2. DATA PRIVACY
2.1 Collection, Use and Processing
CyberSOC Africa shall collect sensitive and personal data only for lawful purposes and only in connection with employment or the provision of managed security services.
CyberSOC Africa shall use personal data only after obtaining the Individual's consent, in ways that the Individual would reasonably expect, and not in a manner that would have unjustified adverse effects on him or her.
CyberSOC Africa shall endeavor to comply with the relevant laws and regulations while giving effect to the Policy. However, CyberSOC Africa may process the personal data of any person without the consent of the person concerned for any of the following purposes:
(a) the prevention or detection of crime
(b) the prosecution of offenders
2.2 Data Privacy Obligations for Personal Data
☖ Personal data shall be processed fairly and lawfully.
☖ Personal data shall be obtained only for specified and lawful purposes, and must not be processed in a manner which is incompatible with those purposes.
☖ Personal data must be adequate, relevant and not excessive in relation to the purposes for which it is processed.
☖ Providers of Personal data must, as and when requested, review the Personal data and ensure that the Personal data is accurate and, where necessary, kept up to date.
☖ Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose, or for longer than is otherwise required under any other law for the time being in force.
☖ Appropriate measures shall be taken against unauthorized or unlawful processing of Personal data and against accidental loss or destruction of, damage to, or theft of Personal data.
☖ Personal data shall be transferred only if it is necessary for the performance of a lawful contract between CyberSOC Africa and the transferee entity, subject to prior permission from the provider of Personal data.
2.3 Confidentiality and Security
CyberSOC Africa shall adopt reasonable security practices and procedures to protect sensitive data and personally identifiable information (PII) from accidental loss, theft, destruction, damage, and unauthorized or unlawful processing.
2.4 Data Breaches
A data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to sensitive and personal data transmitted, stored or otherwise processed”.
Where there is a claim and/or evidence of a data breach, the following notification regime applies:
☖ A sensitive data breach shall be reported to the relevant authority not later than 24 hours after becoming aware of it.
☖ A personal data breach shall be reported to the relevant authority not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to rights and freedoms.
INFORMATION SECURITY POLICY STATEMENT
It is the policy of CyberSOC Africa to ensure that:
- Information is made available with minimal disruption to stakeholders, as required by the various business processes.
- The integrity of information is maintained.
- Confidentiality of information (infrastructure information, customer information, databases, employee information, contracts and agreements, third party information, personal and electronic communications data, etc.) is preserved.
- Information security objectives are established.
- Regulatory, legislative, and other applicable requirements are met, including:
  - All legislative and regulatory compliance requirements applicable to the business operations
  - Contractual conditions that lay down the requirements for information security
- Commitment to follow ISO 27001
- Commitment to achieve and maintain certification to ISO 27001
- Continual improvement of the information security management system
- Information security education, awareness, and training are made available to ALL stakeholders
- Policies, procedures, and guidelines, not limited to Information Security, are made available to relevant stakeholders in support of the ISMS Policy
- Breach of this policy or of any security mechanism may warrant disciplinary measures, up to and including termination of employment or contract, as well as legal action.