DATA PROTECTION POLICY
Policy Statement
ICOSAHEDRON -SMC LTD trading as H.E.R Working Women recognizes that the privacy of personal data is a fundamental right. H.E.R WORKING WOMEN collects and processes sensitive personal data of its members, employees, and partners.
This Policy demonstrates H.E.R Working Women's commitment to:
- Complying with the Data Protection and Privacy Act, Cap 97;
- Protecting the integrity, confidentiality, and security of personal data; and
- Building trust and accountability with members and stakeholders.
Objectives of the Policy
The objectives of this Policy are to:
- Establish a governance framework for the protection of personal data.
- Ensure all H.E.R WORKING WOMEN operations involving personal data are lawful, fair, transparent, and secure.
- Provide clear procedures for collecting, processing, storing, and disposing of personal data.
- Guide breach management and complaint handling.
Legal and Regulatory Framework
This Policy is anchored in:
- The Data Protection and Privacy Act, (Cap. 97)
- Regulations and guidelines issued by the Personal Data Protection Office (PDPO) under NITA-U.
- Other relevant Ugandan laws, including:
  - The Anti-Money Laundering Act;
  - The Computer Misuse Act.
Guiding Principles of Data Protection
H.E.R WORKING WOMEN adheres to the following principles:
- H.E.R WORKING WOMEN is accountable to its members and regulators.
- Processing must have a lawful basis and be non-discriminatory.
- Only data strictly necessary for H.E.R WORKING WOMEN operations shall be collected.
- Data must be collected for a specific, explicit, lawful purpose.
- Data must be accurate, complete, up-to-date, and not misleading.
- Adequate technical and organizational safeguards shall be applied.
- Data shall not be retained longer than necessary.
- Data subjects shall be informed of their rights and consulted when required.
Categories of Personal Data Processed
H.E.R WORKING WOMEN processes the following:
- Identity information (name, NIN, passport, address).
- Data of service providers, agents, contractors, auditors, and insurers.
- Biometric identifiers, health details (for insurance), and financial status.
Legal Basis for Processing
Processing shall be lawful if it is:
- Based on the consent of the data subject;
- Necessary for execution of a contract with a member (loan/savings agreement);
- Required by law;
- Necessary to protect vital interests; or
- Pursued for legitimate H.E.R WORKING WOMEN purposes, consistent with cooperative principles.
Rights of Data Subjects
Every member and data subject has the right to:
- Access their personal data upon written request;
- Obtain rectification of incorrect or incomplete information;
- Obtain erasure or blocking of data that is unlawfully held; and
- Object to processing that causes distress or is for direct marketing.
Obligations of H.E.R WORKING WOMEN
H.E.R WORKING WOMEN shall:
- Collect and process data in a lawful and transparent manner.
- Secure member data.
- Report data breaches to the PDPO promptly.
- Regularly sensitize staff and members on data protection.
Data Collection and Processing Procedures
- Data shall be collected directly from the member except where permitted by law.
- Before collection, H.E.R WORKING WOMEN shall inform the data subject of: the purpose of collection, which fields are mandatory and which are optional, the consequences of refusal, the right of access, and the retention period.
- Consent must be documented using standardized Consent Forms.
- Data collected shall be entered into secure systems with strict user authentication controls.
Data Security and Confidentiality Measures
H.E.R WORKING WOMEN will implement:
- Firewalls, encryption, secure backups, and access restrictions.
- Staff confidentiality undertakings and role-based access.
- Secure filing rooms, CCTV in data storage areas, and visitor logs.
- Regular data protection compliance audits.
Data Retention and Disposal
- Member records shall be retained for at least 10 years after account closure (or as required by law).
- Employee records may be retained for the statutory period after termination of employment.
- After expiry of retention, data shall be securely destroyed or anonymized.
Data Sharing and Third-Party Processing
- Data may only be shared with third parties under a written agreement ensuring compliance with the Act.
- Data processors must sign Data Processing Agreements committing to confidentiality and security obligations.
Data Transfers Outside Uganda
Data shall not be transferred outside Uganda unless:
- The destination country provides equivalent protection; or
- The data subject has given explicit written consent.
Data Protection Officer (DPO)
H.E.R WORKING WOMEN shall appoint a DPO who will:
- Monitor compliance and advise management.
- Serve as liaison with the PDPO.
- Handle data subject requests.
- Coordinate breach notifications and awareness programs.
Complaints Handling Mechanism
- Complaints may be submitted in writing to the DPO using the Data Subject Request Form.
- A response shall be provided within 30 days as per the Act.
- If unresolved, the matter shall be referred to the PDPO.
Breach Management and Notification
- Any suspected or actual breach must be reported immediately to the DPO.
- The DPO shall assess and notify the PDPO within the prescribed time.
- If required, affected members shall be informed through registered mail, email, or public notice.
Training, Awareness, and Capacity Building
- Regular training for staff on data protection obligations.
- Member sensitization through workshops, brochures, and digital platforms.
Monitoring, Evaluation, and Audit
- Annual compliance audits shall be conducted by the Supervisory Committee or an independent auditor.
- Audit reports shall be presented to the Board and corrective measures implemented.
Policy Review and Amendment
This Policy shall be reviewed every two (2) years or earlier if required by changes in law or H.E.R WORKING WOMEN operations.
Approval and Effective Date
This Policy was approved by the Board of ICOSAHEDRON -SMC LTD on 1ST OCTOBER 2025 and takes effect immediately.