Aim of the Data Protection Policy

WezaCare Solutions (hereafter referred to as WezaCare), recognizes that data and information should be at the service of our partners, beneficiaries and every citizen in Kenya and the world over. Any data or Information we collect and/or share shall not violate human dignity, human rights, privacy, or individual or public liberties. WezaCare is committed to national and international compliance with data protection laws. This data protection policy applies worldwide to WezaCare. It is based on globally accepted, basic principles on data protection to make sure data protection is the foundation of trustworthy relationships and the reputation of WezaCare as a credible partner.

The main aim of this Data Protection Policy is to ensure our partners, employees, beneficiaries, customers and users understand how their data is being used and have access to it. It also outlines how staff should handle confidential information disclosed to them during their employment at WezaCare. This gesture is to protect individuals from having their data misused or mishandled. This Data Protection Policy shall ensure a satisfactory level of data protection as stipulated by relevant legal and ethical frameworks. The WezaCare Data Protection policy is a practical and easy-to-understand record to which all WezaCare departments, partners, beneficiaries, customers and stakeholders can refer.

Scope of the Data Protection Policy

WezaCare Data Protection Policy applies to all data (personal or otherwise) that WezaCare collects, holds, uses and/or shares and specifically as relates to Personally identifiable information; meaning any information relating to an identified or identifiable individual.

This data protection policy applies to all entities of WezaCare, including network and branch offices in all counties and countries of operation.

• The policy applies to all WezaCare Staff.
• The guidelines outlined in this policy may also be applied to any person employed by an entity that carries out missions for WezaCare.
• In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders, contractors and other associated entities.

This Protection Policy covers the information WezaCare collects about staff, guests, recipients, beneficiaries, clients, partners, service providers, contractors, stakeholders, etc who use WezaCare products or services, or otherwise interact with WezaCare (for example, by attending WezaCare premises or events or by communicating with WezaCare), unless a different policy is displayed. “WezaCare”, “we” and “us” refer to Weza Care Solutions and any of our corporate affiliates. We offer a wide range of products, including but not limited to our digital, cloud, server and data-based products. We refer to all of these products, together with our other services and websites as "Services" in this policy.

This policy also explains your choices surrounding how we use information about you, which include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this policy, do not access or use our Services, Products or interact with any other aspect of WezaCare

Sets of Data and Definitions

Sets of Data

Sets of data refer to personal data currently stored, maintained, and handled by WezaCare, and more specifically relating to the following identifiable groups of personal data:

• WezaCare’s contractors, suppliers, consultants, and partners; entities that are currently under contract with WezaCare.
• WezaCare’s personnel; including national and international staff, interns, and volunteers.
• WezaCare’s direct and indirect beneficiaries
• WezaCare’s donors and well-wishers
• WezaCare’s research participants

Personal Data

Personal data refers to any information relating to a natural person who can be identified directly or indirectly, by reference to an identification number or code, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Personal data can include in particular:

• Names of individuals
• Postal or living addresses
• Email addresses
• Telephone numbers
• Identity card and passport numbers
• Date and place of birth
• Identification of relatives
• Fingerprints
• Geo-referencing
• Business referencing
• Associates referencing
• Internet protocol (IP) addresses
• Software used
• Time spent on websites or applications
• Navigation through sites
• Images
• Video recordings
• Audio recordings

Processing of Personal

Data Processing of personal data herein refers to any operation or set of processes concerning such data, whatever the mechanism used, especially the obtaining, organization, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.

Application of National Laws and Sources of Authority

WezaCare is headquartered in Kenya and observes the laws of the Republic of Kenya; these include the national laws of general applicability regulating the collection and use of personal data in Kenya; the Constitution of Kenya 2010, the Access to Information Act of 2016, the Consumer Protection Act of 46 of 2012, and most recently, the 2019 Data Protection Act. The 2019 Data Protection Act has the essence of the European Union’s General Data Protection Regulation (GDPR) 2018 in stating the principles of data protection and the rights of data subjects to the actions of processors and collectors.

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data protection laws. The relevant state law will take precedence if it conflicts with this Data Protection Policy or if it has stricter requirements than this policy. The content of this Data Protection Policy takes precedence in the absence of corresponding national legislation. WezaCare Solutions must observe the reporting requirements for data processing under national laws. Each entity of WezaCare, including network and branch offices, is responsible for compliance with this Data Protection Policy and its legal obligations. In the event of conflicts between national legislation and this Data Protection Policy, WezaCare will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.

This policy is aimed at guiding WezaCare staff and must be considered together with:

• WezaCare’s Child Safeguarding and Protection Policy
• WezaCare’s Code of Conduct and Policies outlined in the Human Resource Management Policies and Procedures Manual
• Any other relevant WezaCare’s manuals and guidelines

Principles for Processing Personal Data

WezaCare Solutions will use the following principles to ensure that data is only used in specifically stated ways and not stored for a longer time than necessary. The principles help to keep individuals' data accurate, safe, secure, and lawful. Therefore, WezaCare recognises that compliance with these key principles is a fundamental building block for good data protection practice.

Fairness and lawfulness

• When processing personal data at WezaCare Solutions, the individual rights of the data subjects will always be protected. Personal data will be collected and processed in a transparent, legal, and fair manner.
• WezaCare will ensure that at all times, collected data shall be adequate, relevant, and not excessive in relation to the purposes for which they are obtained and their further processing.
• WezaCare will ensure that individual data is only processed upon the voluntary consent of the person concerned.

Restrictions to a specific purpose

• WezaCare will ensure that at all times, personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with the intended purposes. Subsequent changes to the goal are only possible to a limited extent and require justification.
• Further data processing at WezaCare for statistical, scientific, and historical purposes shall be considered compatible with the initial data collection purposes if it is not used to make decisions concerning the data subjects.

Transparency

• WezaCare will always ensure that data collected is adequate, relevant, and limited to what is necessary to the purposes for which they are processed (‘data minimization’);
• Wezacare will ensure that the data subject is informed of how their data is being handled. In general, personal data will be collected directly from the individuals concerned and when the data is collected, Wezacare will ensure that the data subject is either aware or informed of:
  • The purpose of data processing.
  • Categories of the third parties to whom the data might be transmitted.
• Wezacare will ensure that data processing of personal data is done with the consent of the data subject or meets one of the following conditions:
  • Compliance with any legal obligation to which WezaCare is subject
  • The protection of data subjects' life, including security, privacy, health, and financial status.
  • The performance of a public service mission entrusted to WezaCare.

Confidentiality and Data Security

WezaCare recognizes that personal data is subject to data secrecy. Personal Data collected by WezaCare will always be treated as confidential, private, and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, and accidental loss, modification, or destruction.

Deletion

Wezacare will ensure that personal data is not retained in a form that allows the identification of the data subjects for a period longer than is necessary for the purpose for which they are obtained and processed. There may be an indication of interests that merit protection or historical significance of this data in individual cases. In such instances, the data will remain on file until the interests that merit protection has been clarified legally or WezaCare has evaluated the data to determine whether it must be retained for historical purposes.

Factual accuracy and Update of Data

WezaCare will ensure that personal data on file is correct and kept up to date if necessary. Suitable steps will be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.

Data Processing

Data Processing refers to any operation or set of functions concerning such data, whatever the mechanism used, especially the obtaining, organisation, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.

This may be simply stated as the conversion of data into a usable and desired form. This conversion is carried out using a predefined sequence of operations either manually or automatically. This processing is often performed in order to store the most refined information in a system for later retrieval and use.

Data Processing at WezaCare is guided by the following concepts:

Consent to Data Processing

Data processing at WezaCare can only be done upon the consent of the person concerned. Declarations of consent will be obtained voluntarily, either in writing or by agreeing to online prompts or signing physical or digital forms. In certain exceptional circumstances, consent may be given verbally.

Data Processing Pursuant to Legitimate Interest

Personal data retained by WezaCare will only be processed if the processing is necessary to enforce a legitimate interest. Legitimate interests may be of financial or audit nature, or relate to legal issues such as filing, enforcing or defending against legal claims. Personal data will not be processed by WezaCare based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection. Control measures that require processing information may only be affected if there is a legal obligation to do so or if there is a legitimate reason.

Telecommunications and Internet

Telephone equipment, email addresses, intranet and internet along with social networks such as Slack, Click-up and Airtable are provided by WezaCare primarily for work-related assignments. They are to be used within the applicable legal regulations and internal WezaCare communications policies. There will be no general monitoring of telephone and e-mail communications or intranet/internet use.

Imperative measures to protect the IT infrastructure and individual users may be implemented for the connections to the network used by WezaCare that block technically harmful content or that analyze any attack patterns aimed at compromising network integrity.

For security reasons, the use of telephone equipment, e-mail addresses, the internet/intranet and internal social networks may be blocked for a temporary period, especially in cases where an individual is suspected to be violating policies. Evaluation of this data from a specific person will be made only in concrete, justified case of suspected violations of policies and procedures of WezaCare. Such evaluation will only be conducted by investigating departments while ensuring relevant national laws are observed in the same manner as WezaCare regulations.

Applications and Web-Platforms

WezaCare may provide applications and web platforms for use in data capture and processing by partners and other authorized stakeholders. Such applications and web platforms are sufficiently protected using state-of-the-art encryption and access is only granted to authorized stakeholders. Restrictions are applied through the use of QR codes for application setup and authorized level-access usernames and passwords. Web platforms are protected using Secure Sockets Layer (SSL) certificates to further protect personal information.

Such applications and web platforms include:

• Nexus forms library
• Nexus tracker
• Nexus care

Rights of the Data Subject

All individuals who are the subject of personal data held by WezaCare are entitled to the following:

• To request information on which personal data relating to him or her has been stored, how the data was collected, and the intended purpos
• To be informed beforehand of the possibility of their personal data being transmitted to third parties.
• To demand that their personal data be corrected or supplemented if they deem the data incorrect or incomplete.
• To request that his or her data be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply.
• To request that his or her data be deleted if the purpose behind the data processing has lapsed or has ceased to apply for other reasons.
• To object to his or her data being processed. This does not apply if legal (or financial or audit) provisions require the data to be processed.

Transmission of Personal Data

Transmission of personal data may only be done with the consent of the data subject and only for defined purposes.

In the event that data is to be transmitted to a recipient outside WezaCare, this recipient must agree to maintain a data protection level equivalent to this data protection policy. This does not apply if the transmission is based on a legal obligation, where the recipient may be law enforcement agencies. Personal data may be transmitted without the consent of the data subject in such instances.

Where disclosure of personal data is to be made, only WezaCare’s Executive Director can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to WezaCare. Where necessary, the WezaCare Executive Director will refer to legal services for advice, especially in cases involving direct security threats and implications or global organisational risks, including reputation.

Before approving such disclosure, the Executive Director will check that the recipient intends to use the data for the defined purposes only and that it demonstrates the capacity and will to abide by such an obligation.

Subject Access and Modification Requests for Personal Data

Subject access, which is also the right of access, gives individuals the right to obtain a copy of their personal data from WezaCare as well as other supplementary information. It is a fundamental right for individuals as it helps them understand how and why you are using their data and check if you are doing it lawfully.

All WezaCare staff and individual partners can contact WezaCare to request rights as listed in Section 6.5. Rights of the data subject. Individual subject access requests received by WezaCare should be in mail or writing. If not in writing, the request should be taken and handled by a duly authorised WezaCare staff and registered in a log for reference and follow-up.

Any individual subject access request received by WezaCare will be duly verified before being handled, with the verification of the identity of anyone making a subject request, before handling any information. Response to individual requests will be in a timely manner.

WezaCare will ensure that any data subject including but not limited to staff, partners and stakeholders, have the means to contact WezaCare to verify the data the organization holds about them and can have authorized WezaCare personnel update and correct personal information. Such obligation involves the following:

• WezaCare staff shall have access to their personal files and to any information held by WezaCare on them, by simple request to the Human Resources department, to be presented and corrected by a duly authorised staff only. The consultation of any information on any other staff is strictly prohibited.
• Partners listed by WezaCare can reach out and check the data held by WezaCare and have it corrected as well as deleted. Information on this right and on how to reach out to WezaCare for such a purpose shall be clearly indicated on the WezaCare website, as well as the main media of communication to partners.
• WezaCare's current direct and indirect partners ( including survey respondents) shall have access to WezaCare and any data it holds on them, to ensure its correctness, and fairness and to have it modified and updated upon request by duly authorized WezaCare personnel. For such a purpose, WezaCare shall set up and maintain a complaints response mechanism that is both open and accessible to individuals with limited constraints, while ensuring that any requests by individuals are duly followed by appropriate corrective measures and communications. Contact information to uphold this right and reach out to WezaCare for such a purpose should be clearly indicated on the WezaCare website as well as on other means of public information
• WezaCare contractors and suppliers can reach out to WezaCare to check their data and have it corrected. WezaCare implementing partners shall have access to check any data WezaCare holds on them to ensure its correctness, and fairness, and to have it modified and updated upon request by duly authorized WezaCare personnel.

Providing Information

Child Safeguarding and Protection Policy WezaCare aims to ensure that individuals, partners and stakeholders are aware that their data is being processed and that they understand:

• How their data is being used.
• How to exercise their rights.

For this purpose, the current Data Protection policy is shared with all WezaCare staff, and partners and available upon request by any other stakeholders.

Any subscriber or user of an electronic communication service such as Nexus Tracker shall be informed in a clear and comprehensive manner by WezaCare, except if already previously informed regarding;

Child Safeguarding and Protection Policy
• The purpose of any action intended to provide access, by means of electronic transmission, to information previously stored in their electronic connection terminal device or to record data in this device,
• The means available to them to object to such action.

Confidentiality of Processing

WezaCare employees are forbidden to use personal data from data subjects for private or commercial purposes, disclose it to unauthorized persons, or make it available in any other way. Management must inform their employees at the start of the employment relationship about the obligation to ensure data protection. This obligation shall remain in force even after the employment has ended.

Employees' unauthorized collection, processing, and or use of personal data is prohibited. Duly-authorized employees may have access to personal data only as appropriate for the type and scope of the task. This shall require a detailed breakdown and separation and implementation of roles and responsibilities.

Processing Security

Personal data stored at WezaCare either in electronic or paper form must be safeguarded from unauthorised access and unlawful processing or disclosure and accidental loss, modification or destruction.

Data Protection Control

Compliance with this Data Protection Policy and the applicable data protection laws shall be checked regularly by carrying out rigorous data protection audits and other controls. The performance of these controls is the responsibility of the WezaCare Solutions Executive Director or appointed representative. The results of the data protection controls performed by the appointed representative must be reported to the Executive Director. On request, the results of the data protection controls will be made available to the responsible data protection authority.

Complaints Response Mechanism

Data subjects and third parties may make a complaint relating to WezaCare's use of personal data. Complaints should be sent directly to dataprotection@wezacare.org. A member of our data protection team will normally acknowledge the complaint within 5 working days. WezaCare will only accept a complaint from a data subject's representative if the representative provides the data subject's written consent authorising the representative to act on the data subject's behalf in relation to the complaint.

Investigations on complaints about data protection will be carried out normally within 20 working days. If further clarification is required from the complainant or more time is required for the response to be completed, WezaCare will inform the complainant prior to the original deadline. The complaint outcome will be communicated to the complainant in writing, normally by email.

Violation, Sanction and Reporting

Failure to comply with the current Data Protection Policy or to deliberately violate the rules set in the policy will result in the launch of an appropriate investigation by WezaCare.

Depending on the outcome of the independent investigation, if it comes to light that anyone associated with WezaCare has deliberately violated the guidelines set out in the policy for their personal profit or any other usage of personal data, or has systematically and deliberately contravened with the principles and standards contained in this document, WezaCare will take immediate disciplinary action and any other action which may be relevant to the situation.

Some of the actions against certain parties may include:

• Employees - disciplinary action/dismissal
• Trainees and interns - ending the relationship with the organization
• Partners - withdrawal of support
• Contractors, consultants, and suppliers - termination of the contract.

Responsibilities

WezaCare Management is responsible for ensuring that organizational, human resources, and technical measures are in place so that any data processing is carried out in accordance with data protection. The managers shall ensure that their employees are sufficiently trained in data protection.

Compliance with this Data Protection Policy is the responsibility of the relevant employees.

Implementation of the Policy

This policy has been approved by WezaCare Executive Director on 1st October 2022 and comes into effect immediately. It could be reviewed regularly.