Privacy Policy

  1. Introduction

1.1. This Policy on Use of NP Wallet Facilities (the “Policy”) describes the principles underlying the acceptable use of NP Wallet facilities (described in paragraph 2.1, below) and summarises the main responsibilities and obligations associated with that use. This Policy is effective upon the completion and adoption of all the NP Wallet system deliverables.

1.2. This Policy is written in accordance with the Information Technology (I.T.) Security Policy and applies to all persons using NP Wallet facilities (the “Users”).

1.3. The Head of the NP Wallet Project is responsible for reviewing this Policy biannually and, where necessary, recommending updates to this Policy.

1.4. The Head of the NP Wallet Project is responsible for ensuring that all Users are aware of this Policy and receive appropriate information on IT security.

1.5. This Policy does not affect or in any way abrogate the principles set forth in, or the applicability of, (i) the Code of Conduct for NP-SL LTD Personnel and (ii) the NP-SL LTD IT Policy.

1.6. Additional controls, procedures and technical responsibilities carried out by the IT Department on behalf of the Office are detailed in the IT Controls Procedures [3].

  2. Use of NP Wallet Facilities

2.1. Reference to NP Wallet facilities includes hardware and software (including, but not limited to networks, servers, switches, cabling, computers, storage media and devices (fixed, portable, removable or otherwise), access control devices and mobile and fixed telephony apparatus) owned, leased, hired or licensed by or to the Office.

2.2. NP Wallet facilities and data that resides on the Office’s IT facilities shall be used primarily for Office purposes as provided for in this Policy.

2.3. Information, data, and applications held or created in NP Wallet facilities, systems, and devices are the property of the Office and Users are responsible for ensuring that all Office data, information, and systems under their control are protected against unauthorized access, disclosure, and modification.

2.4. The IT Department is authorized to identify instances of excessive volumes of material stored on the Office’s network and which is believed by IT to be non-business-related after giving due notice to the owner of such files and allowing the owner to make a business case to the IT and relevant line manager for their retention. The IT Department will remove such files if retention is not approved.

2.5. Users must not use or access or attempt to use or access data or software stored in NP Wallet facilities for which they are not authorized.

2.6. Users who print, photocopy or transfer any Office data (e.g., onto laptops, disks, memory sticks or any other removable media) are responsible for ensuring that such information on these materials, media, or devices is protected from unauthorized access. Such materials must be destroyed and such Office data deleted once no longer required. Refer to the IT Controls Procedures for additional information on the secure deletion of Office data.

2.7. NP Wallet equipment, including removable storage media, is the responsibility of the Department or Resident or Regional Office to which it has been allocated (the “User Department/Office”). NP Wallet equipment, and in particular devices capable of data storage, must be secured from theft and unauthorized use. If IT equipment is lost, stolen, or damaged, the User Department/Office must inform relevant authorities immediately. The User must also notify the owner of any Office data retained on the device so as to consider potential data leakage. The User Department/Office is responsible for the replacement cost of any lost, stolen, or damaged NP Wallet IT equipment.

2.8. Only software approved for use by the relevant authorities and acquired through and to the extent authorized under vendor/licensing agreements via such authorities may be used on NP Wallet facilities. Only individuals authorized by the same may install software on NP Wallet facilities. Downloading, installing, copying or using of non-Office authorized software on NP Wallet facilities is prohibited as is unauthorized copying and/or use of Office authorized software.

2.9. Computers or devices that are not approved by the relevant authorities must not be directly physically connected to the Office’s computers and the Office’s computer networks.

2.10. Users will not be granted additional privileges, such as local administrator rights to their account or workstation, unless the request is supported by the Head of the relevant User Department/Office and approved by the relevant authority.

2.11. Technical information regarding the NP Wallet facilities must not be shared with third parties, verbally, in hard copy, or electronically unless with the prior written consent of the Head of NP Wallet. This information includes, without limitation, how systems operate, system documentation, access control, and account information.

2.12. Fixed equipment or components, e.g., workstations, servers, switches, routers, etc., must not be removed from Office premises unless their removal has been authorized by the relevant authorities.

2.13. Any NP Wallet IT equipment to be disposed of must first be checked by the IT Department and data must be permanently removed to ensure that it does not contain Office information. Refer to the IT Controls Procedures for information on the secure deletion of electronic data.

2.14. Users of Office laptops shall connect their laptops to the Office’s network at least once a month to enable the latest security patches and software updates to be applied. Non-compliant laptops may be denied access to Office networks.

  3. Usage Monitoring

3.1. The Office automatically monitors the use of NP Wallet facilities.

3.2. The Office shall only permit the routine inspection and monitoring of operational logs generated by automated monitoring tools by Users performing their normal authorized duties within the Office. Disclosure of information from such logs, or other electronic media, shall only occur in accordance with the Office’s Codes of Conduct. Investigation of data on the NP Wallet facilities shall only be undertaken within the limits and subject to the procedures set out in the Office’s Codes of Conduct and may additionally include IT providing information stored on NP Wallet facilities.

  4. Use of Passwords and Secure Access

4.1. Users must treat their passwords as sensitive, confidential Office information.

4.2. Each User is responsible for protecting his/her password(s) and SecurID token from unauthorized use whether working on Office premises or from home or other non-Office locations. Users are to take due care when using their passwords and SecurID tokens whilst in public areas.

4.3. User network log-on passwords must be at least eight characters and contain at least three of the following four character types: uppercase, lowercase, numeric, and special (!"£$%^&*()) characters. Network log-on passwords must be changed every thirty days and the same password cannot be repeated within a twelve-month period. Application passwords should, where possible, conform to these minimum standards of strength and frequency of change.

4.4. Users should not use NP Wallet passwords for non-NP Wallet accounts. NP Wallet related and non-NP Wallet related passwords should differ from one another.

4.5. Users must not attempt to discover the password of another User.

4.6. Users must not share or disclose their passwords under any circumstances. Users must not display passwords openly, for example, on Post-It notes, notepads, etc.

4.7. Compromised passwords must be changed immediately and reported to the service provider Helpdesk without delay.

4.8. Users must not attempt to access the NP Wallet facilities or any part thereof using someone else’s User ID and/or password.

4.9. Each User must secure access to his or her computer, via the standard Windows screen saver, if the computer is to be left unattended.

4.10. Users should, at a minimum, log off from the network at the end of each working day as referenced in section 7.1 below.

  5. Information Systems and User Access

5.1. Accounts for new Users will be created by the service providers on receipt of an authority from the Head of NP Wallet with the User’s bio details. Users are required to change their passwords on first log on.

5.2. Users are only authorized to access data that they have been approved to access as part of their current role.

5.3. Access to specific areas of the NP Wallet applications requires the User to complete the necessary training as approved by the User’s line supervisor or Head of Department.

5.4. The service provider must be informed by the Head of Department/ Office when a User moves between User Departments/Offices, changes responsibilities, leaves the Office, or is absent from the Office for more than 30 days. The service provider will disable a User’s network logon account if it has not been used in a period of 30 days and report this to the relevant Head, NP Wallet. If there has been no request by the relevant User to enable access after another 30 days, the account will be deleted. Exceptions to the foregoing shall be authorized by the Head, NP Wallet.

5.5. Heads of User Departments/Offices responsible for Users of applications that process financial information are responsible for reviewing, maintaining, and approving appropriate User access rights at least annually as part of the NP Wallet Internal Controls procedures.

  6. Use of and access to e-mail and the Internet

6.1. The use of e-mail is intended primarily for NP Wallet purposes. The Office may monitor and review e-mail use. The Office reserves the right to withhold delivery and quarantine e-mail that is deemed non-Office related.

6.2. Users are responsible for ensuring that the content of e-mail is appropriate for the intended audience, recognizing that an email and its contents can be forwarded beyond the initially intended recipients.

6.3. Users shall not use the Office’s email system for the creation or distribution of any offensive or disruptive messages; Users who receive any emails with this content should report the matter to the IT Helpdesk.

6.4. Access to the Internet and other external facilities is provided for NP Wallet purposes, including research and study. The Office monitors access to these facilities to ensure that Users do not access inappropriate content such as pornographic material.

6.5. Users must not forward or copy any e-mails containing Office data or information to a non-Office account or use non-Office Internet e-mail accounts (e.g. Gmail, Yahoo, etc.) to conduct Office business.

6.6. Users must not distribute any information using the NP Wallet facilities or their own personal devices that breaches the Office’s Code of Conduct for Personnel.

6.7. Users should not use instant messaging and/or their personal e-mail accounts (e.g. Google mail) for Office purposes and should not download attachments or click on URL links whilst accessing personal e-mail via NP Wallet IT facilities.

6.8. If ordinary Users include signature blocks on emails, these should only contain name, position and contact details.

6.9. Users may not make comments or representations, including in any blogs, Newsgroups, Usergroups, Bulletin Boards etc., which might be construed as an official comment on behalf of the Office without specific prior approval from authorities.

  7. Data Backups
    7.1. Data held on the network will be automatically backed up by the IT Department and the service provider. Users should log off each night to allow full backups to take place successfully. Data held on the local drives of Office desktops and laptops is not backed up. It is the responsibility of Users to ensure that all data requiring backing up is stored on the network.
  8. Viruses, Malicious Code and Malware
    8.1. Users must comply with periodic advice and instructions from the IT Department in order to ensure that up-to-date virus protection is loaded and maintained on all NP Wallet facilities. Users must not attempt to bypass Office virus protection software or any other system safeguards.
    8.2. Users should contact the IT Helpdesk if they require information or need to report issues related to viruses, malicious code, and malware, for example, if they suspect a file or e-mail attachment contains a virus or inappropriate material.
    8.3. Any activities that have the intention of or may result in the creation and/or distribution of malicious programs into NP-SL LTD’s networks (e.g., viruses, worms) are prohibited.
  9. Telecommunications
    9.1. NP Wallet-approved and owned/leased telecommunications devices, for example SIMs, mobile phones, modems, and flash drives, should be used for NP Wallet purposes wherever possible.
    9.2. Users of these devices are responsible for personal usage and may be liable for charges incurred.
    9.3. The Office may record voice telephony conversations carried out over NP Wallet facilities. The Office routinely records voice telephony conversations of certain staff in support of their business activities, and such staff are made aware of this.
  10. Remote Access
    10.1. Remote access to the NP Wallet facilities will only be allowed after attendance at the relevant training course and authority granted to do so.
    10.2. By remotely connecting to the Office environment with personal equipment, users must understand that their machines are in effect an extension of NP-SL LTD’s network and should take all reasonable steps to ensure anti-virus software is up to date whenever possible to reduce the risk of viruses, malicious code, and malware.
  11. IT Security Incidents
    11.1. For the purposes of this Policy, NP Wallet security incidents are incidents that have occurred through non-compliance with this Policy. These include, but are not limited to, theft or loss of IT equipment, loss of service or facilities, malfunctions of hardware or software, access violations, or any other breach of this Policy.
    11.2. A weakness in NP Wallet facilities is defined for these purposes as a flaw in a system that allows a breach of this policy once exploited. Users should report weaknesses in NP Wallet facilities to the IT Helpdesk. Users should not attempt to test the weakness as doing so may be treated as a breach of this policy.
    11.3. All actual or suspected IT security incidents or weaknesses should be immediately reported according to the Information Security Incident Management Process.
  12. Breaches of this Policy
    12.1. Failure of Users to observe the requirements of this Policy may be regarded by NP Wallet as misconduct, subject to the provisions of the Codes of Conduct or as appropriate.
  13. Document Reference

| #  | Name of Document                     | Owner                        |
|----|--------------------------------------|------------------------------|
| 1. | Information Technology (I.T.) Policy | I.T. Department – NP-SL LTD |

 

 
