AIPIL(Cosmopolitan) – YIN IDEAS GRANT Privacy Policy

Effective Date

Effective Date: 14th August, 2024 – 31st December, 2025

Introduction

The AIPIL(Cosmopolitan) – YIN IDEAS GRANT project (hereinafter referred to as “the Project”) is committed to ensuring the privacy and security of all personal data collected from trainees, staff, partners, and other stakeholders. This Data Privacy Policy outlines the principles and procedures that govern the collection, processing, use, storage, and protection of personal data within the Project, in compliance with the Nigeria Data Protection Commission (“NDPC”).

Purpose of the Policy

The purpose of this policy is to ensure that personal data is handled in a way that:

  • Safeguards the integrity and confidentiality of personal data.
  • Protects the rights of individuals.
  • Ensures compliance with legal obligations.
  • Promotes transparency in how personal data is managed.

Scope

This policy applies to:

  • All personal data collected and processed by the Project.
  • All staff, contractors, volunteers, and third-party service providers who handle personal data on behalf of the Project.
  • All activities related to the collection, storage, and use of personal data, including application processing, program management, communication, reporting, and compliance.

Data Collection

Types of Data Collected

The Project collects the following categories of personal data:

  • Identification Data: National Identification Number (NIN), full name, date of birth, gender.
  • Contact Data: Phone number, email address, mailing address.
  • Educational and Professional Data: Educational background, employment status, qualifications.
  • Program Data: Course enrollment details, attendance records, progress reports, and assessment results.
  • Financial Data: Bank account details (if applicable), and payment history.
  • Technical Data: IP addresses, login information, browser type, operating system.
  • Emergency Contact Data: Names and contact details of emergency contacts.

Methods of Data Collection

Personal data is collected through:

  • Application Forms: Trainees submit their data when applying to the program.
  • Surveys and Feedback Forms: Data collected during the program to assess trainee satisfaction and program effectiveness.
  • Communication: Email, phone, and other communication channels are used to interact with trainees and staff.
  • Automated Collection: Data collected through the Project’s website or software platforms, including cookies and similar technologies.

Legal Basis for Processing

Personal data is primarily processed based on the consent provided by trainees and other individuals during the application process. Consent is obtained for the collection, processing, and sharing of personal data as outlined in this policy.

Contractual Necessity

Data processing is necessary for the performance of a contract to which the trainee is a party, such as enrollment in the program and delivery of training services.

Legal Obligations

Processing is required to comply with legal obligations, such as identity verification, reporting to authorities, and maintaining accurate records.

Legitimate Interests

The Project processes personal data to further its legitimate interests, such as improving program delivery, ensuring security, and maintaining effective communication with stakeholders.

Use of Personal Data

Purpose Limitation

Personal data is used strictly for the purposes for which it was collected, including:

  • Application and Enrollment: Assessing eligibility, processing applications, and enrolling trainees in the program.
  • Program Administration: Managing course schedules, monitoring trainee progress, and issuing certifications.
  • Communication: Providing trainees with important updates, announcements, and feedback.
  • Financial Management: Processing payments, managing financial records, and issuing receipts (if applicable).
  • Compliance and Reporting: Meeting legal obligations and generating reports for internal and external stakeholders.

Data Minimisation

The Project ensures that the personal data collected is relevant, limited, and necessary for the purposes for which it is processed.

Data Sharing and Disclosure

Internal Sharing

Personal data may be shared internally within the Project team, including staff and contractors, strictly on a need-to-know basis.

External Sharing

Personal data may be shared with third parties under the following circumstances:

  • Service Providers: Third-party providers engaged to perform services on behalf of the Project, such as IT services, data storage, and communication platforms. All service providers are contractually obligated to protect personal data in accordance with this policy and applicable laws.
  • Legal and Regulatory Requirements: Personal data may be disclosed to regulatory authorities, law enforcement agencies, or other governmental bodies when required by law or to protect the rights, property, or safety of the Project and its stakeholders.
  • Research and Analysis: Aggregate and anonymized data may be shared with researchers, analysts, and funding bodies for research, analysis, and reporting purposes. This data will not identify any individuals.

Data Security

Security Measures

The Project implements a comprehensive range of security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction, including:

  • Access Controls: Strict access controls to ensure that only authorized personnel have access to personal data.
  • Encryption: Use of encryption technologies for data in transit and at rest to protect data from unauthorized access.
  • Firewalls and Antivirus: Deployment of firewalls, antivirus software, and intrusion detection systems to protect the Project’s IT infrastructure.
  • Regular Audits: Conducting regular security audits and assessments to identify and address potential vulnerabilities.

Incident Response

In the event of a data breach or security incident, the Project will:

  • Contain and Mitigate: Take immediate steps to contain and mitigate the breach.
  • Notification: Notify affected individuals and relevant authorities as required by law.
  • Investigation: Conduct a thorough investigation to determine the cause of the breach and implement measures to prevent future incidents.

Data Retention

Retention Periods

Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specific retention periods are as follows:

  • Application Data: Retained for the duration of the trainee’s involvement in the program plus 3 years for record-keeping and reporting purposes.
  • Program Data: Retained for the duration of the program plus 3 years to facilitate program evaluation and future engagement.
  • Financial Data: Retained for 7 years in compliance with financial regulations and auditing requirements.
  • Communication Records: Retained for 2 years to ensure continuity and accountability in communication.

Data Disposal

Upon the expiration of the retention period, personal data will be securely deleted or anonymized in a manner that ensures it cannot be reconstructed or identified.

Data Subject Rights

Right to Access

Individuals have the right to request access to their personal data held by the Project. Requests will be processed within 30 days in accordance with applicable laws.

Right to Rectification

Individuals have the right to request the correction of inaccurate or incomplete personal data. The Project will take appropriate steps to rectify the data without undue delay.

Right to Erasure

Individuals have the right to request the deletion of their personal data, subject to legal obligations and the need to retain certain data for legitimate business purposes.

Right to Object

Individuals have the right to object to the processing of their personal data for specific purposes, including direct marketing and profiling. The Project will honor such objections unless there are compelling legal grounds to continue processing.

Right to Data Portability

Individuals have the right to request a copy of their personal data in a structured, commonly used, and machine-readable format. This right applies to data processed by automated means and based on consent or contractual necessity.

Third-Party Processors

The Project may engage third-party processors to handle personal data on its behalf. All third-party processors are required to:

  • Compliance: Comply with the Project’s data protection policies and applicable data protection laws.
  • Data Security: Implement appropriate security measures to protect personal data.
  • Confidentiality: Maintain the confidentiality of all personal data and not use it for purposes other than those specified by the Project.
  • Sub-processing: Obtain prior approval from the Project before engaging sub-processors and ensure that any sub-processors are bound by the same data protection obligations.

International Data Transfers

Personal data may be transferred to and processed in countries outside Nigeria. In such cases, the Project will ensure that:

  • Adequacy: The receiving country has been deemed to provide an adequate level of data protection by relevant authorities.
  • Standard Contractual Clauses (SCCs): Appropriate safeguards, such as SCCs approved by data protection authorities, are in place to protect personal data during the transfer.
  • Informed Consent: Where required, individuals are informed and provide explicit consent to the transfer of their personal data to third countries.

Policy Review and Updates

This Data Privacy Policy will be reviewed and updated periodically to reflect changes in laws, regulations, or the Project’s practices. Any changes will be communicated to relevant stakeholders, and updated versions of the policy will be made available through the Project’s official channels.

Contact Information

For any questions or concerns regarding this Data Privacy Policy or to exercise any of the rights mentioned above, please contact:

Data Protection Officer
AIPIL(Cosmopolitan) – YIN IDEAS GRANT
Plot 432, Yakubu J. Pam Street,
Opposite National Hospital,
Central Business District,
Abuja, Nigeria
ideasupport@cosmopolitan.edu.ng