DATA PRIVACY AND PROTECTION POLICY

1. BACKGROUND

Dignitas is a leading education development organization. We use an innovative training and coaching approach to empower schools and educators in marginalized communities to transform students’ opportunities. We imagine a world where schools are a vibrant place for all children to develop the skills and strength of character to thrive and
Dignitas is a non-profit company registered in Kenya, with a registered office at PO Box 20024-00200, Nairobi, Kenya, and registered number: CLGN9QFAB

2. SCOPE

This policy covers all processing of personal data by any data controller or data processor established or resident in Kenya and who processes personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya.

3. DEFINITIONS

Controller is the party responsible for deciding what Personal Data to collect and how to use it.

Data Subject means the individual who can be identified from the Personal Data;

Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;

Processor This means a natural or legal person, business, party, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller. (excluding the data controller’s own employees). Data processor is subject to far fewer obligations under the law.

Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.

4. PRINCIPLES GUIDING DATA PROTECTION

Lawful, Fair Use and Transparent Use
- Individuals must be aware of the personal data, how it is collected, processed, kept and Data should always be accessed, analyzed or otherwise used taking into account the legitimate interests of those individuals whose data is being used.

4.2. Purpose Limitation and Compatibility

The purpose of collection must be for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Requests or proposals for data access should be tailored to a specific purpose. If not compatible with the original request, permission/consent must be

4.3. Data Minimization

Data access, analysis or other use should be kept to the minimum amount necessary to fulfill its e.g. does one need an actual birth date or just an age bracket?
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

4.4. Accuracy

Data collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified

4.5. Data Retention, Storage and Removal

Any retention of data should have a legitimate and fair basis, including beyond the purposes for which access to the data was originally granted to ensure that no extra or just-in-case data set is stored. Any data retention should be considered in light of the potential risks, harms and benefits.
In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

5. DATA PROTECTION STATEMENT

In order to provide our Services, we may need to process Personal Data from time to time (that is information about someone who can be identified from the data). This Personal Data may be about you or other This notice explains how we will use the Personal Data we hold.
As part of our Services we may transfer Personal Data to other We’ve set out a list of who we might transfer Personal Data to at paragraph 7. This notice only deals with our use of Personal Data. Recipients not bound by this privacy notice.
We might need to change this notice from time to time. If we do, we let you So please do keep an eye on our notice before giving us any Personal Data.
All of the defined terms in this notice are explained in clause 3 above. If you have any questions about this notice, feel free to send us an email to [email protected]

6. PERSONAL DATA

We hold Personal Data about the following groups of people (Data Subjects):

DATA SUBJECTS

DESCRIPTION

Category A

Partner Organisations, Funders, and other

Stakeholders

That is, any party which has engaged us to provide services

(including key contact data);

Category B

Dignitas Learning Champions (Alumni Members)

That is, any party who or which has signed up to be a member of our organisation (including any

individuals in their companies);

Category C

Supporters

That is, anyone who has contacted us to find out about what we do or otherwise supported us, other than

through membership;

Category D

School Partners,

Participating School Leaders and Teachers

That is, any individuals who receive our Services

7. DATA CONTROLLER

7.1. We are a Controller in respect of each of these data sets. This means we make decisions about what data to collect (in respect of those groups of Data Subjects) and how to use it.

8. DATA COLLECTION

We might collect Personal Data in the following ways: CATEGORY A AND C

Source

Types of Data Collected

Direct interactions with the Data Subject

Contact and Identity Data Transaction Data Preferences

Job Roles and Business Data

Publically available sources (internet, Companies House)

Contact and Identity Data Job Roles and Business Data

CATEGORY B AND D

Source	Types of Data Collected
Direct interactions	Contact and Identity Data
with the Data Subject	Transaction Data
	Preferences
	Job Roles and Business Data
Program Evaluation Tools	Survey Data Evaluation Data Participant Information

General

We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with Categories B and D. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.

9. DATA USAGE

We hold and process Data as a Controller, which means we must have a ‘lawful basis’ for doing We have set out how we use Data along with our lawful basis in the table below.

Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a We consider such use goes no further than the Data Subject would reasonable expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.

PURPOSE/ ACTIVITY	TYPES OF DATA	LAWFUL BASIS
To provide our services	Identity Data Contact Data Transaction Data	Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.
To manage our relationship with partners	Identity Data Contact Data	Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract. Legitimate Interest
Administration and Dispute Resolution	Identity Data Contact Data Transaction Data	Legitimate Interest

10. DATA DISCLOSURE

10.1 We will not share personal data with anyone else.

11. SECURITY MEASURES

11.1 It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.

12. DATA STORAGE

12.1 Information submitted on the web information will be stored to allow respond to inquiries. If you would like information about where we hold your data, please contact us by email: [email protected]

13. DATA RETENTION

Our retention policies for are as follows: we may store data related to financial transactions for up to seven years to ensure that we have sufficient records from an accounting and tax perspective;
we may archive data relating to negotiations, contracts agreed, payments made, disputes raised for seven years to protect ourselves in the event of a dispute arising between you and us;
we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

14. DATA SUBJECT RIGHTS

1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.
Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used
Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has/will be disclosed;
- for how long it will be stored; and
- if data wasn’t collected directly from the Data Subject, information about the source

Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete.
Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s

Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing the data has been reviewed and updated if necessary.

Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable

Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).

Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data

If you want to avail of any of these rights, you should contact us immediately at [email protected] If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.

15. DATA REMOVAL

If we are holding Personal Data about you as a Controller, we will comply with your request unless we have reasons for lawfully retaining data about

If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to receive our

16. COMPLAINTS

If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1 above) or by email to [email protected] If we are processing Personal Data about you on behalf of another party, we will need to pass your complaint to said party – we will only do so with your consent.