Data Protection Policy

MMP Data Protection Policy

1. Introduction

Mwongozo Mpya Party (“MMP”, “the Party”) is a political party duly registered under the laws of the Republic of Kenya and acts as a data controller and processor in respect of personal data processed in the course of its activities.

The Party recognises the right to privacy as guaranteed under Article 31 of the Constitution of Kenya and is committed to ensuring that personal data, including sensitive personal data, is processed lawfully, fairly, and transparently in accordance with the Data Protection Act, 2019, applicable electoral laws, and regulatory guidance.

This Policy establishes the internal framework for the governance, processing, protection, and management of personal data within the Party.

2. Purpose

This Policy is intended to:

  1. Establish principles and procedures for the lawful processing of personal data;
  2. Ensure compliance with applicable legal and regulatory requirements;
  3. Safeguard the rights and freedoms of data subjects;
  4. Promote accountability and responsible data governance; and
  5. Provide internal guidance on data handling, security, and risk management.

3. Scope

This Policy applies to:

  1. All personal data processed by or on behalf of the Party;
  2. All data subjects, including members, supporters, voters, donors, volunteers, and website users;
  3. All Party officials, employees, agents, and volunteers; and
  4. All data processing activities conducted through:
    1. the Party offices and website;
    2. the Office of the Registrar of Political Parties (ORPP) USSD platform; and
    3. the Integrated Political Parties Management System (IPPMS).

4. Governance and Oversight

  1. The Party leadership shall have overall responsibility for ensuring compliance with this Policy and applicable data protection laws.
  2. The Party shall implement governance structures to ensure accountability in data processing activities.
  3. Periodic compliance reviews and reporting mechanisms shall be established.

5. Data Processing Activities

The Party processes personal data in the course of its lawful activities, including:

  1. Collection of membership information through authorised channels;
  2. Facilitation of submission of membership data to the Office of the Registrar of Political Parties through designated systems;
  3. Use of membership data as maintained within regulatory systems;
  4. Political engagement, communication, and campaign activities;
  5. Digital engagement through website interactions, newsletters, and surveys;
  6. Fundraising and donation processing;
  7. Event management and volunteer coordination;
  8. Internal governance and administration; and
  9. Legal and regulatory compliance.

The Party shall not be responsible for the verification, validation, or cleansing of data within regulatory systems maintained by the Office of the Registrar of Political Parties.

6. Data Protection Principles

The Party shall ensure that personal data is processed in accordance with the following principles:

  1. Lawfulness, fairness, and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy (limited to data under the Party's control and dependent on the submission of accurate data by the data subject);
  5. Storage limitation;
  6. Integrity and confidentiality; and
  7. Accountability.

7. Lawful Basis for Processing

  1. The Party may process sensitive personal data, including data relating to political opinions and affiliations, ethnicity, religious beliefs, and disability status, in the course of its lawful activities.
  2. The processing of sensitive personal data shall only be undertaken where:
    1. the data subject has provided explicit, informed, and freely given consent;
    2. such processing is necessary for the purposes of the Party's legitimate activities, provided appropriate safeguards are in place; or
    3. the processing is otherwise permitted or required under applicable law.
  3. The Party shall ensure that the processing of sensitive personal data is limited to what is strictly necessary for the specified purpose and is carried out in a manner that respects the rights and freedoms of data subjects.
  4. The Party shall implement enhanced technical and organisational safeguards in respect of sensitive personal data, including restricted access controls, confidentiality obligations, and appropriate security measures.

8. Sensitive Personal Data

  1. The Party may process sensitive personal data, including data relating to political opinions and affiliations, ethnicity, religious beliefs, and disability status, in the course of its lawful activities.
  2. The processing of sensitive personal data shall only be undertaken where:
    1. the data subject has provided explicit, informed, and freely given consent;
    2. such processing is necessary for the purposes of the Party's legitimate activities, provided appropriate safeguards are in place; or
    3. the processing is otherwise permitted or required under applicable law.
  3. The Party shall ensure that the processing of sensitive personal data is limited to what is strictly necessary for the specified purpose and is carried out in a manner that respects the rights and freedoms of data subjects.
  4. The Party shall implement enhanced technical and organisational safeguards in respect of sensitive personal data, including restricted access controls, confidentiality obligations, and appropriate security measures.

9. Data Collection and Sources

  1. The Party shall collect personal data through authorised channels, including:
    1. the Party website; and
    2. designated regulatory platforms, including the Office of the Registrar of Political Parties (ORPP) USSD platform and the Integrated Political Parties Management System (IPPMS).
  2. Personal data collected through regulatory platforms shall be processed by the Party only to the extent permitted under applicable law and within the scope of access granted by the relevant regulatory authority.
  3. The Party's role in respect of data maintained within regulatory systems shall be limited to lawful access and use of such data for its legitimate activities.
  4. For the avoidance of doubt, the verification, validation, and maintenance of data within regulatory systems shall be the responsibility of the relevant regulatory authority and shall not form part of the Party's data processing obligations under this Policy.

10. Data Subject Rights

  1. The Party shall establish and maintain appropriate procedures to enable data subjects to exercise their rights under applicable data protection laws in a timely, transparent, and accessible manner.
  2. Data subjects shall have the right to:
    1. be informed of the processing of their personal data;
    2. access personal data held by the Party;
    3. initiate or effect rectification of inaccurate, incomplete, or misleading personal data;
    4. request erasure of personal data where legally permissible;
    5. object to the processing of personal data;
    6. request restriction of processing in applicable circumstances;
    7. receive personal data in a structured, commonly used, and machine-readable format; and
    8. not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
  3. The Party shall ensure that all requests are:
    1. appropriately verified;
    2. responded to within applicable statutory timelines; and
    3. documented for accountability and compliance purposes.
  4. Where personal data is maintained within regulatory systems under the custody of competent authorities, including the Office of the Registrar of Political Parties, requests relating to verification, validation, or correction of such data shall be subject to the processes and procedures prescribed by the relevant authority.

11. Data Sharing and Disclosure

  1. The Party shall ensure that personal data is disclosed only where such disclosure is lawful, necessary, and proportionate to the purpose for which the data was collected.
  2. Personal data may be shared with, or disclosed to:
    1. regulatory authorities, including the Office of the Registrar of Political Parties, where required for compliance with applicable law;
    2. electoral bodies and oversight institutions, where necessary for lawful political or electoral processes;
    3. third-party service providers engaged by the Party to support its operations, subject to appropriate contractual controls; and
    4. auditors, legal advisors, and other professional consultants, where required for governance, compliance, or advisory purposes.
  3. Prior to any disclosure, the Party shall ensure that:
    1. a valid lawful basis for sharing exists;
    2. the disclosure is limited to the minimum data necessary; and
    3. appropriate safeguards, including confidentiality and data protection obligations, are in place.
  4. The Party shall maintain records of data sharing activities and arrangements for accountability and compliance purposes.

12. Cross-Border Data Transfers

  1. The Party shall ensure that any transfer of personal data outside the Republic of Kenya is carried out in accordance with applicable data protection laws and regulatory requirements.
  2. Such transfers shall only take place where the Party has established that appropriate safeguards are in place to ensure an adequate level of protection for personal data.
  3. Without limitation, such safeguards may include:
    1. transfers to jurisdictions recognised as providing adequate data protection;
    2. contractual arrangements imposing equivalent data protection obligations on the recipient; or
    3. any other safeguards permitted under applicable law.
  4. The Party shall assess and document the risks associated with cross-border transfers and shall implement appropriate technical and organisational measures to mitigate such risks.

13. Data Retention

  1. The Party shall ensure that personal data is retained only for as long as is necessary to fulfil the purposes for which it was collected and processed, or as required by applicable law.
  2. The Party shall develop, implement, and maintain a Data Retention Schedule specifying, for each category of personal data:
    1. the purpose of processing;
    2. the applicable retention period;
    3. the legal or regulatory basis for retention; and
    4. the method of disposal upon expiry of the retention period.
  3. Upon expiry of the applicable retention period, personal data shall be securely deleted, destroyed, or irreversibly anonymised in accordance with established procedures.
  4. The Party shall conduct periodic reviews of the data retained to ensure that it remains accurate, relevant, and necessary for the purpose for which it is retained.
  5. For the avoidance of doubt, personal data forming part of statutory registers or regulatory systems shall be retained and managed in accordance with the applicable legal and regulatory framework governing such systems.

14. Data Security

  1. The Party shall implement and maintain appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful access, disclosure, alteration, or destruction.
  2. Such measures shall be proportionate to the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects.
  3. Without limitation, these measures shall include:
    1. role-based access controls and user authentication mechanisms;
    2. secure systems, infrastructure, and data storage environments;
    3. encryption and secure data transmission protocols, where appropriate;
    4. confidentiality obligations applicable to all personnel handling personal data; and
    5. the use of anonymisation and pseudonymisation techniques where feasible.
  4. The Party shall regularly review and update its security measures to address evolving risks and technological developments.

15. Data Breach Management

  1. The Party shall establish and maintain procedures for the identification, reporting, and management of personal data breaches.
  2. In the event of a personal data breach, the Party shall promptly assess the nature, scope, and potential impact of the breach, and take appropriate steps to contain and mitigate its effects.
  3. All personal data breaches shall be documented, including the facts relating to the breach, its effects, and the remedial action taken.
  4. Where required under applicable law, the Party shall notify the Office of the Data Protection Commissioner and, where applicable, affected data subjects within the prescribed timelines.

16. Data Protection Impact Assessments

  1. The Party shall conduct Data Protection Impact Assessments (DPIAs) where a processing activity is likely to result in a high risk to the rights and freedoms of data subjects.
  2. DPIAs shall be undertaken prior to the commencement of such processing and shall be reviewed periodically where necessary.
  3. Each DPIA shall identify and assess the nature, scope, context, and purposes of the processing, the risks to data subjects, and the measures proposed to mitigate such risks.
  4. DPIAs shall be documented and retained as part of the Party's compliance records.

17. Third-Party Processors

  1. The Party shall ensure that any third party engaged to process personal data on its behalf acts only on documented instructions and in compliance with applicable data protection laws.
  2. All third-party processors shall be engaged under written data processing agreements setting out, at a minimum, the scope, purpose, duration, and nature of processing, as well as obligations relating to confidentiality, security, and data protection.
  3. The Party shall undertake appropriate due diligence prior to engaging third-party processors and shall implement measures to monitor their ongoing compliance.
  4. For the avoidance of doubt, regulatory authorities, including the Office of the Registrar of Political Parties, shall not be considered data processors of the Party but shall act as independent data controllers in the exercise of their statutory mandate.

18. Training and Awareness

  1. The Party shall establish and maintain a structured data protection training and awareness programme for all personnel involved in the processing of personal data.
  2. Such training shall be:
    1. conducted on a periodic basis;
    2. tailored to the roles and responsibilities of personnel; and
    3. updated to reflect changes in legal, regulatory, and operational requirements.
  3. The Party shall ensure that all personnel handling personal data understand their responsibilities, including obligations relating to confidentiality, security, and lawful processing.
  4. The Party shall maintain records of all training and awareness initiatives.

19. Monitoring and Compliance

  1. The Party shall implement appropriate mechanisms to monitor compliance with this Policy and applicable data protection laws.
  2. Monitoring mechanisms shall include periodic audits, compliance reviews, and risk assessments of data processing activities.
  3. The Party shall maintain and regularly update records of processing activities and other relevant documentation to demonstrate compliance.
  4. For the avoidance of doubt, functions relating to the verification, validation, and maintenance of statutory records by regulatory authorities shall fall outside the Party's compliance obligations under this Policy.

20. Review and Revision

This Policy shall be reviewed periodically and updated as necessary.

21. Contact and Complaints

  1. Data subjects may contact the Party regarding data processing.
  2. Where dissatisfied with the Party's handling of a request or complaint, data subjects may escalate the matter to the Office of the Data Protection Commissioner.