Introduction
Definitions
1. The following terms are defined under section 2 of the Data Protection Act.
c. Data Controller is a natural or legal person, public authority, agency or other body
which determines the purpose and means of processing of personal data;
d. Data Processor is a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the data controller;
e. Data Subject is an identifiable natural person who is the subject of personal data.
v. alignment or combination, restriction, erasure or destruction.
2. A Data Subject (person who gives data to KEFRI) has the following rights:
3. KEFRI requires the consent of the Data Subject to collect data, which may be revoked at the
person’s request. Thereafter, KEFRI will be required to erase or destroy the data, except in
the following circumstances:
a. Of their rights,
b. Reasons for collection of data,
c. Security measures taken to protect the data;
d. Consequences if the data subject fails to provide sufficient information;
e. Description of security measures; and
f. Whether 3rd parties shall have access to the data.
5. The Data Subject has the absolute right to object to the processing of data if it is
intended for marketing purposes.
6. Register as a Data Handler with the Office of the Data Protection Commissioner.
7. Rectify data upon the data subject’s request if it is untrue, inaccurate, outdated, incomplete
or misleading.
8. Establish a personal data retention schedule with appropriate time limits for the periodic
review of the need for continued storage.
9. Conduct audits of the retained data to ensure the data is up to date and still has a purpose.
If the purpose of retaining the data has lapsed, it shall be erased or destroyed.
10. Develop, publish and regularly update a Data Privacy Policy reflecting its personal data
handling practices.
11. Design technical and organizational measures to safeguard and implement the data
protection principles.
12. Conduct a Data Protection Impact Assessment and submit a report to the Data
Commissioner. (A sample of the DPIA form is provided in the Schedule below.)
13. A Data Protection Officer (DPO) is a natural or legal person appointed by KEFRI to assist
with compliance with the provisions outlined under the Data Protection Act.
a. Advise KEFRI and its employees on data processing requirements provided under the
Act or any other written law;
b. Ensure on behalf of KEFRI that this Act is complied with;
c. Facilitate capacity building of staff involved in data processing operations;
d. Provide advice on data protection impact assessment; and
e. Co-operate with the Data Commissioner and any other authority on matters relating to
data protection.
15. The DPO may be a staff member of KEFRI and may fulfil other tasks and duties provided
that any such tasks and duties do not result in a conflict of interest.
16. Several public bodies may appoint a single DPO, taking into account their organizational
structures.
17. KEFRI shall publish the contact details of the DPO on the website and communicate them to
the Data Commissioner who shall ensure that the same information is available on the
official website.
Conclusion
KEFRI is tasked with processing the data of various stakeholders to achieve its mandate. Various
departments within KEFRI must be involved to ensure that all data is accurately captured and
processed.
The priority is to ensure the Institute is registered with the Office of the Data Protection
Commissioner. Thereafter, the Institute should appoint a Data Protection Officer. The DPO may
be a member of staff who is academically qualified and trained in matters of data protection,
or a person hired for the specific duty.
I undertake to review the KEFRI Data Privacy Policy to ensure it is updated and propose any
amendments, if necessary.
Best regards,
Mitch Ojwang
Legal Officer- KEFRI
SCHEDULE
DPIAs can be regarded as an early warning system enabling all actors to systematically address
potential deficiencies in a process that leads to the violation of fundamental rights and freedoms
protected under articles 31(c) and 31(d) of the Constitution of Kenya 2010.
KEFRI is expected to conduct DPIAs when there exist ‘high risks’ to the data subjects’ rights.
High risk arises during the processing of Sensitive Personal Data, which requires higher
protection under law, and if the high intensity of interference of data processing can lead to
serious consequences for the data subjects and there are no effective safeguards or methods of
intervention for data subjects.
Postal Address:......................................................................................................................
Telephone Number:...............................................................................................................
1. Project Name
(Assess whether there is need for DPIA by determining if project involves personal data
that is likely to result in high risk, specify risk where appropriate)
3. Project Outline:
(Explain broadly what the project aims to achieve and what type of processing it involves
4. Personal data
5. Describe the Information Flow.
(Describe the collection, use and deletion of personal data here, including; where you are
getting the data from; how is the data being collected; where the data will be stored; how
long will the data be stored; where data could be transferred to; and, how many
individuals are likely to be affected by the project)
6. Describe how the data processing flow complies with the data protection principles
Part 3: The measures envisaged for addressing the risks and the safeguards, security
measures and mechanisms to ensure the protection of personal data and to demonstrate
compliance with the Data Protection Act
Risk Assessment - Identifying Privacy Risks and Evaluating Privacy Solutions
| Risk Identity and Description | Consequence | Risk Owner | Current internal CONTROLS (provide details of how you will manage the risk) | Assessment of Risk: Impact (1,2,3,4,5) | Assessment of Risk: Likelihood (1,2,3,4,5) | Assessment of Risk: Score (impact + likelihood) | Describe what further ACTIONS you will take to reduce the Impact/Likelihood and mitigate the risk. State who is the risk owner for each action |
|---|---|---|---|---|---|---|---|