Data Protection Policy
1.Policy Statement
1.1 This policy is designed to comply with the Data Protection Act No. 24 of 2019 Data Protection (General) Regulations 2021 and any regulatory obligations applicable to the company in ensuring that:a
a) The Company manages Data Privacy Risk and the protection of personal data as prescribed in the law and regulations;
b) The Company maintains and continuously improves its Data Privacy culture;
c) All employees are made aware of their obligations and their capacity to build in terms of applicable legislation in internal rules relating to data protection;
d) The Company is protected from criminal sanction, reputational damage, fines and penalties that may be imposed by authorities as a result of the unlawful processing of Personal Data or failure to adequately safeguard Personal Data.
2.Scope
2.1 This policy reflects the Company’s minimum requirements and may be supplemented by a business process or procedure manual.
2.2 This policy applies to all organizational members and subsidiaries regardless of rank or employment type, our staff members, trainers, customers, third parties dealing with the company, the Board of Directors and any other business affiliates/partners.
2.3 This policy shall also apply to all customer data, personal data, or other company data defined as sensitive by the Company’s Data Protection Process and Standards. Therefore, the policy applies to every server, database and IT system that handles such data, including any device that is regularly used for e-mail, web access or other work-related tasks.
2.4 The Data Protection Officer must be consulted and provide approval in respect of any supplements to this policy’s requirements that are applied through any business policy or procedure.
2.5 In the event of any conflict between this policy and any other policy dealing with the processing of Personal Data, this policy takes preference. Where a business policy or procedure requires stricter requirements, those requirements will apply.
3.Out of Scope
3.1 Information that has been classified as public in accordance with the company’s data protection process, standards and applicable privacy laws is not subject to this policy.
4.Purpose of Policy
The purpose of this policy is to:
4.1 Legally document and disclose the company’s practices on managing, processing, storage and protection of its data or data it accesses, in compliance with the requirements of the law and data protection standards.
4.2 Prevent unauthorized collection, access, use, transfer, disclosure or other unauthorized processing of personal information.
4.3 Protect the personal information that is transmitted into or outside of the organisation through both manual and electronic means.
5.Definitions
All Reference to any data protection terms herein shall be subject to interpretation and definition as captured under Section 2 the Kenya Data Protection Act No. 24 of 2019 and attendant legislation Professionalism
6.Data Protection Principles
All entities that fall under the scope of this policy shall ensure that personal data is:
6.1 Processed in accordance with the right to privacy of the data subject;
6.2 Processed lawfully, fairly and in a transparent manner;
6.3 Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
6.4 Adequate, relevant and limited to what is necessary in relation to the purpose for which it was processed;
6.5 Collected only when a valid explanation is provided whenever information relating to family is private affairs is required;
6.6 Accurate, and where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
6.7 Kept in a form which identifies the data subjects for no longer than necessary for the purposes which it was collected; and
6.8 Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
7.Statutory Procedures under this Policy
7.1 Registration of the Company as a Data Controller (DC) or a Data Processor(DP):
a) The Company shall be registered as a DC/DP with the Office of the Data Protection Commissioner (ODPC), taking into account any thresholds set by the Act;
b) The Company shall provide the particulars set out in the Act for registration or renewal as DC/DP, notify the ODPC of any changes in particulars and shall ensure the details provided are not false or misleading;
7.2 Data Protection Systems and Processes Audits:
a) The Company shall regularly undertake internal periodic audits of systems and processes of its data processing in compliance with the Data Protection Act and in preparation of compliance audits by the ODPC.
7.3 Appointment of Data Protection Officer(DPO):
a) The Company shall appoint a DPO who may be an officer of the company or outsourced.
b) The DPO shall have relevant academic and professional qualifications including knowledge and technical experience relating to data protection.
c) The Company shall publish the details of the DPO on its website and communicate the details to the ODPC for publication on its official website.
8.Company’s Obligations on Data Protection
8.1 The Board of Directors of the Company, Senior Management and all employees have an obligation to ensure Personal Data:
a) Is processed in accordance with the right to privacy.
b) Is processed lawfully, fairly and in a transparent manner.
c) Is collected for explicit, specified and legitimacy purposes and processed in a manner compatible with those processes.
d) Processing is adequate, relevant, limited to what is necessary in relation to purpose.
e) Is collected upon valid explanation whenever data relates to family or personal affairs.
f) Is accurate, where necessary kept to date, with every step taken to ensure inaccurate data is erased or rectified without delay.
g) Is kept in a form that identifies the customers only for as long as is necessary for the purpose of collection.
h) Is not transferred outside Kenya unless there is adequate data protection safeguards or consent from the customer.
9.Rights of Data Subjects and Customers
9.1 Data Subjects and Customers shall have a right to:
a) Be informed of the use to which their personal data is to be put;
b) Access their personal data in custody of the Data Controller/Processor;
c) Object to the processing of all or part of their data;
d) Correction of false or misleading data about them; and
e) Deletion of false or misleading data about them.
9.2 Data Subjects Right to Restriction- The Company shall at the request of a data subject, restrict the processing of personal data where:
a) Accuracy off the personal data is no longer required for the purpose of the processing unless required for the establishment, exercise or defense of a legal claim;
b) processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
9.3 Restrictions on Processing- where the data subject has objected to the processing, pending verification as to whether the legitimate interests of the Company overrides those of the data subject, the company shall inform the data subject before withdrawing the restriction on processing of the personal data.
9.4 Right in case of Automated Processing- the Company shall observe every data subject’s right not to be subject to a decision based solely on automated processing, including, profiling, which produces legal effects or significantly affects the data subject except where the decision is necessary for entering into, or performing, a contract between the data subject and the Company.
9.5 Right to Object Data Processing- A data subject has a right to object to the processing of their personal data, unless the Data Controller/Processor demonstrates compelling legitimate interest for the processing which overrides the data subject’s interest’s, or for establishment, exercise or defense of a legal claim.
9.6 Right in cases of Commercial Use-
a) The Company shall not use, for commercial purposes, personal data obtained pursuant to the provisions of the Act, unless it has sought or obtained express consent from a data subject, is authorized to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.
b) Where the Company uses personal data for commercial purposes, it shall, where possible, anonymize the data in such a manner as to ensure the data subject is no longer identifiable and adhere to commercial use practice guidelines prescribed by the ODPC.
9.7 Right to Personal Data- a data subject shall have the right to receive personal data concerning them in a structured, commonly used and machine-readable format.
9.8 Right to Transmit Data- the data subject has a right to transmit the data so obtained to another Data Controller/Processor to another
10.The right to receive personal data and transmission of data shall not apply in circumstances where:
a) Processing may be necessary for the performance of a task carried out in the public interest or in the exercise of an official authority;
b) It may adversely affect the rights and freedoms of others.
11.Collection of Personal Data
11.1 The Company shall collect personal data directly from the data subject.
11.2 The Company may collect personal data indirectly where:
a) The data is contained in a public record;
b) The data subject has deliberately made the data public;
c) The data subject consented to the collection from another source;
d) The guardian appointed has consented to the collection from another source in the case of incapacity;
e) The collection from another source would not prejudice the interests of the data subject;
f) The collection is necessary for the prevention, detection, investigation, prosecution and punishment of crime.
12.Notification of Rights to a Data Subject Before Collection of Personal Data
12.1 The Company shall before collecting personal data, inform the data subject of:
a) The rights of data subject specified in Clause 9 herein;
b) The fact that personal data is being collected;
c) The purpose for which the data is being collected
d) The third parties whose personal data has been or will be transferred to, including details of safeguards adopted;
e) The contacts of the Company and whether any other entity may receive the collected personal data;
f) A description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
g) The data being collected pursuant to any law and whether such collection is voluntary or mandatory;
h) The consequences if any, where the data subject fails to provide all or any part of the requested data
12.2 Channels of notification shall include Statements, Audio, Video, and the Company Website.
13.Consent to Collection of Personal Data
13.1 The Company shall not process personal data, unless-
a) The data subject consents to the processing for one or more specified purposes; or
b) The processing is necessary as set out in the Data Protection Act, 2019.
13.2 The company shall put in place procedures, forms and tools for implementation of the above requirements relating to processing and collection of data as outlined in this policy.
14.Withdrawal of Consent
14.1 A data subject shall have the right to withdraw consent at any time unless otherwise provided under the Data Protection Act, 2019.
14.2 The withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal.
15.Processing of Personal Data of a Minor
15.1 Processing of data of a minor shall not be undertaken unless-
a) consent is given by the minor’s parent or guardian;
b) the processing is in such a manner that protects and advances the rights and best interests of the child.
15.2 The Company shall incorporate appropriate mechanisms for age verification and consent in order to process the personal data of a minor, other mechanisms such as technology, volume of personal data processed, proportion of such personal data, and possibility of harm to a child arising out of processing of personal data.
16.Portability of Data Requests
16.1 The Company shall comply with data portability requests, at reasonable cost and within a period of thirty (30) days.
16.2 Where a portability request is complex or numerous, the period may be extended for a further period as may be determined in consultation with the ODPC.
17.Retention of Data
17.1 The Company shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed unless it is required for other purposes as set out in the Data Protection Act, 2019
18.Rectification of Data
18.1 A data subject may request a data controller or data processor to rectify without undue delay personal data in its possession or under its control that is inaccurate, outdated, incomplete or misleading.
18.2 A data subject may request a data controller or data processor to erase or destroy without undue delay, personal data that the Data Controller/Processor is no longer authorized to retain, irrelevant, excessive or obtained unlawfully.
18.3 Where the Data Controller has shared the personal data with a third party for processing purposes, they shall take reasonable steps to inform third parties processing such data, that the data subject has requested rectification, the erasure or destruction of such personal data restriction of its processing and inform the data subject within a reasonable time.
19.Organizational and Technical Protection Measures
19.1 The Company shall implement appropriate technical and organizational measures which are designed-
a) To implement the data protection principles in an effective manner;
b) To integrate necessary safeguards into the processing;
c) For ensuring that, by default, only personal data which is necessary for each specific purpose is processed, including identification of reasonably foreseeable internal and external risks to personal data;
d) To pseudonymization and encryption of personal data
e) To the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
f) To verify that the safeguards are effectively implemented
g) To ensure that the safeguards are continually updated in response to new risk deficiencies.
19.2 Where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, the Company shall notify the ODPC without delay, within seventy-two (72) hours of becoming aware of such breach; and communicate to the data subject in writing within a reasonably practical period.
19.3 Where notification to the ODPC is not made within seventy-two 972) hours, the notification shall be accompanied by reasons for the delay.
19.4 Where a Data Processor becomes aware of a personal data breach, the data processor shall notify the data controller without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach.
19.5 The Company shall record the following information in relation to a personal data breach-
a) The facts relating to the breach;
b) Its effects; and
c) The remedial action taken.
20.Processing Sensitive Data
20.1 The Company shall process sensitive data-
a) To the risk of significant harm that may be caused to a data subject by the processing of such category of personal data;
b) To the expectation of confidentiality attached to such category of personal data;
c) To whether a significantly discernible class of data subjects may suffer significant harm from the processing of such category of personal data; and
d) To the adequacy of protection afforded by ordinary provisions applicable to personal data.
21.Data Protection Impact Assessment (DPIA)
21.1 The Company shall prior to the processing of data, conduct a DPIA, where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.
21.2 A DPIA shall include the assessment of the impact of the envisaged processing operations and purpose;
21.3 DPIA shall include:
a) A systematic description of envisaged processing operations and purpose;
b) Assessment of risks to rights and freedoms of data subjects;
c) Measures and safeguards to address risks and ensure protection of personal data;
d) Consultation with the ODPC and any other Authority the DPIA prepared indicates that the processing of the data would result in a high risk to the rights and freedoms of the data subject.
e) DPIA reports shall be submitted sixty (60) days prior to processing of data.
22.Cross-Border Transfer of Data
The following conditions must be met prior to transfer of personal data out of Kenya:
22.1 The data controller or data processor must give proof to the ODPC on the appropriate safeguards with respect to the security and protection of the personal data;
22.2 The transfer is necessary for the performance of a contract between the data subject and the data controller or the data processor or implementation of pre-contractual measures taken at the data subject’s request;
22.3 The transfer is necessary for conclusion or performance of a contract between the controller and another person;
22.4 The transfer is necessary for any matter of public interest;
22.5 The transfer is necessary for the establishment, exercise and defense of a legal claim;
22.6 The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
22.7 The transfer is necessary for the purpose of compelling legitimate interests pursued by the data controller or the data processor which are not overridden by the interests, rights and freedoms of other data subjects.
23.Systems and Data Back-Up
23.1 Each department head must ensure its data and customer data is backed up during the required times per the data protection process and standards;
23.2 The Information Technology (IT) department shall ensure that backup copies of operating systems and other critical information system software shall not be stored in the same location as the operational software;
23.3 Whenever shared, system backup information shall be provided with protection from unauthorized modification and environmental conditions;
23.4 All backups must be periodically tested by IT to ensure that they are recoverable; and
23.5 Proof of testing shall be made available upon request by the Board, Senior Management or Regulator.
24.Data Protection Training
24.1 All entities that fall under the scope of this policy shall ensure that they undertake the mandatory company-sanctioned data protection training in a manner to be determined by the company;
24.2 Testing of understanding of the requirements of this Policy and privacy laws shall be done on an ongoing basis.
25.Role of Data Protection Officer
The company shall designate a Data Protection Officer who shall:
25.1 Advise the data controller or data processor and members of staff on matters touching on data processing;
25.2 Ensure the Company complies with the requirements of the Data Protection Act, 2019;
25.3 Facilitate capacity building of staff involved in data processing operations;
25.4 Provide advice on data protection impact assessments;
25.5 Facilitate capacity building of staff involved in data processing operations; and
25.6 Co-operate with the ODPC and any other Regulator on matters touching on data protection.
25.7 Monitor and Report on the Company’s adherence to this Policy; both to the Board of Directors and the Regulator(s).
26.Lawful, Fair and Transparent Processing
26.1 To ensure its processing of data is lawful, fair and transparent, the company’s Data Protection Officer shall maintain a Register of Systems used by the company.
26.2 The Register of Systems shall be reviewed at least quarterly.
26.3 Individuals have the right to access their personal data and any such requests made to the company, shall be dealt with in a timely manner.
27.Data Minimization & Accuracy
27.1 The company shall ensure that personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
27.2 The company shall take reasonable steps to ensure personal data is accurate.
27.3 Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
28.Data Archiving/Removal
28.1 To ensure that personal data is kept for no longer than necessary, the company shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
28.2 The archiving policy shall consider what data should or must be retained, for how long, and why.
29.Data Security
29.1 The company shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
29.2 Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
29.3 When personal data is deleted this should be done safely such that the data is irrecoverable.
29.4 Appropriate back-up and disaster recovery solutions shall always be expected to be in place.
29.5 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, the company shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the appropriate authority.