Data Protection Policy
(Between BUCABUMA and Website Visitors / Scholarship Applicants)
1. Introduction
The BUCABUMA Project (“BUCABUMA”, “we”, “us”, or “our”) is committed to protecting the privacy, confidentiality, and security of personal data belonging to:
- Visitors to the BUCABUMA public website
- Registered users
- Scholarship applicants
- Evaluators and administrative users (where applicable)
This Policy explains how personal data is collected, used, stored, protected, and deleted, and outlines the rights of individuals whose data we process.
By using the BUCABUMA Website or Scholarship Application Portal, you acknowledge and agree to the terms of this Privacy Policy.
2. Data Controller
For the purposes of applicable data protection laws:
Data Controller:
BUCABUMA Project
Under the authority of Kwame Nkrumah University of Science and Technology (KNUST)
BUCABUMA determines the purposes and means of processing personal data submitted through its digital platforms.
3. Categories of Individuals Covered
This policy applies to:
- Website Visitors – Individuals browsing the public website.
- Registered Users – Individuals who create accounts.
- Scholarship Applicants – Individuals submitting applications and supporting documents.
- Administrative Users – Authorized internal users of the system.
4. Categories of Data Collected
A. Personal Identification Data
- Full name
- Date of birth
- Nationality
- Gender (where relevant)
- Contact details (email, phone number)
B. Academic & Professional Data
- Educational background
- Certificates and transcripts
- CV/Resume
- Supporting documentation
C. Technical & System Data
- IP address
- Device/browser information
- Login credentials (encrypted)
- Activity logs and timestamps
D. Administrative Data
- Evaluation scores
- Reviewer comments
- Application decisions
5. Legal Basis for Processing
Personal data is processed under one or more of the following lawful bases:
- Consent – When you voluntarily submit an application or register an account
- Contractual necessity – Processing required to evaluate scholarship applications
- Legal obligation – Compliance with donor, institutional, or regulatory requirements
- Legitimate interest – System security, fraud prevention, and service improvement
Where special category data is processed, it shall be handled in strict accordance with GDPR Article 9 requirements.
6. Purpose of Data Processing
BUCABUMA processes personal data for the following purposes:
- Managing scholarship applications
- Evaluating and shortlisting candidates
- Communicating application status updates
- Ensuring transparency and auditability
- Complying with donor and institutional reporting obligations
- Maintaining system security and integrity
Personal data will not be used for unrelated commercial marketing purposes.
7. Data Sharing
Personal data may be shared only with:
- Authorized project administrators
- Evaluation committees
- Institutional authorities (e.g., KNUST)
- Donor agencies (where required for compliance)
- GDPR-compliant technology providers (e.g., secure email hosting)
Data will never be sold or shared for unrelated commercial purposes.
All third-party processors operate under binding Data Processing Agreements (DPAs).
8. Data Security Measures
BUCABUMA implements technical and organizational measures aligned with ENISA cybersecurity guidelines:
Access Control
- Role-Based Access Control (RBAC)
- Least privilege principle
- Multi-factor authentication for administrators
- Secure password hashing (bcrypt/argon2)
Encryption
- HTTPS/TLS encryption in transit
- Encryption of sensitive data at rest
- Encrypted database backups
Infrastructure Security
- Firewall protection
- Server hardening
- Intrusion detection monitoring
- Regular security patching
Logging & Monitoring
- Tamper-resistant audit logs
- Administrative action tracking
- Log retention policy
9. Data Retention Policy
- Application data retained for the donor-mandated retention period
- Unsuccessful applications securely archived
- Data anonymized for research/statistical use where possible
- Secure deletion after retention expiry
Deletion includes:
- Database removal
- File purge
- Removal from backup cycles (where technically feasible)
10. International Data Transfers
If hosting or technical services involve cross-border data transfers:
- EU Standard Contractual Clauses (SCCs) shall apply
- Adequacy decisions will be verified
- Hosting providers must meet GDPR-compliant standards
11. Data Subject Rights
Under GDPR and applicable Ghanaian law, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure (“Right to be Forgotten”)
- Restrict processing
- Request data portability
- Object to processing
- Withdraw consent
Requests will be responded to within 30 days.
12. Data Breach Procedure
In the event of a data breach:
- Immediate containment of affected systems
- Risk assessment
- Notification to relevant supervisory authority within 72 hours (if required)
- Notification to affected individuals without undue delay
- Documentation in a breach register
13. Privacy by Design & Default
BUCABUMA implements:
- Minimal mandatory data fields
- Default privacy-protective settings
- No unnecessary public exposure of personal data
- Configurable retention settings
14. Confidentiality
All personnel with access to personal data:
- Sign confidentiality agreements
- Undergo data protection training
- Access only necessary system modules
Confidentiality obligations continue after termination of contract.
15. Acceptance of Policy
By:
- Browsing the BUCABUMA website
- Registering an account
- Submitting a scholarship application
You acknowledge that you have read and understood this Privacy & Data Protection Policy.