Why data protection and privacy should matter to saccos

Date: 2024-01-28

By LAVELYNE NUSU

With digitisation, data, especially personal data, has become the new gravy train. With the increased regulation on individuals’ privacy, both internationally and regionally, Kenya enacted the Data Protection Act, 2019 (DPA). Subsequently, its regulations came into force in 2022.

Data protection and privacy is of great importance to Savings and Credit Cooperative Organisations or Societies (saccos) and ought to be considered in the way saccos discharge their functions. Saccos collect and process large volumes of personal data from their members, vendors and staff (data subjects).

Such personal data includes the subject’s name, identity card and/or passport number, physical and postal address, email address and financial account details. Additionally, saccos in Kenya collect data such as property details for credit facilities, gender, marital status and family details including names of family members.

The Sacco Societies Regulatory Authority (Sasra) released its Supervision Annual Report 2022, which highlighted data protection and privacy as one of the key legal developments that the entities should comply with.

Under the DPA, saccos would be required to comply with the registration requirement. As saccos provide financial services, they fall within the class of organisations that must register as data controllers and/or data processors, regardless of the number of employees and annual turnover.

In line with the principle of transparency, saccos are required to publish a data protection and privacy policy, which is an internal-facing document, that outlines their personal data handling practices.

Additionally, saccos should have a data protection and privacy notice/statement, which is an external-facing document, that should be made available to data subjects at the point that their personal data is collected.

People join saccos to save and access credit. Some have revised their business models to include investment option(s) for member funds. In line with the DPA, when the purpose for which saccos initially collected the personal data changes, this should be communicated to their members.

Though not a mandatory requirement, saccos may consider having a data protection officer within their organisation structure. This is because the core activities consist of processing operations which by their nature, scope and purpose consist of sensitive personal data and regular monitoring of data subjects.

It is also important for such organisations to ensure that any transfer of personal data from Kenya across borders is done in accordance with the DPA’s requirements for cross-border data transfers, such as ensuring that there are safeguards for such transfers. Additionally, saccos should review their contractual arrangements with their third parties to ensure that there are clauses addressing data protection and privacy.

Saccos need to go back to the drawing board to assess if they have any data protection and privacy gaps in regard to the DPA, supporting regulations and best practices. This will help to ensure that their personal data handling practices are compliant with the law.

