Data Protection and Privacy Policy

Protecting our people and brand Respecting privacy rights
Knowing how to do the right thing

Overview and Policy Statement

At Postman Limited (POSTMAN) we are committed to protecting the confidential and personal details of our colleagues, customers and other individuals who trust us to handle their personal data safely and securely. We have a set of privacy principles which are based on data protection laws and everyone in POSTMAN has a responsibility to handle data in line with these principles.
POSTMAN respects the privacy of all its colleagues and customers and the confidentiality of any personal data it holds about them. This policy sets out what steps employees must take to ensure personal data is correctly handled. When handling personal data, the following Privacy Principles should be followed:

Our Privacy Principles

  • Only collect personal data that is relevant and used solely for the purpose in which it was collected and ensure that the data is processed under the right lawful basis.
  • Only use personal data fairly and in accordance with the relevant published Privacy Notice and/or Employee Privacy Notice.
  •  Complete a Privacy Impact Assessment when undertaking a project for a new system, process or product that will involve processing personal data or when processing personal data for a new purpose.
  • Keep personal data accurate and up to date and maintain a record of any changes.
  • Make sure we keep personal data confidential and secure, and limit the people who can access it in line with the POSTMAN Information Security Policy.
  • Follow approved destruction and disposal processes as stipulated in the POSTMAN Information Security Policy.
  • Complete data security training promptly when requested.
  • Report personal data breaches through the mandated process within 24 hours.
  • Retain personal data for longer than necessary to achieve the business purpose or to meet minimum legal requirements in line with the Corporate Retention Schedule.
  • Dispose of personal data carelessly.
  • Discuss or disclose personal data to colleagues or anyone outside POSTMAN unless there is a business reason to do so and this is relevant to the purpose for why it was collected.
  • Transfer data outside the country in which it is collected, even within POSTMAN, without advice from the legal team as there may be restrictions/requirements relating to the transfer.
  • Use a third-party supplier to process personal data on our behalf without undertaking the necessary due diligence and ensuring there is a contract with an appropriate data processing and security clause in place. Seek guidance from Procurement if necessary.
  • Deal with data protection issues and complaints without the proper advice. Pass data protection enquires to privacy@postman.ug

Further information

What is ‘personal data’?
Personal data is any information that can be used to
directly or indirectly identify a living individual. This can include name, email address, phone number, location data, financial data such as bank account or credit card information, CCTV footage, photographs or factors more specific to the physical or social identity of a person. It includes data held on our systems, in paper documents, emails, call recordings, mobiles or other storage media. It should be noted that information which doesn’t immediately identify someone (e.g., address data) could still be considered personal data in Postman’s hands if it could identify a person when combined with other information we hold.
Certain data is especially sensitive and is known as “special category” data. Examples include information about someone’s health, race, religious beliefs, political opinions, trade union membership, criminal offence or sexuality, and biometric or genetic data. There are extra requirements to ensure this data is handled in compliance with law, so if your job involves working with this information and you need advice, please refer to our Guidance and ask the Information Rights and Governance team.

Scope of Policy
This Policy applies to Postman Limited and its wholly or majority owned subsidiary companies registered in the Republic of Uganda. Individuals include employees, casuals, agents, professional interims, agency workers, contract staff, consultants, officers and any other representative. This Policy does not form part of any employee’s contract of employment and we may amend this policy at any time.

Breach of this Policy
The Privacy Principles are mandatory. Any employee that fails to comply with this policy may be subject to disciplinary action up to and including dismissal.
You may also commit a criminal offence if you deliberately access, disclose, or misuse personal data. This includes obtaining stolen marketing lists or taking customer or colleagues data for your own use.
POSTMAN employees have a legal obligation to formally report data incidents which have led to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. These could include:
• Loss or theft of devices or data, including on USB drives or paper.
• Hacking or other forms of unauthorized access to a device, email account, or the network.
• Disclosing personal data to the wrong person, through wrongly addressed emails.
• Alteration or destruction of personal data without permission.
Where an employee discovers or suspects a personal data breach, this should be reported through the mandated process within 24 hours.

Getting help with this Policy
If you have any concerns with this policy then please contact privacy@postman.ug

Policy Governance
Policy Reference number:  POD/COMP/POL/016 Version Number: 006.1
Policy Owner: Director of Information Governance/DPO
Policy Effective from: August 2021
Last Review Date: December 2021
Approved by: Chief Risk and Governance Officer
Approval date: December 2021
Please note this document is classified: POSTMAN – PUBLIC