1.1. This Data Protection Policy is the overarching policy for data security and protection for Bakery Initiatives Nigeria (hereafter referred to as "us", "we", or "our").
2.1. The purpose of the Data Protection Policy is to align with the Nigerian Data Protection Regulation (2019), the common law duty of confidentiality, and all other relevant national and sub-national legislations. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.
2.2. This policy covers:
2.2.1. Our data protection principles and commitment to common law and legislative compliance;
2.2.2. Procedures for data protection by design and by default.
3.1. This policy includes in its scope all data which we process either in hardcopy or digital copy. This includes special categories of data.
3.2. This policy applies to all staff, including temporary staff and consultants.
4.1. We are open and transparent with service users and those who lawfully act on their behalf in relation to their care and treatment. We will adhere to our duty of candour responsibilities as outlined in relevant legislations at both state and national levels.
4.2. We ensure transparency in how personal data is collected, used, stored, and shared, and provide individuals with clear information about their rights.
4.3. We establish and maintain policies to ensure compliance with the Nigerian Data Protection Regulation (2019), the common law duty of confidentiality, the General Data Protection Regulation, and all other relevant legislations.
4.4. We establish and maintain policies for the controlled and appropriate sharing of service user and staff information with other agencies, taking into account all relevant legislation and citizen consent.
4.5. Where consent is required for the processing of personal data, we will ensure that informed and explicit consent is obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time through processes explained to them and outlined in our Record Keeping Policy: Withdrawal of Consent procedures. We ensure that it is as easy to withdraw as it is to give consent.
4.6. We undertake or commission (delete as appropriate) annual audits of our compliance with legal requirements.
4.7. We acknowledge our accountability in ensuring that personal data shall be:
4.7.1. Processed lawfully, fairly, and in a transparent manner;
4.7.2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
4.7.3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
4.7.4. Accurate and kept up to date;
4.7.5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation');
4.7.6. Processed in a manner that ensures appropriate security of the personal data.
4.8. We uphold the personal data rights outlined in the legislations:
4.8.1. The right to be informed;
4.8.2. The right of access;
4.8.3. The right to rectification;
4.8.4. The right to erasure;
4.8.5. The right to restrict processing;
4.8.6. The right to data portability;
4.8.7. The right to object;
4.8.8. Rights in relation to automated decision-making and profiling. Due to our size, we have determined that we are not required to have a Data Protection Officer (DPO), as we do not process special categories of data on a large scale. Nonetheless, to ensure that every individual's data rights are respected and that there are the highest levels of data security and protection in our organisation, we have appointed a member of staff to be our Data Security and Protection Lead. The Data Security and Protection Lead will report to the highest management level of the organisation. We will support the Lead with the necessary resources to carry out their tasks and ensure that they can maintain expertise.
5.1.1. This policy is underpinned by the following:
5.1.2. Data Quality Policy – outlines procedures to ensure the accuracy of records and the correction of errors;
5.1.3. Record Keeping Policy – details transparency procedures, the management of records from creation to disposal (inclusive of retention and disposal procedures), information handling procedures, procedures for subject access requests, right to erasure, right to restrict processing, right to object, and withdrawal of consent to share;
5.1.4. Data Security Policy – outlines procedures for ensuring the security of data including the reporting of any data security breach;
5.1.5. Network Security Policy – outlines procedures for securing our network;
5.1.6. Business Continuity Plan – outlines the procedures in the event of a security failure or disaster affecting digital systems or mass loss of hardcopy information necessary to the day to day running of our organisation;
5.1.7. Staff Data Security Code of Conduct – provides staff with clear guidance on the disclosure of personal information.
6.1. We implement appropriate organisational and technical measures to uphold the data protection principles outlined above. Safeguards are integrated into all data processing activities to meet regulatory requirements and protect individuals’ data rights. These measures are based on the nature, scope, context, and purposes of processing, as well as the potential risks to the rights and freedoms of individuals.
6.2. We apply the principles of data protection by design and by default from the outset of any data processing, including during the planning and implementation of new processes or systems.
6.3. All new systems used for data processing are designed with data protection measures integrated from the beginning of development or system changes.
6.4. All existing data processing activities are documented in our Record of Processing Activities (RoPA). Each activity is risk-assessed and reviewed annually.
6.5. We ensure that, by default, personal data is processed only when necessary and only for specified, legitimate purposes, thereby reducing unnecessary privacy risks.
6.6. We minimise the use of identifiable personal data, processing only the data that is strictly necessary for the intended purpose.
6.7. Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected or to meet legal or regulatory retention requirements.
6.8. Where feasible, we use pseudonymised data to enhance the privacy and confidentiality of our staff and the individuals we serve.
7.1. You have the right to request permanent deletion of your account and associated personal data.
7.2. To initiate account deletion, please first remove all data using the in-app "Delete All Data" feature.
7.3. Once your data is deleted, send a request to our support team at support@bakeryprofitmax.com from the email address linked to your account.
7.4. We will confirm and complete your account deletion request within 72 hours of receiving your email.
8.1. Our designated Data Security and Protection Lead is Omotola Akisanya. The key responsibilities of the lead are:
8.1.1. To ensure the rights of individuals in terms of their personal data are upheld in all instances and that data collection, sharing and storage is in line with the Caldicott Principles;
8.1.2. To define our data protection policy and procedures and all related policies, procedures and processes and to ensure that sufficient resources are provided to support the policy requirements.
8.1.3. To complete the Data Security & Protection Toolkit (DSPT) annually and to maintain compliance with the DSPT.
8.1.4. To monitor information handling to ensure compliance with law, guidance and the organisation’s procedures and liaising with senior management to fulfil this work.