Overview
Most recent technological advancements have laid bare the need to
create better protection frameworks where data collection is concerned.
In 2018 the European Union (EU) operationalized the General Data
Protection Regulations (GDPR) that govern how companies handle
personal data. Consequently, in 2019 Kenya enacted its own Data
Protection Act. The regulations seek to protect the privacy of individuals
by enforcing responsible processing of personal data. This includes
embedding principles of lawful processing, minimizing the collection of
data, ensuring the accuracy of data and adopting security safeguards to
protect personal data.
-
- Policy Statement
SAIF GROUP OF COMPANIES (hereinafter referred to as “the
Company”) is committed to complying with all relevant Kenyan
legislation and applicable global legislations.
The Company recognizes that the protection of individuals through
lawful, legitimate, and responsible processing and use of their personal
data is a fundamental human right.
The Company will ensure that it protects the rights of data subjects and
that the data it collects, and processes is done in line with the required
legislation.
The Company’s staff must comply with this policy, breach of which could
result in disciplinary action.
- Policy Statement
-
- Purpose
The purpose of this policy is to provide guidelines relating to the processing
of personal data by SAIF GROUP OF COMPANIES.
- Purpose
-
- Scope
This policy covers data collected, received and stored on the Company’s
owned physical and electronic databases and resource centres.
It shall apply to all staff and members of the Company, its foreign branches,
its sister Companies, its subsidiaries and all its associated parties such as
implementing partners.
It shall also apply to all users of the Company’s applications, software,
databases, websites, social media platforms and all other suchlike
resources.
This policy shall cover all data/ information collection tools of the Company
including but not being limited to assessment tools, client databases,
financial databases, third-party databases, mobile applications, research
publications and communication tools such as photos, videos, social and
main stream media.
- Scope
-
- Definitions
5.1 Consent means any freely given, unambiguous and informed
indication by a statement or by a clear positive action, signifies an
agreement by the user to the processing of his/her personal data.
5.2 Data controller means a natural or legal person, public authority,
agency or other body which has authority to oversee the
management of, and to determine the purposes for the processing
of personal data.
5.3 Data processor means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of
the data controller.
5.4 Data processing means converting of data into information. This
includes collecting, recording, rationalizing, storage, alteration,
retrieval, use, transmission, dissemination, erasure or destruction
of data.
5.5 Data subject means an individual whose personal data is subject
to processing.
5.6 Data transfer means all acts that make personal data accessible to
third parties outside of the Company on paper, via electronic
means, on internet or through other means.
5.7 Data Transfer Agreement means an agreement between the
Company and a third party that states the terms and conditions of
use of personal data, including which data components are to be
shared, the mode of transfer, how the data may be used, data
security measures and other related issues.
5.8 Personal data means any data related to a user who can be
identified from that data; from that data and other information; or
by means reasonably likely to be used related to that data.
Personal data includes biographical data (bio data) such as name,
sex, date of birth, country of origin, Identification Number, contact
addresses, work places, occupation as well as the user’s next of kin
details.
5.9 Personal data breach means a breach of data security leading to
the accidental or unlawful/illegitimate destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data transferred,
stored or otherwise processed.
5.10 Processing of personal data means any operation, or set of
operations, automated or not, which is performed on personal
data, including but not limited to the collection, recording,
organization, structuring, storage, adaption or alteration, retrieval,
consultation, use, transfer, dissemination or otherwise making
available, correction, or destruction.
5.11 Third party means any natural or legal person other than the user.
Examples of third parties are national governments, international
governmental or non-governmental organizations, private sector
entities or individuals.
- Definitions
-
- Policy guidelines
6.1 The Company shall, in dealing with personal information and data,
ensure that the information/ data is processed:
a) without infringing the privacy rights of the data subject;
b) in a lawful manner; and
c) in a reasonable manner.
6.2 Data shall be collected only for specified, explicit and legitimate
purposes and not further processed in a manner incompatible with
that purpose.
6.3 Data collected shall be adequate, relevant, and limited to what is
necessary in relation to the purposes for which it is to be
processed.
6.4 Data collected shall be accurate and where necessary kept up to
date.
6.5 Data collected shall not be kept in a form which permits
identification of data subjects for longer than is necessary for the
purposes for which the data is processed.
6.6 Data collected shall be processed in a manner that ensures its
security using appropriate technical and organizational measures
to protect against unauthorized or unlawful processing and
accidental loss, destruction, or damage.
6.7 Data collected shall not be transferred out of the material country
of origin unless there is proof of adequate data
safeguards/measures or consent from the data subject.
6.8 The collection, use, storage and transfer of personal data will only
be done in a manner guided by the fundamental principles of the
SAIF GROUP OF COMPANIES.
6.9 This policy will guide the Company’s ICT Acceptable Use Policy, the
Record Retention and Destruction Policy and the Accountability
Framework.
- Policy guidelines
-
- Data protection officer
The Company has designated the Group’s Chief Executive Officer, and
any other person as may be duly authorised so to do from time to time,
to be the Data Protection Office (DPO). Accordingly, the DPO will:
a. Advise the Company staff on requirements for data protection,
including data protection impact assessments.
b. Ensure that the Company has complied with the legal
requirements on data protection.
c. Facilitate capacity building of staff involved in data processing
operations; and,
d. Cooperate with external regulators on matters relating to data
protection.
- Data protection officer
-
- Accuracy
8.1 The Company shall store personal data/information as accurately
as possible and update and systematically review it to ensure it
fulfills the purpose(s) for which it is processed.
8.2 The data subject may request the correction of personal data that
is inaccurate, incomplete, unnecessary or excessive.
8.3 When personal data is corrected, the Company will notify, as soon
as is reasonably practicable, all third parties to whom the relevant
personal data was transferred and to the data subject.
- Accuracy
-
- Lawful and fair processing
9.1 Data processing shall be carried out in a lawful and fair manner
for specified and legitimate purposes without prejudicing the
fundamental rights and freedoms of data subjects.
9.2 The processing shall only be justified based on one (or more) of the
legal rationales including:
a) data subject giving his or her consent
b) the processing is necessary for the performance of a contract
with the data subject
c) to meet legal compliance obligations
d) public interest considerations
e) to protect the data subject’s vital interests or any other person
who may be indirectly affected
f) to pursue the Company’s legitimate interests which are not
overridden because the processing prejudices the interests or
fundamental rights and freedoms of data subjects
- Lawful and fair processing
-
- Further processing
10.1 Further processing for research or marketing purposes shall be
compliant with the conditions outlined in order to be compatible
with the purposes for which the data is obtained.
10.2 Personal data which is processed for research or marketing
purposes may be exempt from provisions of this policy if the
results of the research and statistical data is not made available in
a form which identifies the data subject.
10.3 Further processing of data shall comply with the data protection
principles set out in this policy, in particular in ensuring the
security and confidentiality of sensitive personal data.
- Further processing
-
- Minimization of collection
The Company will not process any personal data for a purpose for which it
did not obtain consent. Should such a need arise, then consent must be
obtained from the data subject.
The Company will collect and process data that is adequate, relevant, and
limited to what is necessary. The Company’s staff must not access data
which they are not authorised to access nor have a reason to access.
Data must only be collected for the performance of duties and tasks; staff
must not ask data subjects to provide personal data unless that is strictly
necessary for the intended purpose.
Staff must ensure that they delete, destroy, or anonymize any personal data
that is no longer needed for the specific purpose for which they were
collected.
- Minimization of collection
-
- Confidentiality
12.1 The confidentiality of personal data must be respected by the
Company when processing data at all times with access to the
same limited on a need-to-know basis.
12.2 The Company shall maintain the confidentiality of the personal
data throughout and even after the user is no longer of concern to
the Company.
12.3 The data controller may specify other categories of personal data
that will require additional safeguards and restrictions and may be
classified as sensitive personal data.
12.4 In the processing of sensitive personal data, the data controller will
specify further grounds on which these categories will be processed
with consideration of:
a) the increased risk of significant harm that may be caused to the
data subject by processing this category of personal data.
b) the degree of confidentiality attached to the category of personal
data.
c) the level of protection afforded by provisions applicable to
personal data.
12.5 The data controller shall process personal data of children in a
manner that protects their rights and best interests.
12.6 The data controller will incorporate a process of obtaining parental
consent and age verification in order to process personal data of
children.
- Confidentiality
-
- Security
13.1 The Company will ensure and implement a high level of data
security that is appropriate to the risks presented by the nature
and processing of personal data taking into account the level of
technology available and existing security conditions as well as the
costs of implementing additional security measures.
13.2 In order to ensure and respect confidentiality, personal data will be
filed and stored in a way that is accessible only to authorized staff
and transferred only through the use of protected means of
communication.
13.3 In order to ensure the confidentiality of the personal data, the
Company shall take appropriate technical and organizational data
security measures.
13.4 The nature of risks will include but not be limited to risk of
accidental or unlawful/illegitimate destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data.
13.5 Access to personal data/content/knowledge shall be restricted to
authorized personnel using it in the performance of their duties at
the Company and as determined by appropriate authorization of
both the staff supervisor and data subjects.
13.6 Personal data/content/knowledge may not be used by any
employee or staff for purposes other than the business of the
Company.
13.7 Staff allowed access of personal data/content/knowledge of the
Company shall sign a non-disclosure agreement banning them
from using the content for business other than the Company’s core
mandate.
13.8 Private email accounts shall not be used to transfer Personal Data.
13.9 Information technology will be used to process, communicate and
store Company data and information which will be classified as
Confidential Information (CI).
13.10 Data security measures will be routinely reviewed and upgraded as
deemed appropriate to ensure the level of protection is
commensurate to the degree of sensitivity applied to personal data
and considering the possible development of new technology in
enhancing data security.
- Security
-
- Accountability
14.1 The Company will be responsible for compliance and will be
required to demonstrate that appropriate measures have been
employed within the organization to comply with the data
protection guidelines.
14.2 The Company will implement data protection training programs for
all staff.
14.3 The Company will bear the burden of proof to establish the data
subjects’ consent of the processing of their personal data for a
specific purpose.
14.4 The Company will ensure that it is as easy to withdraw as it is to
give consent.
- Accountability
-
- Rights of data subjects
15.1 A data subject has a right to—
a) be informed of the use to which their personal data is to be put.
b) withdraw consent at any time.
c) access their personal data in custody of data controller or data
processor.
d) object to the processing of all or part of their personal data.
e) correction of false, inaccurate or misleading data.
f) deletion of false or misleading data about them.
g) request for erasure of their personal data where it irrelevant,
excessive or was obtained unlawfully.
- Rights of data subjects
-
- Data collection
16.1 When collecting personal data from the user, the Company shall
inform the user of the following in writing/orally and in a manner
and language that is understandable to the user:
a) The specific purpose(s) for which the personal data or categories of
personal data will be processed.
b) Whether such data will be transferred to third parties and the
specific third parties.
c) The data subject’s right to request access to their personal data, or
correction or deletion of it.
d) How to lodge a complaint with the data controller.
e) The mandate and contact details of the data controller.
16.2 Where data is not collected directly from the data subject either
orally or in writing, other means will be considered as far as is
practicable such as radio communication, posters and flyers in an
accessible location, online postings and any other appropriate
method of transmission.
16.3 At the request of the data subject the data controller may restrict
the processing of personal data where:
a) The accuracy of the data is contested by the data subject.
b) The data subject has objected to the processing.
- Data collection
-
- Data Protection Impact Assessments
17.1 Where a type of processing in particular using new technology, and
taking into account the nature, scope, context and purposes of the
processing, is likely to result in a high risk to the rights and
freedoms of natural persons, the controller shall, prior to the
processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data.
17.2 A single assessment may address a set of similar processing
operations that present similar high risks.
17.3 A data protection impact assessment shall in particular be
required in the case of:
a) a systematic and extensive evaluation of personal aspects relating to
natural persons which is based on automated processing, including
profiling, and on which decisions are based that produce legal
effects concerning the natural person or similarly significantly affect
the natural person; or
b) a systematic monitoring of a publicly accessible area on a large
scale.
17.4 The assessment shall contain at least:
a) a systematic description of the envisaged processing operations and
the purposes of the processing, including, where applicable, the
legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing
operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data
subjects; and
d) the measures envisaged to address the risks, including safeguards,
security measures and mechanisms to ensure the protection of
personal data and to demonstrate compliance with this Policy taking
into account the rights and legitimate interests of data subjects and
other persons concerned.
- Data Protection Impact Assessments
-
- Data retention and disposal
18.1 Data will not be kept in a form that allows data subjects to be
identified for longer than needed for the legitimate Company’s
purposes or other purposes for which the Company collected it.
18.2 The purposes of data retention shall include satisfying any legal,
contractual, accounting or reporting requirements.
18.3 Personal data may be retained for a longer period in the event of a
complaint there is reasonable belief that there is a prospect of
litigation in respect to the Company’s relationship with the data
subject.
18.4 The Company shall take all reasonable steps to destroy or erase
from its systems all personal data that are no longer required in
accordance with the Company’s Record Retention and Destruction
Policy.
- Data retention and disposal
-
- Transfer of personal data to third parties
19.1 The Company may transfer personal data to third parties with the
data controller.
19.2 The Company may only transfer personal data/content/knowledge
to third parties on condition that the third party affords a level of
data protection the same or comparable to this Policy.
19.3 In order to mitigate risks associated with transfer of data to third
parties, the Company will only transfer data to a third party if:
a) The data is stripped off personal and identifiable information;
b) The transfer is based on one or more legitimate basis including:
i. explicit consent by the data subject;
ii. compliance with national or international law; or
iii. in exercise, establishment and defense of any contractual or
legal obligations;
c) The personal data to be transferred is adequate, relevant,
necessary and not excessive in relation to the purpose(s) for which
it is being transferred;
d) The data subject has been informed either at the time of the
collection or subsequently, about the potential transfer of his/her
personal data;
e) The third party has in the past respected the confidentiality of
personal data transferred to them by the Company; and
f) The third party maintains a high level of data security that protect
personal data against the risk of accidental or
unlawful/illegitimate destruction, loss, alteration unauthorized
disclosure of, or access to it.
19.4 The Company will also ensure that transferring personal data does
not negatively impact:
a) The safety and security of the Company staff, volunteers and
beneficiaries.
b) The effective functioning of an operation or compromise in the
Company’s mission, vision or fundamental principles, for
example due to the loss of trust and confidence between the
Company and persons of concern.
19.5 The processing of sensitive personal data out of Kenya shall only
be effected upon obtaining consent of a data subject and on
obtaining confirmation of appropriate safeguards.
- Transfer of personal data to third parties
-
- Data transfer records
20.1 The Company shall keep and maintain full and accurate records
reflecting all phases of data management cycle, including records
of data subjects’ consents and procedures for obtaining consent,
where consent is the legal basis of processing.
20.2 The data transfer records shall include, at a minimum:
a) the name and contact details of the individual entity authorizing
the transfer;
b) clear descriptions of the personal data types;
c) data subject types;
d) processing activities;
e) processing purposes;
f) third-party recipients of the personal data;
g) personal data storage locations;
h) personal data transfers;
i) the personal data’s retention period; and
j) a description of the security measures in place.
- Data transfer records
-
- Data transfer agreements
21.1 The Company will require all third parties to comply with this
Policy through an agreement or a non-disclosure agreement as
part of the signing of any partnership agreements. Such
agreements will specify the specific purpose(s) and legitimate basis
for the processing or transfer of personal data.
21.2 Data transfer agreements shall;
a) address the purpose(s) for data transfer, specific data elements
to be transferred as well as data protection and data security
measures to be put in place;
b) require the third party to undertake that its data protection and
data security measures are in compliance with this Policy; and
c) stimulate consultation, supervision, accountability and review
mechanisms for the oversight of the transfer for the life of the
agreement.
21.3 The Legal Department of the Company shall review and approve all
data transfer agreements and maintain copies of final agreements.
- Data transfer agreements
-
- Data breach
22.1 The Company will maintain a register of all data breaches.
22.2 The Company’s staff will notify their line managers as soon as
possible upon becoming aware of a personal data breach.
22.3 The member of staff will record the breach.
22.4 If a personal data breach is likely to result in personal injury or
harm to a data subject, the data controller will communicate the
personal data breach to the data subject and take mitigating
measures as appropriate without undue delay. In such cases, the
data controller shall also notify the Company’s Director(s) of the
personal data breach.
22.5 The notification will describe:
a) The nature of the personal data breach, including the categories
and number of data subjects and data
b) records concerned;
c) The known and foreseeable adverse consequences of personal
data breach; and
d) The measures taken or proposed to be taken to mitigate and
address the possible adverse impacts of the personal data breach.
- Data breach
Need help?
Contact us at {email} for questions related to refunds and returns.