Purpose of this Policy

TransTally Systems is a private organization that works in partnership with political candidates contesting for elective positions to enhance integrity in democratic election processes through equipping candidates with data driven solutions to collect, transmit, process, present and monitor election results.

As an organization, TransTally takes its responsibility regarding the management of our stakeholders’ data very seriously. This policy sets out how the organization manages those responsibilities.

TransTally Systems obtains, uses, stores, and otherwise processes personal data relating to its stakeholders such as potential and current clients, current and former system Administrators, candidates, agents, website users and contacts, collectively referred to in this policy as data subjects and or users.

As an organization we heavily draw our data policy guidelines from the General Data Protection and Regulations (GDPR) which came into force in 2018. When processing personal data, TransTally is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the GDPR, Kenyan data protection laws and other relevant data protection legislation.

This policy therefore seeks to ensure that we:
  1. Are clear about how personal data must be processed and TransTally’s expectations for all those who process personal data on its systems.
  2. Comply with existing data protection laws and with good practice.
  3. Protect TransTally’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights.
  4. Protect TransTally from risks of personal data breaches and other breaches of data protection law.

Definition of Key Terms

Consent

Agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.

Data Controller

The person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. TransTally Systems is the Data Controller of all personal data relating to it and used in facilitating market systems development, conducting research and all other purposes connected with its business purposes.

Data Processing

Any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Data Protection Officer (DPO)

The person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising the organization (including its clients) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with TransTally’s polices, and providing advice.

Data Subject

A living, identified or identifiable individual about whom we hold personal data.

Personal Data

Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behavior.

Personal Data Breach

Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.

Profiling

any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of automated processing.

Scope of this Policy

This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an own device, TransTally servers, TransTally website, clients, etc.) and regardless of the data subject. All staff, clients and others processing personal data on TransTally’s behalf must read it. A failure to comply with this policy may result in consequences defined in the agreement or contract.

The TransTally is responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls, and training to ensure that compliance.

The TransTally IT Officer is the Data Protection Officer (DPO) whereas the IT personnel appointed by a candidate using our system becomes the delegated DPO at that level.

Why do we process personal information?

We may collect and use your personal data if it is necessary for our legitimate interest and so long as its use is fair, balanced and does not unduly impact your rights. For example, to process client registration, processing, etc.

We may collect and use your personal information through our clients such as candidates with your consent. For example, to recruit and activate you as a polling station agent.

How do we collect personal information?

We collect and use personal information about:

  • Election Candidates.
  • Election Agents.

We may collect information about you from different sources, for example:

  • From you directly when you:
    • Subscribe to our system as a candidate.
    • Accept to be enrolled as an election agent.
  • From officially published or gazetted election related materials.
  • From you when you make an application to subscribe to our system through third parties.
What personal information do we use?

We only collect personal information that we genuinely need. This may include:

  • Contact details such as name address, email address and phone numbers
  • Gender.
  • National ID or Passport information.
  • Photo.
How do we protect information?

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of personal information, username, password, transaction information and data stored on our site.

Sensitive and private data exchange between the site and its users happens over an SSL secured communication channel and is encrypted and protected with digital signatures.

Third-Party Privacy Policies

TransTally Systems Privacy Policy does not apply to other websites you get redirected. For more details about the third-party site, you can check their privacy policy of that respective website. We currently do not apply third-party ads on our website. We use third-party analytics services like Google Analytics to track user behavior on our website. We use it to improve our website and user experience.

Users may find some links to other websites, which may be our partners or other third-party websites. These sites are linked to providing you reference, to make it more clear about what we’re talking.

We do not control the content or links that appear on these third-party sites and we’re are not responsible for the practices employed by websites linked to or from our site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.

Personal Data Protection Principles

When you process personal data, you should be guided by the following principles, which are set out in the Kenya’s Data Protection Bill 2018. TransTally is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:

  • Fairness and lawfulness

When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.

  • Restriction to a specific purpose

Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

  • Transparency

The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:

  1. The identity of the Data Controller
  2. The purpose of data processing
  3. Third parties or categories of third parties to whom the data might be transmitted, if any
  • Data reduction and data economy

Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

  • Deletion

Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.

  • Confidentiality and data security

Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, modification or destruction.

Rights of the Data Subject

Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.

  1. The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose.
  2. If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
  3. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
  4. The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
  5. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
  6. The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.

Data Responsibilities

TransTally is responsible for establishing policies and procedures to comply with the relevant and applicable data protection law(s). TransTally system administrators, Clients (Candidates, DPOs & Agents) must also ensure that:

  1. All personal data is kept securely.
  2. No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party.
  3. Personal data is kept in accordance with the TransTally’s retention schedule.
  4. Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer
  5. Any data protection breaches are swiftly brought to the attention of the immediate supervisor, Senior leadership and that they support the team in resolving breaches.
  6. Where there is uncertainty around a data protection matter advice is sought from the Information Compliance team and the Data Protection Officer.

Users who are responsible for managing and or processing of personal information, must ensure that they are aware of the organizational Data Protection principles.

Clients who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from TransTally leadership.

How we use personal information

We will only use your personal information for the purpose which it was provided to us for and in ways that you would reasonably expect.

Photographs and recordings

We use field photographs and recordings to promote TransTally and the work that we do. These can be used in the form of reports, news stories on our website, documentation of impact stories, information in our annual reports, on our website, and other such materials that seek to explain or promote our work.

Occasionally we take photographs and recordings of people who agree to be the subject during our documentation endeavors. We always obtain permission from the individual or group to take and use their image(s) and explain how we intend to use it. Our legal basis for using personal information for this purpose is consent.

Cookies and aggregate information

Like any other website, TransTally uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information.

Confidentiality of Data Processing

Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data is prohibited. Any data processing undertaken by a user that he/she has not been authorized to carry out as part of his/her legitimate responsibilities is unauthorized. The “need to know” principle applies. users may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.

Users are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Clients and system administrators must inform their users at the start of the system utilization about the obligation to protect data secrecy. This obligation shall remain in force even after system usage has lapsed.

Data Processing Security

Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).

In particular, the responsible department or staff can consult with TransTally’s Information Technology Officer and data protection coordinator. The technical and organizational measures for protecting personal data are part of our data security management and must be adjusted continuously to the technical developments and organizational changes.

For how long do we keep your personal information?

We will hold your personal information for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information, for example in case of an election petition.

Changes to this policy

This Data Protection and Privacy Policy may change from time to time. Please visit this web page periodically to keep up to date with the changes in this policy.

error: Content is protected !!