a risk to the rights and freedoms of individuals, it shall inform affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken to address the breach.
10.4. Where ACUMEN4D engages Third Parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
10.5. ACUMEN4D shall not be held responsible for disclosure of Personal Data in its possession that is also held in other public or private systems.
- Impact Assessments / Risk Assessments
11.1. Decisions around the processing of Personal Data within ACUMEN4D shall be undertaken with suitable regard for the risk and impact to the privacy and rights of Data Subjects before processing for large volumes of Personal Data is undertaken.
11.2. Data Protection Impact Assessments will be undertaken when a new business process or processing activity is developed that involves the use of Personal Data.
- Procurement
12.1. Data protection issues must be considered at the point of procurement where the goods or services being procured have an impact on data protection and involve the handling of Personal Data.
12.2. Before a new supplier can be involved in the processing of Personal Data held by ACUMEN4D, a contract must exist on the obligations and requirements of the supplier to the processing of the Personal Data. The supplier must undergo appropriate due diligence in regard to their data protection practices.
12.3. ACUMEN4D shall maintain a register of organisations whose data protection practices have been verified and approved and a record of the contract that is in place.
- Security of Electronic Data
13.1. The ICT Information Security Policy sets out the requirements for the secure handling and management of electronic data and secure use of information technology systems; the policy plays a significant role in the effectiveness of Personal Data protection within ACUMEN4D. All ACUMEN4D employees and stakeholders are responsible for ensuring that they are familiar with and comply with the ICT Security Policy and other related ICT policies at all times.
13.2. Access to Personal Data should be limited to those who need to access it in undertaking their legitimate duties as part of ACUMEN4D.
- Retention and Disposal of Data
14.1. Personal Data should not be retained longer than is required for the lawful processing of the Personal Data. Once the Personal Data is no longer required for a specific purpose then it must be disposed of in a way that protects the rights and privacy of Data Subjects or Anonymized Personal Data and maintains a trail of activity on the Personal Data for compliance purposes.
14.2. There are a range of different legal and statutory obligations requiring the retention of information that impact ACUMEN4D’s activities as a Data Controller. Personal Data must be retained in accordance with all applicable Regulatory Requirements.
- Routine Publication of Information
15.1. ACUMEN4D publishes items that include Personal Data which includes but is not limited to:
- Names of all members of the Board of Directors and management.
- Names and job titles of employees including Internal telephone directory.
- Information in prospectuses (including photographs), brochures, newsletters, annual and other reports.
- Employee information on ACUMEN4D website including photographs.
- Information about stakeholders that interact with ACUMEN4D in its day to day activities.
15.2. It is recognised that there might be occasions when a Data Subject, requests that their Personal Data in some of these categories remain confidential or are restricted to internal access. The individuals should be offered an opportunity to opt-out of the publication of the above (and other) data. In such instances, ACUMEN4D should endeavour to comply with the request where possible and ensure that appropriate action is taken. However, where the Personal Data is published for regulatory reasons or where the Personal Data is published because of a legal, compliance or security obligation then the information shall continue to be published.
- Compliance
16.1. ACUMEN4D complies with all Regulatory Requirements. It is the responsibility of all ACUMEN4D employees and stakeholders to ensure, by taking legal advice, that they are aware of all laws, regulations and policies which may affect the area of work in which they are engaged.
16.2. Likewise, ACUMEN4D complies with obligations placed on us by our development partners. It is the responsibility of all ACUMEN4D employees to ensure that they understand and comply with requirements of Partners.
16.3. Where there is any doubt about compliance requirements related to Regulatory Requirements or obligations from Partners, further guidance should be sought from the office of the General Counsel.
- Queries, Privacy Complaints or Breaches
17.1 If an individual wishes to make an enquiry, access or change their personal information, or to lodge a complaint about a possible breach of privacy or has any query on how personal information is collected or handled, they should contact us through: info@Acumen4D.org