Data Management at the BIEA
The BIEA is a registered charity in the UK and is therefore governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (https://www.gov.uk/government/collections/data-protection-act-2018), which state, among other things, that personal data shall be:
- “Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
As a registered NGO in Kenya, BIEA Kenya also follows the Kenya Data Protection Act, 2019 (see below).
Introduction:
The British Institute in Eastern Africa (BIEA) is a research-focused institution that gathers and uses personal data on a day-to-day basis.
Data subjects include customers, suppliers, business contacts, researchers, employees and other persons the organization has a relationship with or may need to contact.
This policy describes how personal data is to be collected, handled and stored to meet BIEA’s data protection standards and to comply with UK and Kenyan data protection law.
This policy sets expectations, obligations and acceptable user practices when creating, consuming, managing or deleting BIEA information.
Information is a key asset that must be managed, maintained and protected to ensure its accessibility, reliability and timeliness to support BIEA business functions.
Purpose of this Policy:
This data management policy ensures that BIEA and its employees:
• Comply with data protection law and follow good practice
• Protect the rights of customers, staff and partners
• Are transparent about how BIEA stores and processes individuals’ data
• Protect BIEA from the risks of a data breach
Data protection law:
Data protection law governs the processing and use of personal data. The following are key principles for personal data processing:
• An individual’s data should be collected only with their consent, or on another lawful basis (see the BIEA data protection protocol below). Consent may be given orally or in writing, and may include a handwritten signature, an oral statement, or the use of an electronic or other medium to signify agreement.
• Personal data should be processed lawfully, fairly and in a transparent manner in accordance with the right to privacy of the data subject.
• Personal data should be collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Personal data should be collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
• Personal data should be accurate and where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
• Personal data should not be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
• Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.
For further details see the following Data Protection Law link: http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf
BIEA Data Management Principles:
1. To enable BIEA to efficiently and effectively manage and safeguard its data, it must be managed as a strategic asset through clear processes, procedures, standards and guidelines.
2. Institutional data is the property of BIEA; no single person or business group/unit “owns” the data, and everyone is responsible for managing it effectively.
3. Every data source must have a defined data custodian and steward, who act in a business leadership role and a subject matter expert role.
4. Data should only be collected, and made readily available for use, for specific and documented purposes, in a simple, user-centric approach that enables the value of the data to be realised.
5. Data capture, validation and processing should be automated, wherever possible.
6. Unnecessary duplication of BIEA data is to be avoided.
7. Data is managed through approved, managed structures and models that provide context and a best practice approach that enables active data lifecycle management.
8. Data must be protected from unauthorised access and modification.
Roles and responsibilities:
Everyone at British Institute in Eastern Africa contributes to compliance with data protection law as outlined above. Key decision makers must understand the requirements and accountability of the organization sufficiently to prioritize and support the implementation of compliance. The Data Protection Officer, with the help of management, must ensure data management responsibilities are shared by all staff (as also outlined in the staff handbook: Data Protection Protocol, see below). These responsibilities include (but are not necessarily limited to):
• Keeping senior management updated about data protection issues, risks and responsibilities.
• Documenting, maintaining and developing the organization’s data protection policy and related procedures, in line with agreed schedule.
• Embedding ongoing privacy measures into corporate policies and day-to-day activities, throughout the organization and within each business unit that processes personal data. The policies themselves will stand as proof of compliance.
• Dissemination of policy across the organization, and arranging training and advice for staff
• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
• Checking and approving contracts or agreements with third parties that may handle BIEA’s sensitive data
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards
• Performing regular checks and scans to ensure security hardware and software is functioning properly
• Evaluating any third-party services BIEA is considering using to store or process data, to ensure their compliance with obligations under the regulations
• Developing privacy notices that reflect the lawful basis for fair processing, ensuring that intended uses are clearly articulated and that data subjects understand how they can give or withdraw consent, or otherwise exercise their rights in relation to BIEA’s use of their data
• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the data protection principles
Data Protection Officer (DPO)
Data protection law requires an organization either to appoint a Data Protection Officer or to ensure it has sufficient staff with the skills to discharge its data protection obligations. Best practice dictates that, irrespective of circumstances, organizations should appoint a DPO to lead in ensuring that data protection obligations are met. The minimum tasks of the DPO are:
• To inform and advise the organization and its employees about their obligations under UK and Kenyan data protection law
• To monitor compliance with UK and Kenyan data protection law, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.)
The person responsible for fulfilling the tasks of the Data Protection Officer at BIEA is the Finance Assistant.
Data Custodian
The Data Custodian is responsible for the security and availability of BIEA data. They oversee the systems used to collect, manage and provide access to data. Their responsibilities are:
• Maintain physical and system security including server physical security and user access security as determined by the data steward.
• Ensure adequate system backups are completed and disaster preparedness and recovery plans exist.
• Ensure adequate system availability and performance
The person responsible for this role is the BIEA’s IT consultant.
Data Sharing
Data shared with a third party must be protected by encryption both in transit and at rest. There must be a clearly documented procedure, with permission granted and a mutual agreement in place, before data is shared, so that an audit trail of data sharing exists. The BIEA research policy sets out the procedures researchers follow when sharing their data, to avoid data breach or loss.
Security measures:
BIEA as an organization has put various measures in place to ensure that data processed, shared or stored is protected from breach. These measures include:
• Encryption of computer devices and of email, so that data shared is kept safe and secure.
• Use of a password-locked screen saver to prevent unauthorized persons from accessing data.
• Servers are in place to maintain, store and back up data shared within BIEA.
• BIEA uses cloud storage such as Dropbox and Google Drive to update, store and clean data on a regular basis. Access is limited to a few individuals.
• Installation of antivirus software on staff computers to help block viruses and other threats that may arise when sharing data or using unsecured sites. Computers should be checked frequently for updates.
• The IT policy sets out clear guidelines and the measures to be taken in case of a data breach.
• Data is deleted after a period of 10 years, in line with the guidelines provided in the IT policy.
Subject access requests:
All individuals who are the subject of data held by BIEA are entitled to:
• Ask what information the company holds about them and why
• Ask how to gain access to it
• Be informed how to keep it up to date
• Be informed how the company is meeting its data protection obligations
BIEA does this by allowing a data subject to email the data collector directly with enquiries or requests for clarification about the data held and its intended use.
The right to be forgotten:
Personal data should be deleted from BIEA systems after a period of 10 years from when a contract ends, an employee leaves the organization, or the data is deemed no longer relevant. The deletion period varies depending on the type of data stored, as some data are processed solely for archiving purposes.
Privacy notices:
BIEA aims to ensure that individuals are aware that their data is being processed, and that they understand:
• Who is processing their data
• What data is involved
• The purpose for processing that data
• The outcomes of data processing
• How to exercise their rights.
Ongoing documentation of measures to ensure compliance
Meeting the obligations of the GDPR and the Kenya Data Protection Act is an ongoing process. BIEA details here the ongoing measures implemented to:
1) Maintain documentation/evidence of the privacy measures implemented and records of compliance.
2) Regularly test the privacy measures implemented and maintain records of the testing and outcomes.
3) Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
4) Keep records showing training of employees on privacy and data protection matters.
BIEA data protection protocol (see Staff Handbook)
All staff who are involved in processing personal data must read this protocol and send written acknowledgement that they are aware of its terms, and will abide by them, to their line manager. Staff must be aware that BIEA has a legal responsibility to ensure that personal data is handled properly: deliberate disregard of this protocol may be regarded as gross misconduct and treated accordingly.
General principles
Personal data is information that relates to an identified or identifiable individual. This is a very large category: any email, for example, will likely constitute personal data. UK and EU law (the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018) require that before processing data in any way – which means doing anything with it, including erasing it – we must think carefully about whether we have the right to do this.
Because BIEA’s activities – even those in Kenya – require staff to process personal data which may have been gathered in the UK, BIEA and its staff must act in accordance with these regulations. This protocol is intended to provide guidance for staff, and should be read carefully. If at any time any member of staff is in doubt about whether they have the right to process data, they should seek advice from their line manager.
There is a useful guide to the regulations at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
A general rule to bear in mind: there are several legitimate grounds for processing data, and these regulations should not require any major change in practice. But they do mean that you should always think before processing data. Two key considerations:
1. We have a legal responsibility to safeguard personal data – which means keeping it accurate, as well as secure, and making sure that it is safely backed up and can be retrieved in the event of unforeseen circumstances – a fire, or the loss of key staff, for example.
2. You should never process personal data (remember, that includes sharing it with anyone else) unless you are sure that you have the right to do so: through the consent of the individual concerned; or because of a statutory obligation (to tax authorities, for example); or to complete a contractual obligation (to supply a journal, for example).
Securing data
Any personal data that you hold as a result of your work with BIEA must be kept secure. Do not share your email password with anyone, and change it regularly.
Make sure that data are backed up: what will happen if your PC breaks or is stolen? Or if you have an accident? Will it be possible to retrieve the data? Your PC must be password-protected, and the data on it protected by encryption; you should not leave your PC open and running where others may access it. If you cannot see your computer, it should not be left running unlocked.
Think before you share personal data: if you are asked by a third party for someone’s contact details, you should not supply these unless there is a clear reason to do so. You must ask yourself: do I have the right to share those details? Unless there is some other legitimate reason, you should seek the consent of the individual first. Personal data is not always in digital form: paper lists of names and addresses, for example, must not be left visible to others.
Processing data
It is often necessary to share personal data with other members of BIEA staff, or with trustees: for example, when assessing applications, or developing a research partnership. Before doing so, you must ask yourself whether you have the right to share, and whether the information is accurate and is being processed in a secure way. Passing around lists of names and addresses may not be secure; nor is sending data by email if you think that the addressee’s account may have been hacked. File sharing software, such as Dropbox, is not necessarily secure: use the most secure form practicable.
It may also be necessary to share data with third parties: with the printers of our journals, or publishers; it may also be appropriate to use third-party platforms for sending out information. Before doing so, always think: do we have the right to do this? And also think: can I trust this platform to keep the data secure?
Ensuring that BIEA’s privacy policy is understood and securing consent
If you think that you are likely to receive personal data from someone, make sure that they know how this will be processed. The best way to do this will probably be to insert a short explanatory phrase in emails or in material on the web site, drawing attention to BIEA’s privacy policy.
1. Any website page that allows individuals to sign up as members, and any paper form completed by members, must carry a clear explanation: ‘By becoming a member of BIEA, you agree to the terms of the BIEA privacy policy [insert web address]. BIEA will securely hold and process your personal data in line with this policy. If you cease to be a member, BIEA will continue to hold your personal data for xx years, after which it will be erased unless there is a statutory requirement to hold it longer.’
2. Any website page, email or other document that invites applications for employment, grants or any form of internship must carry a clear explanation: ‘By applying, you give consent for BIEA to hold and process your personal data in line with the BIEA privacy policy [insert link]. BIEA will securely hold and process your data in order to assess your application. If your application is unsuccessful, your data will be erased after a maximum of one year. If your application is successful, your data will be held in line with the policy, for 7 (seven) years after the end of the grant period, internship or employment.’
3. Any email correspondence regarding possible or actual research partnerships must carry a clear explanation: ‘By continuing this correspondence, you give consent for BIEA to hold and process your personal data in line with the BIEA privacy policy [insert link].’
Responding to requests regarding data
People have a right to know what data are held on them, and to have these corrected if inaccurate. They may also ask us to delete their data if they no longer wish us to hold them (though we can only do this if there is no statutory requirement to hold them: we have to retain, for example, an employee’s payment record or the details of a donation for a specified period). If you receive a request from an individual regarding their personal data:
1. Make sure that the person requesting the data really is who they say they are.
2. Notify the BIEA’s Data Protection Officer
3. If you are unsure, consult your line manager
4. If the request is genuine and within the law, ensure that you fulfil it within ten working days; if this is not possible, you must explain this to the person who has made the request.