Privacy policy


Kwetu Sacco Society Ltd  | Protection Policy 


BOD – Board of Directors

 CEO – Chief Executive Officer

 CRB – Credit Reference Bureau

 DPIA – Data Protection Impact Assessment

 DPO – Data Protection Officer 

EACC – Ethics and Anti-Corruption Commission 

ID – Identification

 NHIF – National Hospital Insurance Fund

 NSSF – National Social Security Fund 

SACCO – Savings and Credit Co-operative Society 

SASRA – Sacco Societies Regulatory Authority 

SLA – Service Level Agreement

NWDTS – Non-Withdrawable Deposit Taking Sacco

Data Protection Policy


Anonymization- The removal of personal identifiers from personal data so that the data subject is no longer identifiable.

 Biometric data- Personal data resulting from specific technical processing based on physical, physiological, or behavioral characterization including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning, and voice recognition.

Consent- Agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.

Data- Information which is processed by means of equipment operating automatically in response to instructions given for that purpose or recorded with intention that it should be processed by means of such equipment or recorded as part of a relevant filing system.

Data Controller- The person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the Data Protection Act. Kwetu Sacco is the Data Controller of all personal data relating to it and used in facilitating its business operations.

Data Processing- Any activity that involves the use of personal data and includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Data Protection Impact Assessment (DPIA)- A tool or procedure for identifying and reducing risks involved in any processing activity that will involve personal data.

Data Protection Officer- The person appointed as such under the Data Protection Act and in accordance with its requirements. A data protection officer is responsible for advising the Sacco (including employees) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with Kwetu Sacco policies.

 Data Subject- A living, identified or identifiable individual about whom the Sacco holds personal data.

Personal Data- Any information identifying a data subject or information relating to a data subject that the Sacco can identify (directly or indirectly) from that data alone or in combination with other identifiers the Sacco possesses or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behavior.

Personal Data Breach- Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data, where that breach results in a risk to the data subject.

Profiling- Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of automated processing.

Third Party- Any natural or legal person other than the data subject, Kwetu Sacco, or any implementing partner.


1.1 Purpose of this Policy

This Data Protection Policy has been developed as a guide to Kwetu Sacco Society Ltd in the management of stakeholders’ data. Kwetu Sacco obtains, uses, stores and otherwise processes personal data relating to its stakeholders such as potential and current employees, former staff, members, suppliers, visitors to Sacco premises, contractors and website users, collectively referred to in this policy as data subjects. This Policy sets out how the Sacco manages those responsibilities. In developing this Policy, the BOD intends to have this as the primary reference point for all matters pertaining to data management in the Sacco. Contents of this Policy will therefore be carefully studied and implemented, as it constitutes an integral part of the Society’s risk management processes. The Policy will be circulated to all Sacco officials and management to enable them to familiarize themselves with the provisions herein. The Sacco draws its data policy guidelines heavily from the Data Protection Act, 2019 and the Data Protection General Regulations, 2021. When processing personal data, the Sacco is obliged to fulfill individuals’ reasonable expectations of privacy by complying with the Act and related Regulations and other relevant data protection legislation. The policy document is therefore intended to ensure that the Sacco:

• Is clear about how personal data must be processed and the Sacco’s expectations for all those who process personal data on its behalf;

 • Complies with existing data protection laws and with good practice;

 • Protects its reputation by ensuring the personal data entrusted to it is processed in accordance with data subjects’ rights; 

• Protects itself from risks of personal data breaches and other breaches of data protection law.

1.2 Scope of this Policy 

This policy applies to all personal data the Sacco processes regardless of the location where that personal data is stored (e.g. on an employee’s own device, Kwetu Sacco’s servers, Sacco website, etc.) and regardless of the data subject. All staff and others processing personal data on Kwetu Sacco’s behalf must read and comply with the provisions of this Policy. Failure to comply with this policy may result in disciplinary action in line with the Sacco Human Resources Policy. The Compliance Department shall be responsible for ensuring that all staff of Kwetu Sacco comply with this policy and shall implement appropriate practices, processes, controls, and training to ensure that compliance. The Compliance Manager shall be the Data Protection Officer (DPO). The Chief Executive Officer shall be responsible for overseeing the implementation and compliance with this policy. 

1.3 Registration with the Office of the Data Commissioner

The Sacco shall register with the Office of the Data Commissioner as a data controller and processor in accordance with the Data Protection Act and Regulations thereof.


2.1 Justification for collection of personal information

The Sacco may collect and use Data Subject’s personal data:

 • If it is necessary for the Sacco’s legitimate interest and so long as its use is fair, balanced and does not unduly impact data subject’s rights.

 • With the Data Subject’s consent. For example, to send marketing emails, to take and use a data subject’s photograph, to collect relevant medical information. The data subject has rights and may withdraw consent for this at any time. 

• As required to fulfill its obligations as a registered Co-operative Society and employer. This includes sharing personal information with bodies such as SASRA, Ministry of the day responsible for co-operatives, NSSF, NHIF, Courts, Police, EACC, CRBs, among other legal/statutory bodies.

The Sacco shall only process sensitive personal data when it has the data subject’s explicit consent. In emergency circumstances, the Sacco may share the data subject’s personal data with the emergency services if it believes it is in the data subject’s ‘vital interests’ to do so.

2.2 Sources of personal information

The Sacco may collect information about a data subject from different sources, for example:

 i. Directly from data subject when they: 

• Apply for membership

 • Apply for account opening

 • Apply for sacco loan products 

• Apply for employment/internship

 • Are employed in the Sacco

• Apply as a supplier

 • Register for or at one of its events 

• Complete a survey 

• Visit sacco premises and register as guests 

• Subscribe for updates via Sacco’s mobile and electronic services

ii.


 a) From other people who think that the data subject may be interested in collaborating in the Sacco activities.

 b) From the public domain when the data subject has deliberately made the data public. 

c) From third parties such as previous or current employers to verify details about job applicants. 

d) From external sources such as publications and external reviewers or advisors.

 e) From another source when the guardian appointed has consented to the collection in cases where the data subject has an incapacity.

 f) Where collection of data from another source is necessary:

• for the prevention, detection, investigation, prosecution, and punishment of crime;

 • for the enforcement of a law which imposes a pecuniary penalty; or

 • for the protection of the interests of the data subject or another person. 

2.3 Forms of personal information collected

The Sacco shall only collect personal information that is genuinely needed for its operations. This may include:

• Contact details such as name, address, email address and phone numbers

• Biometric data such as thumb prints 

• Nationality 

• National ID and Passport information

• Date of birth 

• Gender

 • Information about race and ethnicity 

• Qualifications 

• Bank account details

 • Medical information 

• Benefits received

 • Employment details

 • Photographs and video recordings

 • Tax and residency status for statutory requirements

 • References from previous employers or educational institutions

 • Contact details for family members and next of kin

 • Details of criminal convictions 

2.4 Personal Data Protection Principles

In processing personal data, Kwetu Sacco Society Ltd shall be guided by the principles of data protection as captured in the Data Protection Act, which requires the Sacco to ensure that personal data is:

a) Processed in accordance with the right to privacy of the data subject;

 b) Processed lawfully, fairly and in a transparent manner in relation to any data subject; 

c) Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

 d) Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed; 

e) Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

f) Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;

g) Kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and

h) Not transferred outside the Sacco and the country, unless there is proof of adequate data protection safeguards or consent from the data subject.

In complying with the stated data protection principles, Kwetu Sacco will observe the following:

2.4.1 Fairness and lawfulness

When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.

2.4.2 Restriction to a specific purpose

Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

2.4.3 Transparency

The data subject must be informed of how their personal data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:

a) The identity of the Data Controller

b) The purpose of data processing

c) Third parties or categories of third parties to whom the data might be transmitted, if any.

2.4.4 Data reduction and data economy

Before processing personal data, the Sacco will determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

2.4.5 Deletion

Personal data that is no longer needed after the expiration of legal or business process related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the Sacco has evaluated the data to determine whether it must be retained for historical purposes.

2.4.6 Factual accuracy; up-to-date data

Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.

2.4.7 Confidentiality and data security

Personal data is subject to data secrecy/privacy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing, or distribution, as well as accidental loss, modification, or destruction.

2.5 Rights of the Data Subject

Every data subject has the following rights:

 a) To be informed of the use to which their personal data is to be put;

b) To access their personal data in custody of data controller or data processor;

 c) To object to the processing of all or part of their personal data. This does not apply if a legal provision requires the data to be processed; 

d) To correct false or misleading data; and 

e) To delete false or misleading data about them.

A right conferred on a data subject may be exercised:

 a) by a person who has parental authority or by a guardian if the data subject is a minor;

 b) by a person duly authorized to act as a guardian or administrator in a case where the data subject has a mental or other disability; or

 c) by a person duly authorized by the data subject. 

2.6 Data Subject Consent

A data subject may, prior to the processing of their personal data, give consent either orally or in writing. Consent may include a handwritten signature, an oral statement, or use of an electronic or other medium to signify agreement. The Sacco shall seek consent from data subjects through various means.

These include the data subjects willingly:

 i. Appending their signature of acceptance of terms and conditions of engagement on physical consent form.

ii. Ticking an opt-in box on paper or electronically.

 iii. Clicking an opt-in button or link online.

 iv. Responding to an email requesting consent. 

v. Volunteering optional information for a specific purpose. 

vi. Selecting from equally prominent Yes/No options.

In obtaining consent from a data subject, the Sacco shall ensure that the data subject:

a) has capacity to understand and communicate their consent;

b) is informed of the nature of processing in simple and clear language that is understandable; 

c) is informed whether data is being transferred to third party or implementing partners, or whether data is being collected by a third party on behalf of Kwetu Sacco. 

d) is informed of their duty to keep Kwetu Sacco informed of changes to their personal data and status.

e) is informed of the right to access their personal data, or correction or deletion of it.

 f) is informed of the procedure to lodge a complaint in case of suspected breach.

 g) is informed of the importance of providing accurate and complete information.

 h) voluntarily gives consent and that the consent is specific. 

regardless of

2.7 Confidentiality of Data Processing

Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of their legitimate duties is unauthorized. The “need to know” principle shall apply. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.

Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. The staff shall therefore sign an oath of secrecy at the time of engagement by the Sacco. This obligation shall remain in force even after employment has ended.

2.8 Data Processing Security

Personal data shall be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. This shall apply whether the data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data shall be defined and implemented. These measures shall be based on the state of the art, the risks of processing, and the need to protect the data. In particular, the responsible department or staff shall consult with the Sacco’s Compliance Manager. The technical and organizational measures for protecting personal data are part of the Sacco’s data security management and shall be improved continuously in tandem with technical developments and organizational changes.

2.9 Duration for holding personal information

The Sacco shall hold personal information for as long as is necessary and shall therefore not retain personal information if it is no longer required. In some circumstances, the Sacco may legally be required to retain data subject’s personal information, for example for finance, employment, or audit purposes.

2.10 Data Breach and Notification

Kwetu Sacco shall promptly notify the Office of the Data Commissioner within 72 hours upon becoming aware of a personal data breach involving a data subject within its records and properly record the breach. The Sacco shall also undertake to inform the data subject within reasonable time of the breach on their personal data and explain mitigating measures taken to safeguard the data and address potential adverse effects of the breach.


3.1 Organizational responsibilities 

3.1.1 Policies and Procedures

Kwetu Sacco, being the Data Controller, shall be responsible for establishing policies and procedures in order to comply with the relevant and applicable data protection laws.

3.1.2 Data Protection Impact Assessment (Privacy Assessment) 

a) The Sacco being a Data Controller shall undertake to carry out a Privacy Impact assessment to identify and minimize risks involved in projects, processes and activities involving directly or indirectly processing of personal data.

 b) The DPIA will be required for processing where there is a likelihood of high risk to individuals and their personal data and where new technologies are involved.

c) The Data Protection Officer shall undertake the privacy assessment with the assistance of the relevant department and sign off the reports.

3.2 Data Protection Officer responsibilities

The Data Protection Officer shall be responsible for:

a) Advising the Sacco and its staff of their obligations under relevant data protection laws and regulations. 

b) Monitoring compliance with this Policy and other relevant data protection laws, and monitoring training activities that relate to data protection.

c) Providing advice where requested on data protection impact assessments.

d) Having due regard to the risk associated with data processing, considering the nature, scope, context, and purposes of processing.

3.3 Staff responsibilities

Staff members who process personal data about sacco members, current and previous staff, applicants, interns, or any other individual must comply with the requirements of this policy. Staff members must ensure that:

a) All personal data is kept securely;

 b) No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party;

 c) Personal data is kept in accordance with the Sacco’s retention schedule;

 d) Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;

 e) Any data protection breaches are swiftly brought to the attention of the Data Protection Officer and the Chief Executive Officer, and that they support the team in resolving breaches;

f) Where there is uncertainty around a data protection matter, advice is sought from the Data Protection Officer or the Chief Executive Officer.

Where members of staff are responsible for supervising external service providers doing work which involves the processing of personal information, they must ensure that such external persons are aware of the Sacco’s organizational Data Protection principles.

Staff who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Officer or the Chief Executive Officer through their line managers.

3.4 Third-Party Data Processors

Where external companies are used to process personal data on behalf of the Sacco, responsibility for the security and appropriate use of that data remains with the Sacco. Where a third-party data processor is used:

a) a data processor must be chosen which provides enough guarantees about its security measures to protect the processing of personal data;

 b) reasonable steps must be taken that such security measures are in place; 

c) a written contract establishing what personal data will be processed and for what purpose must be set out; 

d) a data processing agreement must be signed by both parties.

In the event of termination of partnership, all personal data collected for or on behalf of the Sacco by the third party shall be returned to Kwetu Sacco as stipulated in the agreement except where exceptions were provided for in the signed service level agreements (SLAs) or where there are legitimate reasons to do so.

3.5 Contractors and Temporary Staff

The Sacco is responsible for the use made of personal data by anyone working on its behalf. The Sacco shall ensure that contractors and staff working on short-term engagement are appropriately vetted for the data they will be processing. In addition, managers should ensure that:

a) any personal data collected or processed in the course of work undertaken for the Sacco is kept securely and confidentially; 

b) all personal data is returned to the Sacco upon completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed, and the Sacco receives written notification in this regard from the contractor or short-term member of staff;

 c) the Sacco receives prior notification of any disclosure of personal data to any other organization or any person who is not a direct employee of the contractor; 

d) any personal data made available by the Sacco, or collected in the course of the work, is neither stored nor processed outside Kenya unless written consent to do so has been received from the Sacco;

 e) all practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly. 


4.1 All Sacco officials and staff are expected to familiarize themselves with the content of this Policy.

4.2 To enhance compliance with this Policy, the Sacco shall organize periodic sensitization forums for Sacco officials and staff members.


5.1 All officials, staff and stakeholders of the Sacco shall comply with the provisions of this Policy. Non-compliance shall constitute misconduct.

5.2 To ensure compliance, officials and staff of the Sacco shall sign an oath of confidentiality committing to treat accessed personal information securely and in confidentiality. Stakeholders’ contracts shall have a clause on confidentiality on accessed personal information. The oath shall be binding during and after exit from service of the Sacco.

5.3 Staff not complying with this Policy shall face disciplinary action in line with the Human Resource Policy.

5.4 Sacco officials not complying shall face disciplinary action in line with the Sacco Bylaws, Board Charter, Board Code of Conduct and Ethics Policy and relevant laws and regulations.

5.5 External service providers not complying with the provisions of this policy will be handled in accordance with provisions of contracts signed and the applicable laws.
