Introduction
Infinity Global Health Technologies Limited is a health technology
company duly incorporated under the Laws of the Federal Republic
of Nigeria that provides top-notch solutions to improve the
overall quality of healthcare through innovation and technology to
local and international clients.
References in this Policy to “we”, “us”, “IGHT” or “the Company”
are references to Infinity Global Health Technologies Limited.
Reference in this Policy to “personal data” means any information
that identifies, or could reasonably be used to identify, a living
individual, either on its own or together with other information.
By connecting to the Website, you acknowledge that you have read,
understood and accepted this Personal Data Protection Policy
(hereinafter referred to as the “Policy”) without limitation or
reservation along with our General Terms and Conditions of Use.
Please note that other general terms and conditions and personal
data protection policies apply to this website. It is recommended
that you read them carefully.
This Policy is intended to inform you of the rights and freedoms
that you can exercise with regard to our use of your personal
data. It also describes the measures implemented to protect them.
Infinity Global Health Technologies Limited (referred to herein as
the “Data Controller”) is responsible for processing personal data
concerning the management of the Website. The processing is
implemented in accordance with applicable laws.
How we protect your personal information
We are committed to protecting your personal information and
implementing appropriate technical and organizational security
measures to protect it against any unauthorized or unlawful
processing and any accidental loss, destruction or damage.
Purpose of processing and types of data collected
When visiting the Website, you may provide us with personal data
such as your surname and first name in order to benefit from the
services offered.
We can in particular collect some of your personal data for
external communication purposes, such as answering your requests
for information and better understanding your expectations. In our
online forms, compulsory fields are marked with an asterisk. If
you do not answer the compulsory questions, the requested
service(s) shall not be provided.
Your personal data are not subsequently processed in any manner
that is incompatible with the purpose described above or in the
collection forms. They are only stored for the requisite amount of
time needed to fulfil these purposes.
Data recipients
Your personal data will be disclosed solely to our specific
departments tasked with processing or subsidiaries directly or
indirectly owned or to specific partners, independent distributors
or sub-contractors for analysis and survey purposes.
Furthermore, if you submit a comment intended to be posted online,
we may publish some of your personal data on the Website. Given
the characteristics of the Internet, i.e., free capture of
broadcast information and the difficulty, or even the
impossibility, of monitoring usage by third parties, be informed
that you can stop such distribution by contacting us, as indicated
in article 5 below. The Data Controller transfers personal data in
accordance with applicable laws.
Security and confidentiality of your data
The Data Controller implements the appropriate measures to ensure
the security and confidentiality of your personal data and in
particular to prevent them from being altered, damaged or accessed
by unauthorized third parties.
Management of cookies
When you visit the Website, a “cookie” may be installed on your
computer. A cookie is a file that records information concerning
your browsing of the Website from that computer (e.g., visited
pages, date and time of browsing, viewed links) and will
facilitate your visits by making it easier and faster for you to
identify yourself to access your target pages. You can delete
cookies installed on your computer at any time and prevent new
cookies from being saved and receive a notification before the
installation of a new cookie by configuring your browser software.
Please refer to the help section of your browser software for more
information on how to activate and deactivate these functions and
refer to the browser’s “cookie policy”. Please note that you may
not benefit from some of the services if you uninstall a cookie or
prevent cookies from being installed on your machine.
Your rights
You have a right to access, query, modify, rectify or delete your
personal data. You can obtain disclosure of your personal data.
You can also object to the processing and circulation of your
personal data. The Company reserves the right to reject any
request it deems inappropriate. In accordance with the applicable
law in force, you have a right of formal consent to sales
canvassing via e-mail, fax or automatic caller.
If you wish to exercise these rights or obtain other information,
please send your request by e-mail to
afolabi.adedipe@infinityhealth.africa or
by post to the following address:
The Data Protection Officer
Apartment B2, Ocean Crest Haven,
4, Akiogun Road, Oniru Victoria Island,
Lagos, Nigeria
Attention: Afolabi Adedipe
INFORMATION SECURITY POLICY
PURPOSE
The purpose of our Information Security is to restrict access to
confidential and sensitive data and to protect it from being lost
or compromised regardless of whether these are held in manual or
electronic form. This will help to safeguard the reputation of
IGHT, to optimize the management of risk and to minimize the
impact of Information Security incidents. Implementation of this
Policy will assure stakeholders, partners and data subjects that
their information is held securely and used appropriately by IGHT,
whilst complying with the Nigerian Data Protection Regulation
(NDPR) and satisfying auditors.
It is not anticipated that this policy can eliminate all malicious
data theft. Rather, its primary objective is to increase user
awareness and avoid accidental loss scenarios, so it outlines the
requirements for data breach prevention.
POLICY DEFINITION
According to the NDPR, anyone involved in data processing or the
control of data shall develop security measures to protect data.
These measures will include ensuring that information is only
available to those who are authorized to gain access, safeguarding
the accuracy and completeness of information and processing
methods, and assurance that authorized users have access to
information and associated assets when this is required.
Information takes many forms. It may be processed and stored on
computers or in other electronic forms, printed or written on
paper, shared through voice or video communications, transmitted
through post or electronic means such as e-mail or fax, or made
available on corporate videos or websites. Whatever form the
information may take, or means by which it is shared, stored or
processed, it should always be appropriately classified and
protected according to that classification.
Information systems and the information they process and store are
vital assets to IGHT. Any loss of computer systems or the
information they contain could have serious repercussions for IGHT
and/or its clients. A breach of security during the processing,
storage or transfer of data could result in financial loss,
personal injury to a member of staff or client, serious
inconvenience, embarrassment, or even legal proceedings against
IGHT, and possibly the individuals involved. To ensure the
confidentiality, integrity and availability of these systems, an
appropriate level of security must be achieved and maintained. The
level of security implemented on each of the various systems will
be consistent with the designated security classification of the
information and the environment in which it operates.
Information on computer systems will be protected with anti-virus
software, which will be updated regularly. Scans will be carried
out regularly on all servers, workstations and laptops, and virus
definitions will be updated each weekday. Updates and scans will
be automatic for every machine and must not be turned off or
bypassed.
IGHT shall take appropriate steps to prevent, detect, and recover
from any loss or incident, whether accidental or malicious,
including error, fraud, misuse, damage and disruption to, or loss
of computing or communications facilities.
A security risk assessment is carried out on each information
asset to identify the level of protection required. The security
and control procedures required will take into account the
sensitivity and value of the information.
POLICY DIRECTION
Information Security promotes trust both internally and externally
in shared data and infrastructure. IGHT’s strategic direction for
Information Security is to provide a strong forward-looking
information management system that is aligned with its corporate
vision and strategic priorities. This vision for Information
Security reflects its growing role in maintaining trust and
confidence both within the Firm and outside.
SCOPE OF DATA PROTECTION
IGHT’s Information Security Policy is applicable to:
- The Company’s information, information owned by its clients and
  partners, and information about its clients.
- The Company’s Directors, employees and subcontractors.
- The Company’s systems, software, and information created, held,
  processed or used on those systems or related media, electronic,
  magnetic, or written/printed output from the Company’s systems.
- All means of communicating information, both within the Company
  and externally. For example, data and voice transmissions or
  recordings, posts, e-mail, SMS/text, cameras, whiteboards,
  memory sticks, disks, fax, telex, image/sound processing,
  videoconferencing, photocopying, flip charts, general
  conversation etc.
Information that is classified as Public is not subject to this
policy. Other data can be excluded from the policy by the
Company’s management based on specific business needs.
The Information Technology Manager (ITM) and the Data Protection
Officer (DPO) are responsible for defining Information Security
policies and standards. Department heads and service providers are
responsible for implementing policies and standards in their area
of jurisdiction. Furthermore, these policies and standards must be
included in service-level agreements and contracts with IT service
providers.
Non-compliance with this policy will be dealt with under the
relevant Company procedures and may result in disciplinary action,
termination of contract, or criminal prosecution in the most
serious of cases.
This policy is a living document and thus frequently updated to
reflect technological, legal and organizational changes. It should
therefore be revisited regularly by all employees and
subcontractors.
RESPONSIBILITIES
- Data Protection Officer (DPO): The Data Protection Officer is
  ultimately responsible for ensuring the implementation of this
  Security Policy. All employees and subcontractors must ensure
  that they conduct their business in accordance with this Policy.
  The duties of the DPO shall include:
  - Specifying minimum training requirements and arranging its
    availability;
  - Monitoring pre-employment reference checking and advising
    management to ensure compliance with the requirements of the
    role;
  - Ensuring that system administrators receive prompt
    notification of employee role changes and departures;
  - Ensuring that procedures are in place reflecting the controls
    and access levels;
  - Periodically reviewing access to ensure that procedures are
    followed, especially in the event of process changes that
    affect the asset;
  - Specifying the retention period for each asset and the
    manner in which it should be deleted or destroyed at the end
    of that period.
- Information Security: The ITM will act as the focus for all
  Information security issues, suggesting policies to mitigate
  risk, and assisting with their interpretation into team
  procedures and standards, whilst implementing those aspects
  affecting the operational security of the Firm’s Information and
  IT infrastructure.
- Management: Supervising Senior Associates and Team Leads are
  responsible for:
  - Ensuring their team members are fully conversant with this
    Policy and all associated Policies, Standards, Procedures,
    Guidelines and relevant legislation, and are aware of the
    consequences of non-compliance;
  - Developing compliant procedures, processes and practices for
    use in their practice groups;
  - Ensuring that when requesting or authorising access for
    their team members, they comply with the standards and
    procedures defined by the Information Owners, with
    particular regard to segregation of duties, minimum access
    and any minimum training requirements;
  - Notifying the IT Manager via the Firm’s Help Desk of any
    suspected or actual breaches or perceived weaknesses of
    information security;
  - Taking disciplinary action supported in the event of
    misconduct, and non-compliance with Security Policies.
All Users
Users of systems and information must:
- Access only systems and information, including reports and paper
  documents, to which they are authorized.
- Use systems and information only for the purposes for which they
  have been authorized, and only from the Firm’s ICT-controlled or
  authorized secure equipment and approved software.
- Comply with all appropriate legislation, and with the controls
  defined by the Information Owner, and all Firm Policies,
  Standards, Procedures and Guidelines.
- Not disclose confidential information to anyone without the
  permission of the Information Owner.
- Keep their passwords and other access credentials secret, and
  not allow anyone else to use their account, or equipment or
  media in their care, to gain access to any system or
  information.
- Notify their immediate superior, or the DPO, of any actual or
  suspected breach of Information Security, or of any perceived
  weakness in the Firm’s Security Policies, Procedures and
  Practices, Process or infrastructure.
- Establish the identity and authority of anyone requesting
  information access or information system access, e.g. for
  servicing or repairs.
- Familiarize themselves with this Policy, and all applicable
  supporting Policies, Procedures, Standards and Guidelines.
  Compliance with this Policy is mandatory, and any employee
  failing to comply will be subject to disciplinary procedures,
  revoking of access and/or prosecution in serious cases.
- If responsible for the management of third parties, you must
  ensure that those third parties are contractually obliged to
  comply with this Policy and are aware that their failure to
  comply may lead to contract termination and/or prosecution in
  serious cases.
- Be aware that the Company monitors the content and usage of its
  systems and communications to check for Policy compliance.
- Never leave computers logged into the network unattended unless
  password-protected screen locking is available and has been
  engaged (Ctrl+Alt+Delete).
- Keep your desk clear of all confidential paper files and
  documents when you are not working on them. Maintain a clear
  desk policy when leaving your desk unattended for any period of
  time and out of office hours. Keep all confidential paper files
  and documents in a secured cabinet.
- Not take confidential documents or materials home. If this is
  unavoidable, do consider the use of lockable bags or cases when
  it is necessary to carry paper files or documents in person.
- Stand at public printers or have documents containing
  confidential information retrieved immediately so that
  unauthorized individuals have no opportunity to see the
  information.
- Not keep confidential electronic files and documents stored on
  your individual computer’s local drive or mail them to a
  personal email address. Exceptions can be made where the
  official email server is down or where the exigencies of
  delivering on a client task demand remote work from an
  individual computer. When the purpose is achieved and there is
  no reason to continue storing such client personal data on your
  personal computer, you shall delete same from your individual
  computer after transferring same to the official
  computer/database.
- Not use standard USB data sticks or digital drives as portable
  temporary storage for electronic files and documents. USB sticks
  can be used for data transfer, after which the data transferred
  must be deleted from the USB stick.
- Make available to the ITM newly purchased/acquired laptops,
  mobile phones, and any other hand-held devices capable of
  storing data, to allow encryption software to be installed or
  recommended for installation prior to being used by you. This
  ensures that the device is protected should it be lost or
  stolen. Any existing Firm-owned laptops or portable devices
  should be returned to the ITM, who will make appropriate
  arrangements to have the encryption software installed at a
  predetermined rate.
- Lock all laptops away in a secure cabinet when not in use in the
  office or at home and never leave them on the back seat of a
  car.
Information Security Policy – Exceptions
It is not intended that any exceptions will be permitted even on a
temporary basis but rather the Policy should be reviewed at the
next opportunity. All changes to this policy will be approved by
the Company’s Management.
Associated Documentation
Further information security documents supporting this Policy will
be developed over time.