Grassroots Economics Foundation's Data Protection Policy
Note about this policy: Protecting individuals' Personal Data is an integral part of protecting their life, integrity and dignity. The right to privacy has long been recognized globally as a human right, while the right to Personal Data protection is a relatively recent human right that is closely connected to the right to privacy and sets forth conditions for the Processing of data of an identified or identifiable individual. This is why Personal Data protection is of fundamental importance for Humanitarian Organizations like us. This policy details our Foundation's commitment to data protection and privacy.
Grassroots Economics recognizes and complies with the GDPR and the rights it confers, except as limited. We make it as easy as possible to exercise most rights directly from your account. Users may contact us at privacy@grassecon.org to exercise their GDPR rights.
Definitions

| Term | Meaning |
| --- | --- |
| GE / the Foundation | Grassroots Economics Foundation, a registered non-profit |
| GDPR | The General Data Protection Regulation |
| Responsible Person | GE HR department |
| Register of Systems | GE IT Department |
| PII | Personal Identifying Information |
1. Data protection principles
The Foundation is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General provisions
- This policy applies to all personal data processed by the Foundation.
- The Responsible Person shall take responsibility for the Foundation’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Foundation shall adhere to the Data Protection Act of 2019, which was assented to by the President of the Republic of Kenya on 08 November 2019 (the "Act").
- The Foundation will ensure that it holds all the licenses and permits required for the handling of personal information.
- The Foundation shall ensure that all staff have read and signed the Data Protection & Privacy policy.
- Where personal data is shared with external parties, the Foundation will ensure that those parties are informed and instructed on adequate methods of data handling, so as to protect the safety and dignity of individuals.
In the case of humanitarian aid, i.e. cash transfers that depend on data collection, it would not be necessary to inform all individuals of the conditions of data collection prior to receiving aid if doing so would seriously hamper, delay or prevent the distribution of aid. Rather, the Humanitarian Organizations involved could provide such information in a less targeted and individualized way, with public notices, or individually at a later stage.
3. Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Foundation shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data, and any such requests made to the Foundation shall be dealt with in a timely manner.
- The Foundation shall always inform the individuals whose PII data is being shared.
4. Lawful purposes
- All data processed by the Foundation must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see the Kenya Data Protection Act Guideline).
- The Foundation shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Foundation’s systems.
5. Data minimisation
- The Foundation shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
6. Sensitive Data
- Sensitive Data means Personal Data (also known as Personal Identifying Information (PII)) which, if disclosed, may result in discrimination or violence against, or the repression of, an individual. Typically, data relating to health, race or ethnicity, religious/political/armed group affiliation, or genetic and biometric data are considered to be Sensitive Data.
- All Sensitive Data requires augmented protection. Given the environments in which Humanitarian Organizations work and the possibility that various data elements that we handle may give rise to discrimination, setting out a definitive list of Sensitive Data categories is not possible. For example, in some situations a simple list of names may be very sensitive if it puts the individuals on the list and/or their families at risk of persecution. Equally, in other situations, data collected to respond to Humanitarian Emergencies may need to include data that in a regular data protection context would be considered Sensitive Data, the Processing of which would in principle be prohibited, but which in the local culture and the specific circumstances may be relatively harmless. Therefore, it is necessary to consider the sensitivity of data and the appropriate safeguards to protect Sensitive Data (e.g. technical and organizational security measures) on a case-by-case basis.
7. Accuracy
The Foundation shall take reasonable steps to ensure personal data is accurate. Note that the majority of PII data is user generated and optional. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date. Data shall be collected in accordance with the Handbook on Data Protection and Humanitarian Action by the ICRC.
8. Archiving / removal
- To ensure that personal data is kept for no longer than necessary, the Foundation shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why. (Various partners require records for 10 years.)
9. Security
- The Foundation shall ensure that personal data is stored securely using modern software that is kept up to date.
- An annual security audit should be carried out to test the integrity of the Register of Systems.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
10. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Foundation shall promptly assess the risk to people's rights and freedoms and, if appropriate, report this breach to the appropriate parties.
11. Training
Regular staff training will be conducted to ensure individuals are sensitive to the latest Data Protection legislation and are aware of sensitive data, its collection and processing.
12. Data Stored and Classifications
The following data are stored by the Foundation. Note that data that does not constitute Personal Identifying Information (non-PII), as well as information users have chosen to share publicly, is considered non-confidential.

| Data | Type | Description | Classification |
| --- | --- | --- | --- |
| Instrument Data | Mandatory | All public information about the details and obligations associated with Instruments such as Vouchers. This ensures that anyone can look up who issued a Voucher and how it can be redeemed as payment. This may include contact information and endorsements for a business or community group issuing a Voucher. | Non-Confidential |
| Phone Number | Mandatory | Phone number for Account (USSD) access | Confidential |
| Pin / Password | Mandatory | Needed for account access | Confidential |
| Public Key | Mandatory | Anonymous ledger account code | Non-Confidential |
| Private Key | Mandatory | Ledger account key needed for Account (USSD) access | Confidential |
| Transaction Histories | Mandatory | Ledger information (non-PII) referencing only the Public Key for all registered Instruments utilized by Members | Non-Confidential |
| Agreements / Contracts | Mandatory | Signed agreements for groups issuing their own Instruments. Used to ensure that people holding Instruments know who created them. | Non-Confidential |
| Full Name / Alias / Email | Optional | Name or alias that appears on receipts or is used for account access | Confidential |
| Geo-Region | Optional | A generalized geographical regional location | Non-Confidential |
| Geo-Location | Optional | The user-entered geographical location | Confidential |
| Offering Type | Optional | A generalized user offering | Non-Confidential |
| Offering | Optional | An offering of Goods or Services | Confidential |
| Age | Optional | The user-entered age | Non-Confidential |
| Endorsements | Optional | Users' endorsements of other users' offerings and information, keyed by public key (non-PII) | Non-Confidential |
| Gender | Optional | The user-entered gender | Non-Confidential |
13. Sharing of Non-Confidential Data
Non-PII (Non-Confidential) Data (see example) is shared with researchers via the UK Data Archive, a formal interface with ORCID integration which is social-science and demographics focused. It is professionally administered by the University of Essex on behalf of e.g. the UK Census, with the following stipulations:
- "Open data": CC-BY-NC-SA, allows non-commercial and "open" use only
- "Safeguarded data": research only, access granted on a standardized basis
  - UKDA is granted authority to administer data on GE's behalf
  - Access is automatically limited to "registered users"
  - Researchers must give name, address, legal affiliation, and more
  - Researchers must agree to follow the licenses on data files, on threat of losing access and/or legal action
- UKDATA "End User License"
  - Prohibits attempting to identify people in the data
  - Prohibits commercial use unless granted permission
  - Requires the data be stored safely (behind a password)
  - Requires any derivative datasets also be deposited, i.e. network repositories could only _link to_ the data
  - Requires anyone publishing from the data to report this
- Access can be made more restrictive still, up to and including requiring training
END OF POLICY
APPENDIX
Data Protection checklist for Data collection from the ICRC Handbook
- Is there Processing of Personal Data? (yes)
- Are individuals likely to be identified by the data processed? (no)
- Does the information require protection even if it is not considered to be Personal Data?
- Have (if applicable) local data protection and privacy laws been complied with?
- For what purpose are the data being collected and processed? Is the Processing strictly limited to this purpose? Does this purpose justify the interference with the privacy of the Data Subject?
- What is the legal basis for Processing? How will it be ensured that the data are processed fairly and lawfully?
- Is the Processing of Personal Data proportionate? (yes) Could the same purpose be achieved in a less intrusive way? Only the data necessary for operation is required, and any PII is considered confidential.
- Which parties are Data Controllers and Data Processors? What is the relationship between them? (GE)
- Are the data accurate and up to date? (Yes)
- Will the smallest amount of data possible be collected and processed?
- How long will Personal Data be retained? How will it be ensured that data are only retained as long as necessary to achieve the purpose of the Processing? (Yes) As long as the user is using the system and wishes to be active. Their PII data will be removed after 10 years of inactivity.
- Have adequate security measures been implemented to protect the data? (Yes) Our data services are all encrypted, with only two staff having the ability to decrypt them.
- Has it been made clear to individuals who is accountable and responsible for the Processing of Personal Data? (Yes) GE is responsible for the processing and handling of all personal data.
- Has information been provided to individuals about how their Personal Data are processed and with whom they will be shared? (Yes) This is part of the terms of service.
- Are procedures in place to ensure that Data Subjects can assert their rights with regard to the Processing of Personal Data? (Yes) Users can always remove their personal data, and all personal data is optional for usage.
- Will it be necessary to share data with Third Parties? Under what circumstances will Personal Data be shared with or made accessible to Third Parties? How will individuals be informed of this? (No) Personal Data will not be shared with third parties. Non-PII data is shared with researchers under strict conditions as per the terms of service agreement.
- Will Personal Data be made accessible outside the country where they were originally collected or processed? (no) What is the legal basis for doing so? (n/a)
- Have Data Protection Impact Assessments been prepared to identify, evaluate, and address the risks to Personal Data arising from a project, policy, programme or other initiative? (Yes)