Table of Contents
Data Protection and Privacy Policy
Effective Date: 23rd December 2024Last Updated: 23rd December 2024
Terms and Definitions
- Aggregate Data
High-level summary of individual data from various data sources that does not contain individual identifiable personal data - Anonymised Data
Data that has been stripped/removed of all personal information so that data subjects are not identifiable - Consent
The manifestation of express indication of the data subjects’ agreement to the processing of their personal data. - Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data; - Data localisation
Requirement under DPA 2019 that data collected on a data subject in their country of residence shall be retained and/or processed in that country. - Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. - Data Subject
An identified or identifiable natural person who is the subject of personal data - DPA 2019
Kenya Data Protection Act (2019) - DPR 2021
Kenya Data Protection Regulations (2021) - GDPR
General Data Protection Regulations - Minors
Individuals legally under the age of consent under Kenya law (under the age of 18 years) - ODPC
Office of the Data Protection Commissioner - Personal Data
Information used to identify individuals including but not limited to names, addresses, phone numbers and online identifiers - Processing
Any operation performed on personal data including, collecting, organization, storage, retrieval, transmission, erasure and deletion - Pseudonymisation
The processing of personal data to making it non-attributable to a specific data subject unless one uses additional information - Sensitive Data
Personal data that needs more protection due to its sensitivity. It includes but is not limited to an individual's race, health status, ethnic origin, beliefs, biometric data, family details, and personal data on minors. - YSK
Young Scientists Kenya
Introduction
1.1. Purpose and Scope
This privacy policy for Young Scientists Kenya, registered as Innovative Young Scientists Kenya (“YSK”, “we”, or “us”), provides a policy framework for the collection, utilisation, processing, storage, and protection of information collected from data subjects (“you”). The privacy policy has been developed in compliance with the Kenya Data Protection Act (2019) and the Kenya Data Protection Regulations (2021).
1.2. Company Information
Young Scientists Kenya (YSK) is a education initiative organisation established in 2017 by the Embassy of Ireland in Kenya and the Ministry of Education, Government of Kenya, through a Memorandum of Understanding. YSK is modelled on the internationally acclaimed British Telecom Young Scientists and Technology Exhibition (BTYSTE) in Ireland.
YSK has been empowering young people to transform lives through Science, Technology, Engineering, and Mathematics (STEM) since 2018. YSK inspires and empowers the next generation of young scientists, innovators, and entrepreneurs to transform their local and global communities through STEM. YSK does this through STEM Outreach and Mentorship, the National Science and Technology Exhibition, and a STEM Bootcamp. YSK sparks the interest of young Kenyans in STEM subjects and careers, builds their confidence and ability to solve complex problems, and provides an enabling environment for learning and innovation. YSK’s primary target audience is learners and educators in the secondary school education ecosystem.
Regulations and Governance
2.1. Registration and Data Controller and Data Processor
YSK is registered as a Data Processor and Data Controller with the Office of the Data Protection Commissioner (ODPC) as per DPR 2021.
2.2. Data Protection Officer
YSK shall establish the position of Data Protection Officer, whose primary responsibility will be to ensure the compliance of YSK with this Data Protection and Privacy Policy, as well as recommend any changes necessary to ensure good practice in the processing of personal data. The Data Protection Officer shall report directly to the National Director, and their roles and responsibilities shall include:
2.2.1. Ensure timely and up-to-date registration of YSK’s Data Processor and Data Controller licences with ODPC.
2.2.2. Ensure compliance with the Data Protection and Privacy policy, as well as applicable Data Protection and Data Privacy regulations
2.2.3. Where applicable, identify and recommend capacity building of staff involved in data processing operations
2.2.4. Shall be the first point of contact in all matters relating to data privacy, including requests for modification of personal data from data subjects within and outside the organisation, and therefore shall have their contact details published
2.2.5. Shall be YSK’s point of contact with the ODPC in all matters relating to data privacy and data regulation
2.2.6. Recommend actions on the improving of data processing and data control within YSK, including but not limited to data impact assessment, data storage, data archiving and data deletion
2.3. Rights of Data Subjects
Data subjects in this policy are defined as persons, organisations, or entities of which YSK has collected or intends to collect personal data necessary for its operations. YSK, in the collection of private and/or sensitive data, recognises the following rights of data subjects:
2.3.1. Right to be informed: at the point of data collection, data subjects shall be informed how the data will be used, how long it will be kept, and whether it shall be shared by third parties. This right shall be evidenced by express consent from the data subject for YSK to collect and use the data subject’s private data.
2.3.2. Right to access personal data: data subjects shall have the right to access their personal data held by YSK. Requests from data subjects for access of their personal data shall be responded to within a maximum of seven (7) days.
2.3.3. Right to correction of false or misleading data: data subjects have the right to correct their data held by YSK which is inaccurate, untrue, outdated, incomplete, or misleading. The request to correct shall be supported with sufficient relevant documentation and corrective action taken within a maximum of fourteen (14) days. Where the request for corrective action is declined, YSK shall notify the data subject of the refusal, and the reasons for the decline.
2.3.4. Right to deletion of false or misleading information: data subject has the right to request YSK to erase or destroy data that is irrelevant, excessive, or no longer authorised for YSK to retain.
2.3.5. Right to not be subjected to automated processing or decision-making: data subjects have the right to not be subject to any automated process or decision-making from YSK.
2.3.6. Right to object: a data subject has the right to object to the processing of their personal data by YSK. A data subject that gives the objection to YSK shall be responded to is seven (7) days with confirmation, and with notification of how the data shall/shall not be processed.
2.3.7. Right to data portability: a data subject has the right to request for a copy of their data in a machine-readable format, and have it transferred to another data processor. Requests from data subject to YSK must be in writing, and the transfer of their data shall be complete within thirty (30) days, with all reasonable costs being covered by the data subject.
2.3.8. Right to notification of data breach: Data subjects have the right to notification of a data breach, including any action that YSK is undertaking to address the breach.
2.4. Data Protection Safeguards
2.4.1. Child Protection Policy
Due to its interaction with secondary school learners, YSK shall develop and maintain a constantly revised Child Protection Policy which, along with this Data Protection and Privacy Policy, shall determine privacy and data protection right of minors, the process of interacting with minors, and the adult, person or institution responsible to consenting and defending the rights of the minors.
2.4.2. Communication and Transparency
To ensure transparency and effective communication, YSK shall ensure that:
2.4.2.1. Communication with data subjects and potential data subjects is clear, understandable, and effective
2.4.2.2. The Data Protection and Privacy policy is available to the public and data subjects, through the YSK website
2.4.2.3. The contact details of the data officer are readily available for data subjects to reach out to YSK
2.4.2.4. The Data Protection and Privacy Policy, as well as other policies and procedures that are affected by or may affect the Data Protection Policy, are constantly reviewed at least once every three (3) years
2.4.2.5. Requests from data subjects are responded to within the timelines and guidelines set out within this policy
2.4.3. Enforcing of YSK’s Data Protection and Privacy Policy
2.4.3.1. As part of the Data Protection and Privacy Policy, YSK shall ensure that all YSK employees, board and committee members, and any suppliers/contractors/consultants shall be made aware of the policy, as well as the legal and statutory requirements for Data Protection and Data Privacy.
2.4.3.2. Any external parties, including but not limited to suppliers, vendors, contractors, and consultants who shall engage with YSK and shall collect or process personal data for or on behalf of YSK will be required to be registered as a data controller and/or a data processor.
2.4.3.3. Any violation of the principles and guidelines of this policy shall be considered to be a disciplinable offence and shall be subject to YSK’s disciplinary procedures as stipulated in the employee’s contract and/or YSK’s Human Resource policy.
Data Collection
YSK will collect information about its data subjects in the following ways:
3.1. Information from attendance of physical events
3.1.1. YSK will ask for certain information when you register for our events, activities, programmes, and any other physical events or activities. This information will include your full names, National ID or passport, phone number, profession, organisation or association, email, physical address, and any special physical or dietary requirements.
3.1.2. YSK will also collect images from the event, and may include your image as part of the event attendees. Notification on the collection of images will be provided at the event to allow data subjects who are not willing to be captured on media to opt out of the event.
3.1.3. YSK may also collect additional information from the event arising from feedback sessions, questionnaires, and queries raised during the event.
3.1.4. In the case of minors attending the event, YSK will also require the express permission of the legal guardian of the minor before collecting personal or sensitive information, or collection of images, videos, and other media information.
3.2. Information from attendance of virtual events
3.2.1. YSK will ask for certain information when you register for virtual events. This will include your full names, National ID or passport, birthdate, phone number, profession, organisation or association, email, physical address, and any special requirements needed to participate.
3.2.2. In line with our child protection and safeguard policy, YSK will not register minors to attend virtual events. It is YSK’s policy that, for those minors wishing to attend our virtual events, they shall be registered by their legal guardian/s, to ensure the involvement of the guardian in the attendance of virtual events.
3.3. Information received from correspondence
YSK will collect information from correspondence initiated by you or initiated by YSK. The detail of the information will vary depending on the nature of the correspondence, but will generally include your name, email address, phone number, profession, organisation and job title.
3.4. Information received from third parties
3.4.1. YSK may obtain information about you from third-party sources such as public sources, social media platforms (such as LinkedIn, Facebook, X, Instagram, and other platforms). Examples of such information may include your name, organisation, job title, and available contact information.
3.4.2. YSK may use this information to contact you to promote our activities and possible partnership areas between us and you/your organisation.
Data Usage
YSK will use the information we collect for the purposes set out below:
4.1. Providing YSK Services
YSK will use the information collected for its activities and programmes including registering participants, communicating on submissions and requirements, informing progress in events, and providing updates on long-term activities (such as our exhibitions and training programmes).
4.2. Data analytics of our activities
In order to ensure we are providing effective services in line with our strategic goals and aims, YSK will analyse data with an aim of providing inclusivity across the country, gender balance, and ensuring groups of participants with special needs are included and well represented.
4.3. Service Improvement
As part of our internal monitoring and evaluation process, YSK will use data from present and past activities to help improve its services, develop and modify its strategies, and improve interaction and service delivery with its stakeholders.
Data Sharing With Third Parties
5.1. Sharing Opportunities with teachers and students
5.1.1. As part of its strategy to improve STEM innovation within the Kenya education system, YSK will share opportunities (such as training courses, scholarships, and materials we deem relevant and/or important) with data subjects such as teachers and students. As part of YSK policy, the personal information of data subjects shall only be shared with express permission of the data subject.
5.1.2. In regard to minors, the personal data shall not be shared to third parties; YSK will only share the personal data of the legal guardian upon consent from the said guardian.
5.1.3. In the case where the data subject is providing the opportunity, YSK will only share data regarding the subject and/or opportunity upon consent from the data subject.
5.2. Sharing of aggregate data or metrics
YSK may share aggregate data or metrics with other third parties or on our social platforms, performance evaluations, post-event reports, and as part of our marketing and communications activities.
Data Storage, Disposal and Archiving
6.1. As per the DPA 2019 and DPR 2020, YSK will store all its data within the Republic of Kenya.
6.2. YSK shall hold personal data from its past events, trainings, and activities for a maximum period of ten (10) years; upon which the data shall be aggregated and/or anonymised.
6.3. Any data subject at any point has the right to request for deletion of their personal data from our records; upon request, YSK will delete all requested information from its records.
How to Contact Us
If you have any question about this privacy policy, or wish to make a request or a complaint as a data subject, please contact our data officer at:
Email:
info@ysk.co.ke
Attn: Data Protection Officer
Post:
Data Protection Officer
Concern Worldwide Offices
Aerial House, Westlands Avenue
P. O. Box 30659-00100
Nairobi, Kenya