Data Protection and Privacy Policy
1.0 INTRODUCTION
1.1 SCIDaR collects and processes certain types of information (such as names, telephone numbers, address, sex etc.) of individuals that make them easily identifiable. These individuals include current, past and prospective employees, suppliers/vendors, Sub-contractors, respondents and other individuals (“Data Subjects”) whom SCIDaR deals with, jointly and/or severally. SCIDaR is committed to conducting her activities in accordance with laws and regulations guiding data protection in Nigeria and globally in order to safeguard the rights of natural persons to data privacy, to foster safe conduct for activities involving the exchange of Personal Data and to prevent the manipulation or breach of Personal Data. SCIDaR equally expects all employees to be intentional about safeguarding sensitive materials and data that come into their possession in the course of employment with SCIDaR.
Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects as a result of providing SCIDaR or SCIDaR employees with their Personal Data. To this end, SCIDaR is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Data handled by Information Technology and other data by its Staff in different forms. This Data Protection & Privacy Policy (“Policy”) describes the substantive minimum standards that must be strictly adhered to regarding the collection, use and disclosure of Personal Data and indicates that SCIDaR is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photograph, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others. Personal data in this policy also refers to other forms of data kept or processed by SCIDaR.
1.3 Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data or other forms of data transmitted, stored or otherwise processed. Data is not limited to characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in an electronic form, but also includes personal data as defined in this policy in accordance with the Nigerian Data Protection Act and Regulation.
2.0 Scope
2.1 In the digital era we live in, data is essential to any business or activity and, if properly managed, unlocks new sources of growth. However, responsible management of all forms of data is vital for business sustainability and SCIDaR does not engage in any behaviour that would damage her reputation, business or the communities in which it operates. We fully recognize the fundamental right of individuals to privacy and their right to the safeguard of Personal Data. We equally recognize the responsibility of individuals to ensure that all forms of data in their possession are safeguarded in the interest of SCIDaR. The protection of the privacy rights of employees, other individuals and organisations is the primary aim of this Data Protection and Privacy Policy, a key part of SCIDaR’s commitment to meet global standards for Personal and Organisational Data privacy. Local privacy law may vary; where there is a difference between a legal requirement and this Policy, we must always apply the higher standard.
2.2 This Policy applies to all employees of SCIDaR, as well as to any external business partners (such as suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of SCIDaR, including processing wholly or partly by automated means. This Policy applies to all forms of systems, operations and processes within SCIDaR that involve the collection, storage, usage, transmission and disposal of Personal and Organizational Data. This Policy also applies to third party Data Processors who process Personal Data received from SCIDaR.
2.3 By the provisions of the Nigeria Data Protection Act 2023, SCIDaR controls and processes data. A data controller is a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed.
2.4 Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration etc.
3.0 Risks associated with violations of Data Privacy
Failure to comply with data protection and privacy law can result in civil and criminal penalties and/or imprisonment. Furthermore, privacy law violations can cause significant reputational damage for SCIDaR. Non-compliance with this Policy (or other Compliance Policies) will not be tolerated by SCIDaR and may result in disciplinary action. The disciplinary action will vary according to the severity of the non-compliance but could include termination of employment or being reported to relevant authorities and law enforcement agencies.
4.0 Principles of Personal Data Processing
SCIDaR is committed towards aligning with the governing principles of data protection and creating a positive privacy culture within the Organisation and will adhere to the basic principles relating to personal data and other forms of data. At SCIDaR, Personal Data processing is permitted only when it is fair and lawful, compliant with the principles listed in the following pages and managed through appropriate technical and organizational measures, allowing us to demonstrate that we respect any applicable law. To help in ensuring this, every new activity on Personal Data (e.g. new category of Personal Data processed, new Processing platform or new Processing purpose) has to be reviewed by Management or its representatives. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The following principles of processing Personal Data shall apply. Personal Data shall be:
- processed in a fair, lawful and transparent manner
- collected for specified, explicit and legitimate purposes and not to be further processed in a way incompatible with these purposes
- adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed
- retained for not longer than is necessary to achieve the lawful basis for which the personal data was collected or further processed
- accurate, complete, not misleading and where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, access, loss, destruction, damage or any form of data breach
The principles are explained below:
4.1 Lawfulness, Fairness and Transparency
4.1.1 Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of SCIDaR must be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, except where the processing is otherwise allowed by law or within other legal grounds recognized by law. Data processing shall be lawful where:
(a) the data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed: or
(b) the processing is necessary –
(i) For the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract,
(ii) For compliance with a legal obligation to which SCIDaR is subject
(iii) To protect the vital interest of the data subject or another person
(iv) For the performance of a task carried out in the public interest or in the exercise of official authority vested in SCIDaR, or
(v) For the purposes of the legitimate interests pursued by SCIDaR or by a third party to whom the data is disclosed.
4.1.2 Interests in personal data processing shall not be legitimate for the purposes of subsection 4.1.1 (b)(v), where –
(a) they override the fundamental rights, freedoms and the interests of the data subject;
(b) they are incompatible with other lawful bases of processing under subsection 4.1.1(b)(i)-(v);
(c) the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
4.1.3 Anyone who is entrusted with Personal Data or who is in possession of Personal Data owes a duty of care to the data owner; anyone who is entrusted with Personal Data or who is in possession of the Personal Data shall be accountable for his acts and omissions in respect of data processing, and in accordance with the principles contained in relevant laws and regulations.
4.2 Data Accuracy
Personal data must be accurate, complete, not misleading and where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed. Hence, Personal Data must be accurate and kept up-to-date. In this regard, SCIDaR:
- a) shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;
- b) make efforts to keep Personal Data updated where reasonable and applicable; and
- c) make timely efforts to correct or erase Personal Data when inaccuracies are discovered.
4.3 Purpose Limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not to be further processed in a way incompatible with these purposes.
SCIDaR collects Personal Data only for the purposes identified in the appropriate SCIDaR Privacy Notice or any other document provided to the Data Subject and for which consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, except a new Consent is obtained.
4.4 Data Minimization
Personal Data shall be collected only if it is adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed.
4.4.1 SCIDaR limits Personal Data collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
4.4.2 SCIDaR will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.
4.5 Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, access, loss, destruction, damage or any form of data breach.
4.5.1 SCIDaR shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.
4.5.2 Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.
4.5.3 Any Personal Data processing undertaken by an employee who has not been authorized to carry it out as part of their legitimate duties is unauthorized.
4.5.4 Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.
4.5.5 The Talent Management team or the team responsible for human resources must ensure that employees, at the start of the employment relationship, undertake an obligation to maintain personal data privacy and to return or securely delete all such personal data in their possession before the last working day of their employment. This obligation to maintain personal data privacy by employees shall remain in force even after employment has ended.
4.6 Personal Data Retention
Personal data shall be retained for not longer than is necessary to achieve the lawful basis for which the personal data was collected or further processed.
4.6.1 All personal information shall be retained, stored and destroyed by SCIDaR in line with legislative, regulatory guidelines and internal policies. For all Personal Data and records obtained, used and stored within SCIDaR, SCIDaR shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.
4.6.2 To the extent permitted by applicable laws and without prejudice to SCIDaR’s Document Retention Policy and other relevant retention documents, the length of storage of Personal Data shall, amongst other things, be determined by:
(a) the contract terms agreed between SCIDaR and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
(b) whether the transaction or relationship has statutory implications or a required retention period; or
(c) whether there is an express request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require SCIDaR to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
(d) whether SCIDaR has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.
Notwithstanding the foregoing and pursuant to the Data Protection Act and Regulation in force, SCIDaR shall be entitled to retain and process Personal Data for archiving, scientific research, historical research or statistical purposes for public interest.
4.6.3 SCIDaR would forthwith delete Personal Data in SCIDaR’s possession where such Personal Data is no longer required by SCIDaR or in line with SCIDaR’s Retention Policy, provided no law or regulation being in force requires SCIDaR to retain such Personal Data.
5.0 First time data processing
When collecting Personal Data, or at the latest when processing it for the first time, SCIDaR is expected to provide proper and sufficient information to the Data Subject, about, as a minimum:
- the Processing purposes;
- the identity and the contact details of the Personal Data Controller (“Data Controller”), or the Personal Data Processors (“Data Processor”);
- for how long the Personal Data will be kept;
- his/her rights and the means to exercise them;
- the compulsory or voluntary nature of the disclosure of the Personal Data.
SCIDaR will inform the Data Subject using clear and plain language, through concise, intelligible and easily accessible forms, either digital or in hard copy, an e-mail acknowledging receipt of a request or a complaint, a newsletter e-mail or internal rules with regard to the processing of employees’ Personal Data.
6.0 Data Subject’s consent
In respect to local applicable law or regulation, an unambiguous consent to Personal Data Processing given by the Data Subject should always be collected. We consider the Data Subject as having consented to Personal Data Processing when he has provided Personal Data voluntarily, has received proper information and, having been offered the right to object to Data Processing, has not exercised it.
Consent is generally not necessary when Personal Data is processed to perform a contract to which the Data Subject is a party, to comply with a legal obligation, to protect the vital interests of the Data Subject or of another person, or for the purposes of a legitimate interest pursued by SCIDaR or a third party, when not overridden by the interests, rights and freedoms of the Data Subject.
We have to always clearly distinguish our consent request from other pieces of information, present it in a manner appropriate to the age and capacity of the Data Subject and to the particular circumstances of the case. Furthermore, we should review whether the consents we have collected remain appropriate as the relationship with a Data Subject evolves.
7.0 Principles governing Consent
The following principles shall govern the giving and obtaining of consent:
- a) Transparency: There must be an explicit privacy policy stating the type of Personal Data collected, how the Personal Data is processed, who processes the Personal Data, the security standard implemented etc.
- b) No implied consent: silence, pre-ticked boxes or inactivity do not constitute consent; and
- c) No bundled consent: the consent request should be separated from general terms and conditions. There must be consent for different types of data uses.
7.1 When Consent is required
Consent is required:
- a) for the Processing of Sensitive Personal Data;
- b) for further processing;
- c) for the processing of the personal data of a minor;
- d) for the use of pictures, video and audio-visual recordings of persons.
7.2 Consent of Minors
The Consent of minors (under the age of 18) will always be protected and obtained from the minor’s representatives in accordance with applicable regulatory requirements.
8.0 Data Subject’s information
At SCIDaR, the confidentiality and security of the Personal Data entrusted to us is essential. Therefore we:
- always keep Personal Data confidential and if we need to disclose it to third parties, irrespective of the relationship, we cover with a contract all relevant aspects of such disclosure;
- implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration or unauthorized disclosure or access;
- ask whoever is authorized to access SCIDaR’s Electronic Communication Resources (including Information Technology Team members and/or SCIDaR’s system administrators, in the performance of their duties) to:
  - not use the grant of access to obtain records other than those for which the access has been authorized.
  - limit the access to the minimum level of content and the least action possible, limiting the number of persons involved to only those required to initiate and conduct the access.
  - not seek out, use, or disclose electronic communication resources content except when authorized by the Chief Operating Officer.
8.1 Standard Protocol for use of Artificial Intelligence Recording during meetings
1. Transparency and Consent
- Official approval: Only the officially approved form of Artificial Intelligence (AI) meeting recording may be used at any meeting.
- Notify Participants: All meeting participants should be informed in advance that the meeting will be recorded using AI. This should be mentioned in the meeting invitation and at the start of the meeting. State the reason for using AI, e.g. note-taking or archiving purposes.
- Obtain Consent: Explicit consent from all participants should be obtained before proceeding with the recording. This can be done verbally at the beginning of the meeting or in writing beforehand. For external meetings, this should be in writing.
- Documentation: Keep records of consent and the reasons for recording to demonstrate compliance if needed.
- Limit Use: Ensure that the recordings and transcriptions are used only for the stated purpose and not for any unintended uses without further consent.
- Respect Privacy: Avoid recording sensitive discussions unless absolutely necessary and with full consent.
- Confidentiality and Security
- Secure Storage: It is your responsibility as the user to store AI-generated recordings and transcriptions securely. You may request the assistance of the IT team in using encryption and access controls to protect sensitive information.
- Access Control: Limit access to the recordings to authorized personnel only.
- Data Retention and Deletion
- Retention Policy: Ensure that recordings are retained in line with SCIDaR’s data retention policy.
- Deletion: Ensure that recordings are deleted after they are no longer needed, in accordance with the retention policy.
9.0 Data Subject Rights
1.1 All individuals who are the subject of Personal Data held by SCIDaR are entitled to the following rights:
- a) Right to request for and access their Personal Data collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
- b) Right to information on their personal data collected and stored;
- c) Right to objection or request for restriction;
- d) Right to object to automated decision making;
- e) Right to request rectification and modification of their data which SCIDaR keeps;
- f) Right to request for deletion of their data, except as restricted by law or SCIDaR’s statutory obligations;
- g) Right to request the movement of data from SCIDaR to a third party; this is the right to the portability of data; and
- h) Right to object to, and to request that SCIDaR restricts the processing of their information except as required by law or SCIDaR’s statutory obligations.
1.2 SCIDaR’s well-defined procedure regarding how to handle and answer Data Subjects’ access requests is contained in SCIDaR’s Data Protection and Privacy Procedure.
1.3 Data Subjects can exercise any of their rights by completing SCIDaR’s Subject Access Request (SAR) Form.
10.0 Transfer of Personal data
10.1 Third Party Processor within Nigeria
SCIDaR may engage the services of third parties in order to process the Personal Data of Data Subjects collected by SCIDaR. The processing by such third parties shall be governed by a written contract with SCIDaR to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the Data Protection Act and Regulation in force.
10.2 Transfer of Personal Data to Foreign Country
Where Personal Data is to be transferred to a country outside Nigeria, SCIDaR shall put adequate measures in place to ensure the security of such Personal Data. Specifically, SCIDaR shall:
– Establish a justification and keep record of the legal basis for transferring personal data outside Nigeria
– Confirm that the recipients have similar legal framework as the Data Protection Act that affords an adequate level of protection
– Prepare and execute data transfer consent form informing the data subject of the possible risk of such transfers for the data subject due to absence of adequate protections
10.3 Transfer of Personal Data out of Nigeria would be in accordance with the provisions of the Data Protection Act. SCIDaR will therefore only transfer Personal Data out of Nigeria on one of the following conditions:
- The consent of the Data Subject has been obtained;
- The transfer is necessary for the performance of a contract between SCIDaR and the Data Subject or implementation of pre-contractual measures taken at the Data Subject’s request;
- The transfer is necessary to conclude a contract between SCIDaR and a third party in the interest of the Data Subject;
- The transfer is necessary for reason of public interest;
- The transfer is for the establishment, exercise or defense of legal claims;
- The transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.
10.4 Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a foreign country, this provision shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a foreign country.
10.5 SCIDaR will take all necessary steps to ensure that the Personal Data is transmitted in a safe and secure manner. Details of the protection given to a data subject’s information when it is transferred outside Nigeria shall be provided upon request.
11.0 Data Breach Management
11.1 All employees must inform their designated line manager or the Data Protection Officer immediately about cases of breach or violations of this Policy or other regulations on the protection of Personal Data, in accordance with SCIDaR’s Data Protection and Privacy Procedure in respect of any:
- a) improper transmission of Personal Data across borders;
- b) loss or theft of data or equipment on which data is stored;
- c) accidental sharing of data with someone who does not have a right to know this information;
- d) inappropriate access controls allowing unauthorized use;
- e) equipment failure which results in a security breach;
- f) human error resulting in data being shared with someone who does not have a right to know; and
- g) hacking attack.
11.2 A data protection breach disclosure must be made immediately after any data breach to ensure that:
- a) immediate remedial steps can be taken in respect of the breach;
- b) any reporting duties to any regulatory authority can be complied with;
- c) any affected Data Subject can be informed; and
- d) any stakeholder communication can be managed.
11.3 When a potential breach has occurred, SCIDaR will investigate to determine if an actual breach has occurred and the actions required to manage and investigate the breach as follows:
- a) Validate the Personal Data breach.
- b) Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
- c) Identify remediation requirements and track resolution.
- d) Report findings to the top management.
- e) Coordinate with appropriate authorities as needed.
- f) Coordinate internal and external communications.
- g) Ensure that impacted Data Subjects are properly notified, if necessary.
12.0 Data Protection Impact Assessment
SCIDaR shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new project or IT system involving the processing of Personal Data to determine whenever a type of processing is likely to result in any risk to the rights and freedoms of the Data Subject.
SCIDaR shall carry out the DPIA in line with the procedures laid down in the SCIDaR Data Protection and Privacy Procedure.
13.0 Data Security
All Personal Data must be kept securely and should not be stored longer than necessary. SCIDaR will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction to data. This includes the use of password encrypted databases for digital storage and ensuring that cabinets are locked for those using paper form.
To ensure security of Personal Data, SCIDaR will, among other things, implement the following appropriate technical controls:
- a) Industry-accepted hardening standards, for workstations, servers, and databases.
- b) Full disk software encryption on all corporate workstation/laptop operating system drives storing Personal and Personal/Sensitive Data.
- c) Encryption at rest including key management of key databases.
- d) Enable Security Audit Logging across all systems managing Personal Data.
- e) Anonymization techniques on testing environments.
- f) Physical access control where Personal Data are stored in hardcopy.
14.0 Data Protection Officer
SCIDaR shall appoint or designate a person as the Data Protection Officer (DPO) responsible for overseeing the Company’s data protection strategy and its implementation to ensure compliance with the Data Protection Act and Regulation. The DPO shall be a knowledgeable person on data privacy and protection principles and shall be familiar with the provisions of the law.
The main tasks of the DPO include:
- a) administering data protection policies and practices of SCIDaR;
- b) monitoring compliance with data protection laws, data protection policies, creating awareness, training, and audits;
- c) advise management, employees and third parties who carry on processing activities of their obligations under the Act;
- d) act as a contact point for SCIDaR;
- e) monitor and update the implementation of the data protection policies and practices of SCIDaR and ensure compliance.
- f) ensure that SCIDaR undertakes a Data Protection Impact Assessment and curb potential risk in SCIDaR data processing operations; and
15.0 Training
Employees who collect, access and process Personal Data will receive periodic data privacy and protection training in order to develop the necessary knowledge, skills and competence required to effectively comply with this Policy and the Data Protection Act with regard to the protection of Personal Data.
16.0 Data Protection Audit
SCIDaR may conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCO) to verify SCIDaR’s compliance with the provisions of the Data Protection Act and other applicable data protection laws. The audit report may be certified and filed by the DPCO as required by law.
17.0 Data Security
Anyone who is involved in data processing or the control of data as a member of Staff of SCIDaR shall develop security measures to protect data; such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data) and protection of emailing systems.
18.0 Clean Desk
All employees must plan, protect and pick up all materials containing any form of data by taking the following steps:
- All sensitive/confidential materials must be removed from your workspace and locked away when the items are not in use or when you leave your workstation. In case of paper files, you should work with a document shredder.
- Laptops and other hardware devices must be locked when leaving the desk and shut down at the end of the working day. Paper files must be stored in lockable cabinets; digital personnel files must be protected by secure passwords.
- All waste paper that contains sensitive or confidential information and data must be shredded by the user.
- Keys for accessing drawers or filing cabinets should not be left unattended at a desk.
- Printers and fax machines should be treated with the utmost care. This means any print jobs containing sensitive and confidential paperwork should be retrieved immediately.
- No paperwork should be left over at the end of the working day and any paperwork left over will be shredded.
Any affected employee in breach of this clause may be subject to disciplinary action.
19.0 Compliance and responsibilities
- All members of staff are responsible for ensuring adherence to this policy and other relevant Policies.
- Project Directors and Managers – shall ensure that all data collated by their project teams comply with the provisions of this policy and shall make all data available to the Data Protection Officer and Information Technology Manager.
- Talent Management Manager – is accountable for the implementation and execution of some processes set out in this Policy, and for compliance with it.
- Legal and Compliance Advisor and DPO – provides guidance concerning general questions on the application of this Policy; may advise on cases or steer investigations that have a substantial impact on the compliance risk exposure of the company; advise and support on all functions in the application of this Policy and retain external counsel where necessary;
- The Chief Executive Officer and Chief Operating Officer – will have oversight over compliance with SCIDaR’s Data Protection and Privacy policies.
20.0 Policy Review
This policy shall be subject to periodic review by Management, in line with changes in statutory regulations and requirements. SCIDaR reserves the right to change, amend or alter this Policy at any point in time.
21.0 Policy Custodian
The Legal and Compliance Advisor shall be responsible for the ownership of SCIDaR’s Data Protection Policy.
22.0 Related Policies and Procedures
This Policy shall be read in conjunction with other relevant SCIDaR policies.
Approval
This Data Protection and Privacy Policy was reviewed by SCIDaR’s Management and approved in November 2024.
Anti-Fraud, Bribery and Corruption Policy
1. Introduction
1.1 SCIDaR, hereinafter referred to as “the Company”, is committed to conducting her Non-Governmental Organization activities with the utmost level of integrity, transparency, and compliance with legal, ethical and regulatory standards. Our reputation and success as a firm are built upon this foundation.
1.2 The Company adopts a zero-tolerance approach to bribery and corruption and is committed to upholding related laws in our business dealings and relationships. Accordingly, the Company recognizes the anti-corruption laws in Nigeria, which include:
- Criminal Code (Cap 38, Laws of the Federation of Nigeria (LFN) 2004);
- Penal Code (Cap P3, LFN 2004);
- Corrupt Practices and other Related Offences Act, 2000;
- Economic and Financial Crimes Commission Act (Cap E1, LFN 2004);
- Code of Conduct Bureau and Tribunal Act (Cap C15, LFN 2004); and
- The Constitution of the Federal Republic of Nigeria (Cap C23 LFN 2004).
1.3 The Company also acknowledges the extraterritorial implications of the United Kingdom’s Bribery Act 2010 and other related international legislation.
1.4 The Company’s Anti-Bribery and Corruption Policy (“the Policy” or “this Policy”) therefore reflects not only its cultural and ethical commitment to preventing bribery and corruption but also compliance with specific legal requirements of various jurisdictions in which it operates or relates with.
1.5 The sanctions for violating these laws can be severe, including significant fines, imprisonment and reputational damage. The Company therefore aims to establish a strong culture against bribery and corruption by implementing and enforcing effective systems to counter such activities.
2. Purpose
2.1 This Policy outlines the expectations of all employees and stakeholders in observing and upholding the Company’s position against bribery and corruption. It covers bribes, gifts and hospitality, facilitation payments, reciprocal agreements, donations and contributions.
2.2 The Policy is intended to ensure compliance with all anti-bribery and corruption laws and regulations across the Company’s activities, particularly as enforcement of these laws becomes more stringent and the expectations of its funders and donors in this regard increase.
2.3 Therefore, the Company’s Anti-Fraud, Bribery and Corruption Policy is designed to comply with applicable statutory and regulatory obligations, while ensuring that:
- Fraud, bribery and corruption are prevented;
- An anti-fraud, bribery and corruption culture is maintained;
- Any suspicion of fraud, bribery or corruption is reported and investigated and, where necessary, appropriate assistance is provided to relevant external authorities;
- The Company and its employees are protected from reputational damage and administrative penalties that may be imposed by various stakeholders (donors, funders, regulatory and legislative authorities) in relation to fraud, bribery and corruption.
3. Policy statement
3.1 The Company values its reputation and is committed to combating fraud, bribery and corruption. As such, it will not condone any act of fraud, bribery and corruption, and in those rare instances where it arises, the Company will take timely and appropriate action to correct the problem within its agreed disciplinary framework.
3.2 The Company has a zero tolerance towards fraud, bribery and corruption, regardless of the identity or position of the originator or recipient of the bribe. This applies to third parties with whom there is a business engagement or who are retained by the firm to perform services or deliver business for and on its behalf.
3.3 The firm also prohibits the offering, giving, solicitation or the acceptance of any bribe or corrupt inducement, whether in cash or in any other form:
- To or from any person or company wherever located, whether a public official or public body, or a private person or company;
- By any individual employee, irrespective of the relationship, be it an agent, consultant, contractor or other person or body acting on behalf of the Company; and
- In order to gain any commercial, contractual, or regulatory advantage for the Company in any way which is unethical or to gain any personal advantage, pecuniary or otherwise, for the individual or anyone connected with the individual.
3.4 This policy is not intended to prohibit the following practices provided they are appropriate, proportionate and are properly recorded:
- Normal hospitality, provided that it complies with the Company’s policy in respect of gifts; and
- Fast tracking a process which is available to all on the payment of a fee.
3.5 All staff are expected to be adequately informed of the contents of this policy, which will form part of the Company’s on-boarding process for all new employees. The policy will also be uploaded on the corporate intranet (portal) and website.
3.6 However, given that it may not always be clear whether a possible line of action is appropriate, particularly where it is not expressly covered in this policy, anything that would breach the spirit of the policy or guiding principles should be avoided.
3.7 If in any doubt as to whether a possible act might be in breach of this policy or the law, the individual should refer to their respective Head of Department for clarification. If necessary, further guidance should be sought from the Audit and Compliance department.
3.8 The Company’s internal audit and compliance department shall thoroughly investigate any actual or suspected breach of this policy and employees found to be in breach would be subjected to disciplinary action which may ultimately result in dismissal.
3.9 An important element of trust and integrity is ensuring that the Company conducts its operational activities in accordance with the values and code of conduct and ethics it has adopted, and in compliance with applicable laws, rules and standards.
4. Applicability
4.1 This Policy applies to all employees, independent consultants, interns, secondees, agents, contractors, vendors, suppliers and to any other person, body or entity associated with The Company, within all states, regions, areas and functions.
4.2 This policy reflects the minimum requirements for the Company.
5. Understanding bribery & corruption
5.1 Acts of bribery or corruption are designed to influence an individual in the performance of their duty and incline them to act in a way that a reasonable person would consider to be dishonest in the circumstances.
5.2 Bribery can be defined as offering, promising or giving a financial (or other) advantage to another person with the intention of inducing or rewarding that person to act, or for having acted, in a way which a reasonable person would consider improper in the circumstances.
5.3 Corruption is any form of abuse of entrusted power for private gain and may include, but is not limited to, bribery.
5.4 Depending on the circumstances, bribes can take on many different forms and are not always a matter of handing over cash. Gifts, hospitality and entertainment can be categorized as bribes if they are intended to influence a decision. It can also take place where the offer or payment is made indirectly by or through a third party, such as family members, an agent or business partner.
5.5 If given or received as an inducement or reward for an improper act, the following could be bribes:
- Cash payments;
- Gifts (including gifts of cash or cash equivalents);
- Hospitality (such as meals, hotel stays, travel tickets or invitations to sporting and cultural events);
- Other promotional expenses (such as travel and accommodation expenses);
- Free use of company services, facilities or property; or
- Political contributions or charitable donations.
5.6 Employees who are offered or asked for a bribe are expected to:
- Reject demands for, or offers of bribes;
- Be guided by the Company’s Conflicts of Interest Policy (CIP) and rules relating to gifts and entertainment;
- Communicate anti-bribery stance to the offering person;
- Record the details of any bribery or request or attempted bribery, immediately after the occurrence of the event; and
- Report the incident to the Head Internal Audit and Compliance as a whistleblowing activity.
6. Gifts, Entertainment and Hospitality
6.1 The Company’s policies on gifts, entertainment and hospitality are clearly enumerated under the appropriate sections in the Conflicts of Interest Policy. Without prejudice to these provisions, the following additional guidelines are important.
6.2 Excessive gifts, entertainment and hospitality could be used to exert improper influence on decision makers. The Company therefore strongly prohibits its employees from receiving gratification in cash or in kind, including gifts of value, from existing or potential customers to provide legitimate services, influence decisions or give preferential treatment.
6.3 It is not acceptable and therefore prohibited for any employee (or someone on their behalf) to:
- Offer to pay, promise to pay or pay a bribe or corrupt inducement to another person, body or entity;
- Request, agree to receive or accept a bribe or corrupt inducement from another person, body or entity;
- Bribe or offer corrupt inducement to a public official (foreign or domestic);
- Fail to prevent bribery and/or corruption through an act of willful blindness;
- Give, promise to give or offer a payment, gift or hospitality with expectation or hope that a business advantage will be received; reward the provision or retention of business or business advantage in exchange for favors or benefits;
- Give, promise to give, offer a payment, gift or hospitality to a government official, agent or representative to “facilitate” or expedite a routine procedure;
- Accept payment or gift from a third party that you know or suspect is offered with the expectation that it will obtain an advantage for them;
- Threaten or retaliate against another worker who has refused to commit a bribery offence or who has raised concerns under this policy; and
- Engage in activities that might lead to a breach of this Policy or damage the reputation of the Company.
6.4 The following factors should be considered when accepting gifts, benefits or hospitality:
- Whether the gift is an appreciation for good services
- Whether the gift places the employee under a kind of obligation
- Whether there is an expectation as a result of accepting the gift
- Whether the gift was offered openly or covertly
- Frequency of the party giving the gifts
6.5 Employees should actively, but thoughtfully, discourage clients from offering personal benefits of any kind (including favors, services, loans or fees, or things of monetary value).
6.6 All gifts and hospitality must be budgeted for, with the requisite approvals in place, before they are offered to clients and third parties. Each program and operations team lead must draw up a list of gifts to be given at the beginning of each financial year in collaboration with the Corporate Communication Department, which must be approved as part of the Company’s annual budget process.
6.7 All accounts, invoices, memoranda and other documents and records relating to dealings with third parties such as customers, clients, suppliers and business contacts should be prepared and maintained with strict accuracy and completeness.
6.8 Employees should avoid dealing with any third party known or reasonably suspected to be paying bribes.
6.9 The Company shall require its suppliers and vendors (e.g. contractors, consultants) to comply strictly with all applicable laws. All contracts with third parties must be authorized and documented.
7. Facilitation Payments
7.1 Facilitation payments are used by businesses or individuals to secure or expedite the performance of a routine or necessary action to which the payer has an entitlement as of right. Acknowledging that facilitation payments are bribes, this policy expressly prohibits such payments. Thus, stakeholders are not allowed to solicit, make or receive facilitation payments on behalf of the Company. They are also not allowed to solicit, make or receive such payments for themselves or any other person in the course of business.
8. Reciprocal Agreements
8.1 Reciprocal agreements or any other forms of ‘quid pro quo’ (an exchange of goods or services, where one transfer is contingent upon the other) are prohibited unless they are legitimate business arrangements which are properly documented and approved by Management.
8.2 Improper payments to obtain new business, retain existing business or secure any improper advantage should never be accepted or made.
8.3 Third parties for whose actions the organization may be held responsible include agents, contractors and consultants acting on behalf of the Company. Appropriate due diligence should therefore be undertaken before a third party is engaged. Third parties should only be engaged where there is a clear business rationale for doing so, with an appropriate contract. Any payments to third parties should be properly authorized and recorded.
9. Donations
9.1 Donations and contributions to political parties, organizations or their representatives are strictly prohibited by the Company.
9.2 Whilst charitable donations are acceptable, management and employees must ensure that these contributions and sponsorships are not used as a ploy to facilitate a bribe; and are in line with the Company’s policy.
10. Exemptions
10.1 The Company’s Anti-bribery and corruption policy is not intended to prohibit the following practices, provided they are appropriate, proportionate and are properly recorded:
- Gifts that are exempted under the gifts and entertainment section of the Company’s Ethics policy, provided they are reasonable and justifiable. The intention behind the gift shall also be considered. The onus is on employees to familiarize themselves with the relevant policies of the Company;
- Normal hospitality, provided it complies with the gifts and entertainment section of the Ethics policy;
- Fast tracking a process which is available to all on the payment of a fee; and/or
- Providing resources to assist a person, body or entity to make a decision more efficiently, provided that it is for this purpose only.
10.2 It may not always be a simple matter to determine whether a possible course of action is appropriate. Any employee who is in any doubt as to whether a possible act might be in breach of this policy or the law, can refer to section 3.7.
11. Key Risk Areas
11.1 The Company has assessed the key areas prone to the risk of bribery and corruption:
- Dealings with clients, particularly those involving lending and granting of loan facilities, and third parties;
- Gifts and entertainment;
- Procurements as well as vendor, supplier, contractor and consultant engagements;
- Facilitation payments; and
- Dealings involving counterparties from high-risk countries.
11.2 Procurement and Vendor Management
- Purchasing and supply as well as vendor and consultant engagements are areas that are vulnerable to bribery and kick-backs. These are potential bribery and corruption risk areas and counterparties rendering services, or providing goods to the Company can potentially be a risk. The following scenarios may act as examples:
- A vendor pays a bribe/kickback to an employee to influence the appointment of that vendor;
- An employee bribes a representative of a supplier, to secure preferential terms on behalf of the Company; or
- A vendor bribes a third party in order to secure a benefit for the Company.
The above is not an exhaustive list.
- All employees involved in vendor, supplier, consultant, contractor engagements, as well as procurement of goods and services must take care to ensure that they only accept gifts and entertainment (and offer gifts and entertainment) in accordance with the Company’s gifts and entertainment section of the Ethics policy.
- Special care must be taken, and, if necessary, advice sought from the Head, Internal Audit and Compliance in relation to the receipt of gifts and entertainment during negotiation with a potential supplier, vendor, contractor or consultant.
- The Company shall not enter into a business relationship with a supplier, vendor, contractor or consultant whom it reasonably believes to operate contrary to the code of conduct and ethics or this policy.
11.3 Dealings with Third Parties
- Dealings with third parties may subject the Company to legal liability, in particular in instances where they engage in corrupt activities on behalf of the Company, and therefore require a higher level of oversight under this policy to ensure that bribery risks are identified and managed. Examples include:
- Third parties acting on behalf of the Company (e.g. consultants, contractors or project partners);
- Third parties with whom the Company contracts (e.g. vendors); and
- Third parties over whom the Company exercises or intends to exercise a degree of ownership or control (e.g. project partners).
- Particular vigilance is required where third parties engage in contracts with government officials or quasi-government officers in the course of dealing with the Company or where they operate in high-risk jurisdictions.
12. Employees’ Responsibility
12.1 Every individual shall be responsible for ensuring that they act in compliance with this policy. Failure to comply with this policy may ultimately result in disciplinary action, in line with the human resources policy.
12.2 It is pertinent to note that the duty of employees shall not be confined to official working hours; it continues when project partners or prospective customers are entertained, when employees attend professional events or travel on official trips, and when they represent the Company.
12.3 In this regard, the principles outlined in this policy shall also apply to those and similar activities, which require adherence to the same compliance standards that operate in the workplace. It is expected that employees will, at all times, exercise good judgment and avoid any appearance of impropriety.
13. Raising concerns & seeking guidance
13.1 The prevention, detection and reporting of fraud, bribery or corruption is the responsibility of all employees throughout the organization. Staff are expected to report any bribery or corrupt conduct upon becoming aware of, discovering or suspecting it. Any such incident should be reported in accordance with the whistle blowing policy.
13.2 Concerns should be raised promptly about any issue or suspicion of malpractice and if unsure about whether a particular act constitutes bribery or corruption, or in the event of other enquiries, these should be referred to the line manager and/or the Head, Internal Audit and Compliance.
13.3 It is important that an offer of a bribe by a third party, request to make one or suspicion of a future occurrence is reported immediately.
14. Employee protection
14.1 Employees who refuse to accept or offer a bribe, or those who raise concerns or report another’s wrongdoing, are sometimes concerned about potential repercussions.
14.2 There shall, however, exist in the Company secure and accessible channels through which to raise concerns and report violations in confidence and without risk of reprisal. The management of the Company shall encourage openness and support anyone who raises genuine concerns in good faith under this policy, even if those concerns turn out to be mistaken.
14.3 The management of the Company shall be committed to ensuring that no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or for reporting in good faith their suspicion that an actual or potential fraud, bribery or other corruption offence has taken place, or may take place in the future, in accordance with the whistle blowing policy.
14.4 Detrimental treatment may include dismissal, disciplinary action, threats or other unfavorable treatment connected with raising a concern. Those who believe they have suffered any such treatment should inform the Head, Internal Audit and Compliance immediately through the appropriate channel for redress.
15. Red flags
15.1 The following is a list of possible red flags that may arise during the course of employment and which may raise concerns under various anti-fraud, bribery and anti-corruption laws. The list is not exhaustive and is therefore for guidance purposes only.
15.2 If any of these red flags is encountered, a report must be made promptly to the Head of Department or Team Leads or to the Head, Internal Audit and Compliance:
- Awareness that a third party engages in, or has been accused of engaging in, improper business practices;
- Knowledge that a third party has a reputation for paying bribes, or requiring that bribes are paid to them;
- A third party insists on receiving a commission or fee payment before committing to sign up to a contract, project or carrying out a government function or process;
- A third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- A third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- A third party requests an unexpected additional fee or commission to “facilitate” a service;
- A third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- A third party requests that a payment is made to “overlook” potential legal violations;
- An invoice is received from a third party that appears to be non-standard or customized;
- A third party insists on the use of side letters or refuses to put terms agreed in writing;
- An observation on an invoice for a commission or fee payment that appears large given the service stated to have been provided;
- A third party requests or requires the use of an agent, intermediary, consultant, distributor or supplier that is not typically used by or known to the Company; or
- An offering of an unusually generous gift or lavish hospitality by a third party.
16. Investigation of potential violations of the policy & sanctions
16.1 The Company shall take all reports of potential violations of the policy and other compliance policies seriously and is committed to confidentiality and a full investigation of all allegations. Such investigations shall be carried out by the Head, Internal Audit and Compliance.
16.2 The objectives of the investigation shall be to:
- Confirm whether or not a corrupt activity or bribe has been given or accepted, and to identify who was responsible;
- Confirm whether internal controls and anti-bribery procedures have worked in practice;
- Identify any improvements required for anti-fraud, bribery and corruption procedures; and
- Depending on the findings of the investigation, subsequent disciplinary action will be determined.
16.3 This may involve disciplinary action against the employee involved or external reporting to:
- A senior official or director of another organization, if the person making the bribe is from that organization; or
- Relevant government department where the bribe occurred.
16.4 A breach of the provisions of this policy shall constitute serious misconduct and will be subject to appropriate disciplinary measures including, but not limited to, termination of employment or appointment of the affected employee or officer.
16.5 Breach of this policy by agents, contractors, intermediaries, suppliers, vendors, consultants or other business partners once established shall lead to the termination of such business relationships.
17. Training, Record keeping and Communication
17.1 This policy shall be hosted on the Company’s website and intranet.
17.2 Training on this policy shall form part of the induction process for all new employees. All existing employees will receive regular, relevant training on how to implement and adhere to the policy.
17.3 The Company’s zero-tolerance approach to fraud, bribery and corruption shall be communicated by all relevant officers of the Company to all vendors, suppliers, contractors and business partners at the outset of our business relationship with them and as appropriate thereafter.
17.4 The Company shall keep all relevant financial records in line with its record keeping policy and have appropriate internal controls in place which will evidence the reason for making payments to third parties.
17.5 Employees shall ensure that all expense claims relating to hospitality, gifts or expenses incurred to third parties, along with specific recording of the reason for the expenditure, are submitted in accordance with operational processes and procedures.
17.6 All accounts, invoices, memoranda and other documents and records relating to dealings with third parties, such as clients, vendor, suppliers, contractors, consultants, business partners, should be prepared and maintained with strict accuracy and completeness.
17.7 No accounts shall be kept “off-book” to facilitate or conceal improper payments.
18. Roles and Responsibilities
18.1 Board of Directors
18.1.1 The roles and responsibilities of the Board with respect to this policy shall include:
- The Board shall have the ultimate responsibility for compliance with this policy throughout the Company;
- It shall be the highest authority responsible for the adoption and approval of this policy, and any other supporting policies relating to management of risk of fraud, bribery and corruption, and associated matters in the Company;
- The Board shall have oversight responsibility over the implementation of this policy by the senior management;
- It shall have the responsibility to promote a culture of strong values, trust and integrity by all levels of employees and other stakeholders of the Company;
- It shall ensure that issues relating to the implementation of this policy are resolved effectively and efficiently by senior management, with support of the Head, Internal Audit and Compliance and the COO;
- It shall initiate and direct appropriate disciplinary action for any breach of this policy that comes to its attention;
- It shall receive and review reports on all matters of exceptions, breaches and non-compliance with this policy presented to it by the Head, Internal Audit and Compliance, and make recommendations and directives as appropriate; and
- The Board may, of course, delegate its responsibilities on this policy to the Senior Management.
18.2 Executive Management Committee
18.2.1 The roles and responsibilities of the management of the Company shall include:
- Management shall be responsible for the implementation of this policy throughout the Company and compliance by all employees at all levels and other stakeholders;
- It shall be responsible for ensuring that all employees and other stakeholders familiarize themselves with this Policy and understand their respective responsibilities thereto;
- It shall initiate appropriate disciplinary actions whenever required for any breach of this policy, or direct any organ to carry out responsibilities, in line with the authority delegated to it by the Board;
- Where appropriate and delegated to it by the Board, it shall initiate criminal actions, either directly or in conjunction with appropriate law enforcement agents, where the Company has suffered losses as a result of breach of the provisions of this policy;
- It shall provide appropriate oversight to all the organs of the Company with various roles in the implementation of this policy; and
- It shall receive and review reports on all matters relating to the implementation of this policy presented to it by the COO, and make recommendations and directives as appropriate.
18.3 Internal Audit Department
18.3.1 The roles of the internal audit function, headed by the Head, Internal Audit and Compliance in this policy shall include:
- Carry out independent review of the implementation of this policy as part of their normal review of the activities of various units, departments, divisions and projects of the Company;
- Report and escalate as appropriate to the Board and Senior Management on compliance matters relating to this policy that come to its attention in the course of their normal operations;
- Carry out special investigations regarding breaches to this policy as may be directed by MD/CEO or the Board, and present appropriate reports; and
- Collaborate with the Finance team to recommend improvements to this policy.
- Put in place appropriate internal procedures, documentation requirements, triggers and deadlines to monitor and ensure compliance with the Policy;
- Escalate and recommend sanctions on all cases of non-compliance with this policy;
- Drive communication and present appropriate reports to the Board and other stakeholders with respect to compliance with this policy;
- Propose and recommend changes, updates and improvements to this policy in line with changing operating and regulatory environment;
18.4 Human Resources Department (HR)
18.4.1 The roles and responsibilities of the Human Resources Department (HR) in the implementation of this Policy shall include the following:
- Ensure that new employees agree and comply with the requirements of this policy before joining the Company;
- Ensure that all employees at all levels are adequately aware of, and fully understand, their rights, responsibilities and obligations under the human resources policies, staff handbook and manuals;
- Refer and escalate all matters covered under this policy that come to their attention in the normal course of operations to Internal Audit and Compliance;
- Maintain records of declarations and submissions under this policy in each employee’s personal file;
- Facilitate appropriate disciplinary actions required, in conjunction with other organs of the Company, for any observed breach of this policy; and
- Carry out any other responsibilities that may be directed to it from time to time by management in relation to this policy.
18.5 Heads of Departments/Project Leads
18.5.1 The responsibilities of the Heads of departments, principals, project and state lead collectively in relation to this policy shall include:
- Familiarize themselves with and adhere to this policy and other compliance related standards, rules and procedures;
- Accept responsibility for compliance within their respective areas of jurisdiction, and support the implementation of this policy;
- Ensure that all employees in their respective areas are aware of, familiar with, understand, and comply with this policy;
- Ensure that all employees in their respective areas are trained periodically on compliance related laws, regulations, rules and standards;
- Promote and enforce high ethical standards throughout the Company by setting a good example;
- React promptly and effectively to compliance issues that may arise in their respective areas and escalate promptly to the Head, Internal Audit and Compliance as appropriate;
- Encourage and reward employees’ ability to proactively manage compliance risk within their coverage area; and
- Actively follow-up recommendations and other directives from management in relation to this policy so as to ensure that all issues are promptly and effectively resolved.
18.6 Employees
18.6.1 The Company employees at all levels have the following responsibilities in this policy:
- Understand that compliance is the responsibility of everyone in the Company;
- Familiarize themselves with and adhere to this policy and other policies relating to the compliance function in the Company;
- Take responsibility for their personal compliance with laws, industry regulations and standards, as well as their adherence to the Company’s compliance policies, procedures, systems and controls;
- Ensure that known or suspected breaches of this policy are reported to Internal Audit immediately;
- Complete all relevant Anti-fraud, bribery and Corruption training;
- Co-operate with Internal Audit and Compliance for any regulatory, internal/external audit or internal investigation in respect of this policy; and
- Become agents and champions of good behaviors, trust and integrity in their relationships with other colleagues and in the course of their daily activities.
19.0 Policy Review, Amendments, Custodian and Approval
19.1 Policy Review and Amendment
This policy shall be subject to periodic review by the Board, in line with changes in the Company’s business model, material changes in donor/funders rules, statutory regulations, and critical economic and other factors that will materially alter the profile of the Company.
19.2 Policy Custodian
The Head, Internal Audit and Compliance shall be responsible for the ownership of the Company’s Anti-Fraud, Bribery and Corruption policy. Custody of the policy shall be domiciled with the Internal Audit.
20.0 Related Policies and Procedures in the Company
20.1 Code of Conduct and Ethics
20.2 Complaints and Allegation Policy
20.3 Conflicts of Interest Policy
20.4 Data Management Policy
20.5 Whistle-Blowing Policy
20.6 Human Resources Policy
20.7 Staff Handbook
21.0 Periodic review
1.1 These guidelines will be reviewed every two years, or more frequently if and when required.
Approval
This Anti-Fraud, Bribery and Corruption policy was reviewed by SCIDaR’s Management and approved in November 2022.
Whistle Blower Policy
Introduction
SCIDaR believes that good communication at all levels throughout the firm promotes better work practice. The organization seeks to conduct itself honestly and with integrity at all times. However, we acknowledge that all organizations face the risk of their activities going wrong from time to time, or of unknowingly harboring malpractice. We believe we have a duty to take appropriate measures to identify such situations and attempt to remedy them.
On this basis, staff are encouraged to raise genuine concerns about malpractice in the workplace without fear of reprisals and the Company will protect them from victimization and dismissal. Raising your concerns is vital for us to sustain our reputation, success and ability to operate in the present and into the foreseeable future.
SCIDaR undertakes to act in accordance with Nigerian law on disclosure of malpractice in the workplace and to take steps to protect its workers from detrimental treatment or dismissal if they raise concerns in good faith.
What is the purpose of this Whistle blower policy?
The purpose of this policy is to explain how concerns can be raised about misconduct in confidence and without fear of retaliation. It also describes what you can expect from our Company if you raise any concerns.
Authority for Whistleblowing Policy
Overall authority for this policy sits with the Managing Partner.
Principals, managers and team leads have a specific responsibility to facilitate the operation of this policy and to ensure that staff feel able to raise concerns, without fear of reprisals, in accordance with the procedure set down below. All staff are responsible for the success of this policy and should ensure that they take steps to disclose any wrongdoing or malpractice of which they become aware.
Scope
This policy applies to all SCIDaR employees, contractors, and sub-grantees. The policy also covers the US government statute 41 U.S.C. 4712 on whistleblower protection for federal sponsored grants and contracts staff.
SCIDaR has introduced these procedures to enable employees to raise or disclose concerns about malpractice in the workplace at an early stage and in the right way, and they apply in all cases where there are genuine concerns, regardless of where this may be and whether the information involved is confidential or not.
Whistleblowing is defined as making a disclosure that an employee or a contractor reasonably believes is evidence of any of the following:
- A substantial and specific danger to the environment, public Group or safety; or
- A violation of law, rule, or regulation related to a federal contract or grant (including the competition for, or negotiation of, a contract or grant).
- Criminal offences;
- Miscarriages of justice;
- Gross mismanagement of a federal contract or grant;
- A gross waste of federal funds;
- An abuse of authority relating to a federal contract or grant;
- Inadequate financial or non-financial recordkeeping
- Violations of our policies on gifts, entertainment and hospitality
- Disclosure of confidential information
- Improper use of company resources
- Conflicts of interest
- Bribery
- Environmental, Group and safety issues
- Fraud
- Discrimination or harassment
- Violations of competition laws and rules
- The concealment of any of the above.
To qualify under this policy an employee or a contractor’s disclosure must be made to a Principal or management official who has the responsibility to investigate, discover, or address misconduct.
If an individual raises a genuine concern and is acting in good faith, even if it is later discovered that they are mistaken, under this policy they will not be at risk of losing their job or suffering any form of retribution as a result. This assurance will not be extended to an individual who maliciously raises a matter they know to be untrue or who is involved in any way in the malpractice.
Do not use this policy:
- To report events presenting an immediate threat to life or property. If you need emergency assistance, please contact HR/Internal Audit.
- For any grievances you may have in relation to your terms of employment.
- To settle personal disputes.
- To make accusations which you know are false. Doing so may lead to disciplinary measures.
Procedure for Raising a Concern
If you believe that the actions of anyone (or a group of people) working for SCIDaR do or could constitute malpractice you should raise the matter with your line manager. Where this is not appropriate because the line manager is involved in the alleged malpractice in some way, the matter should be raised with the line manager’s manager and brought to the attention of the HR Manager.
You may raise your concern verbally or in writing and should include full details and, if possible, supporting evidence. You must state that you are using the Whistleblowing Policy and specify whether you wish your identity to be kept confidential.
In exceptional circumstances where it would be inappropriate to approach either your line manager, their manager, or the HR Manager, you may raise the matter directly with the internal auditor or a Partner.
What about ‘external whistleblowing’?
We strongly encourage you to raise concerns internally. Taking a concern to an outside party (e.g. the media) can have serious implications; for our Company, for the persons involved and possibly also for yourself. By Speaking Up internally, you give our Company the chance to look into the matter and take action if needed. In this way we can truly improve our Company together.
What kind of information do you need to provide?
When you file a report (in person, in writing, online or by phone), please provide as much detailed information as you have to enable our Company to assess and investigate your concern, such as:
- the background, history and reason for the concern
- names, dates, places and other relevant information
- any documents that may support your report
A report can only be followed up if it contains sufficient information and there is a reasonable possibility of obtaining further information.
What should you do if you do not have all the facts?
We encourage you to raise your concerns as soon as possible, ideally before situations get out of hand or damage is done. It is always better to discuss upfront than to report afterwards. If you know about or suspect misconduct, report with the facts you have. We do not expect you to have all the answers and you are certainly not expected to prove that your concern is well founded. Let our Company look into the matter to determine if there is a reason for concern. Never investigate the matter yourself and do not seek evidence to build a strong case. We guarantee that no disciplinary measures or other steps will be taken against you if your genuine concern later turns out to be mistaken or misguided.
Confidentiality
Every effort will be made to keep your identity confidential, at least until any formal investigation is under way. In order not to jeopardize the investigation into the alleged malpractice, you will also be expected to keep the fact that you have raised a concern, the nature of the concern and the identity of those involved confidential.
There may be circumstances in which, because of the nature of the investigation or disclosure, it will be necessary to disclose your identity. This may occur in connection with associated disciplinary or legal investigations or proceedings. If in our view such circumstances exist, we will make efforts to inform you that your identity is likely to be disclosed. If it is necessary for you to participate in an investigation, the fact that you made the original disclosure will, so far as is reasonably practicable, be kept confidential and all reasonable steps will be taken to protect you from any victimization or detriment as a result of having made a disclosure. It is possible, however, that your role as the whistleblower could still become apparent to third parties during the course of an investigation.
Equally, should an investigation lead to a criminal prosecution, it may become necessary for you to provide evidence or be interviewed by the Police. In these circumstances, again, the implications for confidentiality will be discussed with you.
Anonymous Reporting
Anonymous disclosures are very difficult to act upon as there may be little or no corroborated evidence to substantiate the allegations. Proper investigation may prove impossible if the investigator cannot obtain further information from you, give you feedback or ascertain whether your disclosure was made in good faith. The Company does not encourage anonymous reporting as it feels it is more appropriate for individuals to come forward with their concerns.
Support for Whistleblowers
Once a disclosure is made a member of the HR team will be allocated as your key contact to keep you up to date with the matter and provide any specific support that you may need.
No member of staff who raises genuinely held concerns in good faith under this procedure will be dismissed or subjected to any detriment as a result of such action, even if the concerns turn out to be unfounded. Detriment includes unwarranted disciplinary action and victimization. If you believe that you are being subjected to a detriment within the workplace as a result of raising concerns under this procedure, you should inform HR or Internal Audit immediately. Workers who victimize or retaliate against those who have raised concerns under this policy will be subject to disciplinary action.
How a disclosure will be handled
All disclosures will be taken seriously and the following procedure will be used.
- If you have any personal interest in the matter you have raised you must disclose this at the outset. This procedure is not intended to replace the Grievance Procedure, which continues to be the appropriate way to raise personal issues relating to your specific job or employment.
- Your disclosure under this policy will be acknowledged in writing confirming that the matter will be investigated and that SCIDaR will get back to you in due course.
- A suitable person will be identified to manage the disclosure. This will be someone who is in a position to take any necessary action as an outcome.
- A suitable individual will be instructed to conduct an investigation into the allegation (they will have had no previous involvement in the matter). We aim to start the investigation within two weeks of the disclosure. The length and scope of the investigation will depend on the subject matter of the disclosure. In most instances, there will be an initial assessment of the disclosure to determine whether there are grounds for a more detailed investigation to take place or whether the disclosure is, for example, based on erroneous information.
- You may be asked to provide more information during the course of the investigation.
- The investigation report will be reviewed by the person managing the disclosure.
- Appropriate action will be taken – this could involve initiating a disciplinary process, or informing external authorities if a criminal action has been committed, e.g. fraud or theft. We will endeavor to inform you if a referral to an external authority is about to or has taken place, although we may need to make such a referral without your knowledge or consent if we consider it appropriate.
- If it is found that there is not sufficient evidence of malpractice, or the actions of the individual(s) are not serious enough to warrant disciplinary action, it may be more appropriate for the manager to take a more informal approach to dealing with the matter.
- You will receive written notification of the outcome of the investigation, though not all the details or a copy of the report.
- Possible outcomes of the investigation could be that:
- the allegation could not be substantiated; or
- action has been taken to ensure that the problem does not arise again. You will not, however, be given details about the action taken as this could breach the human rights of the person(s) involved.
- If you are not satisfied with the response you have received, you should raise the matter with the Managing Partner outlining your reasons.
- If you have asked to remain anonymous, care will be taken to respect this request (see section on confidentiality above).
Corrective Action and Compliance
As part of the investigation into disclosures made under this policy, recommendations for change will be invited from the investigator to enable SCIDaR to minimize the risk of the recurrence of any malpractice or impropriety which has been uncovered. The Human Resources Manager will be responsible for reviewing and implementing these recommendations in the future and for reporting on any changes required to the board.
False Disclosures
SCIDaR will treat all disclosures of malpractice seriously and protect staff who raise concerns in good faith. However, appropriate disciplinary action will be taken in accordance with the Disciplinary Procedure against any employee or volunteer who is found to have made a disclosure maliciously that they know to be untrue, or without reasonable grounds for believing that the information supplied was accurate. This may result in dismissal.
- In cases of sexual misconduct, there are specialist resources available within SCIDaR. Please contact your HR/Internal Audit Manager.
More information?
If you have questions relating to this Whistleblower policy or if you need assistance, please contact your manager, HR/Internal Audit manager.
Periodic review
These guidelines will be reviewed every two years, or more frequently if and when required.
Approval
This Whistle Blower policy was reviewed by Management and approved in November 2020.
Conflict of Interest Policy
- Purpose of the policy
When employees’ interests influence, have the potential to influence, or are perceived to have influenced their decision making in the discharge of their employment responsibilities, a conflict-of-interest situation results.
This policy provides guidance on how to identify and address potential and actual conflicts of interest. The policy outlines the principles for preventing or managing conflicts of interest and how the principles are implemented.
This policy cannot describe all conflicts of interest situations that may arise. However, in most instances, employees can avoid conflicts of interest simply by exercising good judgment and acting with integrity.
If employees have questions about this policy or its application, it is advisable to err on the side of caution and proactively seek advice from the Internal Audit and Compliance Unit or any of the Directors prior to entering into such transaction.
- Responsibility for and Implementation of the Policy
All employees are responsible for complying with the provisions of this Policy.
The Executive Director, the Management of SCIDaR and the Internal Audit and Compliance Lead are responsible for ensuring that employees comply with this policy. They are also required to provide guidance to employees on Conflict-of-Interest situations.
The Human Resource Officer is responsible for ensuring conflicts of interest are disclosed by new hires during the hiring process.
Upon engagement by SCIDaR and annually thereafter, all employees are required to sign a Conflict of Interest disclosure form (Appendix 1). Employees are required to update these forms when their Conflict-of-Interest situations change.
The owner of this policy is the Executive Director. He is responsible for making any update to the policy.
- General Conflict of Interest Principles
An individual is considered to have a potential conflict of interest when:
o The employee or any family member¹ receives a financial or non-financial benefit other than due remuneration as a result of the individual’s position at SCIDaR;
o The employee has the opportunity to influence the SCIDaR’s procurements, business, administrative, or other key decisions in a manner that leads to personal reward, benefit or advantage; or
o The individual has an existing or potential financial or non-financial interest which impairs or might appear to impair the individual’s judgment in carrying out their responsibilities to SCIDaR.
Having a conflict of interest is not necessarily wrong. However, it can become problematic if an employee tries to influence the outcome of SCIDaR activities for direct or indirect personal benefit. For this reason, transparency, in the form of disclosure, is critical and helps to protect the integrity and reputation of SCIDaR.
SCIDaR understands that avoiding a conflict of interest may not always be possible or practical. The required action for an employee who cannot avoid a conflict of interest is to disclose it.
When deciding what should be disclosed, consider the situation from the perspective of an outsider and whether the relationship is of a nature that it could raise an allegation of an apparent or actual conflict of interest, and then err on the side of transparency.
- How we make conflict of Interest Decisions
After an employee discloses a potential conflict of interest, SCIDaR’s management will review the matter and determine whether the disclosure demonstrates that a conflict of interest exists or can reasonably be construed to exist.
If a Conflict of Interest is known or deemed to exist after disclosure, management will not approve any transaction with a party where a Conflict of Interest is deemed to exist with such party unless it has determined that:
– entering into such transaction with the party is in the best interests of SCIDaR
– the transaction is fair and reasonable to SCIDaR, and
– a more advantageous transaction cannot be obtained under the circumstances
¹ For purposes of the Conflict-of-Interest Policy, the term “family member” means any spouse, domestic partner, parents, siblings, children, any other relative who resides in the same household and any other familiar relationship that could create the appearance of a conflict.
Management will keep detailed records regarding the matter reflecting the disclosure made, the decision on whether a conflict of interest is present, the names of the persons participating in any discussions and deliberations with regards to approving or rejecting the transaction involving the employee and the substance of such discussions and deliberations and adherence with the procedures.
- Specific Conflict of Interest Guidance
We outline below specific conflict of interest guidance for SCIDaR employees.
i. Families and Relatives
o Family members of SCIDaR employees are hired solely based on merit.
o Employees are not expected to be involved in the recruitment process of family members. This applies to both internal and external hiring as well as transfers within SCIDaR
o There will be no direct or indirect reporting relationship between employees and family members
o Employees who have made the required conflict of interest disclosures shall be recused from any engagement, discussion, or decision-making process that could directly or reasonably be perceived to influence the party with whom they have a conflict or relationship. This measure is intended to safeguard independence, maintain objectivity, and uphold the integrity of SCIDaR’s operations.
ii. Outside engagements, including employment
o Outside of SCIDaR, employees should not engage in activities (paid or unpaid) that interfere with the employee’s responsibilities for SCIDaR, create risks for SCIDaR’s reputation or in any other way conflict with the interests of SCIDaR
o Employees should not compete with SCIDaR nor take personal advantage of business opportunities discovered during the course of their work with SCIDaR unless SCIDaR elects not to pursue such opportunity
o When an employee is in doubt about the permissibility of an activity, such employee should consult the Executive Director.
iii. Gifts, meals, travel, entertainment
o Employees should not receive or offer gifts, entertainment or anything else of significant value for the purpose of influencing the action of SCIDaR or of the recipient
o Any gift, entertainment or item above $50 is considered significant
o Employees should not offer or accept money, loans, kickbacks or similar monetary advantages from third parties² irrespective of the value.
o This guidance does not include meals during official meetings or trainings, corporate items given to participants in meetings, conferences or training, or token hosting gifts, provided the value is considered reasonable and insignificant
o Employees should consult and seek the approval of the Executive Director or the Chief Operations Officer when they believe there is an appropriate reason to make an exception to this guidance
iv. Political activities
SCIDaR does not engage in electoral politics or lobbying activities, by implication SCIDaR does not make political contributions to political parties or candidates. Employees are allowed to engage in political activities on a personal basis, provided that:
o Such activities do not negatively impact on their ability to carry out their employment responsibilities,
o Such activities are not misconstrued as representative of SCIDaR’s action(s) and position i.e., where the employee is seen as a representative of SCIDaR as opposed to the employee’s personal action(s) and position
o Any employee who intends to engage in any political activity should consult the Executive Director before doing so. This helps to avoid or minimize the risk of the employee’s personal actions being attributed to SCIDaR, and also to review any other unintended potential impacts of such activity on SCIDaR.
o Where the ED is the staff who intends to engage in political activity, he would consult with the Board Chairman before doing so.
² For purposes of the Conflict of Interest Policy, the term “third parties” refer to vendors, suppliers, consultants, sub grantees, grantors/donors and any other party in a contractual arrangement with SCIDaR
v. Relationship with third parties
Employees are required to be sensitive to situations, affiliations and relationships with funders, vendors, suppliers, consultants, clients, sub grantees and any other party in a contractual arrangement with SCIDaR that raises conflict of interest concerns. In particular, employees must consider the following;
o An employee’s former employment with a third party could raise an apparent or actual conflict of interest. Such relationships must be disclosed by the employee who must be sensitive to the appearance of a conflict of interest.
o An employee who has control³, financial or otherwise in a third party must disclose such control; this will help SCIDaR consider and mitigate the risk of conflict of interest
o Employees should not solicit or receive a fee, commission, service, or other favor from third parties
- Seeking guidance
The table below shows the names of persons to consult when seeking additional guidance on Conflict of Interest situations;
S/N | Type of conflict | Contacts for additional guidance |
1 | Families and relatives | HR Unit |
2 | Outside engagements, including employment | HR Unit |
3 | Gifts, meals, travel, entertainment | Chief Operations Officer |
4 | Political activities | Executive Director |
5 | Relationship with third parties | Executive Director, Internal Audit and Compliance Unit |
6 | Other conflict of interest situations | Executive Director, Internal Audit and Compliance Unit |
³ Control here means that an employee is exposed, or has rights, to returns (financial or otherwise) from involvement with the third party and has the ability to influence those returns through ability to direct the relevant activities of the third party
- How to correct any identified Conflict of Interest
If an employee fails to comply with the letter and spirit of this policy, management may take corrective action as follows:
– a formal reprimand, or
– removal of such Person from his or her position(s) in extreme cases
Such recommendations will be presented with supporting documentation. The employee involved shall be given an opportunity to be heard prior to Management’s (or a committee thereof) final decision on the matter.
- Periodic Review
These guidelines will be reviewed every two years, or more frequently if and when required.
Approval
This Conflict-of-Interest policy was reviewed by SCIDaR’s Management and approved in November 2024.
