Inclusive Money Technology Limited
Trading as ‘Digmo’
Republic of Zambia Registration Number: 120230060434
Registered Office: Suite FF 08, Lusaka, Zambia
The Policy is developed to describe the fundamental principles that all Employees, Directors, Contractors, and Customers of Inclusive Money Technology Limited must fully comply with regarding the protection and privacy of personal/sensitive data in line with relevant regulations.
This document is the property of Inclusive Money Solutions Limited (“the Company”) of Lusaka, Zambia and is for the sole use of individuals working for the Company or on its behalf. The Company is committed to protecting the privacy and personal information of its customers, employees, contractors and third parties. We fully subscribe to the letter and spirit of the Data Protection Regulation in Zambia, applicable international conventions, and other policy statements in this direction. We are committed to reviewing our Data Protection & Privacy strategies and objectives on an on-going basis and to maintaining an effective compliance framework.
This policy manual is binding and should be used in conjunction with every other existing policy of the company. Every member of staff is enjoined to study the manual thoroughly for effective understanding of its contents and actualization of the company’s objective to comply with the guidance in the manual. We must all work together to safeguard the Personal Data of our customers and colleagues from unsolicited exposure and leaks.
Inclusive Money Technology Limited is committed to treating the personal information of employees, customers, and other stakeholders with paramount care and confidentiality. In line with our commitment and compliance with the Data Protection Regulation (DPR) Act No. 3 of 2021, we have developed our Data Protection & Privacy Policy (DPPP). The Policy emphasises our resolve to ensure that we gather, store and handle data fairly, transparently and with respect for Data Subjects’ rights.
Consent: Means any freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Subject: Means an identifiable person, one who can be identified directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Data Breach: A data breach is a security incident in which information is accessed without authorisation.
DPIA: Data Protection Impact Assessment
DPPP: Data Protection & Privacy Policy
DPR: Data Protection Regulation Act
Personal Data: Means information that can be associated with an identified or directly or indirectly identifiable natural person.
In compliance with the DPPP, the Company has identified key stakeholders and their responsibilities to drive the operationalisation of the Policy and implementation of necessary data protection controls.
When personal data is collected and processed from our data subjects, such data is used only to the extent that data protection regulation in Zambia allows. Personal Data is handled with the greatest care and is used only for legitimate and specified business purposes.
The Company will be guided by the following principles when handling Personal Data:
Lawfulness, Fairness and Transparency
The company processes personal data of Data Subjects based on consent, contract, legal obligation, vital interests, public task, or legitimate interest. Where data is processed based on the Data Subject’s consent, evidence of opt-in consent is kept with the Personal Data.
Purpose Limitation
We collect Personal Data of Data Subjects for specified explicit and legitimate purposes.
Data Minimization
We process only data that is adequate and relevant for the specified purposes, and limited to what those purposes require.
Accuracy
We maintain accurate data that is continually kept up to date. Similarly, inaccurate Personal Data is either erased or promptly rectified.
Storage Limitation
We keep Personal Data of our Data Subjects in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
Integrity and Confidentiality
We protect Personal Data by implementing appropriate technical and organisational measures to ensure appropriate security, in order to safeguard the rights and freedoms of Data Subjects.
Accountability
We hold ourselves accountable to demonstrate compliance with applicable legal and regulatory requirements and understand our roles and responsibilities for efficient data protection.
Ultimately, our policy is implemented in order to abide by the DPR and to assist the government in fostering safe conduct of transactions involving the exchange of Personal Data by customers/clients of both public and private organisations in Zambia.
To safeguard Personal Data of Data Subjects, we apply the following information security measures:
To prevent unauthorised access that may lead to a data breach through our network, only devices on our access control lists are permitted to use our networks.
To protect Personal Data and sensitive information, we have implemented an Intrusion Prevention System in the form of a firewall solution. Our firewall solution protects our network and connected systems from malicious attacks and hacking from cybercriminals by filtering and blocking unwanted data packets from accessing our computer network.
Our Next-Gen firewall solution takes a pre-emptive approach to network security, as it can identify potential threats and respond to them swiftly. When a threat is detected, the firewall solution deploys a lateral movement protection defence response, which isolates the affected system so the threat cannot spread, prevents it from communicating with other systems, or returns the threat to its originating host.
We have installed an endpoint protection system that combines antimalware, Data Loss Prevention (DLP), firewall, application, and device control as well as a host-based intrusion prevention system.
This also offers website browsing protection and filtering, email protection (such as anti-spam) and patch assessment.
Our endpoint protection system offers protection from zero-day attacks and drive-by downloads, includes root cause analysis and anti-exploit technology to minimise damage from breaches, and incorporates Crypto-Guard to protect against ransomware.
Backups in our organisation are daily and done automatically. Backups are encrypted with industry standard solutions and backed up data can only be accessed by authorised personnel for control purposes.
Our devices are also protected for offsite use, as we support our staff working remotely. Our endpoint security system extends to registered devices which can communicate over the internet only through our Virtual Private Network (VPN). This means that our staff can work from any location with their provided devices and are still under the security controls applicable to those within the organisation premises.
Our computers and other mobile devices are encrypted to prevent their storage drives from being accessible in the event of loss or theft.
To mitigate the threat of data loss that could arise from a physical breach at our premises, we deploy, in addition to human security personnel, CCTV and round-the-clock surveillance systems in strategic locations.
Our entry points are secured with biometric scanners for access authorization. Fire alarm systems are also present in the case of arson or accidental fire outbreak. Documents stored in hard copies are secured in a code-enabled cabinet and accessible to only authorised personnel who keep logs of collected and returned documents.
Our information security policies and practices apply to all personal information in our custody.
Employees have access to, and process Personal Data based upon a “need to know” basis to do their job. We regularly check who has access to our systems and data.
We may disclose Data Subject’s Personal Data to these categories of third parties some of which may be subject to the Data Subject’s consent.
The above disclosures to the third party shall be made only to the extent necessary for the specific purpose for which the data is provided. The third party shall be informed of the confidential nature of such information and shall be directed to keep the Data Subject’s information strictly confidential.
Staff members are obligated to bring any data breach occurrence to Management’s notice within 24 hours, which shall in turn be reported to the Bank of Zambia within 72 hours of knowledge of the breach.
The report details shall include:
All employees are enjoined to ensure that they do not indulge in activities that can result in the compromise or breach of data. In addition, it is the responsibility of everyone to adhere to the dictates of this policy.
Failure to comply with this policy, whether or not intentional, will lead to disciplinary action (up to and including dismissal).
Data Subjects’ personal information may be transferred to a third party in a foreign country which has adequate data protection laws for data transfer, as will be determined by the Bank of Zambia and/or subject to the Data Subject’s consent. Data Subjects are informed of the appropriate safeguards for data protection in the foreign country.
Where the Bank of Zambia has not determined the third-party country, the Data Subject’s personal information may be transferred to a third party in a foreign country in the following circumstances:
Ultimately, our employees are the most important element of our commitment to the protection of our Data Subjects’ Personal Data. Our employees are involved in every step of the data lifecycle, including sourcing and receiving Personal Data, processing it in compliance with laws and regulations, employing safeguards, and establishing the means and schedules of retention and deletion. It is therefore imperative that employees understand their role and are committed to safeguarding Personal Data.
Our data protection training programme is designed to be relevant and focused on concrete risks. More importantly, we conduct data protection training for employees and management bi-annually, and run regular data protection and information security awareness campaigns. We also share with employees other knowledge resources on data protection and privacy, including guidance on ways they can better protect and safeguard Personal Data.
It is imperative that employees understand the significance of protecting Personal Data and respecting privacy rights, with the ability to relate this back to the risks and consequences from an individual perspective.
We remain committed to our goal of ensuring that employees and other stakeholders understand their respective roles and responsibilities for compliance with the DPR.
At the outset of any project that would involve processing sensitive/high risk data, a data protection impact assessment is conducted. This is to identify possible areas where breaches may occur, and to devise means of minimising the data protection risks. We also conduct periodic DPIAs on our processes, services, and technology to ensure continuous compliance with the DPR.
Our DPIA takes the following form:
The level of risk is assessed by considering both the likelihood and the severity of any impact on our Data Subjects. The Risk and Compliance department is responsible for conducting DPIAs.
The company shall conduct regular internal audits of our privacy and data protection practices to ensure compliance.
The privacy of our Data Subjects’ Personal Data is of utmost importance to us. In line with our resolution, we have developed this Privacy Policy to explain your privacy rights regarding our collection, use, sharing and protection of your Personal Data when you visit our website, premises or use our digital platforms.
This privacy policy between the Company and you constitutes our commitment to your privacy on all our platforms. It is designed to provide information regarding our privacy practices and help you understand how we handle your data.
You accept this privacy policy when you give consent upon access to our platforms, use the services offered on our website and digital platforms or visit any of our offices for official or non-official purposes.
What Personal Data do we collect?
We collect Personal Data about you when you use the services offered on our website and digital platform, including the following:
We may also carry out screening checks (including reference, background, and criminal record checks). We may exchange your Personal Data with academic institutions, recruiters, health maintenance organisations, law enforcement agencies, referees, and your previous employers. Without your Personal Data, we may not be able to process your application for positions with us. We do not collect the information of minors. If you are under the age of 18, you are not eligible to use the service offered on our digital platform.
How Do We Retain Personal Data?
We retain Personal Data in an identifiable format for our business purposes and to fulfil our legal or regulatory obligations. We may retain Personal Data for longer periods if it is in our legitimate business interests and required to comply with applicable laws. We will continue to use and disclose such Personal Data in accordance with this Privacy Policy.
What do we do with your Personal Data?
We collect your personal data to provide you with an efficient and secure customer experience.
We process your information to:
With your consent:
We may share your Personal Data or other information about you with others for the following reasons:
With other third parties for our business purposes or as permitted or required by law: We may share information about you with other parties for business purposes or as permitted or required by law, including:
With your consent: We also will share your Personal Data and other information with your consent or direction.
Cookies are small files placed on your device’s browser that enable the website to identify your device as you view different pages. Like most interactive websites, our website uses cookies to enable the tracking of your activity for the duration of a session. Our website uses only encrypted session cookies, which are erased either after a predefined timeout period or once the user logs out of the platform and closes the browser. Session cookies do not collect information from your device. They typically store data in the form of a session identifier that does not personally identify you. Certain aspects of our website are only available through the use of cookies, so your use of our website may be limited or not possible if you choose to disable or decline cookies.
Requests to Access, Rectify or Erase
Access Request
You have the right to ask us whether we hold any Personal Data relating to you and, if we do, to be provided with a copy of that Personal Data in electronic form, unless you want to receive it in another way (for example, a paper copy). In addition, you can ask us for information on how we use your Personal Data, who we share it with, how long we keep it, where it is stored, and other information to help you understand how we use it.
Rectification Request
You have the right to ask us to correct your Personal Data (including by means of providing a supplementary statement) if it is inaccurate and to have incomplete Personal Data updated without undue delay. If we cannot correct the Personal Data, we include a note on our files regarding your request to correct your Personal Data.
Erasure Request
You have the right to ask us to erase your Personal Data if:
If we have made the Personal Data concerned public, we will also take reasonable steps to inform other data controllers processing the data so they can seek to erase links to or copies of your Personal Data.
We may refuse to act on your request to erase your Personal Data if the processing of your Personal Data is necessary:
In these cases, we can restrict the processing instead of erasing your Personal Data if requested to do so by you.
Requests to Object
You have the right to object at any time to the processing of your Personal Data if we process it based on our legitimate interests. This includes any purported “profiling”. Our privacy notice informs you when we rely on legitimate interests to process your Personal Data. In these cases, we will stop processing your Personal Data unless we can demonstrate compelling legitimate reasons for continuing the processing. We may reject your request if the processing of your Personal Data is needed to establish, exercise, or defend legal claims. You have the right to object at any time if we process your Personal Data for direct marketing purposes. You may also object at any time to profiling supporting our direct marketing. In such cases, we will stop processing your Personal Data when we receive your objection.
Requests to Restrict
You have the right to ask us to restrict the processing of your Personal Data if:
If processing is restricted, we may process your Personal Data (other than for storage) only:
Once processing is restricted following your request, we will inform you before we lift the restriction.
Requests for Portability
If our processing is performed by computer and is necessary to fulfil a contract with you, or is based on your consent, you have the right to:
Requests to Object to Automated Decisions
Generally, you have the right to object to any decision producing a legal effect concerning you or which otherwise significantly affects you if this is based solely on the automated processing of your Personal Data. This includes automated decisions based on profiling.
We may refuse your request if the decision in question is:
We will only make decisions relying solely on automated processing that involve your sensitive Personal Data if you have given your explicit consent or the processing is necessary for reasons of substantial public interest, based on the DPR and relevant laws.
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our premises, CCTV cameras for public safety and quality control as well as information access authorisation controls. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your password(s) and account/wallet/profile registration information and verifying that the Personal Data we maintain about you is accurate and current.
We will inform you of any breaches which may affect your Personal Data.
In the event of violation of this policy, we shall within Seven (7) days redress the violation. Where the violation pertains to the disclosure of your Personal Data without your consent, such information shall be retracted immediately, and confirmation of the retraction sent to you within 48 hours of the redress.
This Privacy Policy is made according to the Data Protection Regulation Act No.3 of 2021 and other relevant Zambia laws, regulations, or international conventions applicable to Zambia.