Recent concerns about the security of personal data stored by institutions have led governments to enact data protection regulations. In 2018 the European Union (EU) operationalised the General Data Protection Regulation (GDPR), which governs how companies handle personal data. Consequently, in 2019 Kenya enacted its own Data Protection Act. These regulations seek to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimising the collection of data, ensuring the accuracy of data and adopting security safeguards to protect personal data.
2. Policy statement
FlashCredit Africa is committed to complying with all relevant Kenyan legislation and applicable global legislation. FlashCredit Africa recognises that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right. FlashCredit Africa will ensure that it protects the rights of data subjects and that the data it collects and processes is handled in line with the required legislation. FlashCredit Africa staff must comply with this policy; a breach of it could result in disciplinary action.
The policy provides guidance on how FlashCredit Africa will handle the data it collects. It helps FlashCredit Africa comply with data protection law, protect the rights of data subjects and protect FlashCredit Africa from risks related to breaches of data protection.
The policy applies to:
- Employees of FlashCredit Africa and all FlashCredit Africa associated parties who handle and use FlashCredit Africa information (where FlashCredit Africa is the 'Controller' for the personal data being processed), be it in manual and automated forms or if others hold it on their systems for FlashCredit Africa;
- All personal data processing FlashCredit Africa carries out for others (where FlashCredit Africa is the 'Processor' for the personal data being processed); and
- All formats, e.g., printed and digital information, text and images, documents and records, data and audio recordings.
Data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data subject means an identified or identifiable natural person who is the subject of personal data.
Personal data means any information relating to an identified or identifiable natural person.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Sensitive personal data means data that reveals the natural person’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.
Processing data means any operation or set of operations performed on personal data, whether or not by automated means, such as:
- collection, recording, organisation, structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination, or otherwise making available; or
- alignment or combination, restriction, erasure or destruction.
FlashCredit Africa will ensure that data is:
- Processed lawfully, fairly and in a transparent manner and in line with the right to privacy.
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
- Accurate and where necessary kept up to date.
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
- Not transferred out of Kenya unless there is proof of adequate data safeguards/ measures or consent from the data subject.
7. Data protection officer
FlashCredit Africa has designated Martin Mogusu to be the Data Protection Officer (DPO). Accordingly, the DPO will:
- Advise FlashCredit Africa staff on requirements for data protection, including data protection impact assessments.
- Ensure that FlashCredit Africa has complied with the legal requirements on data protection.
- Facilitate capacity building of staff involved in data processing operations.
- Cooperate with external regulators on matters relating to data protection.
The FlashCredit Africa DPO can be contacted via the email: [email protected]
8. Duty to notify
FlashCredit Africa has a duty to notify data subjects of their rights before processing data. FlashCredit Africa will therefore inform the data subjects of their right:
- To be informed of the use to which their personal data is to be put.
- To access their personal data in FlashCredit Africa's custody.
- To object to the processing of all or part of their personal data.
- To the correction of false or misleading data.
- To deletion of false or misleading data about them.
9. Lawful and fair processing of data
FlashCredit Africa will only process data where it has a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:
- For the performance of a contract to which the data subject is a party (for instance a contract of employment).
- To comply with FlashCredit Africa's legal obligations.
- To perform tasks carried out in the public interest or the exercise of official authority.
- To protect the vital interests of the data subject or another person.
- To pursue FlashCredit Africa's legitimate interests where those interests are not outweighed by the interests and rights of data subjects.
- For historical, statistical, journalistic, literature and art or scientific research.
9. Minimisation of collection
FlashCredit Africa will not process any personal data for a purpose for which it did not obtain consent. Should such a need arise, consent must first be obtained from the data subject. FlashCredit Africa will collect and process only data that is adequate, relevant, and limited to what is necessary. FlashCredit Africa staff must not access data which they are not authorised to access or have no reason to access. Data must only be collected for the performance of duties and tasks; staff must not ask data subjects to provide personal data unless that is strictly necessary for the intended purpose. Staff must ensure that they delete, destroy, or anonymise any personal data that is no longer needed for the specific purpose for which it was collected.
10. Accuracy of data
FlashCredit Africa must ensure that the personal data it collects and processes is accurate and kept up to date, and that inaccurate data is corrected or deleted without delay. All relevant records must be updated should staff be notified of inaccuracies. Inaccurate or out-of-date records must be deleted or destroyed.
11. Safeguards and security of data
FlashCredit Africa has instituted data security measures which are laid out in the Information security policy and procedures. These measures serve to safeguard personal data and must be complied with accordingly.
Where necessary, FlashCredit Africa will maintain adequate records to show that consent was obtained before processing personal data. Data will not be processed after the withdrawal of consent by a data subject.
13. Processing data relating to a child
FlashCredit Africa will not process data relating to a child unless consent is given by the child’s guardian or parent and the processing is carried out in a manner that protects and advances the rights and best interests of the child, in line with the FlashCredit Africa Safeguarding policy. FlashCredit Africa will institute adequate mechanisms to verify age and obtain consent before processing the data.
14. Data protection impact assessment
FlashCredit Africa will undertake a data protection impact assessment whenever it identifies that a processing operation is likely to result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.
15. Processing sensitive personal data
FlashCredit Africa will process sensitive personal data only when:
- The processing is carried out in the course of legitimate activities with appropriate safeguards, the processing relates solely to staff or to persons who have regular contact with FlashCredit Africa, and the personal data is not disclosed outside FlashCredit Africa without the consent of the data subject.
- The processing relates to personal data that has been made public by the data subject.
- Processing is necessary for:
  - The establishment, exercise or defence of a legal claim.
  - The purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject.
  - Protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
16. Transferring personal data out of Kenya
FlashCredit Africa will transfer personal data out of Kenya only when:
- It has proof of appropriate measures for the security and protection of the personal data, and that proof has been provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019; such measures include transferring data only to jurisdictions with commensurate data protection laws.
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures, such as:
  - For the conclusion or performance of a contract to which the data subject is a party.
  - For matters of public interest.
  - For legal claims.
  - To protect the vital interests of data subjects.
  - For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
FlashCredit Africa will process sensitive personal data out of Kenya only after obtaining the consent of the data subject and on receiving confirmation of appropriate safeguards.
17. Onward reporting
In line with regulatory requirements, FlashCredit Africa will report any data breach to the Data Protection Commissioner within 72 hours of becoming aware of it. FlashCredit Africa will also communicate the data breach to the data subject as soon as is practical, unless the identity of the data subject cannot be established.
18. Training and awareness
FlashCredit Africa will train staff on the contents and implementation of this policy. Staff who join FlashCredit Africa will be required to go through an induction process that entails familiarisation with this policy. FlashCredit Africa will ensure that the requirements of this policy form part of its agreement with its grantees, contractors and third parties who process FlashCredit Africa data.
19. Grantees or partners
Grantees and partners of FlashCredit Africa must report breaches of FlashCredit Africa data in their custody within 48 hours using the emails provided above. Grantees and partners must also abide by this policy and institute adequate mechanisms to safeguard the privacy of individuals’ data.
20. Roles and responsibilities
All staff must:
- Read, understand and comply with the contents of this policy.
- Report suspicions of breaches promptly.
All project leads and managers must:
- Ensure staff and third parties they work with are aware of the contents of this policy.
- Conduct risk assessments, and update controls and procedures to mitigate the risk of data breaches.
The Chief Executive Officer (CEO) and Chief Operations Officer (COO) are responsible for ensuring employees, consultants, vendors, and partner organisations are aware of the policy and are supported to implement and work by it, as well as creating a management culture that encourages a focus on data protection.
21. Independent assurance
The adequacy and effectiveness of FlashCredit Africa's data protection procedures are subject to regular internal audit reviews. Where necessary, FlashCredit Africa may commission an external review to provide assurance over the integrity of these procedures.
22. Data retention
The data retention period in FlashCredit Africa is determined by legitimate needs. Adequate records of decision making will be maintained to show the basis for each retention decision.
23. Review of this policy
The Chief Operating Officer is responsible for ensuring that this policy is reviewed on a timely basis. This policy will be reviewed after every two years and accordingly approved by the Board of Directors.