KENVIP DATA PRIVACY STATEMENT

Version 1.0 Dated 2^nd April 2025

Policy Statement

MoH including all its user departments is committed to protecting the fundamental human right to privacy. KeNVIP is a Ministry of Health [hereinafter MoH tool] which complies with the Constitution and Data Protection Act to respect the personal information and data we collect from users of the platform.

This Privacy Statement, applies to personal data that MoH specifically collects, handles or stores through KeNVIP for purposes of operationalizing vaccination programs across the Republic of Kenya. For the purposes of this Privacy Statement, “Personal data” means any information relating to an identified or identifiable natural person.

 

Who we are.

KeNVIP is a platform operated by the Ministry of Health P.O. Box:30016–00100, Nairobi. Afya House, Cathedral Road , Nairobi  and is both a controller and a processor in respect of personal data it processes in connection with the services provided under the relevant engagement with its customers.

 

What Personal Data Do We Collect About You?

As a Data Controller and a Data Processor, KeNVIP collects personal data directly from the Data Subject or indirectly through intermediaries, service providers and other third parties. We may collect the following personal information.

Types of Information	Examples
Identification and Contact Information	name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, date and place of birth, ,.
Government Generated Information	National ID Number, Tax PIN, Passport Details, NHIF & NSSF Details,
Employment and Educational Information	Employment History, Educational Background including institutions attended and Professional Memberships
Personal Data	Personal Data and sensitive personal data only to the extent relevant to the risk being insured and may include: Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, blood group, relevant personal habits (e.g., vaccinations taken prior), prescription information, medical history.
Audio-Visual Information	Photographs, Videos, Audios i.e. During vaccination drives photos which demonstrate proof of the exercise and a testimony of the actual activity taking place. Telephone Recordings – Collected during interactions with our customer service/experience teams.
Online Activity Information	MoH though KeNVIP automatically logs information about you and your computer or device such as the IP address, pages viewed and action on our website through Cookies and Web Beacons

The above list is not exhaustive, and KeNVIP-MoH may collect additional personal data in the course of our interactions with you.

 

Where We Collect Personal Information

We use Personal Information to carry out health activities.  The purposes for which we use your Personal Information will differ based on our relationship (i.e. Guardian, Partner, Employee, Health worker) including the type of communications between us and the services we provide.

We collect Personal Data from various sources, including (depending on the country you are in):

• Individuals and their family members,on platform, online or by telephone, or in written correspondence
• Individual’s Guardians
• Information on partner and government agencies and companies.

We obtain your personal data from sources such as;

• Application forms, Vaccination certificates, medical forms, and other forms that you fill.
• Software applications (apps) made available by us to you
• Our Website
• Meetings, Telephone conversations and other forms of communication
• Social Media applications and/or tools
• Job applications and their attachments

How we process your personal data

We use information we hold about you to provide you with access to the Products and Services offered on our Platforms. We use the information to:

• Register your account and provide you access to our Platforms.
• Process your Product and Services’ requests relating to registrations, transactions, subscriptions or customer support queries on our Platforms.
• Manage your relationship with us and the third parties offering their Products and Services.
• Track our users’ demographics, interests, and behaviours to recommend Products or Services which may be of interest to you through marketing, promotional campaigns, and commercial partnerships.
• Enable us and our advertisers and social media partners to display advertisements to you and appropriate target audience(s) and for other marketing and advertising purposes;
• Improve the functionality, performance and operations of our Platforms by tracking the performance and engagement on our Platforms.
• Aggregate information on an anonymous basis for data analytical and reporting purposes.
• Comply with our legal obligations to ensure that fraudulent, unlawful or unauthorised activities on our Platforms. 

How we store and protect your data

All information you provide to us is stored on our secure servers. We do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our Platforms from your personal devices; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.

We take appropriate measures to ensure that your personal data is kept secure including security measures to prevent personal data from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

To ensure that your data is stored securely, we use a variety of technical measures to ensure that your data is secure. If we or our service providers transfer personal data outside of the Kenya, we always require that appropriate safeguards are in place to protect the information when it is processed. We have put in place safeguards to protect personal data processed in or accessed from our Platforms.

If we suspect or become aware of any unauthorized access to your data by any unauthorized person or third party, or become aware of any other security breach relating to personal data held by us, we shall notify you in writing regarding the data breach and the assistance required from you. In the event of such data breach, we shall comply with applicable laws and shall take the appropriate steps to remedy such data breach.

 

Data Security

We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorised access, loss, misuse, or alteration. We have implemented robust security measures to ensure theconfidentiality, integrity, and availability of your information, including: – 

• Technical Safeguards: To protect your information during transmission, we utilise industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
• Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasising the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorisation mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.

While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.

If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email __________________________

 

 

Data Sharing

We may share your personal data within MoH user departments, Kenya National Bureau of Statistics as well as our partners to inform proper decision making and facilitate internal operations improving the viability of vaccines and services. 

We may share your personal data with third parties in the following circumstances:

• Service Providers:We may engage third-party service providers to perform various services on our behalf, such as our nurses, staticians, pharmaceuticals, medical research and analysis service providers; banks and financial institutions that service our accounts, document and records management providers, and document storage providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
• Partners:We may share your personal data with trusted partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
• Legal Obligations:We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry or with insurance regulators, tax auditors or other authorities when we believe in good faith that the law or other regulations requires us to share this data.
• Consent:We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.

When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.

 

Personal Data Retention And Disposal

We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable laws and regulations. 

Once the retention period expires, we securely delete or anonymise your data to ensure it is no longer identifiable or accessible. 

The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements. Here are some general guidelines regarding data retention: 

 If you are a Website/Mobile App User or a visitor to the company premises, we will retain your personal data for as long as it is necessary which duration, we have determined to be one (1) year to achieve the purpose stipulated. If this time has come or you have expressly indicated that you are not interested in our website or mobile app services anymore, we will delete it from our systems unless we believe in good faith that the law or other regulation requires us to preserve it for example because of our obligations.

 

Your Data Protection Rights

We will collect, process and store your personal data in accordance with your rights under the Data Protection Act and attendant Regulations. Under certain circumstances, you have the following rights in relation to your personal data.

In exercising your right as provided above, we may request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

Your Rights

The Data Protection Act accords you with several rights over your data. 

• right to information: you have a right to be informed of how MOH will use your personal data.

• right of access: you are entitled to access your personal data that is in our possession or custody.

• right to object: you can object to the processing of all part of your personal data, unless we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.

• right to rectification: you have the right to request us to rectify or correct, without undue delay, personal data in our possession or under our control that is inaccurate, outdated, incomplete or misleading.

• right to erasure: you can request us to delete or destroy, without undue delay personal data that we are no longer authorised to retain, or which is irrelevant, excessive, or obtained unlawfully.

• right to data portability: you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another data controller without hindrance. Where technically possible. have personal data transmitted directly from us to another data controller or data processor.

• automated decision making you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning or that significantly affects you. MOH may from time to time make decisions based on the automated processing of your personal data. In such instances, you will be informed, in writing, whenever a decision based on automated processing is taken. In addition, you can request us to reconsider any decisions made based on automated processing or to take a new decision that is not based solely on automated processing.

• right of restriction: You have the right to request us to restrict the processing of personal data where: – oyou contest the accuracy of the personal data  o the personal data is no longer required for the purpose of the processing

• the processing is unlawful, or you have opposed the erasure of the personal data and requested for restriction of its use instead.
• you have objected to the processing of personal data, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.

• right to raise a complaint: You can raise a complaint about our processing with the Regulator i.e., the Data Commissioner in Kenya. You may also be able to seek a remedy through the courts if you believe that your rights have been breached.
  If you wish to exercise any of our rights above, please contact us on (Email………) We will seek to deal with your request without undue delay and in any event in accordance with the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

  While we strive to fulfil all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfil your request

Enforcing Your Rights

If you wish to enforce any of your rights as highlighted above as provided under the Data Protection Act and attendant Regulations, then please contact us on our details in clause 16 below. You may use the various statutory forms made available by us and we will respond to your request without undue delay and within the statutory timelines.

 

Your Responsibilities

As a data subject, it is important that you understand and fulfil certain responsibilities to ensure the protection and privacy of your personal data.

By providing your personal data to KenVIP you agree to adhere to the following responsibilities: 

• Accuracy and Updates: You are responsible for providing accurate and up-todate personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.

• Third-Party Data: If you give us personal data of third parties, such as family members or associates, next of kin or your dependents, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.

• Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.

• Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at (_______) We appreciate your feedback and will promptly address any issues raised.

Complaints

If you feel we have not complied with your right to privacy and other provided rights regarding your personal data, you have a right to complain to us through the provided tool available on our website or you may pay us a visit and fill the complaint form and we shall endeavor to resolve such a complain. You however have the right to contact the Office of the Data Commissioner or such other data supervisory authority in the jurisdiction we operate in.

International Data Transfers

As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.

We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.

 We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers: 

• Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.

• Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and MoH, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.

• Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.

• Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects. We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at (email). We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.

Legal Justification for Our Use of Personal Data

The primary purpose for collecting and processing your personal data is to perform contractual and statutory tasks related to management of the financial products/solutions you have with us. We will also process your data in connection with other tasks as required by law and statutory regulations. In addition to these, personal data may be used in product and service development.

We commit to always identify and document without prejudice the lawful basis of processing your personal data for each specific purpose and put necessary security measures to ensure safeguarding of your personal data and the lawful purpose consented to always applies.

Disclosure of Personal Data.

MoH undertakes to keep your personal data confidential and where it is necessary to satisfy the purpose for which it was collected or as may be required by law KeNVIP will share your data with third parties.

In connection with the purposes described above we sometimes need to share your Personal Information with third parties. Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this Privacy Statement to service providers, contractors, agents and MoH agencies that perform activities on our behalf.

MoH  shall not disclose your personal information to any third parties such as service providers other than with your prior consent, for a legitimate reason or for the performance of a contract.

 

Consent

In order to facilitate the provision of our financial solutions including asset management, investment, insurance cover, and administer insurance claims, we rely on the data subject’s consent to process personal sensitive information, such as medical records and financial information. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).

You understand that by using our site services and our products you agree to be bound by this statement of privacy. If you agree to this statement on behalf of an entity, you represent and warrant that you have the authority to bind that entity to our privacy statement, by using our products and/or accessing our site, if you do not accept it in entirety you must inform us immediately indicating what part of our privacy statement you are not agreeable to.

The affected individual’s consent to this processing of personal information is a necessary condition for KeNVIP to be able to provide the services the client requests. Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time. However, doing so may prevent KeNVIP from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Personal Data, it may not be possible for the insurance cover to continue.

 

Retention of Personal Data

Personal Data is retained as long as necessary for the purpose for which it is collected and to meet legal, regulatory and operational requirements. Retention periods may differ for each financial product purchased. At the end of the retention period, anonymized data is kept for management information purposes. MoH has also put in place Data retention policy in line with Data Protection law.

MoH may also retain your contact information for the purposes of inviting you to renew any of your insurance policy from time to time and may use your contact to send you notifications notifying you of our various products, renewal notice and claim updates.

You are responsible for the confidentiality of any password you have put in place to allow you to access certain products or services. Please note our customer service agents will never request you to share your password.

 

Changes to This Data Privacy Statement

MoH reserves the right to change the provisions of this Privacy Statement at any time. Where the changes will have a fundamental impact on the nature of the processing of your data or your rights, we shall notify you in advance. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Statement.

Your use of the Website and applications following the posting of such revised Statement shall constitute your acceptance of any such changes. We encourage you to review our Privacy Statement whenever you visit the Website and application(s) to guarantee your understanding of how your information may be collected, processed and used.

 

Contact Information

If you have any queries relating to your personal data and/or this Privacy Statement, contact the Data Protection Officer – Ministry of Health.