CEMASTEA DATA PROTECTION POLICY

Article 1: Introduction
The Centre for Mathematics, Science and Technology Education in Africa (CEMASTEA) is a State Corporation under the Ministry of Education. Established in 1998, the Centre aims to improve the quality of mathematics and science education through capacity building for teachers, pedagogical leaders and other educational stakeholders.
The Centre is also the Secretariat of the Strengthening of Mathematics and Science Education in Africa (SMASE-Africa) Association, a continental organization with membership from 26 African countries. This policy was collectively developed by staff, management and the Board of Governors (BoG), guided by a consultant team backed by data protection experts. Intensive stakeholder consultations provided rich policy input, deliberation and a consensus policy position consistent with legal requirements.
Dedicated to innovation and excellence, CEMASTEA collaborates with a wide range of partners in developing and promoting innovative teaching pedagogies and research that emphasize learner-centered, inquiry-based teaching and learning methods and content in STEM education. It runs various teacher professional development programs and conducts STEM programs that encourage teachers to adopt innovative approaches in their classrooms. In the ordinary course of executing these programs, CEMASTEA handles the personal data of many different individuals.
Cognizant of Article 31 of the Constitution of Kenya and the Data Protection Act, 2019 on upholding individual privacy, CEMASTEA undertakes the lawful processing of personal data pursuant to the Act and in accordance with the provisions of the Registration of Persons Act (Cap 107); the Births and Deaths Registration Act (Cap. 149); the Kenya Citizenship and Immigration Act (Cap. 170); the Marriage Act (Cap. 150); the Children Act (Cap. 141); the Refugee Act (Cap. 173); or any other law relating to the issuance of identity documents and subsequent Regulations.
This policy provides a comprehensive framework for the privacy protection of every person interacting with CEMASTEA by setting out the personal data protection systems, processes and measures required of every person engaged with the Centre in its core mandate of STEM research and training and its commitment to the public interest.
The policy is applicable to all full- and part-time staff and employees, teachers, learners, and non-employees who use CEMASTEA funds, facilities or other resources, or participate in CEMASTEA-administered research, including visiting lecturers, industrial personnel and fellows, regardless of their obligations to other entities, companies or institutions. For the purposes of this policy, these individuals will be referred to as "covered persons" or "persons covered by this policy."
Article 2: Policy Statement
This policy outlines how CEMASTEA sets out to meet the personal data protection requirements under Section 23 of the Data Protection Act, 2019.
The purpose of this policy is to guide institutional data governance on:
- The nature of personal data collected and held
- How a data subject may access their personal data and exercise their rights in respect to that personal data
- Complaints handling mechanisms
- Lawful purpose for processing personal data
- Obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya
- The retention of personal data
- The collection of personal data from children, and the criteria to be applied
Article 3: Aim of this Policy
This Data Protection Policy is established by CEMASTEA to affirm our commitment to protecting the personal information of our stakeholders, including students, educators, researchers, staff, and partners.
In alignment with CEMASTEA's mission to advance mathematical, scientific, and technological education across Africa, this policy aims to:
a) Ensure the responsible and ethical collection, processing, storage, and management of personal data
b) Comply with the Data Protection Act No. 24 of 2019 and other relevant Kenyan data protection regulations
c) Safeguard the privacy rights of individuals
d) Maintain the confidentiality, integrity, and security of personal information
e) Support CEMASTEA's strategic objectives of promoting educational research and technological innovation
Article 4: Scope of the Policy
This Data Protection Policy applies to:
a) All personal data processing activities of CEMASTEA as a data controller or processor in Kenya, regardless of whether the processing takes place in Kenya or not.
b) All entities at or connected to CEMASTEA including the following:
- All CEMASTEA staff, administrators, and the Board of Governors
- Every person employed or otherwise engaged by CEMASTEA in the carrying out of its mission
- Implementing partners, suppliers, sub-grantees, stakeholders and other associated entities, including third-party representatives
- All personal data that CEMASTEA holds relating to identifiable individuals
Article 5: Governing Laws
This policy shall be interpreted in accordance with the Laws of Kenya, including:
- Data Protection Act No. 24 of 2019
- Constitution of Kenya — Article 31 (Right to Privacy)
- Registration of Persons Act (Cap 107)
- Births and Deaths Registration Act (Cap. 149)
- Kenya Citizenship and Immigration Act (Cap. 170)
- Marriage Act (Cap. 150)
- Children Act (Cap. 141)
- Refugee Act (Cap. 173)
Article 6: Data Protection Principles
The Centre is guided by the following eight data protection principles:
Principle 1: Lawfulness, Fairness and Transparency
Process personal data lawfully, fairly and in a transparent manner in relation to the data subject. Personal data must be collected and processed in a legal, transparent and fair manner. Data collected shall be adequate, relevant and not excessive in relation to the purposes for which they are obtained.
The data subject shall have the right to:
- Be informed of the use to which their personal data is to be put
- Access their personal data in the custody of the Centre
- Object to the processing of all or part of their personal data
Principle 2: Purpose Limitation
Collect personal data for a specific, explicit and legitimate purpose. The purpose must be clearly stated, and the data retained only for as long as necessary to fulfil that purpose. Personal data shall not be further processed in a manner that is incompatible with those purposes.
Principle 3: Data Minimisation (Adequacy)
Ensure that personal data processed is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
Principle 4: Accuracy
Take every reasonable step to update or remove data that is inaccurate. The data subject shall have the right to:
- Demand the correction of false, inaccurate or misleading data
- Demand the deletion of false, inaccurate or misleading data
Principle 5: Storage Limitation (Retention)
Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate technical and organizational safeguards.
Principle 6: Integrity and Confidentiality (Security)
Personal data must be kept safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The Centre will employ industry best practices to prevent unauthorized modifications, corruption, or tampering of personal data and will implement resilient infrastructure, regular backups, and disaster recovery measures.
Principle 7: International Transfers
Personal data must not be transferred to other countries without adequate protection. The Centre shall restrict the transfer of personal data outside Kenya unless:
- Appropriate and verifiable data protection safeguards are in place, or an adequacy decision has been issued by the ODPC
- The data subject has given explicit consent
- The transfer is necessary for contract performance, public interest, legal claims, or is directly beneficial to the data subject
Principle 8: Accountability
The Data Controller must take responsibility for complying with all principles and maintain appropriate processes and records to demonstrate compliance. Personal data must generally be collected directly from the individual concerned, who must be informed of the purpose of processing and categories of third parties to whom data may be transmitted.
Article 7: Lawful Data Processing
The Centre shall not process personal data unless at least one of the following bases applies:
a) The data subject consents to the processing for one or more specified purposes
b) The processing is necessary for:
- Performance of a contract to which the data subject is a party
- Meeting the Centre's legal compliance obligations
- Protection of the important interests of the data subject or another person
- Performance of a task in the public interest or in the exercise of official authority vested in the Centre
- The legitimate interests pursued by the Centre or a third party, except where such processing is unwarranted having regard to harm and prejudice to the rights and freedoms of the data subject
- Historical, statistical, journalistic, literary, artistic or scientific research purposes
Where consent is required, the Centre shall inform the data subject of:
a) The purpose of each processing operation
b) The type of personal data to be collected and used
c) The possible risks of data transfers due to the absence of adequate safeguards
d) Whether the personal data will be shared with third parties
e) The right to withdraw consent and the implications of providing, withholding or withdrawing consent
Article 8: Processing of Sensitive Personal Data
The Centre will process Sensitive Personal Data strictly in compliance with applicable laws. Processing is permissible under the following circumstances:
- Sensitive Personal Data that has been manifestly made public by the data subject may be processed.
- The Centre may process Sensitive Personal Data without explicit consent when processing is:
  a) Necessary for the establishment, exercise, or defence of a legal claim
  b) Required to fulfil the Centre's obligations or exercise specific rights of the Centre or the data subject
  c) Essential to protect the vital interests of the data subject or another person when the data subject is physically or legally incapable of providing consent
Employees are strictly prohibited from processing Sensitive Personal Data outside these grounds. Unauthorised processing may result in disciplinary action, criminal liability, civil penalties, or administrative sanctions.
Article 9: Restrictions on Processing
The Centre shall, at the request of a data subject, restrict the processing of personal data where:
a) The accuracy of the personal data is contested by the data subject, for a period enabling the Centre to verify the accuracy of the data
b) Personal data is no longer required for the purpose of processing, unless required for the establishment, exercise, or defence of a legal claim
c) Processing is unlawful, and the data subject opposes erasure and requests restriction of use instead
d) The data subject has objected to processing, pending verification as to whether the legitimate interests of the Centre override those of the data subject
Where processing is restricted, the personal data shall only be processed with the data subject's consent or for:
i. The establishment, exercise, or defence of a legal claim
ii. The protection of the rights of another person
iii. Reasons of public interest
Article 10: Data Retention Schedule
The Centre retains personal data for as long as necessary to fulfil the purpose for which it was collected, in compliance with legal requirements.
- Employee data is retained for the duration of employment and for a reasonable period afterwards to fulfil legal obligations, address potential disputes and maintain employment records.
- Customer and supplier data is retained for the duration of the business relationship and for a period afterwards as required by contractual, legal and regulatory obligations.
- Website usage data is retained for a period necessary to analyse traffic, ensure website security and improve user experience.
- Research and statistical data is retained for the duration of the research project and anonymised before any public release.
Article 11: Data Security
CEMASTEA shall implement robust security measures to protect personal data, including:
a) Restricting access to personal data to authorised personnel only
b) Encrypting sensitive data both in transit and at rest
c) Conducting regular security audits and vulnerability assessments
d) Establishing a data breach response plan to address potential security incidents promptly
Data Subject Rights
All data subjects have the following rights:
a) The right to access their personal data held by CEMASTEA
b) The right to request correction or rectification of inaccurate or incomplete data
c) The right to request erasure or deletion of personal data under certain conditions
d) The right to request the restriction of data processing in specific circumstances
e) The right to receive their data in a structured, commonly used, and machine-readable format
f) The right to object to data processing based on legitimate interests
g) The right to withdraw consent at any time for processing activities based on consent
Requests to exercise these rights should be directed to the Data Protection Officer.
Data Breach Management
In the event of a detected data breach, CEMASTEA shall:
- Verify and contain breaches immediately
- Notify the ODPC and affected individuals within required timelines
- Investigate and implement risk mitigation measures
- Implement corrective actions to prevent recurrence
Article 12: Responsibilities
Data Protection Officer (DPO)
The Centre shall appoint a Data Protection Officer who shall be responsible for:
Regulatory Compliance and Liaison:
- Serving as the primary point of contact for the ODPC and other data protection regulatory authorities
- Managing the Centre's registration as a data controller or processor
- Liaising with the ODPC during periodic audits, investigations, and regulatory activities
Compliance Advisory and Monitoring:
- Advising the Centre and its staff on compliance with applicable data protection laws and internal policies
- Continuously monitoring organisational compliance with data protection regulations
- Providing expert guidance on interpreting and implementing data protection requirements
Risk Management and Impact Assessments:
- Identifying and assessing reasonably foreseeable internal and external risks to personal data
- Conducting comprehensive data protection impact assessments
- Establishing and maintaining appropriate safeguards against identified risks
Data Protection Strategies:
- Recommending and overseeing data anonymisation, pseudonymisation, and encryption strategies
- Developing and maintaining a personal data retention schedule
- Determining when personal data is no longer necessary and should be removed or archived
Capacity Building and Training:
- Facilitating capacity building for staff involved in data processing operations
- Developing and implementing training programmes to enhance organisational data protection awareness
- Supporting employees in understanding their roles and responsibilities in data protection
Staff Responsibilities
Staff members handling personal data shall ensure that:
i. All personal data is kept secure and confidential from unauthorised persons
ii. Personal data is kept in accordance with this policy
iii. All concerns and queries connected with data protection are directed to the DPO
iv. Any data breaches are immediately reported to the DPO
Third-Party Data Processors
When external entities are engaged to process personal data on the Centre's behalf:
- The Centre retains full responsibility for data security and appropriate usage
- Selected processors must implement robust security protocols
- Comprehensive due diligence shall be conducted to verify security measures
- A comprehensive written agreement shall detail the specific data, purpose, and security requirements
- All third-party processors must sign Data Processing Agreements (DPAs) outlining their obligations under the Kenyan Data Protection Act, 2019
Roles of the CEO
a) Ensure overall compliance with data protection laws and policies
b) Allocate necessary resources for implementing data protection measures
c) Oversee the designation and function of the Data Protection Officer
d) Approve key strategic decisions related to data security and compliance
e) Provide leadership in fostering a culture of data privacy within the organisation
f) Promote awareness and training among staff regarding data protection principles and practices
g) Provide quarterly policy implementation reports to the Board for review
Roles of the Board
a) Establish and review governance frameworks for data protection and security
b) Ensure that CEMASTEA complies with legal and regulatory data protection requirements
c) Monitor and assess data protection performance through regular reporting and audits
d) Engage in regular strategic planning and review sessions on data protection at least twice a year
e) Support the implementation of best practices in data security and risk mitigation
Article 13: Complaints Handling Mechanism
Data subjects may submit a complaint regarding the processing of their personal data. The following process applies:
- Complaints should be directed to the Data Protection Officer. A representative may act on behalf of a data subject only with written consent from the data subject.
- The Centre will acknowledge the complaint within 7 working days of receipt.
- An investigation will be conducted within 30 working days. Should further clarification be required or additional time be necessary, the Centre will notify the complainant before the original deadline expires.
- The complaint outcome will be communicated to the complainant in writing via email or any other appropriate means.
- If the complainant is unsatisfied with the outcome, they may request a review. Should they remain aggrieved following such review, they retain the right to lodge a complaint with the ODPC.
Article 14: General Exemptions
Notwithstanding any exemptions, the Centre shall not be exempt from complying with data protection principles relating to lawful processing, minimisation of collection, data quality, and adopting security measures to safeguard personal data.
The processing of personal data shall be exempt from this policy if:
a) It relates to the processing of personal data by an individual in their personal capacity
b) It is necessary for national security or public interest
c) Disclosure is required by or under any written law or by order of the court
Journalism, Literature and Art
The principles of processing personal data shall not apply where:
i. Processing is undertaken for the publication of a literary or artistic material
ii. The Centre reasonably believes that publication would be in the public interest
iii. The Centre reasonably believes that compliance with the standard provisions is incompatible with the special purposes
Research, History and Statistics
The further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes, provided it is carried out solely for such purposes and will not be published in identifiable form. Personal data processed only for research purposes is exempt from this policy if the results are not made available in a form which identifies the data subject.
Article 15: Amendment of Policy
This policy shall be reviewed every three (3) years and whenever the need arises due to changes in legislation, organisational structure, or operational requirements.
By proceeding to use this platform, you confirm that you have read and understood this Data Protection Policy and agree to its terms. CEMASTEA will handle your personal data in accordance with this policy and the Data Protection Act No. 24 of 2019.