PRIVACY POLICY
1. Introduction
This Privacy Policy explains how Grassroot Community Development Initiative ("the Organization") collects, uses, stores, shares, and protects personal data in accordance with the Constitution of Kenya (2010) and the Data Protection Act, 2019.
The Organization works with community members, small-scale farmers, school children, volunteers, staff, partners, and donors. We are committed to respecting privacy and safeguarding personal data.
2. Scope of This Policy
This policy applies to personal data collected from:
Community members, including farmers and their households
Children and parents/guardians involved in programs
Local and foreign volunteers
Staff, interns, and consultants
Partners, donors, and service providers
3. Legal Basis for Processing Data
We process personal data based on one or more of the following lawful grounds:
Consent of the data subject or parent/guardian (for children)
Performance of a lawful community or volunteer program
Compliance with legal or regulatory obligations
Protection of vital interests of a data subject
Legitimate interests of the Organization, where not overridden by individual rights
4. Types of Personal Data Collected
The Organization may collect the following categories of personal data:
a) General Personal Data
Names, age, gender, and contact details
Identification documents (where legally required)
Education, skills, and occupation details
b) Children’s Data
Names, age, school, class, and participation records
Parent/guardian contact details and consent records
c) Volunteer and Staff Data
Passport details, visa/work permit information
Emergency contact details
Background checks and safeguarding declarations
d) Sensitive Personal Data (where applicable)
Health or disability information (only where necessary and with consent)
5. How We Collect Personal Data
Personal data may be collected through:
Registration and consent forms
Program participation records
Volunteer applications and agreements
Meetings, training sessions, and community activities
Photographs or media (with consent)
6. Use of Personal Data
We use personal data to:
Implement and manage community programs
Safeguard children and vulnerable persons
Manage volunteer and staff engagement
Communicate program information and updates
Meet donor, reporting, and legal requirements
Improve program quality and accountability
7. Children’s Privacy
The Organization prioritizes the protection of children’s personal data.
Personal data of children is collected and processed only with written consent from parents or legal guardians.
Children’s data shall not be used for publicity, fundraising, or media without explicit consent.
8. Data Sharing and Disclosure
We may share personal data only when necessary and lawful, including with:
Government authorities where required by law
Schools, community partners, and safeguarding authorities
Donors or partners (in anonymized or consented form)
Service providers supporting organizational operations
Personal data shall never be sold or shared for commercial purposes.
9. Data Storage and Security
Personal data is stored securely in physical and/or electronic systems.
Access is restricted to authorized personnel only.
Appropriate technical and organizational safeguards are applied to prevent loss, misuse, or unauthorized access.
10. Data Retention
Personal data shall be retained only for as long as necessary to fulfill its purpose or meet legal obligations.
Children’s and safeguarding records may be retained longer as required by law.
Data no longer required shall be securely destroyed or anonymized.
11. Rights of Data Subjects
Under the Data Protection Act, 2019, data subjects have the right to:
Be informed about the use of their personal data
Access their personal data
Correct or update inaccurate data
Object to processing in certain circumstances
Request deletion of data where legally permissible
Requests should be made in writing to the Organization.
12. Consent
Consent shall be obtained clearly, voluntarily, and in writing where required.
Consent may be withdrawn at any time, subject to legal or contractual restrictions.
13. Cross-Border Data Transfers
Personal data may be transferred outside Kenya only where adequate data protection safeguards are in place and in compliance with Kenyan law.
14. Data Breach Management
Any data breach shall be reported internally immediately.
Where required, the Organization shall notify the Office of the Data Protection Commissioner (ODPC) and affected data subjects.
15. Review of Policy
This Privacy Policy shall be reviewed periodically to ensure compliance with applicable laws and best practices.
