1. Introduction

Recent concerns about the security of personal data stored in institutions have led to governments enacting data protection regulations. In 2019 Kenya enacted its own Data Protection Act. The regulations seek to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimizing the collection of data, ensuring the accuracy of data and adopting security safeguards to protect personal data.

2. Policy statement

Kentours Sacco is committed to complying with all relevant Kenyan legislation and applicable global legislations. Kentours Sacco recognizes that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right.

Kentours Sacco will ensure that it protects the rights of data subjects and that the data it collects and processes is done in line with the required legislation. Kentours Sacco data users must comply with this policy.

3. Purpose

The policy provides guidance on how Kentours Sacco will handle the data it collects. It helps Kentours Sacco comply with the data protection law, protect the rights of the data subjects and protect Kentours Sacco from risks related to breaches of data protection.

4. Scope

The policy applies to:

  1. Employees of Kentours Sacco and all Kentours Sacco’s associated parties such as members of the Board and Supervisory Committee, Employer Units, Employer Units Representatives, vendors, auditors and any other third party who handles and uses Kentours Sacco information (where Kentours Sacco is the ‘Controller’ for the personal data being processed, be it in manual or automated form, or if others hold it on their systems for Kentours Sacco);
  2. All personal data processing Kentours Sacco carries out for others (where Kentours Sacco is the ‘Processor’ for the personal data being processed); and
  3. All formats, e.g., printed and digital information, text and images, documents and records, data and audio.

5. Definitions

Data controller means a natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purpose and means of the processing of personal data.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data subject means an identified or identifiable natural person who is the subject of personal data.

Personal data means any information relating to an identified or identifiable natural person.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Sensitive personal data means data that reveals the natural person’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.

Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as:

(a) collection, recording, organisation, structuring;

(b) storage, adaptation or alteration;

(c) retrieval, consultation or use;

(d) disclosure by transmission, dissemination, or otherwise making available; or

(e) alignment or combination, restriction, erasure or destruction.

Customer means a person who transacts with Kentours Sacco, including members, former members, suppliers and employers.

6. Principles

Kentours Sacco will ensure that data is:

  1. Processed lawfully, fairly and in a transparent manner and in line with the right to
  2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be
  4. Accurate and where necessary kept up to
  5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or
  7. Not transferred out of Kenya unless there is proof of adequate data safeguards/ measures or consent from the data

7. Data protection officer

Kentours Sacco has designated the ICT Administrator to be the Data Protection Officer (DPO). Accordingly, the DPO will:

  1. Advise Kentours Sacco staff on requirements for data protection, including data protection impact
  2. Ensure that Kentours Sacco has complied with the legal requirements on data
  3. Facilitate capacity building of staff involved in data processing
  4. Cooperate with external regulators on matters relating to data

Kentours Sacco’s DPO can be contacted via the email: dpo@kentours.co.ke

8. Duty to notify

Kentours Sacco has a duty to notify data subjects of their rights before processing data. Kentours Sacco will therefore inform the data subjects of their right to:

  1. be informed of the use to which their personal data is to be
  2. access their personal data in Kentours Sacco’s
  3. object to the processing of all or part of their personal
  4. the correction of false or misleading data.
  5. deletion of false or misleading data about

9. Lawful and fair processing of data

Kentours Sacco will only process data where it has a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:

  1. For the performance of a contract to which the data subject is a party (for instance a contract of loan application).
  2. To comply with the Kentours Sacco’s legal
  3. To perform tasks carried out in the public interest or the exercise of official
  4. To protect the vital interests of the data subject or another
  5. To pursue Kentours Sacco’s legitimate interests where those interests are not outweighed by the interests and rights of data
  6. For historical, statistical or research.

10. Minimisation of collection

Kentours Sacco will not process any personal data for a purpose for which it did not obtain consent. Should such a need arise, then consent must be obtained from the data subject.

Kentours Sacco will collect and process data that is adequate, relevant, and limited to what is necessary. Kentours Sacco officers must not access data which they are not authorised to access nor have a reason to access.

Data must only be collected for the performance of duties and tasks; officers must not ask data subjects to provide personal data unless that is strictly necessary for the intended purpose.

Sacco officers must ensure that they delete, destroy, or anonymise any personal data that is no longer needed for the specific purpose for which it was collected.

11. Accuracy of data

Kentours Sacco must ensure that the personal data it collects and processes is accurate, kept up to date, corrected or deleted without delay. All relevant records must be updated should staff be notified of inaccuracies. Inaccurate or out of date records must be deleted or destroyed.

12. Safeguards and security of data

Kentours Sacco has instituted data security measures. These measures serve to safeguard personal data and must be complied with accordingly.

13. Consent

Where necessary, Kentours Sacco will maintain adequate records to show that consent was obtained before processing personal data. Data will not be processed after the withdrawal of consent by a data subject.

14. Processing data relating to a child

Kentours Sacco will not process data relating to a child unless consent is given by the child’s guardian or parent and the processing is in such a manner that protects and advances the rights and best interests of the child.

Kentours Sacco will institute adequate mechanisms to verify the age and obtain consent before processing the data.

15. Data protection impact assessment

Kentours Sacco will undertake a data protection impact assessment whenever it identifies that a processing operation will likely result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.

16. Processing sensitive personal data

Kentours Sacco will process sensitive personal data only when:

  1. The processing is carried out in the course of legitimate activities with appropriate safeguards and that the processing relates solely to the staff or to persons who have regular contact with Kentours Sacco, and the personal data is not disclosed outside Kentours Sacco without the consent of the data
  2. The processing relates to personal data that has been made public by the data
  3. Processing is necessary for:
    1. The establishment, exercise or defense of a legal
    2. The purpose of carrying out the obligations and exercising specific rights of the controller or of the data
    3. Protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving

17. Use of information collected

Kentours Sacco will use the information in its possession to operate, provide, improve, understand, customize, support, and market its products and services as below:

  1. Provision of Products and Services

Kentours Sacco will operate and provide products and services, including providing customer support; improving, fixing and customizing products and services; evaluating and improving services; researching, developing and testing new products, services and features; conducting troubleshooting activities; and responding to customer queries.

  2. Safety and Security

The Sacco will verify accounts and activity, and promote safety and security on and of its products and services, such as by investigating suspicious activity or violations of its terms, and to ensure its services are being used legally.

  3. Communications about Products and Services

Kentours Sacco will communicate with customers about products and services and let customers know about terms and policies and other important updates.

  4. Information Sharing

Customers share information as they communicate through the Sacco’s services. The Sacco may share a customer’s information to help it operate, provide, improve, understand, customize, support, and market its Services.

  5. Account Information

A customer’s phone number, profile information, and receipts may be available to anyone who is in a common group and uses the Sacco’s services.

  6. A Customer’s Contacts and Others

Users and businesses with whom a customer communicates may store or reshare a customer’s information (including a customer phone number or messages) with others on and off the Sacco’s services.

  7. Third-Party Services

When a customer uses third-party services that are integrated with Kentours Sacco’s services, they may receive information about what a customer shares with them. If a customer interacts with a third-party service linked through the Sacco’s services, the customer may be providing information directly to such third party. When a customer uses third-party services, their own terms and privacy policies will govern the customer’s use of those services.

  1. To provide and manage a customer’s account(s) and relationship with the customer.
  2. To give customer statements and other information about a customer’s account or
  3. To handle enquiries and
  4. To provide services to a customer.
  5. For assessment, testing (including systems tests) and analysis (including credit and/or behaviour scoring), statistical, market and product analysis and market research. Kentours Sacco may use this information to prepare statistical reports to be shared internally or with its service providers.
  6. To evaluate, develop and improve services to
  7. To protect its business interests and to develop business
  8. To contact a customer, by post, phone, text, email and other digital This may be:
     • to help customers manage their accounts
     • to meet regulatory obligations
     • to keep customers informed about products and services they hold and to send customer information about products or services (including those of other companies) which may be of interest to the customer.
  9. To collect any debts
  10. To meet regulatory compliance and reporting obligations and to prevent, detect, investigate and prosecute fraud and alleged fraud, money laundering and other
  11. To assess any application a customer makes, including carrying out fraud, money laundering, identity, sanctions screening and any other regulatory
  12. To monitor, record and analyse any communications with the customer, including phone
  13. To transfer a customer information to or share it with any third party to whom a customer account has been or may be transferred following a restructure or default.
  14. To share a customer’s information with relevant tax authorities, credit reference agencies, fraud prevention agencies, regulators and
  15. To share a customer information with partners and service

18. Transferring personal data out of Kenya

Kentours Sacco will transfer personal data out of Kenya only when it has:

  1. Proof of appropriate measures for security and protection of the personal data, and the proof provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019; such measures include that data is transferred to jurisdictions with commensurate data protection
  2. The transfer is necessary for the performance of a contract, implementation of pre-contractual measures such as:
    1. For the conclusion or performance of a contract to which the data subject is part
    2. For matters of public
    3. For legal
  3. To protect the vital interests of data
  4. For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data

Kentours Sacco will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and on receiving confirmation of appropriate safeguards.

19. Onward reporting

In line with regulatory requirements, Kentours Sacco will report any data breach to the Data Protection Commissioner within 72 hours of becoming aware of it.

Kentours Sacco will also communicate the data breach to the data subject as soon as is practical unless the identity of the data subject cannot be established.

20. Training and awareness

Kentours Sacco will train its officers on the contents and implementation of this policy. Staff who join Kentours Sacco will be required to go through an induction process that entails familiarization with this policy.

Kentours Sacco will ensure that the requirements of this policy form part of its agreement with its grantees, contractors and third parties who process Kentours Sacco’s data.

21. Grantees or partners

Grantees and partners of Kentours Sacco must report breaches of Kentours Sacco’s data in their custody within 48 hours using the email provided above.

Grantees and partners must also abide by this policy and institute adequate mechanisms to safeguard the privacy of individuals’ data.

22. Roles and responsibilities

All officers must:

  1. Read, understand and comply with the contents of this policy,
  2. Report suspicions of breaches,
  3. Ensure third parties they work with are aware of the contents of this policy,
  4. Conduct risk assessments, and update controls and procedures to mitigate the risk of data breaches.

The Sacco Board will provide governance oversight of activities under this policy and will ensure that there are adequate and effective systems and processes in place to safeguard data.

23. Independent assurance

The adequacy and effectiveness of Kentours Sacco’s data protection procedures are subject to regular internal audit reviews; where necessary, Kentours Sacco may call for an external review to provide assurance.

24. Data retention

The data retention period in Kentours Sacco is determined by legitimate needs.