

Data Protection and Privacy

1.0 Purpose

This policy elaborates the Science for Africa Foundation’s (SFA Foundation’s) obligations to protect the personal information of all those who provide it to SFA Foundation, and to ensure that all personal data that come into the possession of SFA Foundation in the performance of its duties and responsibilities are properly collected, securely protected, confidentially managed, processed and not made accessible to any third party without following due process or getting the consent of the parties involved. This policy is a show of SFA Foundation’s commitment to respecting and protecting the privacy of data subjects in compliance with the applicable laws and obligations on data use and privacy. SFA Foundation therefore provides this policy and the statements hereto to explain how it collects, uses, retains, and protects all personal and collected data. This Policy and Statement(s) hereto should be read together with the employment contract, Terms and Conditions of Use, Contracts for and/or Service, Letters of Agreement, grant agreements and other internal policies and procedures. Where there is a conflict, this Policy will prevail. This Policy applies to all employees, interns, candidates, grantees, consultants, volunteers, and contractors.

2.0 Scope

This policy covers all personal data collected from individuals that engage with SFA Foundation directly and/or indirectly from within or outside the organization during the organisation’s operations including:

  a. Employees, interns, candidates, volunteers, casual and/or temporary employees and contractors, board members,
  b. Applicants, experts, consultants, grantees, customers, suppliers, agents, partners, dealers, members of the public undertaking any of SFA Foundation activities, all visitors frequenting any of SFA Foundation premises and those who visit SFA Foundation social media sites and pages, website, and related online platforms,

during processes defined by SFA Foundation for purposes of meeting its institutional mandate.

The types of personal data include name, contact details, photos and/or videos, Internet Protocol address, cookies, family and social circumstances, and genetic and biometric data which could be processed to uniquely identify an individual. Other types of personal data include gender, race, identity card/passport information, education and training records, ethnic identity, religion, political belief and sexual orientation, medical information, bank accounts, personal tax related information, details obtained during routine due diligence/background checks or any other data that will be classified as personal data by the Data Protection Act of Kenya and General Data Protection Guidelines and United States of America laws on data protection. (See guidelines for complete list of all personal data collected)

3.0 Definition

Data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy and the political and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights while still allowing data to be used for business purposes (See the policy for specific definitions).

4.0 Policy Statement

  1. SFA Foundation recognizes that its activities cut across different jurisdictions including Africa, Europe, and the United States of America. SFA Foundation has set up operations in Kenya, and the primary legislation governing data protection will be the Data Protection Act of Kenya and the regulations thereunder. SFA Foundation will however invoke other data protection laws in different jurisdictions depending on the nature of engagement and activities, especially with third parties outside Kenya.
  2. SFA Foundation will store personal data in line with the provisions of various laws and regulations guiding the storage of different types of data. SFA Foundation will store raw data for a minimum of seven years. Cleaned, processed, and anonymized data will be stored for as long as is necessary. Employee data will be stored for as long as is necessary in line with the existing laws.
  3. SFA Foundation shall not sell personal data or derive any financial benefit from handling personal data. With unambiguous consent, SFA Foundation may use personal information for purposes relating to the visibility of its products, services and to advance its mission and vision.
  4. Where SFA Foundation wants to use personal data for any other reason other than the initial intended purposes, SFA Foundation shall seek express consent of the data owner.

5.0 Data Protection and Privacy Undertakings

  1. SFA Foundation is committed to ensuring that all personal data it collects and processes, including that of employees, potential employees, board members, temporary staff, volunteers, suppliers, grantees, partners, contractors, consultants, and any and all third parties, is managed appropriately and in compliance with the Data Protection Act 2019 and Regulations thereunder (collectively referred to as “Data Protection legislation”).
  2. As SFA Foundation processes personal data, it is committed to ensuring that all unauthorised or unlawful processing, loss, transfer, destruction of or damage to data (personal data breaches) are swiftly identified and reported to the regulator, in this case the Office of the Data Commissioner, to the affected data subjects and, where applicable and necessary, to funding partners.
  3. SFA Foundation may deal with negligent or malicious non-compliance with these guidelines through the disciplinary process and (measures to deal with external third parties).
  4. Under the Data Protection Act 2019 and Regulations, SFA Foundation is a data controller and undertakes to uphold the data protection principle which states that organisations which process personal data must ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  5. This Policy lays out the process and personal data to be collected, together with the actions where a breach has occurred.

6.0 Use of Personal Information

SFA Foundation may use the personal information collected by it for the following purposes including:

  • To process, evaluate and review applications made on SFA Foundation website/online and other third-party platforms managed and/ or maintained by SFA Foundation and external parties’ vendors;
  • To facilitate media and digital media engagement
  • For co-creation that advances science and innovation in Africa
  • To correspond with data owners who may be applicants, experts, consultants, and partners;
  • To conduct due diligence activities which may include identity verification, anti-terrorism, anti-corruption, legal personality, detection, investigation, economic sanctions, and financial checks through publicly available and/or restricted government databases to comply with applicable regulatory requirements;
  • To provide ongoing service to applicants, experts, consultants, partners and other relevant organizations and individuals;
  • For research, statistical, survey and other scientific or business purposes;
  • To inform applicants, experts, consultants, and partners about any relevant SFA Foundation news and information, or any relevant news or information of SFA Foundation’s partners or affiliates, including future Requests for Proposals or any other related information.
  • Creating a record of a data subject on SFA Foundation’s system to verify identity, provide services/ grants applied for or from third parties' platforms that we manage and maintain;
  • Responding to any of your queries, complaints, or concerns; (See the guidelines for a comprehensive list)

7.0 Disclosure of Personal Information

SFA Foundation takes safeguarding of personal information as a priority and provides a clear and transparent outline of how it manages personal data.

Personal information will not be shared with third parties unless, in the judgement of the disclosing party, there is a lawful basis to do so.

SFA Foundation will only disclose personal data to third parties for the purpose of conducting services for and on behalf of SFA Foundation in the following instances.

  • Limited Disclosure: This necessity may arise when SFA Foundation engages third parties to carry out services as relates to SFA Foundation website, newsletters, participate in human resource processes, access SFA Foundation's collaterals (including brochures and infographics), or engage with SFA Foundation publications such as annual reports, media, and advertising, as well as various program-related activities of SFA Foundation through the grants management system such as in grant application, application reviews, due diligence, grant awards, whistleblower platforms etc.
  • Partners and Service Providers: In the ordinary course of operations, SFA Foundation may need to share personal information with science experts, trusted partners, service providers, and suppliers. This sharing may occur in instances such as when making travel and accommodation arrangements, providing insurance (medical or otherwise), payroll processing, application reviews, case studies and evaluations. These disclosures will always be made in strict compliance with Data Protection Laws, ensuring the security and confidentiality of personal data.
  • Legal Purposes: SFA Foundation must also disclose personal information when required by law. For example, if SFA Foundation is presented with a search warrant or other legal order or if personal information is requested from an investigative body in relation to a breach of the law, personal information may be disclosed. Moreover, SFA Foundation may disclose personal information to collect a debt owed by applicants to SFA Foundation.

8.0 Data Transfers/ Sharing

SFA Foundation shall in some circumstances have to share with or transfer Personal Data with Third Parties, including service providers and other statutory bodies. SFA Foundation shall require Third Parties to fully comply with this Policy and the law.

  • SFA Foundation shall ensure that no Personal Data is transferred to a country or organization unless that country or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data, unless such transfer is for compliance with its data protection in accordance with SFA Foundation’s ICT Policies, Human Resources Policy and Business Continuity Plans.
  • In the event of transfer of such personal data, SFA Foundation shall ensure that the data is encrypted and/or pseudonymised where and if appropriate to do so.
  • SFA Foundation shall in some circumstances have to share Personal Data with Third Parties, including service providers and other statutory bodies. SFA Foundation shall require Third Parties to fully comply with this Policy.
  • Without prejudice to the foregoing, from time to time, SFA Foundation may need to transfer personal data outside Kenya or share Personal Data with Third Parties, including service providers and other statutory bodies. Where SFA Foundation takes any of the above actions to transfer or share personal data, SFA Foundation shall ensure that it complies with the Law and that the third parties fully comply with the Law and this policy.

9.0 Data Protection Breaches

  • Failure to observe the Data Protection Principles within this Policy and its guidelines may result in the employee and Third Parties incurring personal liability, both civil and criminal. It may also result in disciplinary action up to and including dismissal of an employee where there are negligent or deliberate breaches of this Policy, such as accessing, transferring, and processing personal data without consent, authorisation or a legitimate reason to do so.
  • Employees must immediately report to the Chief Operating Officer any actual or suspected data protection breaches or as is outlined in the Data Protection and Privacy Guidelines.
  • Where SFA Foundation engages Third Parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
  • SFA Foundation shall not be held responsible for disclosure of Personal Data in its possession that is also held in other public or private systems.

10.0 Use Of Cookies

SFA Foundation will not use cookies to profile site users. However, cookies will be connected with site users to permit better and easier use of the site, for transmission of orders and for statistical purposes. Depending on the browser one is using, it may be possible to be prompted before accepting any cookies, or to prevent the browser from accepting any cookies at all (this will cause certain features of the web site not to be accessible).

11.0 General Data Protection Regulation (GDPR) Rights

SFA Foundation will enable these rights for all users whose personal information is held in corporate systems:

  • Right to Access: Data owners can access their personal data that SFA Foundation holds through their portal on the SFA Foundation grants management system, or any other corporate system in use. If users would like a complete report on what personal information the SFA Foundation holds, they should write to SFA Foundation through the details provided below.
  • Right to Rectification: SFA Foundation will strive to keep its records accurate. If data owners would like to modify an inaccurate and incomplete record on any of the SFA Foundation platforms, they can edit the data themselves through their respective portals or write to SFA Foundation giving instructions to that effect.
  • Right to Data Portability: If data owners would like a copy of their personal data to transfer to a new system.
  • Right to Object and Withdrawal of Consent: Data owners can object to SFA Foundation processing their data in certain circumstances.
  • Right to Restrict Use: Data Owners can request that SFA Foundation restrict the processing of their data in certain circumstances.
  • Right to Erasure: Data owners can request that SFA Foundation delete their data in some circumstances.
  • Be informed that personal data is being collected.
  • Right to Lodge Complaint: Data owners have the right to lodge a complaint with the relevant supervisory authority that is tasked with personal data protection within the Republic of Kenya, and any other related authority.

If data owners wish to exercise any of the rights set out above, they should contact SFA Foundation. SFA Foundation may need to request specific information from data owners to help it confirm their identity and ensure their right to access personal data (or to exercise any of the other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. SFA Foundation may also contact data owners to ask for further information in relation to a request to speed up its response.

SFA Foundation will try to respond to all legitimate requests within a reasonable time. Occasionally it could take longer if the request is particularly complex, or data owners have made several requests. In this case, SFA Foundation will notify the data owners and keep them updated.

12.0 Safeguarding and Protection of Information

SFA Foundation has put in place processes, guidelines, resources, controls, tools, and other adequate technical and operational measures to protect personal data from unauthorised access, accidental loss, or destruction. As far as is practical, SFA Foundation has also put in place measures to ensure adequate technical and operational measures are implemented by any persons processing personal data in delivering any service to data owners.


Contact & Review of Policy

  1. The policy & guidelines will be reviewed and updated when new information becomes available, at least every two years.
  2. A data owner’s continued use of SFA Foundation's products and services constitutes an agreement to be bound by the terms of any such review, amendment, or variation.
  3. Any amendment or modification to this policy, guidelines and statement will take effect from the date of notification on the SFA Foundation website.

For any inquiries, questions or concerns about

  1. The full Data protection and privacy policy & guidelines or
  2. How SFA Foundation collects and processes personal data or
  3. Exercising any rights in relation to personal data should be directed to [email protected] or;

Legal, Risk and Compliance Department

Science for Africa Foundation

Riverside Drive Westlands

P.O Box 50877-00100

Nairobi

Tel: +254705199199