Chams Media Limited (popularly known as Chams Media) is a medium sized communication consultancy firm offering TV content production services among other services. It is headed by prominent Kenyan television journalist of international repute, Alex Chamwada. Its flagship TV programme is Daring Abroad, a series that features Africans who have ventured and made a mark in a wide range of sectors within and outside the African Continent. The production also highlights non-Africans excelling in various life-changing enterprises on the continent. Chams Media also produces documentaries on carefully selected projects (both governmental, non-governmental, private and personal) that have made or are about to make a serious impact in certain places on the African Continent and also offers media liaison services to a wide range of clientele.
Chams Media recognizes that data is mission-critical in its work and has to be managed carefully. Some of this data consists of information relating to individuals, which needs an elaborate policy on how it is generated, processed, stored, used and distributed. Chams Media Limited values the privacy and the protection of personal data. The Constitution of Kenya 2010, under Article 31, recognizes the right to privacy. Consequently, Kenya enacted the Data Protection Act, No. 24 of 2019 to further guarantee this right. This is also consistent with the provisions of The Universal Declaration of Human Rights 1948 and the International Covenant on Civil and Political Rights 1976, which support the passage of domestic legislation on the principles concerning the protection of privacy and individual liberties as set forth in the Declaration and Covenant. In addition, Kenya is party to other conventions that have recognized the right to freedom of expression, including The African Charter on Human and Peoples' Rights (ACHPR) and the African Union Convention on Cyber Security and Personal Data Protection (2014). Since most Chams Media work ends up on TV or in other formal and informal media, this policy also ensures that the organisation complies with the Regulations enforced by the Kenya Films Classification Board created under the Films and Stage Plays Act (Chapter 222 of the Laws of Kenya, Revised Edition 1998), the Kenya Information and Communications Act, No. 2 of 1998 (Revised Edition 2020), the Regulations enforced by the Media Council of Kenya established under the Media Council Act, No. 20 of 2013, and others.
The aim of the policy is to protect personal data in order to guard against misuse and to eliminate the unwarranted invasion of privacy. The fundamental principles of the policy have been largely informed by global practices and the need to bridge the gaps that exist in contextualizing privacy and data protection in the technological environment in Kenya and globally. This policy is Chams Media's commitment to generate, process, store, use and distribute data in accordance with Kenya's Constitution, the Data Protection Act, No. 24 of 2019, the Films and Stage Plays Act (Chapter 222 of the Laws of Kenya, Revised Edition 1998), the Kenya Information and Communications Act, No. 2 of 1998 (Revised Edition 2020), the Media Council Act, No. 20 of 2013, and international best practices as guided by international instruments such as The Universal Declaration of Human Rights, 1948, the International Covenant on Civil and Political Rights, 1976, The African Charter on Human and Peoples' Rights (ACHPR), the African Union Convention on Cyber Security and Personal Data Protection (2014) and the Charter of Fundamental Rights of the European Union, 2000, among others.
2.1. DEFINITION OF KEY TERMS
Anonymisation: Irreversible removal of personal identifiers from information so that the data subject is no longer identifiable;
Biometric data: Personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition;
Collection: The act of gathering, acquiring, or obtaining Personal Data from any source, including third parties and whether directly or indirectly by any means;
Consent: Means any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject;
Controller: An agency, natural or legal person, public authority, organisation or any other body which alone or jointly with others has the power to determine the purposes and means of the processing of data, and the manner in which the data is processed;
Critical system: Any system whose failure could threaten human life, the system's environment or the existence of the organisation which operates the system. Such systems include, but are not limited to, the electric grid, manufacturing systems, transportation systems, financial institutions, water treatment facilities and water supply systems;
Data: All data, including personal data, in electronic or manual form;
Data controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;
Data Processor: In relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
Data Subject: A natural person whose personal data is held by the data controller;
Disclosure: Making data available to others outside Chams Media;
Encryption: The process of converting information or data into code, to prevent unauthorised access;
Investigation: An investigation relating to:
(a) A breach of this policy;
(b) A contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) A circumstance or conduct that may result in a remedy or relief being available under any law;
National Interest: Includes national security, defence, public security, the conduct of international affairs and the financial and economic interests of Kenya;
Notification: Notifying the Data Protection Regulator/Data Subject about the data breach;
Office of the Data Commissioner / Data Protection Regulator / Supervisory authority: An independent public authority established by state to regulate compliance with data protection law by Data Controllers and Processors and take enforcement action in the case of non-compliance;
Personal data: Any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, passport number or birth certificate, or to one or more specific factors such as physical or physiological characteristics;
Processing: Any operation performed on personal data, such as collecting, creating, recording, structuring, organising, storing, retrieving, accessing, using, seeing, sharing, communicating, disclosing, altering, adapting, updating, combining, erasing, destroying or deleting personal data, or restricting access or changes to personal data or preventing destruction of the data;
Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future;
Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person. Pseudonymised data is therefore re-identifiable and falls within the definition of personal data;
Sensitive personal data: Personal data as to:
(a) The racial, ethnic or social origin of the data subject;
(b) The political opinions, religious or conscience beliefs, culture, dress, language or birth of the data subject;
(c) Gender;
(d) Whether the data subject is a member of a trade union;
(e) Disability;
(f) Sexual life or orientation;
(g) Pregnancy;
(h) Colour;
(i) Age;
(j) Marital status;
(k) Health status;
(l) The commission or alleged commission of any offence by the data subject;
(m) Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings; or
(n) Biometrics (where needed for identification);
Third Party: In relation to personal data, any person or entity other than the data subject, the data controller, the data processor or any other person authorized to process data for the data controller or processor;
Vulnerable Group / people with incapacity: Any member of society who is at risk of being discriminated against because of their physical, mental, physiological or social conditions. Such members usually have difficulty giving free and informed consent.
2.2. Scope
This policy sets out the requirements for the protection of Personal Data in manual, electronic or any other form. This policy shall be Chams Media’s guiding policy in relation to matters of Privacy and Data Protection. The policy applies to Personal Data which is processed or controlled by Chams Media in Kenya or outside Kenya with respect to all data subjects, whether resident in Kenya or not, whose data is or has been collected or processed by Chams Media or any other Data Controller in Kenya.
3.1. PRINCIPLES AND RULES OF DATA COLLECTION
Chams Media must collect and use information fairly, store it securely and not disclose it to any other person unlawfully. The principles applied in this Policy are based on global best practices in data protection: fairness, lawfulness and transparency.
3.1.1. Lawfulness and fairness
The processing of Personal Data must happen in a lawful way and have a legal or legitimate basis. Personal data will be considered to have been obtained fairly if the data subject is informed of the name of the data controller/ Chams Media and the purpose(s) for processing the personal data or any further information which is necessary, having regard to the specific circumstances in which the data is or is to be processed, to enable processing in respect of the data subject to be fair.
3.1.2. Transparency
Chams Media should be transparent regarding the processing of personal data and inform the data subject in an open and transparent manner. Personal data should be processed only if there is a legitimate purpose for the processing of that personal data. Chams Media should practice transparency so that data subjects are sufficiently informed regarding the processing of their personal data. When processing personal data, the individual rights of the data subject must be protected.
3.1.3. Purpose
Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Personal data must be processed only for the purpose that was defined before the data was collected. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purpose. Subsequent changes to the purpose are only possible to a limited extent and require a legitimate basis.
3.1.4. Data Minimization
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which the data will be processed. Before processing personal data, Chams Media/ Data Controller must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which the data was required.
3.1.5. Data Collected in Advance
Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by law and/ or by express consent of the Data Subject.
3.1.6. Privacy and security should be built in from the outset in all data management systems that collect and process personal data. Such systems should have privacy incorporated by design and by default.
3.1.6. Storage Limitation
Chams Media shall not keep personal data for longer than is necessary to achieve the purpose for which the data was collected and processed. In individual cases there may be an indication of interests that merit protection, or of historical significance of the data. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the archive has evaluated the data to determine whether it must be retained for historical purposes, subject to adequate protection against access or use for unauthorized purposes.
3.1.7. Accuracy of Data
Personal data on file must be correct, complete, and be kept up to date. Chams Media shall proactively take suitable steps to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated.
3.1.8. Confidentiality and Integrity
Personal data must be processed securely so that its confidentiality and integrity (its consistency, accuracy and trustworthiness) are retained over its entire life cycle. Chams Media shall take steps to ensure that data cannot be altered by unauthorized entities or people. The security of personal data shall be preserved by establishing suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
3.1.9. Accountability
Chams Media and all Data Controllers/Processors in and under Chams Media shall be responsible for personal data protection, and shall be able to demonstrate compliance with the principles on Data Protection.
4.1. DATA SUBJECT RIGHTS
4.1.1. Limitations on Data Subject Rights
The data rights of a data subject may be limited when required by law or when there are competing rights; such cases require an assessment based on the facts and circumstances. A data subject (an individual to whom personal data relates) has the following rights:
4.1.1.1. The right of access to personal information;
4.1.1.3. The right to information as to whether personal data is being processed;
4.1.1.4. The right to rectification if the information held is inaccurate or incomplete or requires to be updated;
4.1.1.5. The right to restrict processing of their personal data;
4.1.1.6. The right to object to decisions based solely on automated processing (such as profiling, or the publication or processing of sensitive personal data) which produce legal effects or significantly affect the data subject;
4.1.1.7. The right to complain (as appropriate, to the controller, processor or regulator);
4.1.1.8. The right to object to the processing of their data for direct marketing purposes;
4.1.1.9. The right to data portability;
4.1.1.10. The right to be forgotten / the right to erasure, which will require mechanisms to be put in place to ensure this right;
4.1.1.11. The right to appropriate security safeguards where personal data is being archived for various purposes;
4.1.1.12. The right to appropriate security safeguards in cross-border transfer of personal data; and
4.1.1.13. The right of the data subject to withdraw their consent at any time without detriment to their interests.
5.1. LEGAL GROUNDS FOR PROCESSING DATA
This data protection policy strives to ensure that the collection, processing, transmission, use, storage and disposal of personal data is permitted only on a lawful and legitimate basis.
5.1.1. Consent - Chams Media/Data Controller/Data Processor will obtain consent from the Data Subject for the processing of Personal Data, including sensitive personal data.
5.1.2. Purpose - The Data Subject should clearly understand why his/her information is needed, who it will be shared with, and the possible consequences of agreeing to or refusing the proposed use of the data.
5.1.3. Data on Children - The processing of personal data of a child shall be done only with the consent of the child's parent or guardian.
5.1.4. Exceptions - The policy acknowledges that there will be exceptional circumstances where personal data can be processed without the data subject's consent. Data subject rights may be limited when required by law or when there are competing rights, and this will require an assessment based on the facts and circumstances.
5.1.5. Third party data processing - Personal data shall not be disclosed to or processed by a third party except when required by law, or when a third-party Data Processing Agreement has been approved and signed by the Data Controller and the Data Processor (i.e. the third party) and the Data Subject is aware of this arrangement.
5.1.6. Cross Border Transfer - This policy may allow personal data to be transferred to other countries or entities if such countries or entities have met the adequate safeguards spelt out in this policy for maintaining the required protection of the privacy rights of data subjects in relation to their personal data.
5.1.7. Big Data and Analytics - The use of big data and analytics is permitted subject to the processes involved in complying with the requirements of the Data Protection Laws.
6.1. OBLIGATIONS FOR DATA PROCESSING
Chams Media and all its agents/representatives/data controllers/data processors must comply with the data protection principles articulated in section 3. This section of the policy defines the key requirements of the data controller and the data processor.
6.1.1. Chams Media/ Data controller’s obligations
6.1.1.1. Inform the data subject about the data processing activities and the rights of data subject under the law;
6.1.1.2. Specify the purposes for which data is to be used;
6.1.1.3. Collect and use personal data only in accordance with lawful conditions;
6.1.1.4. Keep updated Records of Processing Activities available to the Office of the Data Commissioner and to the data subject on request;
6.1.1.5. Where relying on consent as the condition for processing personal data, first obtain the data subject's specific, informed and freely given consent;
6.1.1.6. Notify the regulator of any data breach;
6.1.1.7. Register with the data protection regulator when the threshold has been met under the Data Protection Act;
6.1.1.8. Designate a Data Protection Officer to handle all matters of data protection;
6.1.1.9. Conduct data protection impact assessment when undertaking a project that involves big data;
6.1.1.10. Provide privacy notices/notifications to data subject before personal data is collected or used; and
6.1.1.11. Ensure that the processor, and any person acting under the authority of the controller or of the processor who has access to personal data, does not process that data except on instructions from the controller, unless required to do so by law.
6.2. Joint Data Controllers
6.2.1. Chams Media, together with one or more other controllers, may jointly determine the purposes and means of processing personal data.
6.2.2. Joint controllers shall, in a transparent manner, determine their respective responsibilities for compliance and for the exercise of the rights of the data subject.
6.2.3. The arrangement between joint data controllers shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subject. The essence of the arrangement shall be made available to the data subject.
6.2.3. Data protection by design and default - Privacy should be built in from the outset in all data management systems including critical systems.
6.2.4. Chams Media/Data Controller should conduct a privacy and information audit and risk assessment at each stage of every project or initiative involving the collection, processing, transmission, storage, use and disposal of personal data, and when managing upgrades or enhancements to systems and processes used to handle personal data.
6.2.5. The Data Controller/Chams Media should apply appropriate personal data security controls such as encryption, anonymisation and pseudonymisation of personal data.
6.2.6. Data Controller/Chams Media/Data Processor must protect personal data - Chams Media is required to take appropriate technical, organizational and other measures to prevent unauthorized or unlawful processing, accidental loss or destruction of, or damage to, as well as unauthorised access, disclosure, copying, use or modification of personal information.
6.2.7. Data controller must manage any personal data breaches promptly and appropriately - All data breaches are to be reported to the Data Protection Regulator. The reporting must be done expeditiously, and the frequency and severity of the breach will determine the next level of intervention.
6.2.8. Data controller shall uphold the rights of the data subject - The Data Controller is required to provide a copy of the information comprising the personal data of a data subject at minimal cost and within a reasonable time of his/her request.
6.2.8. The Data Controller may decline a request for personal data, but must provide reasons for denying the request.
6.2.9. When a Data Subject successfully demonstrates the inaccuracy or incompleteness of data, the Data Controller will amend the data as required within a reasonable time.
6.2.10. Challenge to Compliance - Chams Media shall put mechanisms and processes in place to receive and address complaints or inquiries about its policies and procedures relating to the handling of data, including personal data.
7.1. DATA DESTRUCTION POLICY AND PROCEDURES
7.1.1. When a Restricted Data Agreement (RDA) or any agreement to which this policy applies is terminated, Chams Media must certify that it has destroyed:
- Physical media on which the restricted data products were distributed.
- Derived copies of all restricted data files. This may require destruction or secure erasure of the storage device(s) on which the derived files are stored.
- Other materials, which include (but are not limited to) backup media, printed listings or any other means of recording.
7.1.2. Destruction Procedures
All restricted data files (i.e. all copies of the original restricted data and of all files derived in whole or in part from the restricted data) must be destroyed when the RDA is terminated. There are multiple approaches that can be taken to make such files inaccessible. Restricted data users should choose one of the options listed below:
7.1.3. After completion of one of the above three destruction procedures, Chams Media/Data Collector/Data Processor/Representative/Partner/Staff/ team must submit a Restricted Data File Destruction Certification form to the Client.
7.1.4. Special rules for solid-state drive (SSD) devices - Sanitizing data stored on SSD media requires the use of special techniques that differ from those used for magnetic storage devices. Although SSD devices have built-in commands for data erasure, this technique may not be totally effective in the context of data security. This policy recommends cryptographic erasure as the solution for removal of restricted data from an SSD device. Cryptographic erasure requires disk encryption to be implemented at the beginning of the project, so planning is needed so that the device need not be physically destroyed at the end of the project. The steps involved are as follows:
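As an added illustration that is not part of the policy or of Chams Media's own tooling, the following Go program models cryptographic erasure: restricted data is encrypted with AES-256-GCM before it reaches the media, the key is held apart from the media, and erasure consists of destroying the key and then verifying that the bytes left on the media no longer decrypt. The EncryptedVolume type, the function names and the sample record are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedVolume stands in for an SSD that was encrypted from the start of
// the project, as the policy requires before cryptographic erasure is possible.
type EncryptedVolume struct {
	Ciphertext []byte // the only thing left on the flash once the key is gone
	nonce      []byte
}

// NewKey generates a fresh 256-bit data-encryption key. In practice the key
// is kept in a separate key store or hardware token, never on the volume.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteEncrypted encrypts restricted data with AES-256-GCM before storage.
func WriteEncrypted(key, plaintext []byte) (*EncryptedVolume, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &EncryptedVolume{Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), nonce: nonce}, nil
}

// ReadDecrypted recovers the data; GCM authentication fails once the key is gone.
func ReadDecrypted(key []byte, v *EncryptedVolume) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.nonce, v.Ciphertext, nil)
}

// CryptoErase is the erasure step: the key is overwritten in place so that
// no copy survives, while the ciphertext on the media is left untouched.
func CryptoErase(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

// VerifyErased is the check a destruction certification should rest on: the
// data must not decrypt with the (now zeroed) key, and the raw media must not
// contain the plaintext sample, which would mean it was never encrypted.
func VerifyErased(key []byte, v *EncryptedVolume, sample []byte) error {
	if _, err := ReadDecrypted(key, v); err == nil {
		return errors.New("data still decrypts: key was not destroyed")
	}
	if bytes.Contains(v.Ciphertext, sample) {
		return errors.New("plaintext present on media: data was never encrypted")
	}
	return nil
}

func main() {
	key, _ := NewKey()
	data := []byte("constructed sample: interviewee 0042, health status: ...")
	vol, _ := WriteEncrypted(key, data)
	out, _ := ReadDecrypted(key, vol)
	fmt.Println("before erasure, readable:", bytes.Equal(out, data))
	CryptoErase(key)
	fmt.Println("after erasure, verification error:", VerifyErased(key, vol, data[:20]))
}
```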
8.1.1. It is the responsibility of Chams Media and all its officers/representatives, partners and agents to adhere to this Data Protection Policy. Misuse of personal data, through loss, disclosure, or failure to comply with the data protection principles and the rights of data subjects, shall result in significant legal and financial damages. This may include penalties specified in the Data Protection Act and other laws.