Phone: +23412950826 | Phone: +2349050096593 | Email: info@ipigroupng.com
Back
 

Privacy Policy

IPI SOLUTIONS (NIG) LTD Corporate Privacy Policy

Our policy consists of the following ten privacy principles, which are summarized from the complete principles included in the body of the policy below:

1. Accountability: We establish policy and accountability over personal information, not only within IPI SOLUTIONS (NIG) LTD but also with our Clients.

 2. Notice: We provide individuals with notice about how we collect, use, retain, and disclose personal information about them.

 3. Collection: We collect personal information from individuals only for the purposes identified in the privacy notice we provided and only to provide the product or service the individual has requested or authorized.

 4. Choice and Consent: We give individuals choices and get their consent regarding how we collect, use, and disclose personal information about them.

 5. Use and Retention: We use the personal information that we collect for the purposes we identify in the privacy notice and in accordance with the consent that the individual provided.  We do not retain personal information longer than is necessary to fulfill the purposes for which it was collected and to maintain reasonable business records.

 6. Disclosure or Onward Transfer: When we disclose personal information to third parties, it is only for purposes that are identified in the privacy notice.  We disclose personal information in a secure manner, with assurances of protection by those parties, according to contracts, laws and other agreements, and, where needed, with the consent of the individual.

 7. Quality: We take steps to ensure that personal information in our records is accurate and relevant to the purposes for which it was collected.

 8. Access: We allow individuals a way to make inquiries regarding the information about them that we hold and, when appropriate, to access their personal information for review and update.

 9. Security: We protect personal information from unauthorized access and use.

 10. Monitoring and Enforcement: We monitor compliance with our privacy policies, both internally and with our vendors, and we establish processes to address inquiries, complaints, and disputes.

It is your responsibility to review, understand and adhere to this corporate privacy policy.  All ACA&S’s employees are expected to support our privacy policy and principles when they design products and services, collect and handle personal information, or in the process of maintaining or disposing of personal information.  This policy, supported by more detailed standards and guidelines for specific roles and activities, provides the information to successfully meet our commitments.  Privacy procedures, which may relate to how a particular standard is to be made operational and include additional requirements, are created to implement this privacy policy and the standards.

 

Introduction

Applying responsible privacy practices to personal information (also referred to as “personal data” or “personally identifiable information”) is at the forefront of IPI SOLUTIONS (NIG) LTD’s commitments. Several aspects of privacy make it central to our operations.  Privacy is one of the four pillars of IPI SOLUTIONS (NIG) LTD’s Safe Operations Initiative, along with security, reliability, and business integrity. Privacy has been, and still is, an area of individual concern, and the individuals we interact with expect us to handle personal information with the utmost care. In fact, privacy is a key driver in the level of trust that people have in us.

The scope of “personal information” is quite broad and encompasses virtually any information about an individual that could be traced back to that individual. When there is doubt, for example whether the data refers or relates to an individual or an organization, or whether the data can be tied to an individual or is anonymous, we must treat the data as personal information. Note also that even with respect to data about an organization, there may be separate contractual or other obligations regarding the confidentiality of such data.

Our commitments to Services and Support in general and to privacy specifically are socially responsible as well as good business policy. In order to remain consistent with global legal requirements and to our privacy policy, IPI SOLUTIONS (NIG) LTD needs to make sure that it keeps its promises with respect to the management of personal information, whether it be for customers or partners. We must be certain that what we say is what we actually do with respect to how personal information is collected, handled, used, and managed.

There is nothing in this privacy policy that should interfere with your business operations. To the contrary, sound privacy practices will permit IPI SOLUTIONS (NIG) LTD to grow its business and continue to lead in the IT industry.

The foundation that guides our policy around privacy and data protection is that individuals are to be empowered to control the collection, use, and distribution of their personal information. To remain true to this core tenet, IPI SOLUTIONS (NIG) LTD adopted ten privacy principles that must be implemented across our operations, products, and services. These ten principles guide us in everything we do that involves or partner personal information, and they constitute IPI SOLUTIONS (NIG) LTD’s overall privacy policy. The policy document explains these principles and provides links to other resources that will help you apply the principles to your work. IPI SOLUTIONS (NIG) LTD’s departments are required to follow the ten principles as a minimum baseline and to conform to any higher legal requirement when applicable.

 

Understanding the hierarchy of policies, standards, and procedures

 At IPI SOLUTIONS (NIG) LTD, there are various privacy related policies, standards, and procedures.  Understanding how these different types of documents relate to one another is key for effective implementation of privacy practices.  At the top of the pyramid is this corporate privacy policy, which consists of ten privacy principles and spells out our privacy commitment.  This policy is the global foundation for all other IPI SOLUTIONS (NIG) LTD privacy commitments, which may expand, but will always be in line with this document.  Under the privacy policy are various privacy standards, which are guides, explanations, and applied interpretation of the policy aimed to assist the various IPI SOLUTIONS (NIG) LTD departments to effectively implement this policy in their unique environments. Privacy procedures, which relate to how a particular standard is to be made operational, may include additional requirements and are created by departments to implement this privacy policy and the standards.

How to use this policy

It is important that you understand and follow this policy since it is the foundation of our commitment to privacy.  It is also important to review the 10 principles of our overall global privacy policy as they relate to each other. In other words, these principles work together. The next level of privacy requirements that you must comply with are specific to your department’s products and services. Whatever your operational area within IPI SOLUTIONS (NIG) LTD might be, you are responsible for implementing and integrating this policy and other relevant privacy standards and guidelines by creating and following procedures that are specific to your function and location.

Our privacy policy is composed of the following ten privacy principles, which should be viewed together:

 

Accountability

At IPI SOLUTIONS (NIG) LTD, the IT Privacy Group (ITPG), partnering with the Legal Resource Group (LRG) and other departments, is responsible for the development of privacy policies and standards, and for developing internal processes and programs that enhance the integration of privacy management into the fabric of IPI SOLUTIONS (NIG) LTD business operations.  For internal IT systems and processes, the Chief Information Officer (CIO) and CISO share this responsibility. Supporting ITPG is the IT Privacy Management Committee (ITPMC), which serves as the coordinating body for developing and implementing IPI SOLUTIONS (NIG) LTD’s approach to privacy management through the development and review of policies, practices, and business processes.

Other groups, such as Security and Internal Audit, play a role in helping to ensure that the organization meets its privacy commitments. However, the ultimate responsibility for privacy protection rests with each departmental head. Each department within IPI SOLUTIONS (NIG) LTD is responsible for putting procedures in place that uphold this global policy and its related standards, and for assigning day-to-day responsibilities for privacy protection to specific staff members for enforcement and monitoring.

In the departments, specific privacy procedures must be defined, documented, communicated, and updated as needed. The design, acquisition, implementation, configuration, and management of our business process, infrastructure, systems, products, and services must be reviewed for consistency with the global privacy policies, standards and procedures. The activities of our vendors must also be managed to ensure compliance with our policies and standards.

Notice

Where possible, notice must be provided to individuals at or before the collection of personal information. Otherwise, notice must be provided as soon as practical thereafter. Notice must be provided in all data collection vehicles, including online and offline channels, and must be clearly and conspicuously displayed to the user. Furthermore, in describing what a product or service does with personal information, the notice must be complete, accurate, and easy to understand. Notice is most often provided through a detailed privacy statement, supplemented by a “short notice” where appropriate.  All Web sites, and any product or service that collects personal information, must have a privacy statement.

All privacy notices must include, as applicable, descriptions of:

  • Who is collecting the personal information, including contact information
  • What information is collected and why
  • How the information is collected
  • How the personal information is used, including any onward transfer to third parties
  • Any choices the individuals have regarding the use or disclosure of the information
  • The ability to access and change the information
  • How the information is protected from unauthorized access or use
  • How users will be notified of any changes made to the privacy statement
  • A description of the complaint channels available to individuals
Collection

Personal information can be collected online such as by using forms on Web sites, or offline such as by using registration cards and sweepstakes entry forms. Regardless of the collection method, the same privacy protections apply to all personal information.

Individuals should not be required to provide more personal information than is necessary for the provision of the product or service that the individual has requested or authorized. If any data is requested that is not needed for providing a service or product, such fields must be clearly labeled as optional.

When resorting to the collection of personal information through the use of a third party (not directly from the individual), it must be confirmed that the third party collected the information fairly and lawfully, and that the individual consented to have their information shared with IPI SOLUTIONS (NIG) LTD. When using vendors to collect personal information on our behalf, we must ensure that the vendors comply with our vendor privacy requirements.

Sensitive personal information is a sub-category of personal information that includes, but is not necessarily limited to, information regarding an individual’s:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Commission or alleged commission of offenses
  • Court proceedings

 

Other categories of personal information are often treated as sensitive as well, including:

  • Financial information (such as account numbers and balances)
  • Government-issued identification numbers (such as Social Security and Social Insurance numbers)
  • Other data that raise heightened concerns in a given market or customer group

The collection of such sensitive information should be avoided unless it is strictly necessary to provide a service that the individual has requested, or unless IPI SOLUTIONS (NIG) LTD is required by law to do so. In any case, sensitive personal information must not be collected or used without legal advice and the explicit consent of the individual if required by law.

Consult LRG before collecting personal information from children. This includes situations where we collect information through a product or service that is targeted to children, or where we ask for age and may get information that indicates that a given user is a child.

Choice and Consent

Choice refers to the options we offer individuals regarding the collection and use of their personal information. Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.

Individuals must be informed about the choices available to them with respect to the collection, use, and disclosure of personal information. Consent must be obtained from the individual at or before the time when personal information is collected or as soon as practical thereafter. Individual choices must be implemented and respected. If personal information is to be used for purposes not identified in the privacy notice at the time of collection, the new purpose must be documented, the individual notified, and consent must be obtained prior to such new use or purpose.

When personal information is provided for one purpose (known as the primary purpose), individual consent is implicit for uses necessary to carry out that purpose. However, if the personal information is to be used or shared for any secondary purpose (any use beyond that necessary to provide the service or product that the user has requested), then there must be a choice mechanism presented to the user. The two main mechanisms for gaining the consent of an individual for secondary use or for sharing of personal information are known as “opt in” and “opt out.”

Opt in is an option that requires IPI SOLUTIONS (NIG) LTD to obtain the explicit consent of an individual before his or her personal information can be used or disclosed for secondary purposes. It is an active decision by an individual to consent to the secondary use(s). For example, an unchecked check box may be presented and the user must check the box to opt in. Opt in is IPI SOLUTIONS (NIG) LTD’s preferred method of offering choice or obtaining consent from individuals and is a legal requirement in some jurisdictions.

Opt out is an option that allows IPI SOLUTIONS (NIG) LTD to use or disclose personal information unless the individual requests otherwise. The individual must be given a clear and conspicuous opportunity to opt out of any secondary uses of personal information. For example, a check box may be presented already checked and the individual must uncheck it to opt out.

Opt in is strongly encouraged, but not necessarily required in all cases. However, there are several cases in which opt in is required:

  • Before sharing personal information with third parties for secondary uses
  • Before using sensitive personal information
  • For any secondary use of data about individuals residing in countries that require opt-in
Use and Retention

Unless a contract, law, or regulation specifically requires otherwise, personal information must only be used for the purposes identified in the privacy notice and only if the individual has provided consent, and it must be retained for no longer than necessary to fulfill the stated purposes and support our business operations and reporting requirements.

Primary uses of personal information are generally permissible. Primary uses of data are those for which the personal information was originally collected or provided. For example, if an individual provides shipping information when ordering a product, using that information to send the order is a primary use. Primary uses of data can also be defined as the use of personal information to operate the service that the user has chosen. Analysis of personal information that is necessary to maintain the operations of the service—and use of data to enable better customer service—can be considered a primary use of data if identified as such in the privacy notice.

The line between a primary use and a secondary use is not always clear. However, the best guidance is to look at the situation from the perspective of the individual. When the individual provides the data, is it reasonably clear that a given use would have been part of the purpose for which the data is provided? If not, it is unlikely that it may be considered a primary use.

Individuals must be given additional notice and choice regarding secondary uses or transfers of personal information, and those choices must be respected. This principle allows the individual to provide personal information for a specific purpose without the fear that it may later be used for an unrelated purpose without the individual’s knowledge or consent.

Personal information should be kept only as long as necessary for business purposes identified at the time of collection or subsequently authorized by the individual. This includes meeting legal requirements for maintaining customer information enabling effective customer service and supporting our business records. Data collected for specific purposes should have a specific lifetime and expiration.

In many instances, there are regulations and laws that require customer and transaction records (that may contain personal information) to be maintained for certain durations. Depending on where the information is collected and stored, there may be various national and local laws that must guide the retention practices associated with personal information.

When the use of the personal information is no longer necessary for business purposes, a method must be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable. Reasonable steps must be taken to ensure that personal information is handled and disposed of in a manner consistent with the nature of the information.

Disclosure & Onward Transfer

Individuals must be informed in the privacy notice if personal information is to be disclosed to third parties, and personal information must be disclosed only for the purposes described in the privacy notice and for purposes for which the individual has provided consent, unless a contract, law, or regulation specifically allows or requires otherwise.

Information may be shared with two kinds of entities:

  • Independent third parties
  • Agents and vendors acting on behalf of IPI SOLUTIONS (NIG) LTD

Independent third parties are entities that may use, with consent, individuals’ information for their own purposes (that is, secondary purposes beyond that necessary to fulfill a service on behalf of IPI SOLUTIONS (NIG) LTD), such as marketing. Vendors and other agents are entities who receive personal information in order to perform some function on behalf of IPI SOLUTIONS (NIG) LTD, and they do not have any independent right to use that data for their own purposes.

When IPI SOLUTIONS (NIG) LTD wants to transfer personal information to a vendor or other third party acting as its agent, this action must be included in the privacy notice. In addition, IPI SOLUTIONS (NIG) LTD must enter into a written agreement with the vendor requiring that the vendor provide at least the same level of privacy protection as is required by Woodgrove’s policies and procedures. See the requirements of the Vendor Privacy Program for more details.

By contrast, some of the necessary steps for sharing personal information with independent third parties include:

  • Providing clear and conspicuous notice to customers about how information may be shared with third parties getting the customer to opt in before the sharing occurs
  • Identifying the type and amount of information that will be shared (and only sharing that which is necessary to accomplish the purpose)
  • Providing the customer the ongoing ability to opt out of further sharing even if they originally agreed to the sharing
  • Ensuring that appropriate security measures are used whenever transmitting personal information to or from a third party
  • Ensuring that a contract containing a privacy clause with the third party exists
  • Assigning responsibilities for IPI SOLUTIONS (NIG) LTD and the third party before information is shared
Quality

Maintaining data integrity and quality requires that, as appropriate for the intended purpose, the data is reliable, accurate, complete, and current. Where appropriate, processes must be established to validate and update personal information as it is collected, created, and maintained. Steps must be taken to ensure that personal information used on an ongoing basis is sufficiently accurate and complete to make decisions, unless there are clear limits to the need for accuracy. Additionally, because personal information may be stored in multiple systems and databases, those systems must be designed to ensure that personal information (including individual preferences) remains accurate when data is merged or replicated from one system to another.

Part of the effort to maintain the reliability of data includes providing reasonable access mechanisms for individuals to view, edit, or update information that may be inaccurate.  Another aspect of this effort is keeping the data secure from unauthorized modification or deletion. The Access and Security principles are addressed in greater detail below.

Access

An important element of transparency and accurate processing of personal information is allowing individuals to be able to find out whether personal information is held about them, to be able to understand the specific nature of that information, and to be able to ensure that the information is accurate and up to date. Individuals will be informed of how they may review or update their personal information as appropriate.

To protect the privacy of individuals, the identity of the individual requesting access must first be verified before any access to review or update is provided. IPI SOLUTIONS (NIG) LTD should inquire about the purpose for the access request so that it can furnish the individual with relevant information, and it should suitably authenticate the identity of the requestor. When IPI SOLUTIONS (NIG) LTD is clear on the purpose of the access request and the identity of the requestor, it must respond within a reasonable time, generally within 30 days, and at minimal or no cost to the individual. The information supplied to the individual must be provided or made available in a form that is generally understandable. For example, where we use abbreviations or codes to record information, an explanation must be provided. If we are unable to meet the 30-day timeframe, the individual must be advised in written or electronic communication of the expected date that the information requested will become available.

After reviewing the information, individuals may be permitted to update, correct, or amend the personal information as warranted. Controls must be established to help ensure that the updated information is not erroneous and that the access right is not otherwise misused to detract from the quality of the information we use. When practical, economically feasible, and where warranted, updates and corrections to personal information will be communicated to third parties that previously received the individual’s information.

Nonetheless, there may be circumstances in which the individual’s access or correction request will be limited or denied. In those circumstances, the individual will be informed in written or electronic communication of the reason for the denial, and if applicable, of the individual’s right to challenge the denial as permitted or required by law or regulation.

Security

Information security is one of many components required to build and maintain a Services and Support environment. Security is a fundamental means to achieving IPI SOLUTIONS (NIG) LTD’s privacy objectives. It is critical that the information security practices mandated by IPI SOLUTIONS (NIG) LTD’s security guidelines, IPI SOLUTIONS (NIG) LTD IT, and other departments be implemented for all products, services, and systems.

Security controls must be developed, documented, approved, and implemented and must include administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Such controls must be based on the Services and Support Security Program (SBSP). It must be each group’s responsibility to ensure compliance with the SBSP and its policies. More restrictive security controls must be applied to the protection of sensitive personal information.

Monitoring and Enforcement

Controls over the use and protection of personal information must be reviewed for their effectiveness. Monitoring involving Internal Audit and the BPG may take place; however, the ultimate responsibility for monitoring compliance to ensure the continued compliance of our operations with privacy policies, standards, and procedures lies with department heads who must assign this day-to-day responsibility to specific staff.

Individuals must be informed about how to raise privacy complaints, both directly with IPI SOLUTIONS (NIG) LTD and through applicable third-party dispute resolution programs sanctioned by the BPG, for example, TRUSTe. Privacy complaints must be addressed following an established process, and their resolution must be documented and communicated to the individual.

Effective complaint response and escalation processes regarding the handling of privacy-related issues must be implemented, because a complaint may escalate and become a privacy incident. Privacy incident reporting may come from a number of sources. Incidents may be reported outside of IPI SOLUTIONS (NIG) LTD from customers or other individuals, law enforcement officials, security incident response organizations, privacy advocacy groups, or the media.

Privacy policies must be enforced through:

  • Integration of the privacy policies in the development, maintenance, and service of products and services
  • Reliance on the requirements of internal dispute resolution processes
  • Human Resources guidelines
Exceptions :
Every employee is expected to adhere to the IPI SOLUTIONS (NIG) LTD Corporate Privacy Policy. There are no exceptions to the expectations set forth in the IPI SOLUTIONS (NIG) LTD Corporate Privacy Policy unless explicitly granted and documented by IT Privacy Policies and Guidelines.
Enforcement:
Any employee who fails to follow this privacy policy may be subject to disciplinary action, up to and including immediate termination. In some cases, a breach of company privacy policies may also violate an international, federal, state, or local law. In such cases, the individual could also be subject to criminal prosecution.
SOX Treatment:
Not Applicable
Reporting Treatment:
Everyone involved with IPI SOLUTIONS (NIG) LTD products and services or in collecting, handling, or accessing customer or partner personal information.