As a registered data controller determining the purposes and means of processing personal data, MyTalu takes the confidentiality and integrity of its customer data very seriously. As steward of customer information, MyTalu strives to ensure that all data is protected from unauthorized access whilst also ensuring that relevant data is available when needed.
MyTalu is also committed to ensuring that all personal data is handled in accordance with the Data Protection Laws, their principles, and any additional regulations and/or guidance laid out by the Zambian government or the Bank of Zambia.
As part of its business operations, MyTalu ensures the safe, secure, ethical, and fair use of all personal data and always upholds the highest standards of data handling. MyTalu ensures that all employees understand, have access to, and can easily interpret this Data Protection Policy and its procedures.
The Data Protection Act (DPA) regulates the processing of personal data, which includes organising, altering, adapting, retrieving, consulting on, storing, using, disclosing, transmitting, disseminating, or destroying any such data. As such, MyTalu has put in place robust measures, policies, procedures, and controls concerning all aspects of personal data handling.
David Elliot Johnson is the Data Protection Officer (DPO) responsible for ensuring customer information is processed and protected correctly.
Last Updated 31st July 2023.
As MyTalu processes personal information regarding individuals, MyTalu is obligated under the DPA to protect such information, and to obtain, use, process, store and destroy it only in compliance with the DPA and its principles.
For clarity, information protected under DPA is known as “Personal Data” and is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
MyTalu ensures that even greater care and attention is given to personal data falling within the DPA’s special categories, which include data concerning racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual.
In relation to the Special Categories of Personal Data, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Greater care is given because this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to. Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.
Data Protection Principles
MyTalu follows the Data Protection Principles, under which personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.
- Kept in a form which permits identification of data subjects (e.g. an individual, customer, employee etc.) for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
DPA requires that data controllers are responsible for, and be able to demonstrate, compliance with the principles. Data controllers are required to show how they comply with these principles, detailing and summarising the measures and controls that they have in place to protect personal information and mitigate the risks of breaching these principles.
Privacy and Electronic Communications Regulations
MyTalu confirms that it complies with all regulations and laws made under the Privacy and Electronic Communications Regulations acts in respect to any related business activity.
MyTalu confirms that where individuals are concerned, direct marketing media (emails, calls or post) will only be sent when solicited (i.e. direct prior consent has been given: a freely given indication that signifies agreement to their personal data being processed), and MyTalu will retain proof of all such consent.
No marketing material is delivered using an automated calling system and no unsolicited tele-sales or marketing calls will be made.
Any calls made by MyTalu will be in accordance with the below requirements:
- Employees will identify themselves and the firm from which they are calling.
- Employees will disclose the nature and purpose of the call.
- If asked, the employee will provide a valid business address and contact telephone number.
Any sales or marketing emails will:
- Identify the name of the firm, its trading address, and a valid contact number.
- Contain an opt-out option allowing the individual to unsubscribe from any further emails.
Employees are aware that there are no second chances to prevent a data security breach and that, when handling private information, MyTalu has a corporate and ethical duty to always ensure information security and privacy.
Employees are fully aware of the threats to personal information and know that they can come from a variety of different sources and for different reasons.
MyTalu has defined the following categories of threat to information security:
- Internal, a threat that arises from inside MyTalu itself. Internal threats can be accidental (human and/or technical) or deliberate, such as a malicious or disgruntled employee.
- External, threats that come from outside MyTalu, the direct opposite of an internal threat. Again, they can be intentional or accidental.
- Deliberate, one that has been caused intentionally to purposefully harm MyTalu and its security. Examples can be employees deliberately deleting files before they have been backed up or hackers breaching systems to steal or corrupt files.
- Accidental, damage or loss to secure information that has not been done on purpose. Again, this can be from both internal and external sources, examples being an employee who accidentally emails confidential information to the wrong person or loss of back-up systems due to a technological fault.
MyTalu carries out annual audits on all processes relating to information security, access measures and controls. In such audits, a complete gap analysis is drawn out and an action plan put in place where improvements are identified.
In instances where information must be shared with third-party service providers (e.g. for customer due diligence), an overview of the company policy and contractual arrangements has been put in place to ensure the customer data is managed in line with the regulations applicable to this policy.
Customer Data Protection Rights
Under data protection law, MyTalu customers have rights including:
- Right of access, where customers have the right to ask MyTalu for copies of their personal information.
- Right to rectification, where customers have the right to ask MyTalu to rectify personal information that customers consider inaccurate.
- Right to erasure, where customers have the right to ask MyTalu to erase any stored personal information in certain circumstances.
- Right to restriction of processing, where customers have the right to ask MyTalu to restrict the processing of personal information in certain circumstances.
- Right to object to processing, where customers have the right to ask MyTalu to stop the processing of personal information in certain circumstances.
- Right to object to automated decision making, where customers have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the customer or similarly significantly affects the customer. Such processing is prohibited unless explicit consent is obtained, it is authorized by law, or it is necessary for the performance of a contract.
- Right to data portability, where customers have the right to ask that MyTalu transfer the personal information held on file to another organisation, or direct to the customer, in certain circumstances.
MyTalu will not charge customers for exercising their rights, but customers will be required to provide additional information for MyTalu to confirm the requestor’s identity and ensure the right to access personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
MyTalu is required to respond to the customer within one month of the request being made.
Privacy by Design
As part of the implementation of data protection, MyTalu’s data controller will implement:
- Privacy by Design, technical and organisational measures, such as pseudonymisation, to minimise personal data processing.
- Privacy by Default, where only the data that is necessary is processed, only to the extent that is necessary, and data is stored only if necessary.
MyTalu carries out privacy impact assessments on an annual basis to ensure that data is appropriately secure and that only what is considered necessary is stored.
Data Collection and Storage
In order to effectively provide customers with services regarding the MyTalu products, MyTalu collects and processes the following information:
- Personal identifiers, such as first name, last name, marital status/title, date of birth, photo, and gender.
- Contact information, including home address, email address and telephone number.
- Copies of any Government ID and documentation customers submit during the application process.
- Transaction data, relating to the funds passed through MyTalu products.
MyTalu does not process any Special Category Data that relates to a customer’s race or ethnicity, religious or philosophical beliefs, sexual orientation, political views, health, or medical records.
Therefore, in relation to the data collected, MyTalu ensures that:
- Data is handled and protected according to its classification requirements.
- Sensitive and non-sensitive data is not mixed in the same repository.
- Security controls, including authentication, authorization, data encryption, and auditing, are applied according to the highest classification of data in any given repository.
- Unless essential for their role within MyTalu, employees do not have direct administrative access to production data.
- All data processing operations can be disabled, unless they are essential to achieve the business purpose for which the data is stored.
- All access to production data is logged.
- All production data has security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.
Purpose and Minimisation
MyTalu shall ensure that all collected personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
MyTalu has a legal and legitimate interest in collecting customer data. This means MyTalu requires it for risk mitigation in order to conduct business and provide products and services in the most efficient, legal, and secure way.
MyTalu only uses customer data when the law allows or requires it to, and to provide products and services. MyTalu uses it to maintain regulatory compliance as well as to protect its customers from illegal activities such as money laundering and fraud.
Only when expressly required, MyTalu shares customer data with:
- Anyone who works for MyTalu when needed for their role.
- Any third-party organisation who supports MyTalu’s products and services.
- Regulators, fraud prevention authorities and other law enforcement agencies where needed to protect against fraud, comply with anti-money laundering laws, or to confirm customer eligibility to use MyTalu services.
To make sure the customer data held is up to date, MyTalu will review and update the information every three years unless the customer in question is flagged for enhanced due diligence, where it will be done every twelve months.
Suspicious Activity Reports (SARs) raised against a customer may also trigger a request for updated customer information, as will events that change the personal details stored against the account, such as name and address. Politically exposed person and sanctions assessment results will also be collected.
During this process, updated customer data will be requested directly from the customer and/or via third-party Know Your Customer (KYC) providers.
As part of its governance procedures, MyTalu ensures preservation of personal information, data, and documentation in compliance with the statutory confidentiality and data protection requirements.
Records relating to MyTalu’s compliance, legal and regulatory responsibilities will be retained for a minimum period of five years. This period begins after the specific business relationship pertaining to the data has ended. Once the minimum period has elapsed, any customer information concerning personal data will be destroyed in line with relevant data protection rights.
A further period of retention may be permitted if, after a thorough assessment, MyTalu believes this is justified for the prevention, detection or investigation of money laundering or terrorist financing, or the customer has given consent to the retention of their data.
After that further period, MyTalu shall destroy any retained customer information concerning personal data.
Information will be made available to law enforcement on request.
Data Protection Standards and Processes
All MyTalu employees, systems, and resources adhere to the following standards and processes to reduce the risk of data compromise events:
- Implement and review controls designed to protect data from improper alteration or destruction.
- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- Ensure MyTalu customer data is segmented and only accessible to those authorized to access data.
- All data is stored on encrypted platforms.
- Encryption keys and machines that generate encryption keys are protected from unauthorized access, only accessible by privileged employees.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, MyTalu shall promptly assess the risk to people’s rights and freedoms, and if appropriate, report the breach to the relevant Data Protection Authority as well as RailsBank.
Any breach will be reported to the Data Protection Authorities within seventy-two hours of the event occurring.
Regarding MyTalu’s approach to data breaches, MyTalu confirms that:
- It is possible for MyTalu to internally recognise or detect a data breach.
- The severity of a data breach is not only about the loss or theft of personal data, but also the possibility of the breach itself.
- There is a response plan in place if any data breaches occur.
- There is allocated responsibility for the DPO to manage the resolution of any data breaches.
- There is allocated responsibility for the DPO to minimise the risk of any data breaches.
- Employees know how to identify and escalate data breaches to the DPO.
In the event of a data breach MyTalu will:
- Inform any affected customers that a breach has occurred within seventy-two hours of it being discovered.
- Notify the Data Protection Authority and inform them of the details.
- Document the details of the breach and put measures in place to reduce the risk of repeat events.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process MyTalu implements to identify and minimise the data protection risks it faces.
MyTalu will perform a DPIA for any change to a process that involves the processing of personal customer data.
The DPIA involves:
- The nature, scope, context, and purposes of the processing.
- An assessment of the necessity, proportionality, and compliance measures.
- Identification and assessment of the risks to individuals.
- Identification of any additional measures to mitigate risks.
To assess the level of risk, MyTalu considers the likelihood and the severity of any impact to customers. If MyTalu identifies a risk that it cannot mitigate, it will consult the relevant Data Protection Authority before starting the new processing methods.