Data Breach Response Policy

FastLearners App

Effective Date: 10 April 2026

Data Controller: FastLearners Limited

1. Purpose and Scope

This Data Breach Response Policy outlines the procedures that FastLearners Limited (“FastLearners”, “we”, “us”, or “our”) will follow in the event of a personal data breach. The policy ensures a swift, coordinated, and effective response to minimise harm to our users, fulfil our legal obligations, and maintain trust in our online learning platform.

We are committed to complying with the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive (GAID) 2025, and all relevant guidelines issued by the Nigeria Data Protection Commission (NDPC). This policy applies to all employees, contractors, and third-party service providers who process personal data on behalf of FastLearners.

The primary goals are to contain the breach quickly, assess its impact, notify relevant parties as required by law, remediate vulnerabilities, and prevent recurrence. Special attention is given to breaches involving children’s data due to the sensitive nature of our educational services.

2. Definition of a Personal Data Breach

A personal data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us.

This includes, but is not limited to:

  • Unauthorised access to our systems by hackers or insiders
  • Loss or theft of devices, laptops, or storage media containing user data
  • Accidental deletion, modification, or disclosure of personal data
  • Malware, ransomware, or other cyber-attacks
  • Human error leading to unintended data exposure
  • Unauthorised sharing or leakage of data to third parties
  • Any incident that exposes students’ educational records, parental information, or children’s personal data

Even suspected or near-miss incidents must be reported internally for assessment.

3. Roles and Responsibilities

a. Data Protection Officer (DPO)

The DPO is responsible for overseeing the entire breach response process. This includes coordinating the response team, ensuring proper documentation, liaising with the NDPC and other regulators, approving external communications, and conducting post-incident reviews. The current DPO is Oladele Joshua O., supported operationally by the designated breach response contact.

b. Engineering and IT Team

This team is responsible for technical containment, forensic investigation (where needed), system recovery, applying security patches, and providing technical details to support assessment and notification.

c. Senior Management

Management is responsible for authorising major decisions, including notifications to regulators and users, allocating resources for remediation, and ensuring the organisation learns from the incident.

d. All Staff

Every employee and contractor has a duty to report any suspected or actual data breach immediately to the DPO or through the designated internal channel. Failure to report promptly may result in disciplinary action.

4. Breach Response Procedure

Our response follows a structured six-step process designed for speed and accountability.

Step 1: Identification and Reporting

A breach may be identified through user reports, system monitoring alerts, security tools, routine audits, or third-party notifications. All staff must report any suspected breach to the DPO immediately (within one hour where possible). The initial report should include as much known information as possible, such as the time of discovery, description of the incident, and any affected systems or data.

Step 2: Containment

Upon confirmation or strong suspicion of a breach, the IT team will take immediate steps to contain it. Actions may include isolating affected systems, disabling compromised accounts, revoking access tokens, blocking malicious IP addresses, changing passwords, or temporarily shutting down vulnerable services. The aim is to stop further unauthorised access or data loss as quickly as possible.

Step 3: Assessment (Target: Within 24 Hours)

The response team will assess the breach in detail. Key factors to determine include:

  • The nature and categories of personal data involved (e.g., names, emails, academic records, payment references, or children’s data)
  • The approximate number of affected data subjects
  • Whether the data was encrypted or otherwise protected
  • The likely consequences and risk level to individuals (low, medium, or high risk to rights and freedoms)
  • Whether the breach involves children’s data, which automatically elevates the risk level

This assessment informs notification obligations and remediation priorities.

Step 4: Notification

Notification requirements are strictly time-bound under the NDPA:

To the NDPC:

We will notify the Nigeria Data Protection Commission within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects. The notification will include a description of the breach, categories and approximate numbers of affected individuals and records, likely consequences, and measures taken or proposed to address it. If full details are not available within 72 hours, we will provide them in phases without further delay.

To Affected Data Subjects:

If the breach is likely to result in a high risk to individuals, we will communicate the breach to affected users immediately in clear and plain language. The communication will explain the nature of the breach, possible consequences, recommended protective steps the user can take, measures we are taking, and contact details for further assistance. For high-risk breaches involving children’s data, parents or legal guardians will be notified as a priority.

Where direct notification would involve disproportionate effort, we may use public announcements through widely used media channels.

Step 5: Documentation

Every incident, regardless of scale, will be fully documented. Records will include the date and time of discovery, description of the breach, systems and data affected, actions taken at each stage, decisions made, lessons learned, and evidence of notifications. These records support accountability, future audits, and NDPC enquiries.

Step 6: Remediation and Recovery

After containment and notification, we will focus on full recovery and strengthening our defences. This may involve patching vulnerabilities, resetting affected credentials, enhancing encryption or access controls, conducting additional staff training, updating policies, or engaging external security experts. We will also review and test the effectiveness of new measures.

5. Special Handling for Children’s Data Breaches

Breaches involving personal data of children under 18 years of age receive heightened priority. In such cases:

  • Parents or legal guardians will be notified immediately upon confirmation of high risk.
  • A rapid senior-level review will be conducted.
  • Additional support, such as guidance on protecting the child from potential harm (e.g., identity-related risks), will be provided.
  • We will consider the heightened vulnerability of minors and the educational context when assessing risk and determining remediation steps.

6. Preventive Security Measures

To reduce the likelihood and impact of breaches, we maintain robust technical and organisational safeguards, including:

  • Encryption of data in transit and at rest where feasible
  • Hashed and salted passwords
  • Firewalls, intrusion detection systems, and secure cloud infrastructure
  • Role-based access controls and the principle of least privilege
  • Regular security audits, vulnerability scanning, and penetration testing
  • Staff training on data protection and security awareness

These measures are reviewed regularly and improved based on emerging threats.

7. Policy Review and Training

This policy will be reviewed at least annually, or immediately following any significant breach or changes in law. All staff receive training on this policy and general data protection obligations at least once every six months, or more frequently as needed.

8. Contact Information

For any questions regarding this policy or to report a suspected breach, please contact:

Data Protection Officer: Oladele Joshua O.

DPO Email: joshua.oladele@fastlearnersapp.com

FastLearners Limited

Support Email: support@fastlearnersapp.com

Telephone: +234 706 544 7436

Address: 3 Chief Aaron Nteubong Street, Okorombokho, Eastern Obolo, Akwa Ibom State, Nigeria

Users may also contact the Nigeria Data Protection Commission (NDPC) directly if they have concerns about our handling of a breach.