Last Updated and Effective Date: June 24th 2022
1. Introduction
This internal data protection and privacy policy (Policy) sets out our commitment to ensuring that Blue Consulting Kenya Limited processes personal data in compliance with the Kenya Data Protection Act, 2019. Blue Consulting Kenya Limited processes a significant amount of personal data, and we must ensure that our responsibilities in relation to this personal data are discharged in accordance with our legal and regulatory obligations.
2. Scope of this policy
This policy applies to all personal data processed by Blue Consulting Kenya Limited and is part of Blue Consulting's overall program and approach to compliance with data protection laws and regulations. It applies to all personal data processed by or on behalf of Blue Consulting, including where Blue Consulting outsources the management or processing of personal data to third parties. All Blue Consulting Personnel (which for the purpose of this policy includes all Blue Consulting partners, employees, contractors and associates working for or on behalf of Blue Consulting) are expected to understand their responsibilities under this policy.
3. Policy owner
This policy (together with all related policies) is an internal document and cannot be shared externally with third parties, clients, or regulators without prior authorization from the data protection officer (DPO)/Privacy compliance officer.
4. Data Protection Laws
This policy reflects the requirements of the data protection laws: the Kenya Data Protection Act, 2019 and the Kenya Data Protection Regulations. The Kenya Data Protection Act took effect on 25th November 2019 and guidance is still being issued. This policy may be amended in response to further guidance as it becomes available. The data protection laws relate to any information from which an individual can be identified (directly or indirectly), either on its own or together with other information. The Kenya Data Protection Act provides that the level of potential fines for non-compliance depends on the nature of the breach. The maximum administrative fine that the Data Commissioner can impose under the Act is up to Kshs 5,000,000/- or 1% of an undertaking's annual turnover of the preceding financial year, whichever is lower.
5. Related Policies
This policy is being implemented in conjunction with (and relies on compliance with) the following Blue Consulting policies (Related Policies), all of which include additional requirements relating to the processing, transfer, storage, and disposal of personal data:
- Blue Consulting information security policy
- Blue Consulting data retention and erasure policy
- Blue Consulting data classification policy
- Blue Consulting Privacy notice
- Blue Consulting incident reporting policy
- Blue Consulting acceptable use policy
- Blue Consulting remote working policy
- Blue Consulting data subject access policy
- Blue Consulting mobile device policy
- Blue Consulting access control policy
6. Blue Consulting Kenya Limited requirements for handling personal data
In our role as an employer and services provider, Blue Consulting Kenya Limited takes data protection very seriously, whether that personal data relates to our clients, suppliers, contractors, business associates, or current, past, or prospective Blue Consulting Kenya Limited personnel. In all cases, we expect Blue Consulting Kenya Limited personnel and all third parties processing personal data for us or on our behalf to comply with the following data protection principles:
1. Lawfulness, fairness, and transparency – Personal data must be processed lawfully, fairly, and transparently. We will provide individuals with clear and relevant information about how we process their data in order to ensure that the processing meets the requirements of the Data Protection Act. The Data Protection Act allows the processing of personal data only for specified purposes, to ensure it is processed fairly and does not adversely affect the individual. Blue Consulting Kenya Limited must only process personal data when it is necessary and meets at least one of these six lawful bases for processing:
- Consent – Where the individual has consented to their data being processed. Any processing must be strictly within the purposes for which the consent was given. Explicit consent is required in most cases when processing Sensitive Personal Data.
- Contract – Where the processing is necessary for the performance of a contract with the individual. This includes the performance of contracts to which the individual is a party, or taking steps at the request of the individual prior to entering into a contract.
- Legal Obligation – Where the processing is necessary to comply with a legal obligation to which we are subject.
- Vital Interests – Where the processing is necessary to protect the vital interests of the individual or of another natural person.
- Public Interests – Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (the public interest must be substantial when we are processing Sensitive Personal Data).
- Legitimate Interests – Where the processing is necessary for our (or a third party's) legitimate interests, provided those interests do not override the interests and fundamental rights of the individual.
2. Purpose Limitation – We will only collect Personal Data for specified, explicit, and legitimate purposes. We will not process Personal Data in a manner that is incompatible with the originally stated purposes.
3. Accuracy – We will ensure the personal data we process is accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure Personal Data is accurate, having regard to the purposes for which it is processed.
4. Security and confidentiality – We will take reasonable precautions to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access. These precautions include the technical, physical, and organizational security measures documented in the Related Policies.
5. Individual rights (information, access, rectification, deletion, and objection) – Individuals have rights when it comes to our handling of their data. Those rights include:
- The right to withdraw their consent at any time
- The right to access the data that we process
- The right to object to our processing of their personal data for direct marketing purposes
- The right to request that we erase their personal data if it is no longer necessary for the purposes for which it was collected
- The right to rectify inaccurate or incomplete Personal Data
- The right to challenge our processing of their personal data where we are exercising our legitimate interests
Where Blue Consulting Kenya Limited is the Data Controller (determining the purposes and means of processing the personal data), we will ensure that we comply with the following requirements:
- Information – We will ensure individuals are informed about our privacy notice and their rights in relation to their personal data at the point of collection, in easily accessible notices. This includes data collected on paper or via mobile app downloads, website registration forms, surveys, and telephone and email marketing campaigns.
- Request forms – We will provide reasonable and accessible means for individuals to submit requests, through an online link to our data subject access request (DSAR) form on our website or by emailing us, as appropriate. Blue Consulting Kenya Limited personnel must be able to quickly recognise a DSAR, which does not have to take any specific form and can be submitted by any method.
- Safeguards – We will confirm the identity of any individual submitting a DSAR before providing a response, so that personal data is not disclosed to someone impersonating the data subject.
- Response – Within 30 days of validating the identity of the individual submitting a DSAR, we will provide the requested information or give legitimate reasons for not complying with the request. In certain limited circumstances we may need to extend our response time by up to 60 days.
6. Sensitive Personal Data – When Blue Consulting Kenya Limited processes Sensitive Personal Data, we will take additional measures, including applying the highly confidential classification and the corresponding safeguards in accordance with the Related Policies.
7. Personal Data used for marketing purposes – Our marketing activities will comply with the Data Protection Act. The following direct marketing obligations will apply:
- ePrivacy – At the time we collect an individual's personal data for current or future direct marketing purposes using electronic communications (fax, text, recorded telephone messages, and email), we will obtain an affirmative indication of agreement (opt-in) from that individual to receive further marketing communications from us. A pre-checked opt-in box (which requires the individual to opt out) does not constitute valid consent and is non-compliant.
- All invitations for consent (opt-in) will be written and easy to find at the point of collection. It will be made clear at the point of collection that consent can be withdrawn at any time, as well as the effects of withdrawal (including options for opting back in).
- We will ensure we can demonstrate (i) when the individual consented to the processing (including the purposes and rights described at the time of collection); (ii) that consent was freely given (i.e. that the performance of a contract or services was not conditioned on the consent being given); and (iii) when the consent was withdrawn (where applicable).
8. Automated Processing – Where we process personal data on a purely automated basis, individuals have the right to object at any time to our processing of the personal data concerning them if it produces legal effects concerning them or similarly significantly affects them. We will handle such objections through the DSAR procedures outlined above.
9. Data minimization and storage limitation – Personal data will be adequate, relevant, and limited to what is necessary in connection with the purposes for which it is processed. Personal data will be maintained in a form identifying, or rendering identifiable, the individual only for so long as it serves the purposes for which it was initially collected or subsequently authorized, except to the extent permitted or required by applicable law.
10. Information transfer and compliance – We may transfer personal data to, and store it with, Blue Consulting Kenya Limited partners and/or third parties acting on our behalf outside Kenya for legitimate business activities, in accordance with data protection laws and professional standards.
- Assurances – We will not transfer personal data to another country or to an organization outside Kenya unless we are satisfied that the personal data is adequately protected in accordance with data protection laws, this policy, and our Related Policies. Blue Consulting Kenya Limited personnel will ensure that any such transfer of personal data is governed by written agreements with the third parties that impose obligations reflecting the requirements of the data protection laws and this policy.
- Inter-partner transfers – Transfers of personal data to other Blue Consulting Kenya Limited partners are subject to contractual terms that ensure the protection of the personal data being transferred in accordance with data protection laws.
11. Privacy by design and default, pseudonymisation and anonymisation – We are required to implement privacy by design and privacy by default by ensuring we have appropriate technical and organizational measures (such as anonymisation and pseudonymisation) in place from the outset to ensure compliance with the Data Protection Act.
- Privacy by design promotes the identification and mitigation of privacy risks at the time a Blue Consulting Kenya Limited product or service is designed, so that privacy and compliance with the data protection laws are applied at the earliest stages of a project involving Personal Data and data protection issues are identified and addressed.
- Privacy by default ensures that, by default, Personal Data is safeguarded to the greatest extent possible. Blue Consulting Kenya Limited will ensure that it processes only such data as is necessary for the specific purposes of the processing, for the shortest period of time possible, and with the most appropriate access controls in place.
- Pseudonymisation and anonymisation of personal data – The data protection laws apply to information from which an individual can be identified. Pseudonymisation separates the identifying elements of personal data so that the data cannot be linked back to an individual without additional information, which must be kept separately and protected; pseudonymised data therefore remains Personal Data. Anonymisation removes identifying elements so that the individual can no longer be identified by any reasonably likely means; only properly anonymised data falls outside the data protection laws.
- These processes require technical and organizational measures to mitigate the risks of reversal and re-identification, and further guidance regarding the proper application of these techniques will follow.
Privacy by design and privacy by default reviews will be undertaken and documented through privacy impact assessment, and will follow the mandatory processes set out below, all of which will be documented:
- Privacy Threshold Analysis (PTA) – Questions regarding the processing of personal data will form part of the process for approving a new supplier, process, system, or service. Where personal data is being processed, a privacy impact assessment (PIA) must be completed.
- Privacy Impact Assessment (PIA) – The PIA will evaluate how personal data will be collected and processed, whether adequate safeguarding measures are in place, and how and when individuals will be informed. Identified privacy risks will be evaluated and consideration given to how those risks can be mitigated in compliance with data protection laws. Where high residual risks remain, a data protection impact assessment (DPIA) will be necessary.
- Legitimate Interests Assessment (LIA) – This is necessary where personal data is being processed under the legitimate interests legal basis. The LIA will be carried out and the decisions documented to evidence the balancing of our legitimate interests against the rights and freedoms of the individual and to ensure that the former do not override the latter.
- Data Protection Impact Assessment (DPIA) – When a PIA triggers the need for a DPIA, the DPO and team will determine what additional steps are necessary to mitigate the privacy risks identified, including reframing or abandoning the project. A record will be kept of all DPIAs, which will be reviewed and updated with the process or business owners.
7. Records of Processing Activities
We have created and will maintain a register of all personal data processing activities in accordance with our record-keeping obligations under the data protection laws. The tool used to record our processing activities (whether automated or manual) will be maintained by the DPO and team. The completeness and accuracy of the information recorded in the register of processing activities will be the responsibility of the process owners within each business function, capability, and coverage group.
Relevant sections of the register must be available to the Office of the Data Protection Commissioner (ODPC) upon request.
8. Blue Consulting Kenya Limited as Data Controller
Data controller – Blue Consulting Kenya Limited will act as a data controller in relation to all employee personal data and customer engagements.
9. Compliance
Compliance with this Policy is mandatory. Failure to comply will not only put Blue Consulting Kenya Ltd's data protection compliance at risk but could also have disciplinary consequences for any partners or employees found to be in breach, including adverse risk metrics and/or investigation and disciplinary action, up to and including dismissal. In addition, breaches of the data protection laws can give rise to criminal and/or civil liability for the individuals concerned.
10. Training and Awareness
Blue Consulting Kenya Limited will provide mandatory annual data protection training and periodic privacy awareness communications to personnel and contractors. Records of training attendance will be maintained and monitored. Non-completion of this mandatory training is a breach of this policy. All Blue Consulting Kenya Limited personnel are expected to regularly review the systems and processes under their control to ensure their ongoing compliance with this policy.
11. Data Protection Governance and Data Protection Officer (DPO)
Data Protection Governance – Blue Consulting Kenya Limited will establish a formal governance framework to ensure that our processing of personal data safeguards the rights of Data Subjects and complies with the data protection laws.
Data Protection Officer (DPO) – The DPO owns this policy on behalf of Blue Consulting Kenya Ltd. Please contact us with any questions about this Policy at blueconsulting@cybertembo.com.
The DPO will be responsible for the following:
- Informing and advising Blue Consulting Kenya Limited personnel of their obligations under the Data Protection Act.
- Providing appropriate data protection training to all Blue Consulting Kenya Limited partners and employees on the data protection laws and their obligations under this policy, and ensuring a record of training attendance is retained.
- Providing advice on Data Protection Impact Assessments and monitoring their performance.
- Cooperating with the Office of the Data Protection Commissioner (ODPC).
- Acting as the contact point for the ODPC on issues relating to the processing of Personal Data by Blue Consulting Kenya Limited, and consulting with the ODPC on any other matter where appropriate.
- Keeping the risks associated with the processing of Personal Data by Blue Consulting Kenya Limited under review, having regard to the nature, scope, context, and purposes of its processing activities.
- Conducting regular audits and compliance reviews to assess compliance with the data protection laws and this policy, along with the Related Policies where they relate to the processing of personal data.
12. Changes to this policy
This policy will be reviewed and updated at least annually to ensure continuous improvement in our compliance with data protection laws and relevant guidance. It is the responsibility of all Blue Consulting Kenya Limited personnel to read and understand the current version of this policy.
This Policy is dated 14/6/2022 and will be reviewed by the DPO within the next 12 months.
13. Version History
Date – 14/6/2022
Document Owner – Blue Consulting Kenya Limited, Data Protection Officer
This policy reflects the data protection laws and Related Policies that apply to Blue Consulting Kenya Limited.
14. Definitions
Consent means the means by which a Data Subject signifies their agreement to the processing of Personal Data relating to them. Consent must be freely given, specific, informed, and an unambiguous indication of the Data Subject's wishes, and must be expressed by a statement or a clear positive action.
Data Controller under the DPA means the natural or legal person, public authority, agency, or other body that, alone or together with others, determines the purposes and means of the processing of personal data.
Data Processor under the DPA means the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
Data Subject means an identified or identifiable natural person. A Data Subject is not a company or other legal person.
Personal Data means any information from which, alone or together with other information, an individual can be identified. Personal Data can be factual, such as names, identification numbers, location information, and online identifiers such as IP addresses or cookies. Personal Data can also be an opinion about an individual's actions or behaviour, or relate to one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of an individual. Personal Data includes Sensitive Personal Data.
Processing or Process means any activity, operation, or set of operations that is performed on Personal Data, including collecting, holding, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, dissemination, or otherwise making available, aligning, combining, restricting, erasing, or destroying.
Sensitive Personal Data means Personal Data that relates to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation, as well as criminal offences or convictions. The statutory definition in the Kenya Data Protection Act also covers an individual's property details, marital status, and family details (including the names of the person's children, parents, spouse or spouses), and such data is treated as Sensitive Personal Data for the purposes of this policy.