Data Protection & Confidentiality Policy

1. Purpose

This policy establishes the framework for protecting personal, confidential, and business-sensitive data within the organization. It ensures compliance with applicable data protection laws, safeguards employee and client information, and promotes a culture of confidentiality across all levels.

Outcome:

Protects the company from data breaches, legal penalties, and reputational damage while building trust with employees, clients, and partners.


2. Scope

This policy applies to:

  • All employees, contractors, interns, and third parties with access to company data.
  • All types of data: employee records, client data, financial information, intellectual property, source code, and operational documentation.
  • All storage formats: physical (paper files), digital (servers, cloud, HRIS, email), and verbal communications.

3. Definitions

  • Personal Data – Any information relating to an identified or identifiable individual (e.g., name, ID, salary, health data).
  • Confidential Information – Non-public business information, including trade secrets, client data, contracts, code repositories, and financial details.
  • Data Breach – Any unauthorized access, disclosure, loss, or destruction of personal/confidential data.
  • Data Subject – The individual whose data is being collected and processed (employees, clients, candidates).
  • Processing – Any action performed on data (collection, storage, use, sharing, deletion).

4. Policy Statements

  1. Lawful Processing – Data must be collected and processed lawfully, fairly, and only for legitimate business purposes.
  2. Consent & Transparency – Employees and clients must be informed about the purpose of data collection, and consent obtained where required by law.
  3. Data Minimization – Only necessary data should be collected and retained.
  4. Access Controls – Access to confidential data will be restricted to authorized personnel only, based on business need and job role.
  5. Confidentiality Obligation – All employees must sign a confidentiality undertaking at the time of joining.
  6. Third-Party Sharing – Data may be shared with vendors/partners only under signed data protection agreements.
  7. Retention & Disposal – Data will be retained only as long as required by law or business need, then securely disposed of (as per the Records & Retention Policy).
  8. Incident Management – All data breaches must be reported immediately to HR/IT for containment, investigation, and escalation.

5. Roles & Responsibilities

  • Employees – Safeguard data they handle, follow access protocols, and report breaches immediately.
  • Managers – Ensure their teams comply with confidentiality requirements, monitor use of data, and enforce secure practices.
  • HR – Protect employee records, manage access to sensitive HR data, and train staff on data protection.
  • IT/Admin – Implement technical safeguards (encryption, firewalls, backups, role-based access).
  • Compliance/Legal Team – Ensure alignment with local and international data protection laws (e.g., GDPR, PDPB).

6. Data Classification & Handling

  Category                  | Examples                                      | Handling Requirement
  --------------------------|-----------------------------------------------|--------------------------------------------------
  Public Information        | Company website content, press releases       | Freely shareable with no restriction
  Internal Information      | Internal policies, meeting notes              | Share only within organization
  Confidential Information  | Employee records, contracts, financial data   | Restricted access; encryption for storage/sharing
  Highly Confidential Data  | Source code, client IP, medical records       | Strict access control, encryption, NDA required

7. Storage & Security

  • Digital data is stored on secure servers/cloud (with encryption and backup).
  • Physical records are stored in locked cabinets with limited access.
  • Access to systems is granted via unique user IDs, MFA, and regularly reviewed permissions.
  • Employees are prohibited from using personal devices/storage for company data unless authorized under the BYOD policy.

8. Breach Reporting & Disciplinary Action

  • Any suspected or actual data breach must be reported to HR/IT immediately.
  • Breach investigations will follow the company’s Incident Response SOP.
  • Employees found violating confidentiality may face disciplinary action up to termination, in addition to legal consequences where applicable.

9. Training & Awareness

  • Mandatory training on data protection and confidentiality during onboarding.
  • Refresher sessions are conducted annually.
  • Periodic communication campaigns (emails, posters, workshops) to reinforce secure data practices.

10. Review & Ownership

  • Policy Owner: HR in collaboration with IT & Compliance.
  • Review Cycle: Annual review, or earlier if laws/regulations change.
  • Approval Authority: Head of HR and Leadership Team.
  • The latest version is published in the HR Policy Repository; employees must acknowledge awareness of it.