Data classification is the process of sorting and categorizing data into various types, forms or any other distinct class based on its sensitivity. The Sacco classifies its data into the following categories;
Category 1: Highly Sensitive Data
Highly sensitive data refers to data and information that must be guarded due to proprietary, ethical, privacy or business process considerations.
Distribution is limited to a few individuals performing certain roles and disclosure is strictly on a need-to-know basis. External disclosure must be expressly authorized by the CEO in consultation with the Board. Examples of such data include business strategy, staff health records, staff payroll information and litigation records among others.
To achieve this, there will be stringent access control and users will be reviewed to confirm compliance with policy.
Category 2: Confidential Data
Confidential data is information protected by government regulations, statutes, industry regulations or specific internal policies.
A breach could lead to legal liability, damage to Sacco reputation or financial loss. Distribution is limited to authorized users within the Sacco and disclosure may only be made to the data subject in the normal course of business or parties with a legitimate reason to know e.g., loan guarantors upon default of the principal borrower. Examples of such data include supplier contracts, member information and employee records among others.
To achieve this, there will be stringent access control and users will be reviewed to confirm compliance with policy.
Category 3: For Internal Use Only
Data for internal use only is information whose circulation is restricted to staff and directors only. Internal memos and communication sent on staff emails are examples of information
meant for internal use only.
Category 4: Public Data
Public information that can be communicated without restrictions and is intended for general public use. Examples include product information, Sacco vision and mission that are openly published on the Sacco website and external communications.
Justification for collection of personal information
The Sacco may collect and use Data Subject’s personal data:
The Sacco will only process sensitive personal data if it has data subject’s explicit consent. In extreme situations, the Sacco may share data subject’s personal details with the emergency services if it believes it is in data subject’s ‘vital interests’ to do so.
Sources of personal information
The Sacco may collect information about data subject from different sources, for example:
Forms of personal information collected.
The Sacco only collect personal information that is genuinely needed for its operations. This may include:
Personal Data Protection Principles
In processing personal data, Tembo Sacco shall be guided by the principles of data protection as captured in the Data Protection Act, and requires the Sacco to ensure that personal data is:
In complying with the stated data protection principles, Tembo Sacco will observe the following:
Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. The Sacco shall have a statement on all data collection forms and portals authorizing the use of members’ data.
Personal data must be collected and processed in a legal and fair manner.
Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
Data reduction and data economy
Before processing personal data, the Sacco will determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
Deletion
Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the Sacco has evaluated the data to determine whether it must be retained for historical purposes.
Factual accuracy; up-to-date data
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
Rights of the Data Subject
Every data subject has the following rights:
A right conferred on a data subject may be exercised:
Data Subject Consent
A data subject may prior to the processing of their personal data give consent either orally or in writing, and may include a handwritten signature, an oral statement, or use of an electronic or other medium to signify agreement.
The Sacco shall seek consent from data subjects through various means. These include the data subjects willingly:
In obtaining consent from a data subject, the Sacco shall ensure that the data subject:
Confidentiality of Data Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. The staff shall therefore sign an oath of secrecy at the time of engagement by the Sacco. This obligation shall remain in force even after employment has ended.
Data Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data.
In particular, the responsible department or staff can consult with the Sacco’s ICT Officer. The technical and organizational measures for protecting personal data are part of the Sacco’s data security management and will be adjusted continuously to the technical developments and organizational changes.
Duration for holding personal information
The Sacco will hold personal information for durations stipulated in the Information preservation policy and will therefore not retain personal information if it is no longer required. In some circumstances, the Sacco may legally be required to retain data subject’s personal information, for example for finance, employment or audit purposes.
Data Breach and Notification
Tembo Sacco shall promptly notify the Office of the Data Commissioner upon becoming aware of personal data breach involving data subject within its records and properly record the breach. The Sacco shall also undertake to inform the data subject within reasonable time of the breach on their personal data and explain mitigating measure taken to safeguard the data and address potential adverse effects of the breach.