Purpose
Define data privacy practices and regulatory compliance requirements for the eStudent 360 platform.
Data Classification
| Classification | Examples | Handling |
|---|---|---|
| Sensitive | Government IDs, background check results, guardian consent records | Encrypted at rest and in transit. Access limited to verification team only. Deleted after verification + 1 year retention. |
| Personal | Name, email, phone, profile bio, session history | Encrypted in transit. Access limited to user + assigned admin. Retained while account is active + 2 years after deletion. |
| Usage | Login timestamps, feature usage, session analytics | Anonymised after 90 days. Used for aggregate analytics only. |
| Public | Mentor profiles (name, bio, expertise), career pathway content | Visible to all authenticated users. No special handling required. |
Regulatory Compliance
- Ghana Data Protection Act (2012) — Compliance with data collection consent, purpose limitation, and data subject rights
- Canada PIPEDA — Compliance with personal information protection for Canadian users
- COPPA Alignment — Guardian consent requirements for users under 13 (even though the primary target audience is 13+)
User Rights
- Access — Users can download all their personal data at any time
- Correction — Users can update or correct their personal information
- Deletion — Users can request complete account deletion. Data is removed within 30 days, except where retention is legally required
- Portability — Personal data is exportable in a standard format (JSON/CSV)
Data Breach Response
- Contain the breach and assess its scope within 4 hours
- Notify affected users within 72 hours
- Notify relevant data protection authorities as required by law
- Conduct root cause analysis and implement preventive measures
- Publish transparency report within 30 days