Data Privacy Policy

Prepared by: Metaschool Ltd

Updated: March 2025

Version: V1.10

Regulatory alignment: Prepared in accordance with the Ghana Data Protection Act, 2012 (Act 843) and the guidance of the Data Protection Commission (DPC).

Revision History

Ver No. | Change Description | Prepared By | Reviewed By | Approved By
1.0 | Initial Release | Management | Board of Directors | CEO
1.10 | Update 1 | Management | Board of Directors | CEO

1. Objective

The objective of this Data Privacy Policy (hereinafter referred to as the "Policy") is to set standards for the lawful collection, usage and protection of confidential data handled by Metaschool Ltd. The Policy communicates our commitment to the privacy principles and accountability obligations established under the Ghana Data Protection Act, 2012 (Act 843), supporting documentation issued by the Data Protection Commission (DPC), and any other applicable sector regulations. It is evidence of the organization's pledge to embed privacy and security by design across every product, service and partnership carried out in Ghana or impacting Ghanaian data subjects.

2. Scope & Applicability

This Policy applies to all employees, students, guardians, schools, suppliers, volunteers, external consultants, partners, contractors and any other party that processes personal data for Metaschool. It covers data collected through our learning platforms, USSD/SMS services, mobile applications, websites, events or offline engagements taking place in Ghana or involving Ghanaian residents. The Policy defines the types of personal and special personal data that may be processed, the lawful bases for processing, and the protective measures required before data leaves Ghana or is shared with third parties.

3. Definition & Glossary

Term / Abbreviation | Definition / Expansion
Data Controller | Metaschool Ltd, the entity that determines the purpose and manner of processing personal data, and is registered with the Ghana Data Protection Commission.
Data Processor | Any third party engaged by Metaschool to process personal data on its behalf and under documented instructions.
Data Subject | An identified or identifiable natural person whose personal data is processed. This includes students, parents, teachers, staff and partners.
Special Personal Data | Sensitive categories listed in Act 843 such as records relating to children, health, biometrics, ethnicity, religion, or criminal history. These receive enhanced safeguards.
DPC | The Data Protection Commission of Ghana, the regulator responsible for enforcing Act 843, licensing controllers, and handling complaints.

4. Policy / Process

4.1 Policy Definition

The Data Privacy Policy is designed to protect "personal data", which is "any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data". This expressly includes an individual's name, voice, image, identification number, electronic identifier, bio-data, phone number, device identity, and geographical location. It also includes sensitive personal data and biometric data.

The Policy is aligned to Act 843 to standardize the use, monitoring and management of data. The main goal is to protect and secure all data consumed, managed and stored by the organization. The Policy includes all data stored by the core infrastructure of the organization, including on-premise storage equipment, offsite locations, and cloud services. It helps the organization ensure the security and integrity of all data—data-at-rest and data-in-transit. A summary of Act 843 is provided in ANNEXURE A.

4.2 Procedures

Implementation of the Data Privacy Policy is defined through procedures. The Information Technology (IT) department plays a vital role in implementing the Policy and ensuring adherence to it across the organization.

The IT department, i.e. the IT Manager and/or a chosen representative from the IT department, shall devise a comprehensive inventory cataloguing the storage locations of sensitive company data.

The comprehensive inventory should include the following analysis:

  • CRM systems data storing employee and customer records in terms of name, gender orientation, designation, department, date of joining, compensation and wages details, payroll, health and retirement benefits.
  • Employee and customer records are defined in this Policy as personal data. Personal data is any information about an identified or identifiable person, known as a data subject, i.e. the employee. Personal data includes any information that can be used to identify someone, alone or in combination with other information. This includes the employee's name, date of birth, address proof and/or passport details, compensation and benefits, and educational qualifications, all of which can be used to identify employees.
  • Unstructured data residing in company equipment, remote servers and email accounts.
  • Persons with a view or edit access to the data.
  • The volume of data ageing.

The Data Privacy Policy of the organization is implemented by adhering to the following steps:

  • Data Life Cycle Management - This refers to a framework that standardizes data processes in the organization, from data creation through storage and archiving until its final deletion.
  • Data Risk Management - This includes identifying and assessing all risks and threats that may affect the data, and protecting data confidentiality by taking such steps as are deemed necessary.
  • Data Back-up and Recovery - This includes the backup support mechanisms for data once data is created. All organization data is supported by a backup drive that is accessible in the case of an emergency, i.e. a failure of all systems.
  • Data Access Management Controls - This means that data related to the organization shall be used only by authorized users. Records of the same shall be kept by the organization's IT department.
  • Data Storage Management - This includes tasks related to securely moving data on-premises or in external cloud environments. These may be data stores for frequent, high-performance access or archival storage for infrequent access.
  • Data Breach Prevention - Data breach prevention measures are implemented for the purpose of preventing unauthorized access to data. The goal is to avoid external malicious viruses or internal threats from gaining unauthorized access to information and systems. Cyber security measures are put in place for the purpose of preventing attacks on internal networks, network perimeters, data-in-transit, and data-at-rest. Typically, these measures include data encryption, implementation of antivirus software, protection against ransomware, perimeter security hardware and software, and access management software.
  • Monitoring and Reviewing - Monitoring and reviewing processes help organizations gain visibility into data activities, risks and controls, helping improve protection and respond to threats and anomalies. Monitoring and reviews may also be necessary to meet compliance requirements. Ongoing monitoring provides visibility into all aspects of the data lifecycle, including data creation, storage, transmission, archiving, and destruction. These activities offer essential evidence for internal and external auditors that examine controls for data protection and management.

4.3 Responsibility - IT Department / HR Department / Finance Department / Supply Chain

The organization upholds the highest responsibility in collecting data from subscribers, if any, and in handling data received through job applications. Therefore, data collected from subscribers (if any), job applicants and employees, and data related to products, new product development and innovations, finance, supply chain and any other data, shall be treated with confidentiality.

All data shall be treated in the following manner:

  • All data shall be processed within its legal and moral boundaries.
  • All data shall be protected against illegal and unauthorized access.
  • All data shall be protected against any unauthorized or illegal access by internal or external parties.
  • Data shall not be communicated informally.
  • The data shall not be stored for more than the specified time.
  • Data shall not be distributed or transferred to organizations, states or countries that do not have adequate data protection policies.
  • Data shall not be distributed to any parties other than those agreed upon (except for legitimate requests from law enforcement authorities).
  • Employees and/or other parties from whom data is being collected shall be kept informed of how the data shall be processed/used and who has access to it.
  • The IT Manager must formulate an effective governance strategy to keep track of inward or outward data flow.
  • The IT Manager and the Supply Chain Manager shall maintain oversight of third-party service providers and data processors, since Act 843 considers the collecting party responsible for the safeguarding of personal data even if the information has subsequently been shared with other parties.
  • HR Managers and/or Business Heads of the organization are strictly responsible for adhering to and ensuring a culture of data confidentiality within their respective teams. Building an enterprise-wide appreciation of good information security practices requires a combination of senior-level buy-in and a commitment to continuous learning.
  • The IT Manager should remain constantly vigilant in maintaining IT security and controls, for example by adopting information security frameworks or the ISO/IEC 27701 International Standard for Privacy Information Management.
  • Adoption of effective data breach response measures.

4.4 Lawful Basis for Processing

Personal data shall only be processed when a lawful basis under Act 843 is identified, documented and communicated to the data subject. Metaschool commonly relies on:

  • Consent: explicit consent from parents, guardians, staff or learners before collecting new data or sending marketing communications.
  • Performance of a contract: processing that enables us to deliver curriculum, assessment, mentorship and support services requested by a school or household.
  • Legal obligation: compliance with statutory reporting such as GES, WAEC, SSNIT, tax and anti-money laundering requirements.
  • Vital interests: safeguarding learners and responding to emergencies affecting their lives or health.
  • Legitimate interests: running and improving our platforms, provided such interests are balanced against the rights of the child.

Sensitive or special personal data is processed only with explicit consent, authorization granted by the DPC, or in situations strictly permitted by Act 843.

4.5 Data Subject Rights

Every learner, parent, teacher, employee or partner whose personal data is held by Metaschool has the rights guaranteed under sections 18–35 of Act 843. These include the rights to:

  • Receive transparent notice when we collect or use their data.
  • Access their personal data and obtain a description of how it is processed.
  • Request corrections, updates or completion of inaccurate or outdated information.
  • Object to processing for direct marketing or where legitimate interests cannot be demonstrated.
  • Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Request deletion, restriction, or anonymization when retention is no longer necessary.
  • Complain to the DPC or seek redress through the courts.

Requests may be sent to privacy@metaschoolai.com or by writing to our Data Protection Officer, Metaschool Ltd, East Legon Hills, Accra. Identity verification is required before actioning any request.

4.6 Retention, Cross-border Transfers and Localisation

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, comply with statutory retention periods, or defend legal claims. Student academic records are kept for seven years after course completion unless a longer period is mandated by the Ghana Education Service. Recruitment data is retained for three years.

Where personal data must leave Ghana for cloud hosting, analytics or support purposes, Metaschool ensures that the receiving country has adequate protection as defined by Act 843, or we implement contractual clauses approved by the DPC. We maintain a register of all international transfers and conduct Transfer Impact Assessments before onboarding a new processor.

Data breaches likely to adversely affect data subjects are reported to the DPC and impacted individuals within seventy-two (72) hours of confirmation, together with remedial steps taken.

5. Non-compliance and consequences

In the event of non-compliance with this Policy or Act 843, the relevant Department Manager(s) and/or individuals involved shall be subject to disciplinary proceedings that may include mandatory retraining, suspension, termination and/or referral to law enforcement. The DPC may also impose administrative penalties, including fines or orders to cease processing. All breaches and sanctions are recorded in the compliance register and reported to senior management.

6. Special Circumstances and Exceptions

In situations where strict compliance is not possible due to urgent operational, public interest or legal reasons, the Data Protection Officer must document the rationale, obtain executive approval, and, where required, notify the DPC for guidance or exemption. Any temporary exception must include compensating controls and an agreed review date.

ANNEXURE A

The Ghana Data Protection Act, 2012 (Act 843) establishes a framework to ensure confidentiality and protect the privacy of individuals (data subjects) by requiring organizations that collect, hold, use or disclose personal data in Ghana to implement appropriate governance for managing and protecting personal data.

The Data Protection Commission (DPC) is the national regulator mandated to enforce Act 843. The DPC is responsible for:

  • registering and licensing data controllers and processors, and maintaining the public register.
  • issuing codes of practice, directives and standards for monitoring compliance with Act 843.
  • conducting inspections and investigations, and responding to complaints lodged by data subjects.
  • providing education and awareness on privacy rights and obligations.
  • approving data transfer agreements and authorizing the processing of special personal data.

Act 843 has extra-territorial reach. It applies to any organization established in Ghana and processing the personal data of data subjects inside or outside Ghana, as well as any organization established outside Ghana that processes the personal data of Ghanaian residents.

The Act does not apply to government data classified as exempt by the Minister, processing by national security or intelligence agencies acting under lawful authority, or personal data processed by an individual for purely household purposes. Additionally, the Act provides separate regimes for:

  1. Health records regulated through the Public Health Act and professional codes.
  2. Banking and financial data governed by Bank of Ghana directives and anti-money laundering legislation.

Act 843 therefore operates alongside sector-specific statutes and does not replace obligations contained in education, telecoms or financial services regulations.

The DPC may exempt certain controllers from portions of the Act where the processing presents minimal risk, provided that the controller demonstrates adequate safeguards and continues to respect data subject rights.
