Introduction

Infinity Global Health Technologies Limited is a health technology company duly incorporated under the Laws of the Federal Republic of Nigeria that provides top- notch solutions to improve the overall quality of healthcare through innovation and technology to local and international clients.

References in this Policy to “we”, “us”, “IGHT” or “the Company” are references to Infinity Global Health Technologies Limited.

Reference in this Policy to “personal data” means any information that identifies, or could reasonably be used to identify, a living individual, either on its own or together with other information.

By connecting to the Website, you acknowledge that you have read, understood and accepted this Personal Data Protection Policy (hereinafter referred to as the “Policy”) without limitation or reservation along with our General Terms and Conditions of Use.

Please note that other general terms and conditions and personal data protection policies apply to this website. It is recommended that you read them carefully.

This Policy is intended to inform you of the rights and freedoms that you can exercise with regard to our use of your personal data. It also describes the measures implemented to protect them.

Infinity Global Health Technologies Limited (referred to herein as the “Data Controller”) is responsible for processing personal data concerning the management of the Website. The processing is implemented in accordance with applicable laws.

How we protect your personal information

We are committed to protecting your personal information and implementing appropriate technical and organizational security measures to protect it against any unauthorized or unlawful processing and any accidental loss, destruction or damage.

Purpose of processing and types of data collected

When visiting the Website, you may provide us with personal data such as your surname and first name in order to benefit from the services offered.

We can in particular collect some of your personal data for external communication purposes, such as answering your requests for information and better understanding your expectations. In our online forms, compulsory fields are marked with an asterisk. If you do not answer the compulsory questions, the requested service(s) shall not be provided.

Your personal data are not subsequently processed in any manner that is incompatible with the purpose described above or in the collection forms. They are only stored for the requisite amount of time needed to fulfil these purposes.

Data recipients

Your personal data will be disclosed solely to our specific departments tasked with processing or subsidiaries directly or indirectly owned or to specific partners, independent distributors or sub-contractors for analysis and survey purposes.

Furthermore, if you submit a comment intended to be posted online, we may publish some of your personal data on the Website. Given the characteristics of the Internet, i.e., free capture of broadcast information and the difficulty, or even the impossibility, of monitoring usage by third parties, be informed that you can stop such distribution by contacting us, as indicated in article 5 below. The Data Controller transfers personal data in accordance with applicable laws.

Security and confidentiality of your data

The Data Controller implements the appropriate measures to ensure the security and confidentiality of your personal data and in particular to prevent them from being altered, damaged or accessed by unauthorized third parties.

Management of cookies

When you visit the Website, a “cookie” may be installed on your computer. A cookie is a file that records information concerning your browsing of the Website from that computer (e.g., visited pages, date and time of browsing, viewed links) and will facilitate your visits by making it easier and faster for you to identify yourself to access your target pages. You can delete cookies installed on your computer at any time and prevent new cookies from being saved and receive a notification before the installation of a new cookie by configuring your browser software. Please refer to the help section of your browser software for more information on how to activate and deactivate these functions and refer to the browser’s “cookie policy”. (Link to the banner and the cookie policy). Please note that you may not benefit from some of the services if you uninstall a cookie or prevent cookies from being installed on your machine.

Your rights

You have a right to access, query, modify, rectify or delete your personal data. You can obtain disclosure of your personal data. You can also object to the processing and circulation of your personal data. The Company reserves the right to reject any request it deems inappropriate. In accordance with the applicable law in force, you have a right of formal consent to sales canvassing via e-mail, fax or automatic caller.

If you wish to exercise these rights or obtain other information, please send your request by e-mail to afolabi.adedipe@infinityhealth.africa or by post to the following address:

The Data Protection Officer Apartment B2, Ocean Crest Haven, 4, Akiogun Road, Oniru Victoria Island, Lagos, Nigeria Attention: Afolabi Adedipe

INFORMATION SECURITY POLICY

PURPOSE

The purpose of our Information Security is to restrict access to confidential and sensitive data and to protect it from being lost or compromised regardless of whether these are held in manual or electronic form. This will help to safeguard the reputation of IGHT, to optimize the management of risk and to minimize the impact of Information Security incidents. Implementation of this Policy will assure stakeholders, partners and data subjects, that their information is held securely and used appropriately by IGHT, whilst complying with the Nigerian Data Protection Regulation (NDPR) and satisfying auditors.

It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

POLICY DEFINITION

According to the NDPR, anyone involved in data processing or the control of data shall develop security measures to protect data. These measures will include ensuring that information is only available to those who are authorized to gain access, safeguarding the accuracy and completeness of information and processing methods, and assurance that authorized users have access to information and associated assets when this is required.

Information takes many forms. It may be processed and stored on computers or in other electronic forms, printed or written on paper, shared through voice or video communications, transmitted through post or electronic means such as e-mail or fax, or made available on corporate videos or websites. Whatever form the information may take, or means by which it is shared, stored or processed, it should always be appropriately classified and protected according to that classification.

Information systems, the information processed and stored are vital assets to IGHT. Any loss of computer systems or the information they contain could have serious repercussions for IGHT and/or its clients. A breach of security during the processing, storage or transfer of data could result in financial loss, personal injury to a member of staff, or client, serious inconvenience, embarrassment, or even legal proceedings against IGHT, and possibly the individuals involved. To ensure the confidentiality, integrity and availability of these systems an appropriate level of security must be achieved and maintained. The level of security implemented on each of the various systems will be consistent with the designated security classification of the information and the environment in which it operates.

Information on computer systems will be protected with anti-virus software, which will be updated regularly. Scans will be carried out regularly on all servers, workstations and laptops, and virus definitions will be updated each weekday. Updates and scans will be automatic for every machine and must not be turned off or bypassed.

IGHT shall take appropriate steps to prevent, detect, and recover from any loss or incident, whether accidental or malicious, including error, fraud, misuse, damage and disruption to, or loss of computing or communications facilities.

A security risk assessment is carried out on each information asset to identify the level of protection required. The security and control procedures required will take into account the sensitivity and value of the information.

POLICY DIRECTION

Information Security promotes trust both internally and externally in shared data and infrastructure. IGHT’s strategic direction for Information Security is to provide a strong forward-looking information management system that is aligned with its corporate vision and strategic priorities. This vision for Information Security reflects its growing role in maintaining trust and confidence both within the Firm and outside.

SCOPE OF DATA PROTECTION

IGHT’s Information Security Policy is applicable to:

1. The Company’s information, information owned by its clients and partners, and information about its clients.
2. The Company’s Directors, employees and subcontractors.
3. The Company’s systems, software, and information created, held, processed or used on those systems or related media, electronic, magnetic, or written/ printed output from the Company’s systems.
4. All means of communicating information, both within the Company and externally. For example, data and voice transmissions or recordings, posts, e-mail, SMS/text, cameras, whiteboards, memory sticks, disks, fax, telex, image/ sound processing, videoconferencing, photocopying, flip charts, general conversation etc.

Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by the Company’s management based on specific business needs.

The Information Technology Manager (ITM) and the Data Protection Officer (DPO) are responsible for defining Information Security policies and standards. Department heads and service providers are responsible for implementing policies and standards in their area of jurisdiction. Furthermore, these policies and standards must be included in service-level agreements and contracts with IT service providers.

Non-compliance with this policy will be dealt with under the relevant Company procedures and may result in disciplinary action, termination of contract, or criminal prosecution in the most serious of cases.

This policy is a living document and thus frequently updated to reflect technological, legal and organizational changes. It should therefore be revisited regularly by all employees and subcontractors.

RESPONSIBILITIES

1. Data Protection Officer (DPO)-The Data Protection Officer is ultimately responsible for ensuring the implementation of this Security Policy. All employees and subcontractors must ensure that they conduct their business in accordance with this Policy.
   The duties of the DPO shall include:
   1. Specifying minimum training requirements and arranging its availability;
   2. Monitoring pre-employment reference checking and advising management to ensure compliance with the requirements of the role;
   3. Ensuring that system administrators receive prompt notification of employee role changes and departures;
   4. Ensure that procedures are in place reflecting the controls and access levels;
   5. Periodically review access to ensure that procedures are followed, especially in the event of process changes that affect the asset;
   6. Specifying the retention period for each asset and the manner in which it should be deleted or destroyed at the end of that period.
2. Information Security- The ITM will act as the focus for all Information security issues, suggesting policies to mitigate risk, and assisting with their interpretation into team procedures and standards, whilst implementing those aspects affecting the operational security of the Firm’s Information and IT infrastructure.
3. Management Supervising Senior Associates and Team Leads are responsible for:
   1. ensuring their team members are fully conversant with this Policy and all associated Policies, Standards, Procedures, Guidelines and relevant legislation, and are aware of the consequences of non–compliance;
   2. Developing compliant procedures, processes and practices for use in their practice groups;
   3. Ensuring that when requesting or authorising access for their team members, they comply with the standards and procedures defined by the Information Owners, with particular regard to segregation of duties, minimum access and any minimum training requirements;
   4. Notifying the IT Manager via the Firm’s Help Desk of any suspected or actual breaches or perceived weaknesses of information security;
   5. Taking disciplinary action supported in the event of misconduct, and non-compliance with Security Policies.

All Users

Users of systems and information must:

1. Access only systems and information, including reports and paper documents, to which they are authorized.
2. Use systems and information only for the purposes for which they have been authorized, and only from the Firm’s ICT-controlled or authorized secure equipment and approved software.
3. Comply with all appropriate legislation, and with the controls defined by the Information Owner, and all Firm Policies, Standards, Procedures and Guidelines.
4. Not disclose confidential information to anyone without the permission of the Information Owner.
5. Keep their passwords and other access credentials secret, and not allow anyone else to use their account, or equipment or media in their care, to gain access to any system or information.
6. Notify their immediate superior, or the DPO of any actual or suspected breach of Information Security, or of any perceived weakness in the Firm’s Security Policies, Procedures and Practices, Process or infrastructure.
7. Establish the identity and authority of anyone requesting information access or information system access e.g. for servicing or repairs.
8. Familiarize themselves with this Policy, and all applicable supporting Policies, Procedures, Standards and Guidelines. Compliance with this Policy is mandatory, and any employee failing to comply will be subject to disciplinary procedures, revoking of access and/or prosecution in serious cases.
9. If responsible for the management of third parties, you must ensure that those third parties are contractually obliged to comply with this Policy and are aware that their failure to comply may lead to contract termination and/or prosecution in serious cases.
10. Be aware that the Company monitors the content and usage of its systems and communications to check for Policy compliance.
11. Never leave computers logged into the network unattended unless password-protected screen locking is available and has been engaged <ctrl alt delete>.
12. Keep your desk clear of all confidential paper files and documents when you are not working on them. Maintain a clear desk policy when leaving your desk unattended for any period of time and out of office hours. Keep all confidential paper files and documents in a secured cabinet.
13. Not take confidential documents or materials home, if this is unavoidable, do consider the use of lockable bags or cases when it is necessary to carry paper files or documents in person.
14. Stand at public printers or have documents containing confidential information retrieved immediately so that unauthorized individuals have no opportunity to see the information.
15. Not to keep stored, confidential electronic files and documents on your individual computer’s local drive or mail to a personal email address. Exceptions can be made where the official email server is down or where the exigencies of delivering on client task demands remote work from an individual computer when the purpose is achieved and there is no reason to continue storing such client personal data on your personal computer, you shall delete same from your individual computer after transferring same to the official computer/database.
16. Not use standard USB data sticks or digital drives as portable temporary storage for electronic files and documents. USB sticks can be used for data transfer after which the data transferred must be deleted from the USB stick.
17. Make available to the ITM, newly purchased/acquired laptops, mobile phones, and any other hand-held devices capable of storing data, to allow encryption software to be installed or recommended for installation prior to being used by you. This ensures that the device is protected should it be lost or stolen. Any existing Firm owned laptops or portable devices should be returned to the ITM who will make appropriate arrangements to have the encryption software installed at a predetermined rate.
18. Lock all laptops away in a secure cabinet when not in use in the office or at home and never leave them on the back seat of a car.

Information Security Policy – Exceptions

It is not intended that any exceptions will be permitted even on a temporary basis but rather the Policy should be reviewed at the next opportunity. All changes to this policy will be approved by the Company’s Management

Associated Documentation

Further information security documents supporting this Policy will be developed over time.