PRIVACY POLICY

Introduction

Biblia Regulated Non-WDT Sacco Society Limited is a Savings and Credit Co-operative Society (SACCO) regulated by SASRA to offer financial services. We operate the https://bibliasacco.com website, which provides more information about us and our various services/facilities, as well as the MBIBLIA mobile application. As an organization, we take our responsibility regarding the management of our stakeholders’ data very seriously. This document informs you of our policy as a Data Controller and Data Processor regarding the collection, use and disclosure of Personal Data when you use our services. It sets out how we manage our responsibility in the use of your data and the choices you have associated with that data as the Data Subject.

POLICY STATEMENT

Biblia Regulated Non-deposit taking Sacco (referred to herein as Biblia Regulated Non-WDT Sacco Society Limited) is committed to complying with all relevant Kenyan legislation and applicable global legislation. Biblia Regulated Non-WDT Sacco Society Limited recognizes that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right.

PURPOSE OF THIS POLICY

This Data Protection Policy has been developed as a guide to Biblia Regulated Non-WDT Sacco Society Limited in managing the data of its Members, Officials, BOD and third-party entities contracted by Biblia Regulated Non-WDT Sacco Society Limited. Biblia Regulated Non-WDT Sacco Society Limited obtains, uses and stores personal data relating to its stakeholders such as potential and current employees, former Biblia Regulated Non-WDT Sacco Society Limited staff, Biblia Regulated Non-WDT Sacco Society Limited members, suppliers, visitors to Biblia Regulated Non-WDT Sacco Society Limited premises, contractors, and Biblia Regulated Non-WDT Sacco Society Limited website users, collectively referred to in this policy as data subjects. This Policy sets out how Biblia Regulated Non-WDT Sacco Society Limited manages those responsibilities.

In developing this Policy, Biblia Regulated Non-WDT Sacco Society Limited BOD intends to have this as the primary reference point for all matters pertaining to data management in Biblia Regulated Non-WDT Sacco Society Limited. The contents of this Policy will therefore be carefully studied and implemented, as it constitutes an integral part of Biblia Regulated Non-WDT Sacco Society Limited’s risk management processes. The Policy will be circulated to all Biblia Regulated Non-WDT Sacco Society Limited Staff, officials and management to enable them to familiarize themselves with the provisions herein.

Biblia Regulated Non-WDT Sacco Society Limited heavily draws its data policy guidelines from the Data Protection Act, 2019. When processing personal data, Biblia Regulated Non-WDT Sacco Society Limited is obliged to fulfil Biblia Regulated Non-WDT Sacco Society Limited Members, Staff, officials and stakeholders’ reasonable expectations of privacy by complying with the Act.

The policy document is therefore intended to ensure that Biblia Regulated Non-WDT Sacco Society Limited:

  1. Is clear about how personal data must be processed and the Sacco’s expectations for all those who process personal data on its behalf.
  2. Complies with existing data protection laws and with good practice.
  3. Protects its reputation by ensuring the personal data entrusted to it is processed in accordance with data subjects’ rights;
  4. Protects itself from risks of personal data breaches and other breaches of data protection law.

SCOPE

The policy applies to:

  • Employees of Biblia Regulated Non-WDT Sacco Society Limited, associated parties such as vendors, contractors and any other third party who handle and use Biblia Regulated Non-WDT Sacco Society Limited information (where Biblia Regulated Non-WDT Sacco Society Limited is the ‘Controller’ for the personal data being processed, be it in manual and automated forms or if others hold it on their systems for Biblia Regulated Non-WDT Sacco Society Limited).
  • All personal data processing Biblia Regulated Non-WDT Sacco Society Limited carries out for others (where Biblia Regulated Non-WDT Sacco Society Limited is the ‘Processor’ for the personal data being processed) and,
  • All formats, e.g., printed, digital information, text and images, documents and records, data and audio recordings.

All Biblia Regulated Non-WDT Sacco Society Limited staff and others processing personal data on Biblia Regulated Non-WDT Sacco Society Limited’s behalf must read and comply with the provisions of this Policy. Failure to comply with this policy may result in disciplinary action.

PRINCIPLES

Personal Data Protection Principles for Biblia Regulated Non-WDT Sacco Society Limited.

In processing personal data, Biblia Regulated Non-WDT Sacco Society Limited shall be guided by the principles of data protection as captured in the Data Protection Act, which require Biblia Regulated Non-WDT Sacco Society Limited to ensure that personal data is:

  1. Processed in accordance with the right to privacy of the data subject.
  2. Processed lawfully, fairly and in a transparent manner in relation to any data subject.
  3. Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  4. Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
  5. Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  6. Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  7. Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
  8. Not transferred outside Biblia Regulated Non-WDT Sacco Society Limited and the country unless there is proof of adequate data protection safeguards or consent from the data subject.

In complying with the stated data protection principles, Biblia Regulated Non-WDT Sacco Society Limited will observe the following:

  1. Fairness and lawfulness

When Biblia Regulated Non-WDT Sacco Society Limited processes personal data, or allows it to be processed, the individual rights of the data subjects must be protected, and personal data will only be collected and processed in a legal and fair manner.

  2. Restriction to a specific purpose

Within Biblia Regulated Non-WDT Sacco Society Limited and as part of Biblia Regulated Non-WDT Sacco Society Limited procedures and processes, personal data will be processed only for the purpose that was defined before the data was collected; for instance, data collected for loan processing will only be used for the purpose of loan processing. Subsequent changes to the purpose are only possible to a limited extent and require substantiation by Biblia Regulated Non-WDT Sacco Society Limited and consent from the data subject.

  3. Transparency

A Biblia Regulated Non-WDT Sacco Society Limited data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the Biblia Regulated Non-WDT Sacco Society Limited Member or Staff concerned. When the data is collected, the data subject must either be aware of, or informed of:

     1. The identity of the Data Controller, in this case Biblia Regulated Non-WDT Sacco Society Limited.
     2. The purpose of data processing, e.g., loan processing, marketing of Sacco products, etc.
     3. Third parties or categories of third parties to whom the data might be transmitted, if any.

  4. Data reduction and data economy

Before processing personal data, Biblia Regulated Non-WDT Sacco Society Limited will determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. In the day-to-day operations of Biblia Regulated Non-WDT Sacco Society Limited, personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

  5. Deletion

Biblia Regulated Non-WDT Sacco Society Limited will make sure that personal data that is no longer needed after the expiration of legal or business process related periods is deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, Biblia Regulated Non-WDT Sacco Society Limited will ensure that the data remains on file until the interests that merit protection have been clarified legally, or Biblia Regulated Non-WDT Sacco Society Limited has evaluated the data to determine whether it must be retained for historical purposes.

  6. Factual accuracy; up-to-date data

Biblia Regulated Non-WDT Sacco Society Limited will ensure that personal data on file is correct, complete, and, if necessary, kept up to date. Biblia Regulated Non-WDT Sacco Society Limited will take suitable steps to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.

  7. Confidentiality and data security

Biblia Regulated Non-WDT Sacco Society Limited upholds that personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing, or distribution, as well as accidental loss, modification, or destruction within Biblia Regulated Non-WDT Sacco Society Limited and by all Biblia Regulated Non-WDT Sacco Society Limited Staff, officials, and stakeholders.

Rights of the Data Subject

Biblia Regulated Non-WDT Sacco Society Limited will ensure that every data subject domiciled with the Sacco has the following rights:

  • To be informed of the use to which their personal data is to be put;
  • To access their personal data in custody of data controller or data processor;
  • To object to the processing of all or part of their personal data. This does not apply if a legal provision requires the data to be processed;
  • To correction of false or misleading data; and
  • To deletion of false or misleading data about them.

Biblia Regulated Non-WDT Sacco Society Limited will ensure that a right conferred on a data subject may be exercised:

  • By a person who has parental authority or by a guardian if the data subject is a minor;
  • By a person duly authorized to act as a guardian or administrator in a case where the data subject has a mental or other disability; or
  • By a person duly authorized by the data subject.

Justification of collection of personal data by Biblia Regulated Non-WDT Sacco Society Limited

Biblia Regulated Non-WDT Sacco Society Limited will collect data subjects’ personal data:

  • If it is necessary for the Sacco’s legitimate interest and so long as its use is fair, balanced and does not unduly impact data subject’s rights.
  • With the Data Subject’s consent. For example, to send marketing emails, to take and use a data subject’s photograph, to collect relevant medical information. The data subject can withdraw consent for this at any time.
  • As required to fulfil the Sacco’s legal obligations as a registered and regulated Non-withdrawable Deposit Taking Cooperative Society and employer. This includes sharing personal information with bodies such as SASRA, NSSF, NHIF, Courts, Police, EACC, CRBs, among other legal/statutory bodies.
  • For member data updates.
  • For KYC, AML & CTF requirements.

Biblia Regulated Non-WDT Sacco Society Limited will only process sensitive personal data if it has the data subject’s explicit consent. In extreme situations, the Sacco may share the data subject’s personal details with the emergency services if it believes it is in the data subject’s ‘vital interests’ to do so.

Biblia Regulated Non-WDT Sacco Society Limited will be exempted from obtaining data subjects’ consent before processing of personal data if:

  • exemption is necessary for national security or public order;
  • disclosure is required by or under any written law or by an order of the court, e.g., Anti-Money Laundering (AML) laws;
  • it is for the prevention or detection of crime, e.g., AML/CTF laws;
  • it is for the apprehension or prosecution of an offender; or
  • it is for the assessment or collection of a tax or duty or an imposition of a similar nature.

Collection of personal data

Sources of personal information for Biblia Regulated Non-WDT Sacco Society Limited:

Direct sources, from the data subject, through:

  1. Member Application forms
  2. Member bio data capture forms
  3. KYC/KYS provision
  4. Loan Application forms
  5. Apply for employment/internship.
  6. Are employed in the Sacco.
  7. Apply as a supplier.
  8. Register for or at one of Biblia Regulated Non-WDT Sacco Society Limited events.
  9. Complete a survey.
  10. Subscribe for updates via Sacco’s Member portal and electronic services.
  11. Use of the Biblia Regulated Non-WDT Sacco Society Limited Mobile applications or Biblia Regulated Non-WDT Sacco Society Limited website
  12. Registration for virtual meetings
  13. Video recordings from virtual meetings

Indirect sources of data subject information:

  • From social media
  • From CRBs
  • From national registration Centre
  • From other people who think that the data subject may be interested in collaborating in our work.
  • From the public domain when the data subject has deliberately made the data public.
  • From third parties such as previous or current employers to verify details about job applicants.
  • From external sources such as publications and external reviewers or advisors.
  • From another source when the guardian appointed has consented to the collection in cases where the data subject has incapacity.
  • Where collection of data from another source is necessary:
     • for the prevention, detection, investigation, prosecution, and punishment of crime;
     • for the enforcement of a law which imposes a pecuniary penalty; or
     • for the protection of the interests of the data subject or another person.

Biblia Regulated Non-WDT Sacco Society Limited will collect personal information specifically for its operation, which may include, but is not limited to, the following:

  • Contact details such as name, address, email address and phone numbers
  • Biometric data such as thumb prints
  • Nationality
  • National ID and Passport information
  • Date of birth
  • Gender
  • Information about race and ethnicity
  • Qualifications
  • Bank account details
  • Medical information
  • Benefits received
  • Employment details
  • Photographs and video recordings
  • Tax and residency status for statutory requirements
  • References from previous employers or educational institutions
  • Contact details for family members and next of kin
  • Details of criminal convictions

Biblia Regulated Non-WDT Sacco Society Limited ways of obtaining consent from data subjects.

The Sacco will use the following ways/options to register or obtain consent from data subjects on the use of personal data:

  • Signing loan application forms
  • Signing membership forms
  • Signing Bio data Capture forms
  • Signing forms for data submission
  • Through emails
  • Through short messaging services
  • Online consent forms available on the Sacco member portal.

Biblia Regulated Non-WDT Sacco Society Limited shall seek consent from data subjects through various means. These include the data subjects willingly:

  • Appending their signature of acceptance of terms and conditions of engagement on physical consent form.
  • Ticking an opt-in box on paper or electronically.
  • Clicking an opt-in button or link online.
  • Responding to an email requesting consent.
  • Volunteering optional information for a specific purpose.
  • Selecting from equally prominent Yes/No options.
  • Accepting cookies on the Sacco website and/or mobile applications.

In obtaining consent from a data subject, Biblia Regulated Non-WDT Sacco Society Limited shall ensure that the data subject:

  • Has capacity to understand and communicate their consent.
  • Is informed of the nature of processing in simple and clear language that is understandable.
  • Is informed whether data is being transferred to third party or implementing partners, or whether data is being collected by a third party on behalf of Biblia Regulated Non-WDT Sacco Society Limited.
  • Is informed of their duty to keep Biblia Regulated Non-WDT Sacco Society Limited informed of changes to their personal data and status.
  • Is informed of right to access to their personal data, or correction or deletion of it.
  • Is informed of procedure to lodge a complaint in case of suspected breach.
  • Is informed of the importance of providing accurate and complete information.
  • Voluntarily gives consent and that the consent is specific.

Processing of personal data relating to a child

Biblia Regulated Non-WDT Sacco Society Limited, as a data controller, shall not process personal data relating to a child unless:

  • consent is given by the child’s parent or guardian; and
  • the processing is in such a manner that protects and advances the rights and best interests of the child.

A child by Kenyan law is anyone below the age of 18 years as defined in the Children Act No. 8 of 2001 and as such the age of consent is 18 years. Under Article 49 of the General Regulations, where children’s data is to be processed by Biblia Regulated Non-WDT Sacco Society Limited, a Data Protection Impact Assessment (DPIA) will be done accordingly.

Duration for holding personal information.

Biblia Regulated Non-WDT Sacco Society Limited will hold personal information for as long as is necessary and will therefore not retain personal information if it is no longer required. In some circumstances, Biblia Regulated Non-WDT Sacco Society Limited may legally be required to retain data subject’s personal information, for example for finance, employment, or audit purposes.

Data Breach and Notification

A Biblia Regulated Non-WDT Sacco Society Limited data breach includes, but is not limited to, the following:

  • Unauthorized disclosure of Personal Data belonging to Biblia Regulated Non-WDT Sacco Society Limited staff members, Sacco members, board of directors or customer personal data;
  • Loss or theft of confidential or sensitive data;
  • Loss or theft of equipment on which Personal Data is stored (e.g., loss of laptop, USB stick, iPad/tablet device, or paper record);
  • Unauthorized use of, access to or modification of IT, data or information Systems (e.g., via a hacking attack); and
  • Attempts (failed or successful) to gain unauthorized access to IT, data or Information systems.

If any Biblia Regulated Non-WDT Sacco Society Limited member of Staff, or other person, learns of a suspected or actual Personal Data Breach, it must be reported immediately, or within 12 hours, to the senior management or the Data Protection Officer through the following email: dpo@bibliasacco.com

Transferring personal data out of Kenya

Biblia Regulated Non-WDT Sacco Society Limited will transfer personal data out of Kenya only when they have:

  1. Proof of appropriate measures for security and protection of the personal data, with the proof provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019. Such measures include that data is transferred to jurisdictions with commensurate data protection laws.
  2. The transfer is necessary for the performance of a contract or implementation of pre-contractual measures, such as:
     1. For the conclusion or performance of a contract to which the data subject is a party.
     2. For matters of public interest.
     3. For legal claims.
     4. To protect the vital interests of data subjects.
     5. For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights, and freedoms of the data subjects.

Biblia Regulated Non-WDT Sacco Society Limited will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and on receiving confirmation of appropriate safeguards.