Data Privacy Policy

1. General Policy Scope

Budget Office of the Federation sets forth how it shall manage the Personal Data collected in the normal course of business. Any data provided are handled in a confidential manner to ensure that the content and service being offered are tailored to specific requests, needs and interests. This Policy applies to:

  1. All investors, operators, individuals or employees who provide Personal Data using any channel;
  2. All functional areas and Budget Office of the Federation sites in scope of the NDPR;
  3. All methods of contact, including in person, written, via the Internet, direct mail, telephone, or other data capturing channels/methods.

This Policy is designed also to inform all stakeholders about their obligation to protect the privacy of all stakeholders’ information and the security of Personal Data.
This document applies to the entire Nigerian Data Privacy Regulation scope.
2. Purpose and Users

Budget Office of the Federation software development needs to gather and process certain information about individuals with whom it has a relationship for various purposes, including but not limited to the recruitment and payment of staff, relationship management with Members, issuers, investors, collection of personally identifiable information on their platforms, etc. In light of the emerging data regulatory environment, which requires higher transparency in how companies manage personal information, the Company must ensure that its business operations align with global best practices on protection of rights and privacy of individuals.
Users of this document are all employees of Budget Office of the Federation and service providers.
3. Policy Statement

All data in the custody of Budget Office of the Federation shall be handled with utmost privacy and protection. Budget Office of the Federation shall comply with all legislation and regulations applicable to its business and operations regarding data protection and privacy. All personal data shall be classified in line with Budget Office of the Federation Information Classification Policy.
4. Description

This policy describes how we use and protect Your Information and the control you have over your Information. Budget Office of the Federation respects your privacy and will keep all your details confidential.
5. Terms and Definitions

  • Database Administrator/ Processor is a specialized computer systems administrator who maintains a successful database environment by directing or performing all related activities to keep the data secure. The top responsibility of a DBA professional is to maintain data integrity.
  • Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.
  • Data Portability means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.
  • Nigeria Information Technology Development Agency – NITDA
  • Data Protection Compliance Organization (DPCO) means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.
  • Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Data means facts and statistics collected together for reference or analysis.
  • Database refers to a structured set of data held in a computer, especially one that is accessible in various ways.
  • Data Subject/PII Principal means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  • Personal Data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  • Data breach is a security incident in which information is accessed without authorization.
  • Record means a thing constituting a piece of evidence about the past, especially an account kept in writing or some other permanent form; it also means public record and reports in credible news media.
  • Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

6. Purpose

The purpose of this policy is to:

  • Protect the company from the risks of a data breach.
  • Disclose how Budget Office of the Federation stores and processes data of individuals.
  • Protect the rights of staff, members and stakeholders.
  • Comply with the regulation and follow international best practices.

7. Data Protection Regulation

The Regulation, established in January 2019, provides information on the gathering, storing and processing of personal data (regardless of whether data is stored electronically, on paper, in transit or on other materials), and protects the rights and privacy of all individuals. The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.

7.1. Applicability

Controllers and processors
Customers and PII Principals are the controllers and Budget Office of the Federation is the processor of personally identifiable information/data. Other sub-processors are our service providers. Any update of this policy or changes in status will be communicated to all relevant stakeholders.
8. Governing Principles of Data Protection

The Regulation mandates every data processor to process any personal data in accordance with the governing principles of data protection. In order to comply with these obligations, the Company undertakes to adhere to the following principles:

8.1. Data processing

All forms of data processing will be done transparently. In line with the European Union General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR), all policies have been updated to ensure that your data is being processed lawfully.
By using our service, you give your consent to process your data in accordance with these policies and our Terms of Service (ToS). All Information will be stored and easily accessible for as long as the purposes for which it was collected exist. However, information may be retained where there is a need for legal necessaries like invoices, audit logs, subscription information etc.

8.2. Lawful Processing

The Company shall process personal data of individuals if at least one (1) of the following applies:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which Budget Office of the Federation is subject.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

8.3. Procuring Consent

To fulfill the requirement of the Regulation, personal data will be processed in accordance with the rights of the data subject. The Company’s business operations will be guided by the following:

  • The Company shall request for consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the data subject’s consent is given in the context of a written declaration.
  • The Company shall inform the data subject of his/her right, and the ease, to withdraw his/her consent at any time.
  • To operate and maintain your account, and to provide you with access to the Website and use of the Apps and Services that you may request from time to time. Your email address and password are used to identify you when you sign into the Platform. Your device-IDs are used to ensure that you are in control of the devices that have access to your subscription.
  • To seek your participation in surveys, to conduct and analyse the results of those surveys if you choose to participate.
  • To provide you with technical support.
  • To respond to you about any comment or enquiry you have submitted.
  • To prevent or take action against activities that are, or may be in breach of our Terms of Service (ToS) or applicable law.
  • For identification and verification purposes.
  • For marketing, sales and promotional activities.
  • For product development, to build higher quality and more useful services.
  • For security purposes and other purposes stated in these policies.
  • The company shall request for consent of the data subject where data may be transferred to a third party for any reason.
  • Budget Office of the Federation shall only obtain personal information for the specific purpose of collection after which consent is sought from the data subject to processing of his or her personal data and the legal capacity to give consent, where processing is based on consent.

8.4. Due Diligence and Prohibition of Improper Motives

To align with these requirements, the Company shall:

  • Process and retain personal information for its stated and communicated purpose only.
  • Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the regulation and such party is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria.

8.5. Privacy Policy

A privacy policy shall be established to reflect changes in the law, business, or within your protocols. All users shall be notified of these updates, and the effective date shall be included with the policy. Be transparent and remain true to your commitment to user privacy.
This policy will also be made available to the data subject regardless of the medium through which such personal data are being collected or processed. Seamfix’s privacy policy shall contain the following:

  • Purpose of collection of personal data.
  • Description of personal information that can be collated.
  • Constitution of data subjects’ consent.
  • Technical methods used to collect and store personal information, cookies, web tokens, etc.
  • Third parties’ access to personal data and purpose of access (if applicable).
  • A highlight of the principles governing data processing.
  • Available remedies in the event of violation of the privacy policy.
  • The timeframe for remediation of issues raised.
  • Any limitation clause, provided that the limitation clause does not absolve Budget Office of the Federation from breaches of the regulation.

8.6. Data Security

Budget Office of the Federation has established the necessary technical and security measures to prevent unauthorized or unlawful access to, or accidental loss, destruction of or damage to, personal Information. To ensure the safety of personal Information, secured web services have been configured to run within a virtual private connection, with an SSL certificate to make sure that all communications are made over HTTPS, SFTP using TLS. Other strategies to ensure data privacy in-house are the development of security measures (including but not limited to protecting systems from hackers, setting up firewalls and protecting email systems, secure storage of data, and employing data encryption technologies), the development of an organizational policy for handling personal data and other sensitive or confidential data, and continuous capacity building for all staff.
8.7. Data Processing Contracts with interested/ third parties

To ensure compliance with the Regulation, being a data controller, the Company shall:

  • Establish a written contract which shall be signed by a third party that will process personal data of individuals.
  • Ensure that such third party processes the data obtained from data subjects in compliance with the Regulation.

8.8. Data Subject’s Rights to information

As a user, you have certain rights/control over the information you submit to us. You have the right:

  • To access and confirm your Information.
  • To withdraw your consent from processing your Information (this does not affect already processed information).
  • To rectify or update any inaccurate or outdated information.
  • To know the purpose for processing your Information.
  • To restrict the processing of your Information.
  • To erase any information we hold about you.
  • To request for a copy of the information we keep about you.
  • To object/refuse your Information for direct marketing.
  • For portability, if feasible.
  • The accuracy of the personal data is contested by the data subject for a period enabling Budget Office of the Federation to verify the accuracy of the personal data.
  • Provide personal data concerning data subjects, in a structured manner, commonly-used and machine-readable format to such data subjects.
  • Not hinder the data subject from transmitting those data in its database to another company where the processing is based on consent, on a contract and processing is carried out by automated means.
  • Execute data subjects’ requests on transmission of their personal data to another company, where technically feasible.
  • When you make a request to exercise any of the above rights, we shall provide you with your personal information and other necessary information as requested by you. However, we reserve the right to charge you or refuse your request where we notice that your request is repetitive or excessive. Your right to erasure of your Information does not apply to legal necessaries like invoices, audit logs, subscription information etc., or to your Information archived on our backup systems, which we shall securely isolate and protect from any further processing, to the extent required by applicable law.

8.9. Transfer of Information to a Foreign Country

The Company shall comply with the regulation and any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organization shall take place subject to the provisions of the Regulation.
9. Assigning Roles and Responsibilities

Budget Office of the Federation has identified roles and responsibilities of relevant stakeholders to enforce the privacy policy across the organization.
9.1. Board

The Board must ensure that Budget Office of the Federation is nurturing public trust and complying with regulations as it takes advantage of data collected from customers. It must also enforce and ensure compliance with documented privacy policies in accordance with NDPR.

9.2. Executive Management Committee

  • The main role of the privacy committee should be to make strategic recommendations about data security across the company.
  • Ensure data protection objectives are established and aligned with the strategic direction of the Company.
  • Ensure the availability of resources needed for the protection of data.
  • Communicate the importance of effective data protection in the company and of conforming to its requirements.

9.3. Data Protection Officer

  • The primary role of the data protection officer (DPO) is to ensure that Budget Office of the Federation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
  • Keep Executive Management updated about data protection responsibilities, risks and issues.
  • Review all data protection procedures and related policies, in line with an agreed schedule.
  • Arrange data protection training and advice for the people covered by the policy.
  • Handle data protection questions from staff and anyone else covered by the policy.
  • Deal with requests from individuals to obtain the data Budget Office of the Federation holds about them.
  • Review and approve any contracts or agreements with third parties that may handle the company’s sensitive data.

9.4. Head, Information Technology

  • Evaluate any third-party services Budget Office of the Federation is considering using to store or process data such as private cloud computing services.
  • Ensure all systems, services and equipment used for storing data meet acceptable security standards.
  • Perform regular checks and vulnerability scans to ensure adequate security of hardware and software used in data processing.

9.5. Quality Assurance

  • Provide reasonable assurance regarding the achievement of the operational objectives, such as the effectiveness and efficiency of the security controls.
  • Carry out internal audit and report findings to Executive Management Committee.
  • Recommend preventive and corrective action.

9.6. Human Resource

  • Must ensure everyone is informed and up to date when it comes to keeping information safe.
  • HR ensures that user’s data is only being used for what the original owner intended and agreed to. While the process is lengthy, it saves a lot of legal trouble and potential theft.
  • Ensure the pillars of an exit strategy are put in place as soon as the employee joins the company, ensuring as few misunderstandings as possible. In fact, keeping good communication and appropriate company culture can help prevent breaches like this from ever happening.

10. Policy Review

This policy shall be reviewed at least every two (2) years, or as may be required, to ensure effectiveness and continual application and relevance to the Company’s business.

11. Escalation
Anyone breaching information security policy may be subject to disciplinary action. If a criminal offence has been committed, further action may be taken to assist in the prosecution of the offender(s). All policy breaches shall be escalated to the Information Technology department for action.

12. Policy Exceptions & Retention

A policy exception represents a circumstance whereby an employee of Budget Office of the Federation knowingly deviates from a requirement of the Policy. All Policy exceptions must be approved by the Director General (DG) of Budget Office of the Federation.

All documentation shall be maintained in accordance with the Budget Office of the Federation policy for Retention of documents and records or as regulation requires.

13. Contact Us
The website is owned and operated by Budget Office of the Federation, an agency of the Federal Government of Nigeria. If you have any questions or comments about this policy, or if you would like us to update information we have about you or your preferences, please email us.