Purpose of this Policy
Kenya Markets Trust (KMT) is a Kenyan non-governmental organisation that works in partnership with the private sector; county & national governments; associations; local and internationals partners to unleash large scale, sustainable market growth by changing the underlying incentives, capacities and rules that shape how market systems work.
As an organisation, KMT takes its responsibility regarding the management of our stakeholders’ data very seriously. This policy sets out how the organisation manages those responsibilities.
Kenya Markets Trust obtains, uses, stores and otherwise processes personal data relating to its stakeholders such as potential and current employees, former staff, current and former workers, contractors, website users and contacts, collectively referred to in this policy as data subjects.
As an organisation that was founded, and continues to carry out its obligations with and through UK funding, we heavily draw our data policy guidelines from the General Data Protection and Regulations (GDPR) which came into force in 2018. When processing personal data, KMT is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the GDPR, Kenyan data protection laws and other relevant data protection legislation.
This policy therefore seeks to ensure that we:
- are clear about how personal data must be processed and KMT’s expectations for all those who process personal data on its behalf;
- comply with existing data protection laws and with good practice;
- protect KMT’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights
- protect KMT from risks of personal data breaches and other breaches of data protection law
Definition of Key Terms
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. Kenya Markets Trust is the Data Controller of all personal data relating to it and used in facilitating market systems development, conducting research and all other purposes connected with its business purposes.
Data Processing: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Data Protection Officer (DPO): the person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising the organisation (including its employees) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with KMT’s polices, and providing advice.
Data Subject: a living, identified or identifiable individual about whom we hold personal data.
Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Scope of this Policy
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device, KMT servers, KMT website, etc.) and regardless of the data subject. All staff and others processing personal data on KMT’s behalf must read it. A failure to comply with this policy may result in disciplinary action.
The KMT IT Department is responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
KMT Chief Executive Officer is responsible for overseeing this policy.
The KMT IT Officer is the Data Protection Officer (DPO) and can be reached at email@example.com.
Why do we process personal information?
We may collect and use your personal data if it is necessary for our legitimate interest and so long as its use is fair, balanced and does not unduly impact your rights. For example, to process an employment application, for use in research, etc.
We may collect and use your personal information with your consent. For example, to send you marketing emails, to take and use your photograph, to collect relevant medical information. You can withdraw consent for this at any time.
We may also collect and use personal information as required to fulfil our legal obligations as a registered charity and employer.
Usually we will only process sensitive personal data if we have your explicit consent. In extreme situations, we may share your personal details with the emergency services if we believe it is in your ‘vital interests’ to do so. For example, if someone is taken ill during one of our events.
How do we collect personal information?
We collect and use personal information about:
- Funding partners
- Implementing partners and agencies
- Market actors
- Beneficiaries of our work
- Individuals from organisations we work with
- Board of Directors
- Job applicants
- Service providers
- Website visitors, among others
We may collect information about you from different sources, for example:
- From you directly when you:
- Apply for a consultancy from us
- Receive a grant from us
- Register for or at one of events
- Participate in a campaign
- Complete a survey
- Apply to work or volunteer with us
- Subscribe for updates via our website
- From other people who think that you may be interested in collaborating in our work
- From the public domain when we think that our interests may overlap
- From you when you make an application to work for us, or from third parties such as your previous or current employers so we can verify details about you
- From external sources such as publications and works, patents and clinical trials, external reviewers or advisors
- From CVs provided to us in our applications
What personal information do we use?
We only collect personal information that we genuinely need. This may include:
- Contact details such as name address, email address and phone numbers
- Date of birth
- Dietary requirements (where this may be required for catering purposes)
- Bank account details
- National ID and Passport information
- Medical information
- Benefits received
- Employment details
- Photographs and video recordings
- Tax and residency status for statutory requirements
We may also collect:
- your bank account details, tax and residency status
- references from previous employers or educational institutions
- contact details for your family members and next of kin
- information concerning your health and medical conditions
- information about your race, ethnicity and sexual orientation
- details of criminal convictions
- benefits received
Personal Data Protection Principles
When you process personal data, you should be guided by the following principles, which are set out in the GDPR and Kenya’s Data Protection Bill 2018. KMT is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
- Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
- Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
- The identity of the Data Controller
- The purpose of data processing
- Third parties or categories of third parties to whom the data might be transmitted, if any
- Data reduction and data economy
Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
- Factual accuracy; up-to-date data
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
- Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction.
Rights of the Data Subject
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.
- The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
- If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
- If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
- The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
- Organisational responsibilities
As the Data Controller, KMT is responsible for establishing policies and procedures in order to comply with the relevant and applicable data protection law(s).
- Data Protection Officer responsibilities
The DPO is responsible for:
- advising KMT and its staff of its obligations under relevant data protection laws and regulations
- monitoring compliance with this policy and other relevant data protection law, KMT’s policies with respect to this, and monitoring training and audit activities that relate to data protection compliance
- to provide advice where requested on data protection impact assessments
- the data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing
- Staff responsibilities
Staff members who process personal data about current and previous staff, applicants, interns, volunteers, or any other individual must comply with the requirements of this policy. Staff members must ensure that:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- personal data is kept in accordance with the KMT’s retention schedule;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer
- any data protection breaches are swiftly brought to the attention of the Human Resource and Administration team and the Data Protection Officer, and that they support the team in resolving breaches;
- where there is uncertainty around a data protection matter advice is sought from the Information Compliance team and the Data Protection Officer.
Where members of staff are responsible for supervising external consultants doing work which involves the processing of personal information (for example in research projects), they must ensure that they are aware of the organizational Data Protection principles.
Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Human Resources and Administration team or the Data Protection Officer.
- Third-Party Data Processors
Where external companies are used to process personal data on behalf of the organisation, responsibility for the security and appropriate use of that data remains with KMT.
Where a third-party data processor is used:
- a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
- reasonable steps must be taken that such security measures are in place;
- a written contract establishing what personal data will be processed and for what purpose must be set out;
- a data processing agreement, must be signed by both parties.
For further guidance about the use of third-party data processors please contact the Human Resources and Administration team.
- Contractors, Short-Term and Voluntary Staff
KMT is responsible for the use made of personal data by anyone working on its behalf. Anyone who employ contractors, short term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:
- any personal data collected or processed in the course of work undertaken for KMT is kept securely and confidentially;
- all personal data is returned to KMT upon completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and KMT receives written notification in this regard from the contractor or short-term/ voluntary member of staff;
- KMT receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor;
- any personal data made available by KMT, or collected in the course of the work, is neither stored nor processed outside Kenya unless written consent to do so has been received from the organisation;
- all practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.
How we use personal information
We will only use your personal information for the purpose which it was provided to us for and in ways that you would reasonably expect.
Partnership agreements with organisations and individuals
We collect and use personal information from organisations and individuals who:
- Are interested in applying for a partnership opportunity with us
- Apply for a partnership opportunity
- Enter into a partnership agreement with us
We process this personal information to pursue our legitimate interests (and your interests as an applicant) and fulfil our strategic aims.
The prime use of the personal information is to conduct research, and to process and manage partnership opportunities between us. We also use it for monitoring, evaluation and reporting purposes so that we can consider important factors such as trends in funding areas, the impact and reach of our funding, and the demographic make-up of funding areas.
When legally obliged, we may share our partners’ personal information with relevant statutory bodies as required.
We may need to share it with external reviewers and advisors (e.g. funding partners, program monitors, evaluation specialists) to review, monitor or evaluate these partnership opportunities.
We may need to share your contact details with suppliers.
Raising awareness of our work
We will collect personal information from our existing partners and the public domain to research and identify potential new funders and partners. Our legal basis for using your personal information in this way is legitimate interest.
We will use the contact details of new and existing supporters to inform you about our work. We will send you relevant information by email. Our legal basis for using your personal information in this way is legitimate interest. You can opt out or unsubscribe from receiving these communications at any time.
If you opt in to our mailing list we will use the information that you provide to email you information about our work, events, campaigns and other items of interest. You can opt out or unsubscribe from receiving this information at any time if you wish. Our legal basis for using your personal information in this way is your consent.
We only use your personal information in case studies when you have consented for us to do so. We will make it clear to you how we might use your information and who we may share it with; again, we will only do so with your permission. Our legal basis for using your personal information in case studies is your consent.
Photographs and recordings
We use photographs and recordings to promote KMT and the work that we do. These can be used in the form of reports, news stories on our website, documentation of impact stories, information in our annual reports, on our website, and other such materials that seek to explain or promote our work.
We take photographs and recordings of people who agree to be the subject during our documentation endeavours. We always obtain permission from the individual or group to take and use their image(s) and explain how we intend to use it. Our legal basis for using personal information for this purpose is consent.
Research and Surveys
If you choose to take part in one of our research projects or surveys, we will use the personal information that you provide to process the results of the survey and undertake relevant analysis. We will not share the personal information that you provide in a survey with any other organisations, unless consent is first sought for this. Survey results will be anonymised before being shared or published. Our legal basis for using the personal information that you choose to provide to us in a survey is legitimate interest and consent.
We will use the personal information you provide, including passport and medical information, when making travel arrangements for employees, board members, consultants, civil servants and any other relevant personnel. We may share some of this information with our insurance company and travel agents. Our legal basis for processing this personal information is legitimate interest. We will obtain your consent when collecting and using information relating to your health.
Employee, interns and volunteer recruitment
If you provide us with information about yourself, such as a resume or curriculum vitae, in connection with a job or volunteer application or enquiry, we may use this information to process your enquiry. We will not store this information for any purpose other than that relating to your application. Our legal basis for using your information in this way is for our legitimate interest.
Employee administration and payroll
We will process personal information of our employees to fulfil our contract with them. This includes payroll processing and the provision of training. We are required by law to share some financial information with the Kenya Revenue Authority (KRA), National Social Security Fund (NSSF), National Hospital Insurance Fund (NHIF), National Industrial Training Authority (NITA), and other public and statutory bodies. We may also need to share some personal information with other organisations, for example insurance providers, and pension providers. We process employee personal information to fulfil our contracts with our employees and meet our legal obligations as an employer. This should be done in strict confidentiality at all times.
Processing expenses and honoraria
If you claim expenses from KMT or if we are required to pay you an honorarium, we will use your personal information, including your bank account details to process your claim. Our legal basis for using your information for this is legitimate interest.
We process relevant personal information about existing and potential board of directors, committee members and directors for governance purposes.
We may undertake necessary checks to identify any criminal and other activity we need to be aware of. We will do this with your consent.
We will share some personal information with the relevant regulatory authorities to meet our legal obligations, both within and outside the country.
Health and safety
We are legally obliged to collect personal information of employees, volunteers, and interns, for health and safety purposes. We may be required to share some of this information with our insurance provider.
Volunteers and Interns
We will process your personal information if you choose to volunteer or undertake an internship opportunity with us. We will keep a record of your contact details, experience and qualifications. Our legal basis for using your information in this way is for our legitimate interest. It may also be necessary to run necessary checks to identify any activities we need to be aware of; we will seek your consent before doing so.
We will use the personal information of Researchers to commission research. Our legal basis for using your personal information in this way is for the performance of a contract.
We will use the personal information of consultant to provide various services to KMT. Our legal basis for using your personal information in this way is for the performance of a contract.
We will use the personal information of suppliers’ contacts to pay and communicate with them. Our legal basis for using your personal information in this way is for the performance of a contract.
Complaints and general inquiries
If a complaint is raised with us, we will process the personal information that is provided to us to manage and resolve the complaint. Our legal basis for using personal information for this purpose is legitimate interest.
Cookies and aggregate information
The legal basis for this processing is our legitimate interests, monitoring and improving our website and services. Please see our cookie statement for more information.
Sharing personal information
We will not sell or exchange your personal information.
We will only share your personal information where we are required to fulfill our contract with you, or legitimate interest, where we have your consent, or we are required to do so by law.
We may share your personal information with third party organisations who will process it on our behalf, for example a mailing house, our website administrator or printers. Everything an external service provider does is strictly governed by a contract. In addition, before we share any information with those service providers, we will put in place a signed data processing agreement which confirms that the personal information we provide will only be used for the purposes we specify and will be processed in line with data protection legislation.
- We may share some personal information in relation to partnership applications with: Auditors and reviewers
- Funding partners e.g. the UK’s Department for International Development and Gatsby Trust
- Partners and third parties such as universities and research institutes and for the purposes of monitoring, evaluation, research and learning
We may also share your information with our bank to process a payment; our professional advisers (such as our legal advisers) where it is necessary to obtain their advice; our pension provider; our insurance provider; and our IT support and data storage providers.
Where required, we will process personal information to comply with our legal obligations. In this respect we may use your personal data to comply with subject access requests; tax legislation; for the prevention and detection of crime; and to assist the police and other competent authorities with investigations including criminal and safeguarding investigations.
Confidentiality of Data Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Data Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).
In particular, the responsible department or staff can consult with KMT’s Information Technology Officer and data protection coordinator. The technical and organisational measures for protecting personal data are part of our data security management and must be adjusted continuously to the technical developments and organisational changes.
For how long do we keep your personal information?
We will hold your personal information for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information, for example for finance, employment or audit purposes.
Changes to this policy