Purpose

This policy provides a framework for safeguarding personal data handled by Ukombozi NW-DT Sacco Ltd. It ensures compliance with the Data Protection Act, 2019 (Kenya), promotes accountability, and protects the rights of members, staff, and stakeholders.

Scope

Applies to:

  • All employees, Board members, interns, consultants, contractors, and members.
  • All personal data collected, processed, stored, or shared by the Sacco.
  • All ICT systems, applications, and physical records containing personal data.

Guiding Principles

The Sacco commits to:

  • Lawfulness & Transparency – Data collected and processed lawfully, with clear communication.
  • Purpose Limitation – Data used only for legitimate Sacco operations.
  • Data Minimization – Only necessary data collected.
  • Accuracy – Records kept current and correct.
  • Storage Limitation – Data retained only as long as necessary.
  • Confidentiality & Security – Protected against unauthorized access, loss, or misuse.
  • Accountability – Demonstrable compliance with the Act.

Categories of Data Collected

  • Member registration details (ID, contacts, next of kin).
  • Financial records (deposits, loans, share capital, dividends).
  • Employment records (contracts, payroll, performance).
  • Digital interactions (Sacco app, online enquiries).
  • Regulatory compliance records (AML/CFT, SASRA reporting).

Rights of Data Subjects

Members and staff have the right to:

  • Access their personal data.
  • Request correction of inaccurate data.
  • Withdraw consent for processing.
  • Request deletion of data where applicable.
  • Be informed of breaches affecting their data.
  • Object to processing for non-essential purposes.

Data Processing and Sharing

  • Data processed only for Sacco operations (membership, loans, compliance, reporting).
  • Shared with regulators (SASRA, CBK, ODPC), auditors, banks, and insurance providers only where legally required.
  • Cross-border transfers require safeguards and ODPC approval.

Security Measures

  • Role-based access controls for sensitive data.
  • Encryption of digital records and secure backups.
  • Physical security for paper records and safe custody.
  • Regular ICT audits and penetration testing.
  • Incident response protocols for breaches.

Data Breach Management

  • Breaches reported immediately to the Data Protection Officer (DPO).
  • DPO to notify the Office of the Data Protection Commissioner (ODPC) and affected individuals within statutory timelines.
  • Corrective and preventive measures implemented promptly.

Governance & Oversight

  • Board of Directors – Policy approval and oversight.
  • Management – Implementation and monitoring.
  • Data Protection Officer (DPO) – Compliance, assessments, liaison with ODPC.
  • Staff – Adherence to policy and reporting of breaches.

Training & Awareness

  • Mandatory induction training on data protection for all new staff.
  • Annual refresher training for employees and Board members.
  • Awareness campaigns for members on their data rights.

Disciplinary Measures

  • Breaches of this policy by staff may result in disciplinary action, including warnings, suspension, or termination.
  • Contractors or third parties violating the policy may face contract termination and legal action.

Compliance & Reporting

  • Annual self-assessment using ODPC tools.
  • Regular reporting to the Board on compliance status.
  • Documentation of all data processing activities.
  • Cooperation with audits and inspections by regulators.

Review and Updates

This policy shall be reviewed annually or when there are changes in legislation, regulatory requirements, or Sacco operations. Updates must be approved by the Board and communicated to all staff and members.

Click to Download Privacy Policy