Data Protection Policy

Integrity & Legitimacy Verification Council (ILeVeC) is committed to protecting the confidentiality, integrity, and appropriate use of information entrusted to it in the course of its verification and assurance work.

1. Purpose

This Data Protection Policy sets out how ILeVeC collects, processes, stores, and safeguards information obtained during organizational verification activities. As an independent verification body focused on strengthening donor confidence and institutional integrity, ILeVeC treats data protection as a core component of its mandate.

2. Scope

This policy applies to all ILeVeC staff, assessors, consultants, partners, and representatives involved in verification, monitoring, research, or administrative activities. It covers all data processed in physical, digital, or verbal form.

3. Nature of Data Processed

ILeVeC does not collect personal data unrelated to organizational verification. Information processed is limited to data directly connected to an organization’s legitimacy, governance, operations, and funding readiness. This may include:

• Organizational registration and legal documentation
• Governance and leadership records
• Policies, procedures, and internal controls
• Financial and operational documentation
• Official organizational contact details
• Statements or information provided by authorized organizational representatives

Where information relates to individuals, it is processed only insofar as it is directly linked to the organization (for example, directors or authorized officers acting in an official capacity).

4. Data Protection Principles

ILeVeC processes data in accordance with the following principles:

• Lawfulness and fairness: data is processed only for legitimate verification purposes
• Purpose limitation: data is used solely to support verification, assurance, and funding-readiness decisions
• Data minimization: only information necessary for assessment is collected
• Accuracy: reasonable steps are taken to ensure information is reliable and current
• Confidentiality: access is restricted to authorized personnel
• Accountability: ILeVeC remains responsible for appropriate data handling

5. Data Collection Methods

Data may be collected through documentation review, interviews, operational checks, public records, and site visits. Verification is conducted physically on the ground as standard practice, and may be conducted virtually in selected cases where access constraints exist and risk is assessed as acceptable.

6. Storage and Security

ILeVeC applies appropriate technical and organizational safeguards to protect data against unauthorized access, loss, or misuse. These include controlled access, secure storage systems, confidentiality obligations, and role-based data handling.

7. Data Sharing

Information is shared strictly on a need-to-know basis and only with:

• Authorized ILeVeC staff and assessors
• Partners acting under confidentiality agreements
• Mandating entities, within the agreed verification scope
• Legal or regulatory authorities where required by law

ILeVeC does not sell, trade, or commercially exploit data.

8. Retention

Data is retained only for as long as necessary to support verification outcomes, certificate validity periods (typically three to five years), or applicable legal and contractual obligations. Information is securely deleted or archived once no longer required.

9. Policy Review

This policy is reviewed periodically to ensure continued relevance and alignment with ILeVeC’s mission, operational needs, and evolving best practice.

10. Contact

Questions regarding this Data Protection Policy may be directed to:
Email: privacy@ilevec.com