PEOPLE’S PENSION DATA PRIVACY POLICY


     

    1. INTRODUCTION

     

    As part of our operations, People’s Pension Trust Ghana Limited (“People’s Pension” or “the Company”) collects and processes certain types of information such as name, telephone numbers, address, etc. (Personal Data) of individuals that make them easily identifiable. These individuals include current, past, and prospective employees, members, beneficiaries, and other individuals whom People’s Pension communicates or deals with, jointly and/or severally (“Data Subjects”).

     

    Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects because of providing People’s Pension with their Personal Data. To this end, People’s Pension is firmly committed to complying with applicable data protection laws, regulations, rules, and principles to ensure the security of Personal Data handled by the Company. This Data Privacy & Protection Policy (the “Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, storage, use, and disclosure of Personal Data and indicates that People’s Pension is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

     

    This Policy applies to all forms of systems, operations, and processes within the People’s Pension environment that involve the collection, storage, use, transmission, and disposal of Personal Data.

     

    Failure to comply with the data protection rules and guiding principles set out in the Ghana Data Protection Act, 2012 (Act 843) (“Data Protection Act” or “DPA”) as well as those set out in this Policy is a material violation of People’s Pension’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

     

    2. SCOPE

     

    This Policy applies to all employees of People’s Pension, as well as to any external business partners (such as developers, agents, and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of People’s Pension, including processing wholly or partly by automated means. This Policy also applies to third-party Data Processors who process Personal Data received from People’s Pension.

     

     

    3. GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA

     

    People’s Pension is committed to maintaining the principles in the Data Protection Act regarding the processing of Personal Data.

    To demonstrate this commitment, as well as our aim of creating a positive privacy culture within People’s Pension, People’s Pension adheres to the following basic principles relating to the processing of Personal Data:

     

    1. Lawfulness, Fairness, and Transparency
      Personal Data must be processed lawfully, fairly, and transparently at all times. This implies that Personal Data collected and processed by or on behalf of People’s Pension must be in accordance with the specific, legitimate, and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the DPA.

     

    1. Data Accuracy
      Personal Data must be accurate and kept up to date. In this regard, People’s Pension:

    1. shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject.

    2. will make efforts to keep Personal Data updated where reasonable and applicable; and

    3. will make timely efforts to correct or erase Personal Data when inaccuracies are discovered.

     

    1. Purpose Limitation

    People’s Pension collects Personal Data only for the purposes identified in the appropriate People’s Pension Privacy Notice or any other relevant document, or based on any other non-written communication (where applicable), provided to the Data Subject and for which consent of the Data Subject has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, unless a new Consent is obtained.

     

    1. Data Minimization

      1. People’s Pension limits Personal Data collection and usage to data that is relevant, adequate, and necessary for carrying out the purpose for which the data is processed.

      2. People’s Pension will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.

     

    1. Integrity and Confidentiality

      1. People’s Pension shall establish adequate controls to protect the integrity and confidentiality of Personal Data, both in digital and physical format, and to prevent personal data from being accidentally or deliberately compromised.

      2. Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.

      3. Any personal data processing undertaken by an employee who has not been authorized to carry it out as part of their legitimate duties is unauthorized.

      4. Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.

      5. The Human Resources Department of People’s Pension informs employees at the start of the employment relationship about the obligation to maintain Personal Data privacy. This obligation shall remain in force even after employment has ended.


    1. Personal Data Retention

      1. All personal information shall be retained, stored, and destroyed by People’s Pension in line with the Data Protection Act and other relevant Legislative and Regulatory Guidelines. For all Personal Data and records obtained, used, and stored within the Company, People’s Pension shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity, and requirement to retain.

      2. To the extent permitted by applicable laws and without prejudice to People’s Pension’s Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:

     

    (a) the contract terms agreed between People’s Pension and the Data Subject or if it is needed for the purpose for which it was obtained; or

    (b) whether the transaction or relationship has statutory implication or a required retention period; or

    (c) an express request for deletion by the Data Subject; except where such Data Subject is under investigation or under a subsisting contract which may require further processing or where the data relates to criminal records; or

    (d) whether People’s Pension has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

     

    Notwithstanding the foregoing and according to the DPA, People’s Pension shall be entitled to retain and process Personal Data for archiving, scientific research, historical research, or statistical purposes for the public interest. People’s Pension shall ensure that Personal Data retained for this purpose shall be adequately protected against access or unauthorized use.

     

    1. People’s Pension shall forthwith delete Personal Data in People’s Pension’s possession where such Personal Data is no longer required by People’s Pension or in line with People’s Pension’s Retention Policy, provided no law or regulation being in force requires People’s Pension to retain such Personal Data.

     

     

    1. Accountability

      1. People’s Pension demonstrates accountability in line with DPA obligations by monitoring and continuously improving data privacy practices within People’s Pension.

      2. Any individual or employee who breaches this policy shall be subject to internal disciplinary action (up to and including termination of their employment) and may also face civil or criminal liability if their action(s) violates the law.

    2. Foreign Data Subject

    People’s Pension shall, in respect of Data Subjects who are subject to laws other than Ghanaian law (Foreign Data Subjects), ensure that Personal Data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where Personal Data originating from that jurisdiction is sent to Ghana for processing.

     

    4. DATA PRIVACY NOTICE

      1. People’s Pension considers Personal Data as confidential and as such must be adequately protected from unauthorized use and/or disclosure. People’s Pension will ensure that Data Subjects are provided with adequate information regarding the use of their Data as well as acquire their respective Consent, where necessary.

      2. People’s Pension shall display a simple and conspicuous notice (Privacy Notice) on any medium through which Personal Data is being collected or processed. The following information must be considered for inclusion in the Privacy Notice, as appropriate in distinct circumstances to ensure fair and transparent processing:

    • Description of collectible Personal Data

    • Purposes for which Personal Data is collected, used, and disclosed

    • What constitutes Data Subject’s Consent

    • The purpose for the collection of Personal Data

    • The technical methods used to collect and store the information

    • Available remedies in the event of a violation of the Policy and the timeframe for remedy, and

    • Adequate information to initiate the process of exercising their privacy rights, such as provision of access to, rectification, and deletion of Personal Data.

     

    5. PURPOSE AND CATEGORY OF DATA COLLECTED AND PROCESSED

      1. We will only collect and use Personal Data if we have obtained the prior consent of the Data Subject or have a lawful and legitimate interest to do so. A Data Subject is at liberty to withdraw their consent at any time by contacting the Data Protection Officer (DPO) at dataprotectionofficer@peoplespensiontrust.com. The following are data collected and processed by People’s Pension:

    • Communication data (e.g., name, telephone, e-mail, address, date of birth).

    • Employee and prospective employee data for recruitment and onboarding purposes.

    2. The following are methods adopted by People’s Pension in the collection and storage of personal data:

    • Online Forms

    • Unstructured Supplementary Service Data (USSD)

    • Paper Forms

     

    6. LEGAL GROUNDS FOR PROCESSING OF PERSONAL DATA

    In line with the provisions of the DPA, processing of Personal Data by People’s Pension shall be lawful if at least one of the following applies:

    1. the Data Subject has given Consent to the processing of his/her Personal Data for one or more specific purposes.

    2. the processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject before entering a contract.

    3. processing is necessary for compliance with a legal obligation to which People’s Pension is subject.

    4. processing is necessary to protect the vital interests of the Data Subject or another natural person, including People’s Pension; and

    5. processing is necessary for the performance of a task carried out in the public interest or exercise of an official public mandate vested in People’s Pension.

     

    7. CONSENT

    Where the processing of Personal Data is based on consent, People’s Pension shall obtain the requisite consent of Data Subjects at the time of collection of Personal Data. In this regard, People’s Pension will ensure:

    1. that the specific purpose of collection is made known to the Data Subject and the Consent is requested in a clear and plain language;

    2. that the Consent is freely given by the Data Subject and obtained without fraud, coercion, or undue influence;

    3. that the Consent is sufficiently distinct from other matters to which the Data Subject has agreed;

    4. that the Consent is explicitly provided affirmatively;

    5. that the Consent is obtained for each purpose of Personal Data collection and processing; and

    6. that it is communicated to, and understood by, the Data Subjects that they can update, manage, or withdraw their consent at any time.

     

    1. Valid Consent

      1. For Consent to be valid, it must be given voluntarily by an appropriately informed Data Subject. In line with regulatory requirements, Consent cannot be implied. Silence, pre-ticked boxes, or inactivity does not constitute Consent under the DPA.

      2. Consent in respect of Sensitive Personal Data must be explicit. A tick of the box would not suffice.

    2. Consent of Minors

      1. The Consent of minors (under the age of 18) will always be protected and obtained from the minor’s representatives per applicable regulatory requirements.

     

     

    8. DATA SUBJECT RIGHTS

      1. Any individual whose Personal Data is held by People’s Pension is entitled to the following rights:

     

    1. Right to request for and access their Personal Data collected and stored. Where data is held electronically in a structured form, such as in a database, the Data Subject has a right to receive that data in a common electronic format.

    2. Right to information on their data collected and stored.

    3. Right to objection or request for restriction.

    4. Right to object to automated decision making based on gender, race, location and other relevant factors reasonably determined by People’s Pension.

    5. Right to request rectification and modification of their data which People’s Pension keeps.

    6. Right to request for deletion of their data, except as restricted by law or People’s Pension’s statutory obligations.

    7. Right to request the movement of data from People’s Pension to a third party; this is the right to the portability of data; and

    8. Right to object to the processing of their Personal Data (in accordance with applicable law) and to request that People’s Pension restricts the processing of their Personal Data except as required by law or People’s Pension’s statutory obligations.

     

    1. People’s Pension’s well-defined procedure regarding how to handle and answer Data Subjects’ requests is contained in People’s Pension’s Data Subject Access Request Policy.

    2. Data Subjects can exercise any of their rights by completing the People’s Pension’s Subject Access Request (SAR) Form and submitting it to the Company via dataprotectionofficer@peoplespensiontrust.com.

     

     

    9. TRANSFER OF PERSONAL DATA

      1. Third-Party Processor within Ghana

        1. People’s Pension may engage the services of third parties to process the Personal Data of Data Subjects collected by the Company. The processing by such third parties shall be governed by a written contract with People’s Pension to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the Data Protection Act.

        2. Transfer of Personal Data out of Ghana would be in accordance with the provisions of the Data Protection Act.

     

     

    10. DATA BREACH MANAGEMENT PROCEDURE

    10.1. A data breach procedure is established and maintained to deal with incidents concerning Personal Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Company.

     

    10.2. All employees must inform their designated line manager or the DPO of People’s Pension immediately about cases of violations of this Policy or other regulations on the protection of Personal Data, per People’s Pension’s Personal Data Breach Management Procedure in respect of any:

     

    1. improper transmission of Personal Data across borders.

    2. loss or theft of data or equipment on which data is stored.

    3. accidental sharing of data with someone who does not have a right to know this information.

    4. inappropriate access controls allowing unauthorized use.

    5. equipment failure.

    6. human error resulting in data being shared with someone who does not have a right to know; and

    7. hacking or unauthorized cyber attack.

    10.3. A data protection breach notification must be made immediately after any data breach to ensure that:

    1. immediate remedial steps can be taken in respect of the breach.

    2. any reporting duties to regulatory authorities can be complied with.

    3. any affected Data Subject can be informed; and

    4. any stakeholder communication can be managed.

    10.4. When a potential breach has occurred, People’s Pension will investigate to determine if an actual breach has occurred, and the actions required to manage and investigate the breach are as follows:

     

    1. Validate the Personal Data breach.

    2. Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.

    3. Identify remediation requirements and track resolution.

    4. Report findings to the top management.

    5. Coordinate with appropriate authorities as needed.

    6. Coordinate internal and external communications; and

    7. Ensure that impacted Data Subjects are properly notified, if necessary.

    10.5. You can find more information in the People’s Pension’s Personal Data Breach Management Procedure.

     

     

     

     

     

    11. DATA SECURITY

    11.1. All Personal Data must be kept securely and should not be stored any longer than necessary. People’s Pension will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage, and destruction to data. This includes the use of password-encrypted databases for digital storage and locked cabinets for those collected using paper forms.

    11.2. To ensure the security of Personal Data, People’s Pension will, among other things, implement the following appropriate technical controls:

     

    1. Industry-accepted hardening standards, for workstations, servers, and databases.

    2. Full disk software encryption on all corporate workstation/laptop operating systems drives storing Personal and Personal/Sensitive Data.

    3. Encryption at rest including key management of key databases.

    4. Enable Security Audit Logging across all systems managing Personal Data.

    5. Restrict the use of removable media such as USB flash and disk drives to access Personal Data.

    6. Anonymization techniques on testing environments; and

    7. Physical access control where Personal Data is stored in hardcopy.

     

    13. DATA PROTECTION AUDIT

    People’s Pension shall conduct an annual data protection audit to verify People’s Pension’s compliance with the provisions of the Data Protection Act and other applicable data protection laws.


No.5 Sam Nujoma Close, North Ridge Adjacent the Visa Section of the German Embassy Accra-Ghana