1.1
Recent concerns about the security of personal data stored in institutions have led to Governments enacting data protection regulations. In 2019 Kenya enacted the Data Protection Act. The regulations seek to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimising the collection of data, ensuring the accuracy of data and adopting security safeguards to protect personal data.
Borana Ranch Ltd is committed to being transparent about how it collects and uses data and to meeting its data protection obligations. This privacy notice describes how the Company collects and uses personal information about you during and after your working relationship with the Company.
2.1
The policy provides guidance on how Borana Ranch Ltd will handle the data it collects. It helps Borana Ranch Ltd comply with the data protection law, protect the rights of the data subjects and protects Borana Ranch Ltd from risks related to breaches of data protection.
3.1
The policy applies to:
3.11
Employees of Borana Ranch Ltd and all its associated parties such as suppliers, contractors and any other third party who handle and use Borana Ranch Ltd information (where Borana Ranch Ltd is the ‘Controller’ for the personal data being processed, be it in manual and automated forms or if others hold it on their systems for Borana Ranch Ltd;
3.12
All personal data processing Borana Ranch Ltd carries out for others (where Borana Ranch Ltd is the ‘Processor’ for the personal data being processed) and,
3.13
All formats, e.g., printed and digital information, text and images, documents and records, data and audio recordings.
4.1
Borana Ranch Ltd therefore commits to:
Complying with all relevant Kenyan legislation and applicable global legislations. It recognises that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right. Ensure that it protects the rights of data subjects and that the data it collects, and processes is done in line with the required legislation. Ensure that company staff comply with this policy, breach of which could result in disciplinary action.
5.1
Data controller means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
5.2
Data processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
5.3
Data subject means an identified or identifiable natural person who is the subject of personal data.
5.4
Personal data means any information relating to an identified or identifiable natural person
5.5
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
5.6
Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses sex, or the sexual orientation of the data subject.
5.6
Processing data means any operation or sets of operations performed on personal data whether or not byautomated means, such as:
Disclosure by transmission, dissemination, or otherwise making available; or
Alignment or combination, restriction, erasure or destruction.
6.1
Borana Ranch Ltd will ensure that data is:.
6.1.1
Processed lawfully, fairly and in a transparent manner and in line with the right to privacy.
6.1.2
Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose.
6.1.3
Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
6.1.4
Accurate and where necessary kept up to date.
6.1.5
Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
6.1.6
Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
6.1.7
Not transferred out of Kenya unless there is proof of adequate data safeguards/ measures or consent from the data subject.
7.1
Borana Ranch Ltd has designated the General Manager to be the Data Protection Officer (DPO). Accordingly, theDPO will:
7.1.1
Advise Borana Ranch Ltd staff on requirements for data protection, including data protection impact assessments.
7.1.2
Ensure that the Borana Ranch Ltd has complied with the legal requirements on data protection.
7.1.3
Facilitate capacity building of staff involved in data processing operations.
7.1.4
Provide advice on data protection impact assessment
7.1.5
Co-operate with the authorities on matters Data Protection
8.1
Borana Ranch Ltd has a duty to notify data subjects of their rights before processing data. Borana Ranch Ltd will therefore inform the data subjects of their right:
8.1.1
To be informed of the use to which their personal data is to be put.
8.1.2
To access their personal data in Borana Ranch Ltd ’s custody.
8.1.3
To object to the processing of all or part of their personal data.
8.1.4
To the correction of false or misleading data.
8.1.5
To deletion of false or misleading data about them.
9.1
Borana Ranch Ltd will only process data where they have a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:
9.1.1
For the performance of a contract to which the data subject is a party (for instance a contract of employment).
9.1.2
To comply with the Borana Ranch Ltd ’s legal obligations.
9.1.3
To perform tasks carried out in the public interest or the exercise of official authority.
9.1.4
To protect the vital interests of the data subject or another person.
9.1.5
To pursue Borana Ranch Ltd ’s legitimate interests where those interests are not outweighed by the interestsand rights of data subjects.
9.1.6
For historical, statistical or scientific research.
10.1
Borana Ranch Ltd will not process any personal data for a purpose for which it did not obtain consent. Shouldsuch a need arise, then consent must be obtained from the data subject.
10.2
Borana Ranch Ltd will collect and process data that is adequate, relevant, and limited to what is necessary.
Borana Ranch Ltd staff must not access data which they are not authorized to access nor have a reason to access.
10.3
Data must only be collected for the performance of duties and tasks; staff must not ask data subjects to provide personal data unless that is strictly necessary for the intended purpose.
10.4
Staff must ensure that they delete, destroy, or anonymise any personal data that is no longer needed for thespecific purpose for which they were collected.
11.1
Borana Ranch Ltd will ensure that the personal data it collects and processes is accurate, kept up to date, corrected, or deleted without delay. All relevant records must be updated should staff be notified of inaccuracies. Inaccurate or out-of-date records must be deleted or destroyed.
12.1
Borana Ranch Ltd has instituted data security measures such as;
These measures serve to safeguard personal data and must be complied with accordingly.
13.1
Where necessary, Borana Ranch Ltd will maintain adequate records to show that consent was obtained before personal processing data. Data will not be processed after the withdrawal of consent by a data subject.
14.1
Borana Ranch Ltd will not process data relating to a child unless consent is given by the child’s guardian or parent and the processing is in such a manner that protects and advances the rights and best interests of the child inline with Borana Ranch Ltd Safeguarding policy.
14.2
Borana Ranch Ltd will institute adequate mechanisms to verify the age and obtain consent before processing the data.
15.1
Borana Ranch Ltd will undertake a data protection impact assessment whenever they identify that the processing operation will likely result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.
16.1
Borana Ranch Ltd will process sensitive personal data only when:
16.1.1
The processing is carried out in the course of legitimate activities with appropriate safeguards and that the processing relates solely to the staff or to persons who have regular contact with Borana Ranch Ltd, and the personal data is not disclosed outside without the consent of the data subject.
16.1.2
The processing relates to personal data that has been made public by the data subject.
16.1.3
Processing is necessary for:
17.1
Borana Ranch Ltd will transfer personal data out of Kenya to France or any other country only when they have:
17.1.1
Proof of appropriate measures for security and protection of the personal data, and the proof provided to the Dat Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019, such measures include that data is transferred to jurisdictions with commensurate data protection laws.
17.1.2
The transfer is necessary for the performance of a contract, and implementation of pre-contractual measures such as:
17.2
Borana Ranch Ltd will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and on receiving confirmation of appropriate safeguards.
18.1
In line with regulatory requirements, Borana Ranch Ltd will report to the Data Protection Commissioner any data breach within 72 hours of being aware. Borana Ranch Ltd will also communicate the data breach to the data subject within 48 hours of being aware or as soon as is practical unless the identity of the data subject cannot be established.
19.1
In line with regulatory requirements, Borana Ranch Ltd will report to the Data Protection Commissioner any data breach within 72 hours of being aware. Borana Ranch Ltd will also communicate the data breach to the data subject within 48 hours of being aware or as soon as is practical unless the identity of the data subject cannot be established.
19.2
Borana Ranch Ltd will ensure that the requirements of this policy form part of its agreement with its employees, contractors, and third parties who process Borana Ranch Ltd ’s data.
20.1
All employees must:
20.1.1
Read, understand and comply with the contents of this policy
20.1.2
Report any data breach or suspicions of breaches promptly to the DPO
20.1.3
Participate in data protection trainings from time to time
20.2
All Supervisors/Managers/Dept Heads must:
20.2.1
Ensure staff and third parties they work with are aware of the contents of this policy
20.2.2
Conduct risk assessments, and update controls and procedures to mitigate the risk of data breaches
20.2.3
Implement Data Processing Agreements with third parties
20.2.4
If authorized to collect, handle or process personal data, secure it and ensure that the data is quality & accurate
20.3
General Manager and HR manager:
20.3.1
Are responsible for ensuring employees, consultants, Suppliers, and partner organizations are aware of the policy and are supported to implement and work by it, as well as creating a management culture that encourages a focus on data protection.
20.3.2
Process data for the legitimate purpose specified to the data subject when collected
20.3.3
Store data for as long as necessary for the specified purpose.
20.3.4
Allow rectification and erasure of data by the data subject
20.3.5
The DPO will provide governance oversight of activities under this policy.
20.3.6
The General Manager will ensure that there are adequate and effective systems and processes in place to safeguard data.
20.3.7
Implement appropriate technical & organizational measures of data security.
21.1
The adequacy and effectiveness of Borana Ranch Ltd ’s data protection procedures are subject to the regular internal audit reviews and where necessary Borana Ranch Ltd may call an external review to provide assurance over the integrity.
22.1
The Data retention period in Borana Ranch Ltd is determined by legitimate needs. Adequate records of decision making will be maintained to show cause.
23.1
The DPO is responsible for ensuring that this policy is reviewed on a timely basis. This policy will be reviewed after every 2 years and accordingly approved by the Managing Director.
24.1
This policy should be read in conjunction with: