DATA PROTECTION AND PRIVACY POLICY
Computerlabs Ghana LBG, also operating under the tradename RecellGhana
Computerlabs (“the Company”) is a social enterprise set up to provide services in the digital economy. The Company prioritizes the security of Personal Data. The Company’s data protection and privacy policy is to ensure that the following are incorporated into its operation and are carried out in compliance with Ghana’s Data Protection Act 2012, (Act 843):
A. Secure Network Infrastructure: The Company’s information systems are built on secure networks with robust firewalls and encryption protocols. This ensures that Personal Data is protected from unauthorized access or interception.
B. Access Control: The Company strictly controls access to Personal Data, allowing only authorized staff to access the data. Access rights are granted based on the principle of least privilege, ensuring that individuals can only access, process and use the data necessary for their roles.
C. Employee Training: The Company provides comprehensive training to its staff on data protection practices and the importance of maintaining data security. This ensures that all employees understand their responsibilities and follow best practices when handling Personal Data.
D. Regular Audits and Assessments: The Company conducts regular audits and assessments of its data protection practices to identify any vulnerabilities or areas for improvement. This allows us to proactively address any potential risks and ensure ongoing compliance with data protection regulations.
E. The Company is committed to protecting the privacy and security of Personal Data. This policy is to ensure that Data Protection Principles are implemented under robust security measures to safeguard Personal Data. By prioritizing data protection, the Company aims to maintain the trust and confidence of its customers, employees, and other Data Subjects
1. DATA PROTECTION LAWS
Act 843 provides comprehensive guidelines for organizations regarding the collection, processing, usage and retention of Personal Data. These regulations are applicable irrespective of the medium of data storage, including electronic, paper, or other materials.
The Company acknowledges the importance of legal compliance in handling Personal Data. The Company is committed to a policy of minimal Personal Data collection, ensuring that such data is only gathered and retained when necessary for the efficient management of client engagement and service delivery. The Company is fully dedicated to upholding all privacy principles delineated in the Act 843.
Act 843 sets out the 8 privacy principles under Section 17 which have been duly adhered to and incorporated in the Company’s policy below:
a. Accountability: The Company takes full responsibility for the lawful and compliant processing of Personal Data. Appropriate measures are regularly implemented to demonstrate accountability and ensure adherence to applicable data protection laws and regulations.
b. Lawfulness Of Processing: The Company processes Personal Data in a lawful, fair, and transparent manner. Individuals shall be provided with clear information about the purposes, legal basis, and processing activities related to their Personal Data.
c. Specification Of Purpose: Personal Data is collected and processed for specified, explicit, and legitimate purposes.
d. Compatibility Of Further Processing with Purpose of Collection: The Company ensures that further processing of data is compatible with the original purpose for which the data was collected.
e. Quality Of Information: The Company ensures that Personal Data is accurate, kept up to date, and rectified without delay when inaccurate or incomplete.
f. Openness: The Company is committed to ensuring transparency and openness in the processing of Personal Data. Individuals shall be provided with clear and easily accessible information regarding the purposes, legal basis, and processing activities related to their Personal Data.
g. Data Security Safeguards: The Company implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure. Regular assessments and conducts reviews to ensure the ongoing security of Personal Data.
h. Data Subject Participation: Data Subjects have the right to participate in the processing of their Personal Data as provided by applicable laws and regulations. The Company accordingly respects and facilitates the exercise of these rights.
2. HOW WE COLLECT AND USE PERSONAL DATA
a. Monitoring: collecting data from equipment and software relevant for their
security, maintenance and our 95% uptime guarantee. This data is collected by monitoring software installed on the server of every Computerlab and sent via a secure internet connection to the central database (My1A) in the Netherlands. The collected data cannot be connected to users of the equipment and software.
b. Maintenance Monitoring: review forms filled 3-4 times per year that indicate the security, cleanliness and maintenance state of our Computerlabs. This is done to improve the maintenance culture at the school and have insights on the maintenance needs of our Computerlabs (maintain, repair, replace, recycle). The forms are stored in the secure filesystem, linked to the client’s Service Level Agreement.
c. Communication with the public, leads and prospects: we collect contact data from interactions with selected people. This can be through our website and social media or physical contact at events and meetings. We collect relevant contact information on prospects for developing a relationship to make them partners/clients. We store the contact details in a central database (CRM-system).
d. Information on clients: we collect client data via surveys, contracts signed with clients, maintenance monitoring and impact analysis. The survey is done to be able to offer advice and a quotation. The contract captures the rights and obligations that rule the relationship and service delivery. The monitoring is done to manage the uptime guarantee of 95% and the impact analysis is to inform the schools of the progress made with digital literacy.
e. Information on teachers: we keep a register of all the teachers that participate and are certified in our training.
f. Internet use: The Company registers all websites that are visited by each
Computerlab. We monitor the use of internet data from the data-plan, so that we can manage the ceiling of 25 Gb per month. If needed, we can block a single Computerlab temporary access to popular video site to save bandwidth. We have an aggregated view only of the internet view, which is not traceable to an individual.
3. DATA PROTECTION POLICY ON CHILDREN IN SCHOOLS WE WORK WITH
a. The Company’s Data Protection and Privacy Policy on children is in accordance with the Requirements and the underpinning good practice principles of data protection under Act 843 and the Cyber Security Act, 2020 (Act 1038).
b. Collection of Personal data of children is the preserve of the school authorities, as such, we do not directly collect the data of children. As far as reasonably practicable we insist that the schools we work with have a policy for safeguarding the data of children who use our devices. We advise and educate them on how data of children is kept confidential and not shared with 3rd parties. We insist that child information may only be shared with outside agencies on a need-to-know basis and with consent from parent and except in cases relating to safeguarding children, criminal activity or if required by legally authorised bodies such as the police.
c. To protect the child users, we work with a parental control system (FASEC, MESD and UT blacklists of SquidGuard) that blocks unsafe and child-unfriendly web domains. The internet use cannot be related to individual users, we have the aggregated view on the internet use of our Computerlab.
Security safeguards are of utmost importance to us, and therefore, we believe we have appropriate technical and organizational security measures and controls in place to protect personal data
3.1 How We Protect Data
The Company stores data at the secure data center of 1A First Alternative in Delft, the Netherlands, holding company of 1A Computerlabs which is one of the two partners in Computerlabs Ghana LBG. 1A First Alternative is GDPR (EU) compliant and ISO27001 certified company which has a ISAE3401 Type 2 registration. Data stored with 1A First Alternative is therefore highly safe and secure. Data is stored in two systems:
a. My1A: management database (configuration and performance data of our
Computerlabs) of 1A First Alternative,
b. Nextcloud: central filesystem (documents) hosted in the private data center of 1A First Alternative in Delft, the Netherlands.
4. PRIVACY
Any data we collect on prospects and clients is stored securely and is only accessible by our authorized staff.
We do not share data with third parties outside the group of 1A First Alternative – 1A Computerlabs – Computerlabs Ghana.
Our data and privacy policy is compliant with GDPR (EU), Ghana Act 843 and the Cyber Security Act, 2020 (Act 1038).
5. RIGHTS AS A DATA SUBJECT
Per Act 843, a person whose data or information is in the hands of another person is entitled to these rights
5.1 Right to be informed
Users of the Computerlabs whose data is processed have the right to be informed about the processing of their Personal Data that we have. This privacy notice is a way of ensuring
5.2 Right to Access Personal Data
Data Subjects have the right to access the Personal Data that the Company holds about them. This is sometimes termed a ‘Data Subject Access Request’. We will ask for proof of identity and sufficient information about Data Subjects interactions with us so that we can locate the Data Subject’s Personal Data when such requests are made. If a Data Subject wants to exercise this right, they can contact us
5.3 Right to rectification, blocking, erasure, and destruction
Where information we hold about a Data Subject is inaccurate, incomplete, or out of date, the Data Subject may ask us to correct or update it at any given time. Data Subjects have the right to block us from further processing of their Personal Data where we do not have any legitimate or legal basis for processing such Personal Data. In certain circumstances, Data Subjects may instruct us to delete their Personal Data. The right of erasure or destruction is not absolute and only applies in certain cases and in line with applicable law. If the Data Subject would like to exercise this right, they may contact us
5.4 Right to prevent processing
Under this right, a Data Subject can give us notice in writing to cease or not to start processing their Personal Data for a specific purpose or manner which will cause or is likely to cause any unwarranted damage or distress. Data Subjects can also prevent us from processing their information for direct marketing purposes and selling to 3rd parties
5.5 Right to give and withdraw consent
Where we rely on the consent of a Data Subject to process Personal Data, the Data Subject has the right to withdraw it at any time by contacting us or using any details provided in our communication with them.
5.6 Right to complain
As with all the other rights above, Data Subjects may write to complain to us if they believe any of our obligations as a Data Controller is in breach of Act 843
5.7 Other Rights under different jurisdictions Across Africa and beyond
We will ensure the various rights of Data Subjects where we operate are respected and take our obligations seriously. Where we process Personal Data of other jurisdictions, we undertake a privacy assessment to identify any potential risk of noncompliance.
6. GENERAL STAFF GUIDELINES
a. The only people able to access data covered by this policy are those who require it for their work.
b. Data cannot be shared informally. When access to confidential information is required, employees can request it from their line managers.
c. The Company will provide training to all employees to help them understand their responsibilities when handling data.
d. Employees should keep all data secure, by taking sensible precautions and
following the guidelines below.
e. In particular, strong passwords must be used and they should never be shared.
f. Personal Data should not be disclosed to unauthorised people, either within the Company or externally.
g. Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
h. Employees should request help from their line manager if they are unsure about any aspect of data protection.
7. CHANGES IN DATA PROTECTION POLICY
The Company recognizes that data protection and privacy is an ongoing responsibility, therefore, The Company reserves the right to make changes to this Data Protection and Privacy Policy from time to time as it undertakes new Personal Data practices or adopt new privacy policies, etc. If such changes are substantial, the Company will notify our clients/users via email or any of the consented mode of communication with the Company
8. RETENTION OF DATA
The Company will keep different types of information for differing lengths of time, depending on legal, regulatory and operational requirements and in accordance with Act 843
9. SUSPECTED BREACH OF DATA PRIVACY RIGHTS OF DATA SUBJECTS
Where the Company has reasonable grounds to believe that there has been an unauthorized access to the information of a data subject, the data controller shall as soon as practicable inform the data subject of the compromise and take steps to mitigate the risk by implementing security measures
10. CONFIDENTIALITY
The Company shall not disclose any information that comes into its possession in the collection, processing and usage of data of Data Subjects unless such disclosure is made with the consent of the Data Subject or where such disclosure is required by law.
11. DEFINITION OF TERMS
I. Data Subject means an individual who is subject of Personal Data.
II. Data Controller means a person who either alone or jointly with other persons or in common with other persons or as a statutory duty determines the purposes and the manner in which Personal Data is processed or is to be processed.
III. GDPR (EU) means – General Data Protection Regulation of the European Union.
IV. PERSONAL DATA means data about an individual who can be identified, (a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the Data Controller