Version: 1.0 | Effective Date: 17TH NOVEMBER, 2025
1. Introduction
This Privacy & Data Governance Policy sets out the principles, controls, and
responsibilities governing the use of the Human Resource Management Information System
(“HRMIS” or “the System”). The HRMIS Portal is an internal, controlled environment used
exclusively by authorized employees, HR officers, ICT teams, and senior management to
manage human resource operations and related workflows.
The HRMIS Portal is not a public-facing system and does not collect
information from the general public. It processes only HR operational records and
system-generated information as required for day-to-day HR administration, governance,
reporting, and decision-making.
2. Purpose of this Policy
The purpose of this Policy is to:
- Define how information processed within the HRMIS Portal is managed, protected, and used.
- Standardize practices across all HRMIS modules and environments.
- Clarify roles and responsibilities for HR, ICT, and management users.
- Support compliance with applicable HR, ICT, records management, and data governance standards.
3. Scope of Application
This Policy applies to all data and records processed through the HRMIS Portal, including but
not limited to information held and managed within the following modules:
- Dashboards and analytics
- Employee / Staff Records and Deployment Reports
- System Users, Roles & Permissions
- Timesheet & Attendance
- Performance Appraisal & Competency Management
- HR Admin Setup (discipline, transfers, promotions, terminations, complaints, awards, etc.)
- Recruitment (internal HR side) and related interview configuration
- Health & Safety / Incident Reporting
- Surveys & Feedback
- Committees, Events & Meetings
- Asset Management
- Document Management
- Employee Training & Development
- Trips & Travel Management
- Leaves & Holiday Management
- Communication Modules (Email, SMS, Notifications)
- Audit Trail & System Access Logs
- System Setup & System Settings (including SMS/Email, Video, Collaboration, AI, Calendar, Webhooks, Storage, Security, and Cache)
The Policy also applies to test, training, and staging environments where HRMIS functionality is
configured, tested, or demonstrated.
4. Key Definitions
- HRMIS Portal – the web-based platform and associated back-end services used to manage HR operations.
- HR Operational Information – information and records created or used in the course of human resource management (e.g. staffing, leave, attendance, performance, training, disciplinary workflows, HR analytics).
- System-Generated Information – logs, timestamps, status codes, notifications, and technical metadata created automatically by the HRMIS.
- User – any authorized person with login credentials to the HRMIS Portal (employees, HR officers, supervisors, managers, ICT support, and system administrators).
- System Owner – the designated HR/management authority accountable for HRMIS business processes and data governance.
- System Administrator – ICT personnel responsible for technical configuration, hosting, security controls, and availability of the HRMIS.
5. Types of Information Processed (Module View)
The HRMIS Portal processes structured HR operational information by module as outlined below.
Examples are indicative and not exhaustive.
- Dashboards: Aggregated metrics and visualizations on headcount, attendance trends, leave utilization, performance status, and other KPIs derived from underlying HR modules.
- Employee & Deployment: HR records about staffing positions, duty stations, organizational units (departments, directorates, divisions, sections), and deployment history required for workforce planning and reporting.
- System Users, Roles & Permissions: User profiles, role definitions, and permission mappings that enforce role-based access control (RBAC) across the Portal.
- Timesheet & Attendance: Daily/periodic attendance entries, timesheets, and, where integrated, summaries of biometric or clock-in/clock-out records to support attendance management and related approvals.
- Performance Appraisal & Competencies: Performance cycles, objectives, ratings, comments, competency matrices, and appraisal outcomes supporting performance management.
- HR Admin Setup: Records for internal HR actions such as disciplinary cases, complaints, warnings, awards, transfers, promotions, demotions, reinstatements, terminations, holidays, and HR announcements.
- Recruitment (Internal HR): Job requisitions, interview sessions, interview stages, panels, and scoring templates used to manage recruitment workflows internally. Public applicants interact through a separate careers portal that has its own notifications.
- Health & Safety: Incident logs, follow-up actions, and resolution status for occupational health and safety management.
- Surveys & Committees: Configured surveys, questionnaires, committee membership, meeting records, and decisions used to collect internal feedback and support governance structures.
- Events & Training: Event and training session records, attendance lists, training schedules, and evaluation outputs.
- Trips & Leaves: Travel and trip requests, approvals, itineraries, leave applications, leave balances, and holiday schedules.
- Assets & Documents: Asset registers, assignments, and controlled document repositories (e.g. policies, HR circulars, letters, forms) managed under Storage Settings (file types and size limits).
- Communication (Email/SMS/Notifications): Notification templates, dispatch logs for emails and SMS, and in-system alerts generated by workflows and system events.
- Audit Trail & System Access: Detailed logs of logins, logouts, modules visited, records created/updated/deleted, configuration changes, IP addresses, user agents, and related technical metadata, used for accountability and incident investigation.
- System Setup & System Settings: Configuration data including company/organization profile, calendars, currencies, notification rules, IP restrictions, reCAPTCHA, cookie preferences, storage configuration, SEO metadata, cache settings, webhooks, AI and chatbot settings, email and SMS gateway parameters, video conferencing, collaboration channels, and calendar integration.
6. Purposes of Processing Information
Information processed within the HRMIS Portal is used strictly for official HR and
organizational purposes, including:
- Supporting the full HR lifecycle (on-boarding, deployment, development, separation) in a controlled and auditable manner.
- Providing accurate and timely HR analytics for management, planning, budgeting, and reporting.
- Managing attendance, leave, performance, training, and discipline within approved HR policies and procedures.
- Facilitating secure, reliable, and traceable communication between HR, management, and employees.
- Ensuring accountability through comprehensive Audit Trail and System Access logging.
- Supporting compliance with internal HR, ICT, records management, and governance frameworks.
7. Roles and Responsibilities
- System Owner / HR Department: Defines HR business rules, approves module configurations, owns HR workflows and reports, and ensures HRMIS usage aligns with HR policies and regulations.
- ICT / System Administrators: Manage hosting, database administration, backups, security patches, user provisioning/de-provisioning, configuration of integrations (SMS, email, video, collaboration, AI, calendar, webhooks), and systems monitoring.
- Supervisors & Managers: Use the System to review and approve transactions (leave, timesheets, performance, disciplinary actions, etc.) and are responsible for the integrity of approvals made via their accounts.
- HRMIS Users (Employees and Officers): Use the Portal only for official tasks, keep login credentials confidential, ensure information they enter is accurate and authorized, and immediately report suspected misuse or security incidents.
8. Access Control and Security Measures
The HRMIS Portal implements multiple security controls to safeguard information and ensure that only
authorized users can access appropriate modules and actions. Key measures include:
- Unique user credentials for all users; shared accounts are not permitted.
- Role-Based Access Control (RBAC) managed through the System Users and Roles & Permissions modules.
- One-time password (OTP) or similar mechanism to strengthen authentication where configured.
- Session management with automatic time-out, idle session handling, and safe logout behaviour.
- Transport layer security (HTTPS/TLS) between browsers and the HRMIS server.
- IP Address restriction and reCAPTCHA features (where enabled) as additional protection against automated or unauthorized access.
- Control of uploadable file types and file sizes via Storage Settings to mitigate malware and abuse risks.
- Separation of duties between functional HR users and technical ICT administrators.
9. Logging, Monitoring and Audit
The HRMIS Portal maintains detailed Audit Trail and System Access logs for all significant actions and
access events. These logs are used to:
- Provide traceability for approvals, updates, and deletions across modules.
- Support troubleshooting, performance optimization, and capacity planning.
- Detect and investigate suspicious or unauthorized activities.
- Provide evidence for internal and external audits and management reviews.
Access to logs is restricted to authorized ICT, HR, and audit personnel, as defined by internal
governance arrangements.
10. Integrations and Third-Party Services
The HRMIS may integrate with approved external services, configured via System Settings, including:
- SMS gateways and bulk SMS providers;
- Email transport services (SMTP/transactional email);
- Video conferencing platforms (for interviews, meetings, training);
- Collaboration and notification channels (e.g., Slack, Telegram, Twilio);
- Calendar platforms such as Google Calendar;
- Webhook endpoints for system-to-system notifications;
- AI and chatbot services for user assistance and support.
All integrations are used solely to deliver HRMIS functionality and official communication.
Integration credentials (API keys, tokens, secrets) are stored in restricted configuration sections
and managed only by authorized ICT/system administrators.
11. Data Lifecycle and Retention
HRMIS records are retained for as long as necessary to:
- Support ongoing HR operations and historical reference;
- Comply with records management, audit, and statutory requirements;
- Provide evidence for HR decisions and governance processes.
Detailed retention schedules are defined in HR and records management policies. Where records are no
longer required operationally, they may be archived, aggregated, or removed in accordance with those policies
and ICT procedures.
12. User Obligations and Acceptable Use
All HRMIS users must:
- Use the System strictly for official, authorized purposes.
- Protect their credentials and never share passwords or OTPs.
- Ensure all information entered or approved is accurate, complete, and authorized.
- Respect confidentiality and refrain from disclosing or exporting information without proper authorization.
- Immediately report suspected misuse, errors, or security incidents to HR/ICT support.
13. Incident Management and Escalation
Any suspected security incident, unauthorized access, or abnormal system behaviour must be reported to
the designated ICT and HRMIS support teams without delay. Incident handling may include:
- Temporary suspension or reset of affected accounts;
- Review of Audit Trail and System Access logs to determine impact and root cause;
- Containment measures such as IP blocking, configuration adjustments, or disabling of specific features;
- Notification of relevant internal authorities and escalation per ICT/HR incident management procedures;
- Implementation of corrective and preventive measures to avoid recurrence.
14. Governance, Review and Updates
This Policy forms part of the HRMIS governance framework and must be read together with applicable
HR, ICT, security, and records management policies and procedures. It will be reviewed periodically or
when there are significant changes in:
- HRMIS modules, architecture, hosting, or integrations;
- Internal HR, ICT, or security policies;
- Applicable regulatory or governance requirements.
Updated versions of this Policy will be published within the HRMIS Portal and communicated to
relevant user groups.
15. Contact and Support
For clarification on this Policy or assistance related to the HRMIS Portal, authorized users should
contact:
- HRMIS Functional Support (HR): ________________________________
- HRMIS Technical Support (ICT): ________________________________
All communication should be made through official channels.
Notice: By accessing and using the HRMIS Portal, you acknowledge that you have read,
understood, and agree to comply with this Privacy & Data Governance Policy and all related HRMIS
procedures.