Introduction

Growing concerns surrounding the security of personal data in institutional hands have spurred governments all around the world to enact data protection regulations. In 2018, the European Union (EU) ushered in the General Data Protection Regulations (GDPR), outlining strict guidelines for companies handling personal data. Inspired by this move, Kenya enacted its own Data Protection Act in 2019. These regulations serve as shields for individual privacy, mandating responsible handling of personal data. Core principles enshrined in these regulations include lawful processing, minimizing data collection, ensuring data accuracy, and implementing robust security measures to safeguard personal information.

Policy Statement

Engishu Insurance Agency prioritizes ethical data practices, adhering to both Kenyan and global regulations. Recognizing the fundamental right to privacy, we are committed to protecting individuals through lawful, responsible, and legitimate use of their personal data. We guarantee data subject rights and ensure all data collection and processing aligns with mandated legislation. This policy is mandatory for all Engishu Insurance Agency staff, and non-compliance will result in disciplinary action.

Purpose

This policy establishes clear guidelines on how Engishu Insurance Agency will collect, use, and store personal data. The policy ensures compliance with relevant data protection laws, safeguards the rights and privacy of data subjects, and mitigates the risks of data breaches.

Definition of Terms

• Data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
• Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
• Data subject means an identified or identifiable natural person who is the subject of personal data.
• Personal data means any information relating to an identified or identifiable natural person.
• A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
• Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses sex, or the sexual orientation of the data subject.
• Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organisation, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.

Scope

The policy applies to:

• Employees of Engishu Insurance Agency (where Engishu Insurance Agency is the ‘Controller’ for the personal data being processed, be it in manual and automated forms or if others hold it on their systems for Engishu Insurance Agency;
• All personal data processing Engishu Insurance Agency carries out for others (where Engishu Insurance Agency is the ‘Processor’ for the personal data being processed) and,
• All formats, g., printed and digital information, text and images, documents and records, data and audio recordings.

Data Protection Officer

Engishu Insurance Agency has designated the Principal Officer to be the Data Protection Officer (DPO). Accordingly, the DPO will:

• Advise Engishu Insurance Agency staff on requirements for data protection, including data protection impact assesments.
• Ensure that the Engishu Insurance Agency has complied with the legal requirements on data protection.
• Facilitate capacity building of staff involved in data processing operations.
• Cooperate with external regulators on matters relating to data Engishu Insurance Agency’s DPO can be contacted via the email: dpo@engishu.com

Principles

Engishu Insurance Agency will ensure that data is:

• Processed lawfully, fairly and in a transparent manner and in line with the right to privacy.
• Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose.
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
• Accurate and where necessary kept up to date.
• Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
• Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
• Not transferred out of Kenya unless there is proof of adequate data safeguards/ measures or consent from the data subject.

Duty to Notify

Engishu Insurance Agency has a duty to notify data subjects of their rights before processing data. Engishu Insurance Agency will therefore inform the data subjects of their right:

• To be informed of the use to which their personal data is to be put.
• To access their personal data in Engishu Insurance Agency’s
• To object to the processing of all or part of their personal data.
• To the correction of false or misleading data.
• To deletion of false or misleading data about them.

Lawful and Fair Processing of Data

Engishu Insurance Agency will only process data where they have a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:

• To facilitate the creation of a contract of insurance to which the data subject is a party.
• To facilitate the creation of other contracts to which the data subject is a party (for instance a contract of employment).
• To comply with the Engishu Insurance Agency’s legal obligations.
• To perform tasks carried out in the public interest or the exercise of official authority.
• To protect the vital interests of the data subject or another person.
• For historical, statistical, journalistic, literature and art or scientific research.

What Personal Data Do We Collect?

Personal data that we may process, as appropriate throughout the insurance and claim process, but is not limited to:

• Name and contact details (such as telephone number, e-mail address and postal address)
• Date of Birth
• Profession
• Gender
• Marital status
• Spouse and children
• Video, photographic images or audio recordings submitted or made as part of the insurance issuance and claim process.
• Medical reports and medical history.

We may also process sensitive or special personal data where relevant to the insurance and claim processes, including where necessary to accommodate any disability needs.

When exercising our rights and obligations under the insurance contracts, it may be necessary to process sensitive data categories. Such sensitive may include but not limited to;

• Claim record;
• Medical history
• Previous claims experience
• Country of origin

Minimization of Collection

Engishu Insurance Agency prioritizes respecting your privacy and adheres to strict data handling practices. We are committed to processing only the personal data necessary for fulfilling our duties and obtaining your explicit consent if the intended purpose falls outside the initial scope.

We strictly prohibit unauthorized access to any data, and our staff are trained to collect and retain only the data relevant and strictly necessary for their assigned tasks. Once the data serves its purpose, it is securely deleted, destroyed, or anonymized. You can be confident that your information will be handled responsibly and ethically at Engishu Insurance Agency.

Accuracy of data

Engishu Insurance Agency is committed to maintaining the accuracy and integrity of your personal data. We implement robust measures to ensure that all collected information is kept up-to-date and promptly corrected or deleted upon your request or notification of inaccuracies. Should any staff member become aware of outdated or incorrect data, they are obligated to initiate the necessary updates immediately. Rest assured, any information deemed inaccurate or no longer relevant will be securely deleted or destroyed to safeguard your privacy.

Safeguards and security of data

Engishu Insurance Agency has instituted data security measures which are laid out in the Information security policy and procedures. These measures serve to safeguard personal data and must be complied with accordingly.

Consent

Where necessary, Engishu Insurance Agency will maintain adequate records to show that consent was obtained before personal processing data. Data will not be processed after the withdrawal of consent by a data subject.

Processing data relating to a child

Engishu Insurance Agency will not process data relating to a child unless consent is given by the child’s guardian or parent and the processing is in such a manner that protects and advances the rights and best interests of the child in line with Engishu Insurance Agency Safeguarding policy.

Engishu Insurance Agency will institute adequate mechanisms to verify the age and obtain consent before processing the data.

Data protection impact assessment

Engishu Insurance Agency will undertake a data protection impact assessment whenever they identify that the processing operation will likely result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.

Processing sensitive personal data

Engishu Insurance Agency will process sensitive personal data only when:

• The processing relates to personal data that has been personally availed by the data subject.
• Processing is necessary for:
  • The establishment, exercise or defence of a legal claim.
  • The purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject.
  • Protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.

Transferring personal data out of Kenya

Engishu Insurance Agency will transfer personal data out of Kenya only when they have:

• Proof of appropriate measures for security and protection of the personal data, and the proof provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019, such measures include that data is transferred to jurisdictions with commensurate data protection laws.
• The transfer is necessary for the performance of a contract, implementation of pre- contractual measures such as:
  • For the conclusion or performance of a contract to which the data subject is part of.
  • To protect the vital interests of data subjects.
  • For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

Engishu Insurance Agency will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and on receiving confirmation of appropriate safeguards.

Onward reporting

In line with regulatory requirements, Engishu Insurance Agency will report to the Data Protection Commissioner any data breach within 72 hours of being aware.

Engishu Insurance Agency will also communicate the data breach to the data subject as soon as is practical unless the identity of the data subject cannot be established.

Training and Awareness

Engishu Insurance Agency will train staff on the contents and implementation of this policy. Staff who join Engishu Insurance Agency will be required to go through an induction process that entails familiarisation with this policy.

Engishu Insurance Agency will ensure that the requirements of this policy form part of its agreement with its Insurance Partners and any third parties who Engishu Insurance Agency’s data.

Roles and Responsibilities

The Data Protection Officer is responsible for ensuring that employees are aware of this policy and are supported to implement and work by it, as well as creating a management culture that encourages a focus on data protection.

All staff must:

• Read, understand and comply with the contents of this policy
• Report suspicions of breaches promptly

Independent Assurance

The adequacy and effectiveness of Engishu Insurance Agency’s data protection procedures is subject to the regular internal audit reviews. Where necessary, Engishu Insurance Agency may call an external review to provide assurance over the integrity of its data protection procedures.

Data Retention

The Data retention period in Engishu Insurance Agency is determined by legitimate needs. Adequate records of decision making will be maintained to show cause why various types of data has been retained for the respective durations of their retention.

Review of this Policy

The Data Protection Officer is responsible for ensuring that this policy is reviewed on a timely basis. This policy will be reviewed after every two years.