NCI Portal Privacy Policy

We care about your personal data

NCI Kenya (“NCI-KE”, “we”, “us”, “our”) is a State Corporation in Kenya established by the Cancer Prevention and Control Act, No. 15 of 2012, whose mandate is to provide oversight and regulation of cancer prevention and control in the country. The NCI-Kenya's key functions include policy advisory to the Cabinet Secretary, regulation of cancer care, maintenance of the National Cancer Registry, public education and awareness, research and development on cancer, and capacity development for cancer control.


This Privacy Policy explains what type of personal data will be collected, how and why it is collected, and with whom it is shared or to whom it is disclosed, and outlines your rights in relation to your Personal Information. Please read it carefully.


Your Personal Information may be collected by the following entity:


Chief Executive Officer
National Cancer Institute of Kenya
Landmark Plaza, 6th Floor,
P O Box 30016 00100 Nairobi, KENYA,
Telephone: +254 795012568,
+254 717389120

1. What is Personal Information

"Personal Information" is the information that identifies and relates to you, or to other individuals who also benefit from our Services, such as your dependents, and can include sensitive personal data. "Sensitive Personal Data" includes information revealing your race, health status, ethnic social origin, belief, genetic data, marital status, your sex or sexual orientation.

2. What types of personal information will be collected?

We will collect and process various types of personal data about you, such as:

  • General information such as your name, contact details (email address and telephone numbers), date of birth and gender;
  • Location information;
  • IP addresses when visiting web pages with cookies.

3. How will we obtain your personal information?

We will collect and use the personal information that you provide to us and that we receive about you from different sources for a number of purposes and with your explicit consent unless applicable laws and regulations do not require us to obtain your explicit consent. The sources include:

  • You directly when you provide it to us;
  • As we are required to collect your Personal Information as a consequence of contractual agreements, the failure to provide this information may prevent or delay the fulfilment of these obligations. For example, if you do not provide certain Personal Information, we will not be able to provide you with the Services.

4. Why will we obtain your personal information?

Your Personal Information is collected in order to provide the Services you are entitled to. We use your Personal Information to:

  • Verify your identity information;
  • Process products and services on our platforms;
  • Send you important information regarding changes to our policies, other terms and conditions, and other administrative information;
  • Make non-automated decisions about whether to provide the Services to you;
  • Provide improved quality, training, and security (e.g. with respect to recorded or monitored phone calls to our contact numbers);
  • Detect, prevent, investigate, and protect our business against fraud or other crimes;
  • Manage our systems and infrastructure, ensure effective business operations, and comply with internal policies and procedures, including those relating to audits, finance and accounting, billing and collections, IT systems, business continuity, and records, document and print management;
  • Customize our Services for you, including providing recommendations, personalized content, and customized search results;
  • Continuously improve the quality of our Services and processes, e.g., conducting surveys, measuring performance, research, and data analysis to understand how our Services are used;
  • Resolve complaints, respond to queries, and settle disputes;
  • Comply with applicable laws and regulatory obligations, including those relating to anti-money laundering and anti-terrorism; and respond to requests from public and governmental authorities and litigation;
  • Establish and defend legal rights; protect our operations or those of any of our group companies or business partners; safeguard our rights, privacy, safety, or property, and/or that of our group companies, you or others; and pursue available remedies or limit our damages.

5. What is the legal basis for processing?

We may use your Personal Information for a number of different purposes as outlined above that are always connected with the Services we provide. Consequently, we will rely on the following legal grounds to use your Personal Information:

  1. The use of your Personal Information is necessary for the performance of a contract to which you are a party;
  2. We have a legal or regulatory obligation to use your Personal Information. For example, we will rely on this ground to comply with anti-money laundering and anti-terrorism obligations;
  3. We have a legitimate interest in using your Personal Information. We may rely on this legal ground for the purpose of providing improved quality, training and managing our infrastructure and operations. When collecting and processing your Personal Information under this ground, we put in place robust safeguards to ensure that your privacy is protected and that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.
  4. Due to the nature of the Services you are entitled to, we may process sensitive data connected with the provision of such Services.
  5. Generally, your consent shall be required when signing up for our Services, and in specific situations due to the nature of the data required to be disclosed, or where required under any applicable laws and regulations.

6. Disclosure of Information

Where it is necessary for providing you with the Services you are entitled to, or for any of the purposes described in this Policy, we may disclose your Personal Information to other parties. We shall assess and review each application for information and may decline to grant such information to the requesting party. Where granted, only minimum and necessary personal information may be shared. Sensitive information (i.e. medical information related to you) will not be shared without seeking your express consent.

We may disclose your Personal Information to be accessed by:

  1. NCI-Kenya and its partner companies, and Savannah Informatics group of companies, but restricted to those individuals and entities who have a requirement to access the information for the purposes described in this Policy;
  2. External third-party service providers, such as IT systems, support and hosting service providers; document and records management providers; translators; and similar third-party vendors and outsourced service providers that assist us in carrying out business activities;
  3. Marketing and promotion service providers where you have provided your express consent to opt in to the service, and where you opt-out, your personal information will not be shared;
  4. External professional advisors and partners such as medical professionals, accountants, actuaries, auditors, experts, consultants, lawyers; banks and financial institutions that service our accounts; claim investigators, adjusters, and others;
  5. Our regulators and other governmental or public authorities where necessary to comply with a legal or regulatory obligation, formal request, court order, or similar legal procedure;
  6. The police and other third parties or law enforcement agencies, court, regulator, government authority, or other similar third parties where necessary for the prevention or detection of crime or to comply with a legal or regulatory obligation; or otherwise to protect our rights or the rights of a third party;
  7. Debt collection agencies and organizations;
  8. Survey agencies that conduct surveys on our behalf;
  9. Selected third parties in connection with any sale, transfer, or disposal of our business;
  10. Other third parties, such as emergency providers (fire, police, and medical emergency services) and travel carriers;
  11. Publicly available and/or restricted government databases to verify your identity information in order to comply with regulatory requirements.

7. International Data Transfers

  1. Due to the nature of the Service, the data that we collect from you may be transferred to and stored at, a destination outside Kenya.
  2. Your Personal Information can be shared with or accessed by parties located in other countries outside Kenya that have a different data protection regime from Kenya.
  3. In any case, where we transfer your Personal Information outside Kenya, we will conduct the transfer in accordance with the applicable data protection laws and ensure that there are appropriate safeguards, such as contractual obligations in place with respect to the protection of your Personal Information in accordance with this Policy.

8. Retention of Personal Information

  1. We will only retain your Personal Information for as long as is necessary to: provide you with the Services; fulfil the purposes outlined in this Policy; and for the purposes of complying with, or satisfying any legal obligations, or regulatory, tax, accounting, or reporting requirements.
  2. We ensure that proper procedures are in place to manage your Personal Information and to remove or archive it when necessary.
  3. We will delete your personal information once our retention period of 6 years after your last use of our services expires, and once we have complied with any of the aforementioned purposes.
  4. Anonymized information that can no longer be associated with you may be held indefinitely.

9. Your Rights

Under data protection laws you have certain rights in relation to the Personal Information that we hold about you. You may exercise, as may be applicable, these rights at any time by contacting us using the details set out in the “Contact Us” section below.

Your rights include:

  1. The right to information - You are entitled to be informed of the purpose to which your personal information is to be put.
  2. The right to access your Personal Information - You are entitled to a copy of the Personal Information we hold about you. Your information will be provided to you by electronic means unless otherwise requested.
  3. The right to object to or restrict processing - You are entitled to object to our processing of your Personal Information or ask us to stop using your Personal Information. Please note that in some circumstances exercise of these rights will render us unable to continue providing you with the Services, or compliance with the request may not be possible where there may be compelling and legitimate reasons that override your interests.
  4. The right to rectification - You are entitled to correct, amend, or update the Personal Information we hold about you. Please note that we take reasonable steps to ensure that the Personal Information we hold about you is accurate and complete.
  5. The right to erasure - You are entitled to request the erasure of your Personal Information, including information that is inaccurate, outdated, incomplete or misleading. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with the Services.
  6. The right to data portability - You have the right to ask that we provide your Personal Information to you in a commonly used electronic format, and to transfer any Personal Information that you have provided to us to another third party of your choice where technically possible.
  7. The right to object to direct marketing - You are entitled to object to the commercial use of your data, or to request us to stop sending you marketing communication. Where you give your express consent, the data shall be anonymized to ensure you are no longer identifiable.
  8. The right not to be subject to automated decision-making (including profiling) - You have a right to not be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning or significantly affecting you. We do not base our decisions solely on automated means. Please note that in some circumstances exercise of these rights will render us unable to continue providing you with the Services, or compliance with the request may not be possible where there may be compelling and legitimate reasons that override your interests.
  9. The right to withdraw consent - You have a right to withdraw your consent at any time. We seek and obtain your consent to collect and process your Personal Information in order to provide the Services. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with the Services.
  10. The right to lodge a complaint - You have a right to complain to our Data Protection Officer and the Office of the Data Protection Commissioner if you believe that any use of your Personal Information by us is in breach of applicable data protection laws and regulations. Making a complaint will not affect any other legal rights or remedies that you have.

10. Security of Personal Information

We will take appropriate technical, physical, legal and organizational measures, which are consistent with applicable data protection laws to protect your Personal Information.

11. Changes to this Policy

We may update this Privacy Policy from time to time to ensure that it remains accurate. Please check back each time that you provide additional Personal Information to us. Where changes to the Policy will have a fundamental impact on the nature of our processing of your Personal Information or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights in relation to your Personal Information.
This Privacy Policy was last updated in October 2023.

12. How to Contact Us

If you would like to contact us on any aspect of this privacy policy or have any questions concerning the processing of your Personal Information, you can contact us through the channels below or submit a request via our digital platforms.

Chief Executive Officer
National Cancer Institute of Kenya
Landmark Plaza, 6th Floor,
P O Box 30016 00100 Nairobi, KENYA,
Telephone: +254 795012568, +254 717389120