CEMASTEA Data Privacy Policy

CEMASTEA is committed to protecting your privacy in accordance with the Data Protection Act (2019) of Kenya. To facilitate your training, assessment, and certification, we collect and process personal data including your Name, National ID, TSC Number, Contact Details, and Academic Performance. This data is used strictly for:
- Managing your user account and course enrollments.
- Tracking professional development progress.
- Issuing certificates and reporting to the Teachers Service Commission (TSC) and Ministry of Education.
Your data is stored securely and is never sold to third parties. By agreeing to this policy, you consent to CEMASTEA processing your data for these educational and compliance purposes.
Article 1: Introduction
The Centre for Mathematics, Science and Technology Education in Africa (CEMASTEA) is a State Corporation under the Ministry of Education. Established in 1998, the Centre aims to improve the quality of mathematics and science education through capacity building for teachers and pedagogical leaders, among other educational stakeholders.
The Centre is also the Secretariat of the Strengthening of Mathematics and Science Education in Africa (SMASE-Africa) Association, a continental organization with membership from 26 African countries. This policy was collectively developed by staff, management and the Board of Governors (BoG), guided by a consultant team backed by data protection experts. Intensive stakeholder consultations provided rich policy input, deliberations and a policy position consensus consistent with legal requirements.
Dedicated to innovation and excellence, CEMASTEA collaborates with diverse partners in developing and promoting innovative teaching pedagogies and research that emphasize learner-centred and inquiry-based teaching and learning methods and content in STEM education. It runs various teacher professional development programmes and conducts STEM programmes that encourage teachers to adopt innovative approaches in their classrooms. In the ordinary course of executing these programmes, CEMASTEA handles the personal data of many individuals.
Cognizant of Article 31 of the Constitution of Kenya and the Data Protection Act, 2019 on upholding individual privacy, lawful processing of personal data is undertaken pursuant to the Act and in accordance with the provisions of the Registration of Persons Act (Cap. 107); the Births and Deaths Registration Act (Cap. 149); the Kenya Citizenship and Immigration Act (Cap. 170); the Marriage Act (Cap. 150); the Children Act (Cap. 141); the Refugee Act (Cap. 173); or any other law relating to the issuance of identity documents and subsequent Regulations. The Centre has developed this institutional policy framework and is committed to the continual review of its personal data handling in compliance with legal requirements on safeguarding privacy.
This policy provides a comprehensive framework for the privacy protection of every person interacting with CEMASTEA by setting out the personal data protection systems, processes and measures required of everyone engaged with the Centre in its core mandate of STEM research and training and its commitment to the public interest. The policy applies to all full- and part-time staff and employees, teachers, learners, and non-employees who use CEMASTEA funds, facilities or other resources, or participate in CEMASTEA-administered research, including visiting lecturers, industrial personnel and fellows, regardless of their obligations to other entities, companies or institutions. For the purposes of this policy, these individuals are referred to as “covered persons” or “persons covered by this policy.”
Article 2: Policy Statement
This policy outlines how CEMASTEA sets out to meet its personal data protection obligations under Section 23 of the Data Protection Act, 2019.
Purpose of this policy
The purpose of this policy is to guide institutional data governance on:
1. The nature of personal data collected and held;
2. How a data subject may access their personal data and exercise their rights in respect of that personal data;
3. Complaints handling mechanisms;
4. The lawful purposes for processing personal data;
5. Obligations or requirements where personal data is to be transferred outside the country, to third parties, or to other data controllers or data processors located outside Kenya;
6. The retention of personal data; and
7. The collection of personal data from children, and the criteria to be applied.
Article 3: Aim of this Policy
This Data Protection Policy is established by the Centre for Mathematics, Science and Technology Education in Africa (CEMASTEA) to affirm our commitment to protecting the personal information of our stakeholders, including students, educators, researchers, staff, and partners.
The Centre is keen to meet its human rights obligations under the Constitution of Kenya and internationally. More specifically, its duty is to protect, respect and fulfil the right to privacy of all our stakeholders, and to ensure the effective protection and management of personal data processed by the Centre in an automated or non-automated manner, whether in manual, electronic or any other form. The aim is to ensure responsible processing by setting the requisite standards and practices for privacy and personal data protection. In alignment with CEMASTEA's mission to advance mathematical, scientific, and technological education across Africa, this policy aims to:
a) Ensure the responsible and ethical collection, processing, storage, and management of personal data.
b) Comply with the Data Protection Act No. 24 of 2019 and other relevant Kenyan data protection regulations.
c) Safeguard the privacy rights of individuals.
d) Maintain the confidentiality, integrity, and security of personal information.
e) Support CEMASTEA's strategic objectives of promoting educational research and technological innovation.
This policy establishes the framework for data handling practices that uphold transparency, accountability, and legal compliance while supporting the Centre's core objectives of enhancing educational capacity and technological advancement in Africa.
Article 4: Scope of the Policy
This Data Protection Policy applies to:
a) The personal data processing activities of CEMASTEA as a data controller or data processor in Kenya, regardless of whether the processing takes place in Kenya or not.
b) All entities at or connected to CEMASTEA, including the following:
1. All CEMASTEA staff, administrators, and the Board of Governors;
2. Every person employed or engaged howsoever by CEMASTEA in the carrying out of its mission; and
3. Implementing partners, suppliers, sub-grantees, stakeholders and other associated entities, including third-party representatives.
c) All personal data that CEMASTEA holds relating to identifiable individuals, that is, any information relating to an identified or identifiable individual.
Article 5: Governing Laws
This policy shall be interpreted in accordance with the Laws of Kenya.
Article 6: Principles
The Centre is guided by the following data protection principles:
Principle 1: Lawfulness, Fairness and Transparency
The Centre shall process personal data lawfully, fairly and in a transparent manner in relation to the data subject (individual). When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal, transparent and fair manner. Data collected shall be adequate, relevant and not excessive in relation to the purposes for which it is obtained and further processed.
Personal data may be processed only with the voluntary consent of the data subject or on another lawful basis recognised under Article 7 of this policy.
The data subject shall have the right to: -
A. Be informed of the use to which their personal data is to be put;
B. Access their personal data in the custody of the Centre;
C. Object to the processing of all or part of their personal data;
The rights of a data subject shall be exercised in the following manner:
1. Where the data subject is a minor, by a person who has parental authority or by a guardian. The processing of a minor’s data shall be done in a manner that advances the best interests of the minor;
2. Where the data subject is a person with a mental disability, by a person duly authorized to be their guardian; or
3. In any other case, by the data subject or by a person duly authorized by the data subject.
Principle 2: Purpose Limitation
The Centre shall collect personal data for a specific, explicit and legitimate purpose, shall clearly state what that purpose is before the data is collected, and shall retain the data only for as long as is necessary to complete that purpose. Personal data may be processed only for the purpose defined before collection, and shall not subsequently be processed in a manner that is incompatible with that purpose. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes.
Principle 3: Data Minimization (Adequacy)
The Centre shall ensure that the personal data it processes is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and shall collect no more personal data than those purposes require.
Principle 4: Accuracy
The Centre shall take every reasonable step to update or remove data that is inaccurate. Individuals have the right to request the erasure or rectification of erroneous data that relates to them, and such requests shall be acted on without delay. Personal data on file must be correct, complete and, where necessary, kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated.
The data subject shall have the right to: -
a) Demand the correction of false, inaccurate or misleading data; and
b) Demand the deletion of false, inaccurate or misleading data.
Principle 5: Storage Limitation (Retention)
The Centre shall not keep personal data in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by law to safeguard the rights and freedoms of individuals.
In individual cases there may be an indication of interests that merit protection, or of the historical significance of the data. If so, the data must remain on file until the interests that merit protection have been clarified legally, or until the Centre's archive has evaluated the data to determine whether it must be retained for historical purposes.
Principle 6: Integrity and Confidentiality (Security)
The Centre must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures. Personal information must be processed in line with the data subjects’ rights.
The Centre will employ industry best practices to prevent unauthorized modification, corruption or tampering of Personal Data. Additionally, the Centre will implement resilient infrastructure, regular backups, and disaster recovery measures to minimize downtime and ensure uninterrupted access by Data Subjects.
Principle 7: International Transfers
Personal information must not be transferred to other countries without adequate protection. The Centre shall restrict the transfer of Personal Data outside Kenya in compliance with the following protective measures:
A. Adequate Data Protection Safeguards: The Centre may transfer Personal Data outside Kenya only when:
● Appropriate and verifiable data protection safeguards are in place;
● The Office of the Data Protection Commissioner (ODPC) has issued a formal adequacy decision; or
● The transfer meets one of the following essential conditions:
(a) Necessary for the performance of a contract involving the Data Subject;
(b) In the public interest;
(c) Required for exercising or defending a legal claim; or
(d) Directly beneficial to the Data Subject's interests.
B. Data Subject Consent: Transfers are permissible with explicit Consent from the Data Subject, which must be freely given, specific, informed, and unambiguous.
C. Compliance Requirements: Every international transfer of Personal Data must satisfy at least one of the aforementioned conditions, ensuring the protection of the Data Subject's privacy rights and data security.
Principle 8: Accountability
The Data Controller must take responsibility for complying with the principles, and must have appropriate processes and records in place to demonstrate compliance. The data subject must be informed of how his or her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must be made aware of, or informed of, the purpose of the data processing and the categories of third parties to whom the data might be transmitted. Processing of personal data must have the consent of the data subject or must meet one of the following conditions:
i. Compliance with any legal obligation to which the Centre is subject;
ii. The protection of the data subject’s life; or
iii. The performance of a public service mission entrusted to the Centre.
Article 7: Lawful Data Processing
The Centre shall always ensure that, before collecting and processing personal data, there is a legal basis and purpose for doing so. The Centre shall not process personal data unless:
a) The data subject consents to the processing for one or more specified purposes; or
b) The processing is necessary for:
1) The performance of a contract to which the data subject is a party;
2) Meeting the legal compliance obligations to which the Centre is subject;
3) The protection of the vital interests of the data subject or of another data subject;
4) The performance of a task carried out in the public interest or in the exercise of official authority vested in the Centre;
5) The legitimate interests pursued by the Centre or by a third party to whom the data is disclosed, except where the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
6) The purposes of historical, statistical, journalistic, literary or artistic, or scientific research.
c) Where a data subject’s personal data is required for purposes other than those listed above, the Centre shall seek the consent of the data subject. In seeking that consent, the Centre shall inform the data subject of the following:
a. The purpose of each of the processing operations for which the consent is sought;
b. The type of personal data that is to be collected and used;
c. The possible risks of data transfers due to the absence of an adequacy decision or appropriate safeguards;
d. Whether the personal data will be shared with third parties; and
e. The right to withdraw consent and the implications of providing, withholding or withdrawing consent.
d) Where a third party provides the Centre with another individual’s personal data, the Centre shall make an effort to confirm that:
a. The data was collected in accordance with the applicable laws;
b. The personal data was lawfully processed;
c. The sharing of the personal data with the Centre was clearly explained to the data subject by the third party; and
d. Where required, consent to process the data, including sharing of the information, was obtained from the data subject.
Article 8: Processing of Sensitive Personal Data
The Centre will process Sensitive Personal Data strictly in compliance with Applicable Laws. Processing is permissible under the following circumstances:
1. Publicly available sensitive data: Sensitive Personal Data that has been manifestly made public by the Data Subject may be processed.
2. Specific lawful grounds for processing: The Centre may process Sensitive Personal Data without explicit Consent when such processing is:
a) Necessary for the establishment, exercise, or defence of a legal claim;
b) Required to fulfil the Centre's obligations or to exercise specific rights of the Centre or the Data Subject; or
c) Essential to protect the vital interests of the Data Subject or another person when the Data Subject is physically or legally incapable of providing Consent.
Employees are strictly prohibited from processing Sensitive Personal Data outside the grounds specified above. Unauthorized processing of Sensitive Personal Data may result in:
1. Disciplinary action within the Centre;
2. Potential criminal liability;
3. Civil penalties; or
4. Administrative sanctions.
Any employee processing Sensitive Personal Data must ensure full compliance with these provisions and the underlying legal requirements. Failure to adhere to these guidelines may expose both the individual employee and the Centre to significant legal and regulatory risks.
Article 9: Restrictions on Processing
The Centre shall, at the request of a data subject, restrict the processing of personal data where:
a) The accuracy of the personal data is contested by the data subject, for a period enabling the Centre to verify the accuracy of the data;
b) The personal data is no longer required for the purpose of the processing, unless the Centre requires the personal data for the establishment, exercise, or defence of a legal claim;
c) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
d) The data subject has objected to the processing, pending verification as to whether the legitimate interests of the Centre override those of the data subject.
Where the processing of personal data is restricted under this section, the personal data shall, other than being stored, only be processed with the data subject's consent or for:
i) The establishment, exercise, or defence of a legal claim;
ii) The protection of the rights of another person; or
iii) Reasons of public interest.
The Centre shall implement mechanisms to ensure that time limits are established for the rectification, erasure, or restriction of processing of personal data, and for conducting periodic reviews of the need for storing the personal data.
Article 10: Data Retention Schedule
The Centre retains personal data for as long as necessary to fulfil the purpose for which it was collected, in compliance with legal requirements.
a) The retention period of personal data may vary depending on the nature and purpose of the data.
b) Customer and supplier data is retained for the duration of the business relationship and for a period afterwards as required by contractual, legal and regulatory obligations.
c) Employee data is retained for the duration of employment and for a reasonable period afterwards to fulfil legal obligations, address potential disputes and maintain employment records.
d) Website usage data is retained for the period necessary to analyse traffic, ensure website security and improve user experience.
Article 11: Data Security
CEMASTEA shall implement robust security measures to protect personal data, including:
a) Restricting access to personal data to authorized personnel only.
b) Encrypting sensitive data both in transit and at rest.
c) Conducting regular security audits and vulnerability assessments.
d) Establishing a data breach response plan to address potential security incidents promptly.
Data Subject Rights
Employees, contractors, suppliers, and other data subjects have the following rights:
a) The right to access their personal data held by CEMASTEA.
b) The right to request correction or rectification of inaccurate or incomplete data.
c) The right to request erasure or deletion of personal data under certain conditions.
d) The right to request the restriction of data processing in specific circumstances.
e) The right to receive their data in a structured, commonly used, and machine-readable format.
f) The right to object to data processing based on legitimate interests.
g) The right to withdraw consent at any time for processing activities based on consent.
Requests to exercise these rights should be directed to the Data Protection Officer.
Data Breach Management
In the event of a detected data breach, CEMASTEA shall:
1. Verify and contain the breach immediately.
2. Notify the ODPC and affected individuals within the timelines required by the Act (for the ODPC, within seventy-two hours of becoming aware of the breach).
3. Investigate the breach and mitigate the risk to affected data subjects.
4. Implement corrective actions.
Article 12: Responsibilities
The Centre shall establish and implement procedures compliant with this policy. Further, the Centre shall ensure that all staff who process personal data are sensitized to, and comply with, this data protection policy so that the underlying safeguards, practices and protocols are adhered to. Breach of this policy shall result in disciplinary action.
Data Protection Officer (DPO)
The Centre shall appoint a Data Protection Officer (DPO) who shall have comprehensive responsibility for overseeing data protection compliance and managing data protection risks. The DPO's key responsibilities include:
a) Regulatory Compliance and Liaison
i. Serve as the primary point of contact for the ODPC and other data protection regulatory authorities.
ii. Manage the Centre's registration as a data controller or data processor and oversee compliance with data protection laws.
iii. Liaise with the ODPC and other relevant authorities during periodic audits, investigations, and regulatory activities.
b) Compliance Advisory and Monitoring
i. Advise the Centre and its staff on compliance with applicable data protection laws and internal data protection policies.
ii. Continuously monitor organizational compliance with data protection regulations.
iii. Provide expert guidance on interpreting and implementing data protection requirements.
c) Risk Management and Impact Assessments
i. Identify and assess reasonably foreseeable internal and external risks to personal data.
ii. Conduct comprehensive data protection impact assessments.
iii. Establish and maintain appropriate safeguards against identified data protection risks.
iv. Consider the nature, scope, context, and purposes of data processing when evaluating risks.
d) Data Protection Strategies
i. Recommend and oversee data anonymization, pseudonymization, and encryption strategies.
ii. Develop and maintain a personal data retention schedule.
iii. Establish time-limited protocols for the periodic review of stored personal data.
iv. Determine when personal data is no longer necessary and should be removed or archived.
e) Contractual and Operational Oversight
i. Review all written contracts related to data processing.
ii. Advise the Centre on engagements with data processors.
iii. Ensure contractual provisions adequately protect personal data.
iv. Verify compliance of third-party data processing arrangements.
f) Capacity Building and Training
i. Facilitate capacity building for staff involved in data processing operations.
ii. Develop and implement training programs to enhance organizational data protection awareness.
iii. Support employees in understanding their roles and responsibilities in data protection.
The DPO shall be provided with sufficient resources, authority, and independence to perform these duties effectively, with direct access to senior management to ensure comprehensive data protection governance.
Staff Responsibilities
Staff members handling the personal data of any stakeholder shall comply with the requirements of this policy. They shall ensure that:
i. All personal data is secure;
ii. All personal data is kept confidential from unauthorized persons;
iii. Personal data is kept in accordance with this policy;
iv. All concerns and queries connected with data protection are directed to the DPO; and
v. Any data breaches are reported to the DPO.
Third-Party Data Processors
The Centre may share data with government agencies, academic institutions, and service providers to facilitate educational programs, comply with legal requirements, and improve service delivery. Data sharing will be conducted on the basis of legal obligations, contractual requirements, or consent from the data subject.
When external entities are engaged to process personal data on the Centre's behalf, the Centre retains full responsibility for data security and appropriate usage. In instances of third-party data processing:
i. The selected data processor must implement robust security protocols to safeguard the personal data it processes.
ii. Comprehensive due diligence shall be conducted to verify and validate the security measures implemented by the third-party processor.
iii. A comprehensive written agreement shall be executed, explicitly detailing the specific personal data to be processed, the precise purpose of the processing, and explicit security and confidentiality requirements.
iv. All third-party processors engaged by CEMASTEA must sign Data Processing Agreements (DPAs) outlining their obligations to ensure data security, confidentiality, and compliance with the Kenyan Data Protection Act, 2019.
External parties shall be vetted and thoroughly briefed on the Centre's Data Protection Policy. They must explicitly acknowledge and guarantee that any unauthorized disclosure or misappropriation of confidential information, whether by managers, employees, consultants, or collaborators, constitutes a fundamental breach potentially causing severe and irreparable harm to the Centre. Any violation of data protection legal requirements will trigger the penalties specified in the contract and/or those prescribed by applicable data protection regulations.
Roles of the CEO
a) Ensure overall compliance with data protection laws and policies.
b) Allocate the necessary resources for implementing data protection measures.
c) Oversee the designation and function of the Data Protection Officer (DPO).
d) Approve key strategic decisions related to data security and compliance.
e) Provide leadership in fostering a culture of data privacy within the organization.
f) Promote awareness and training among staff regarding data protection principles and practices, ensuring that all employees understand their responsibilities in handling personal data.
g) Provide quarterly policy implementation reports to the Board for review.
Roles of the Board
a) Establish and review governance frameworks for data protection and security.
b) Ensure that CEMASTEA complies with legal and regulatory data protection requirements.
c) Monitor and assess data protection performance through regular reporting and audits.
d) Engage in regular strategic planning and review sessions on data protection and security, at least twice a year.
e) Support the implementation of best practices in data security and risk mitigation.
Article 13: Complaints Handling Mechanism
Data Subjects may submit a complaint regarding the processing of their Personal Data. Complaints should be directed to the DPO, and the Centre will acknowledge the Complaint within 7 working days. The Centre will only entertain a Complaint from a Data Subject's representative if the representative provides the Data Subject's written Consent authorizing the representative to act on the Data Subject's behalf in relation to the Complaint.
Upon verification of all identification requirements, the investigation will be conducted within 30 working days. Should further clarification be required from the complainant, or additional time be necessary to complete the response, the Centre will notify the complainant before the original deadline expires. The complaint outcome will be communicated to the complainant in writing via email or any other appropriate means.
If the complainant disagrees with or is unsatisfied by the outcome, they may request a review of the decision. Should the complainant remain aggrieved by the Centre's decision following such review, they retain the right to lodge a complaint with the ODPC.
Article 14: General Exemptions
Notwithstanding the provisions of this Article, the Centre shall not be exempt from complying with the data protection principles relating to lawful processing, minimization of collection, data quality and the adoption of security measures to safeguard personal data. The processing of personal data shall be exempt from this policy where:
a) It is carried out by an individual in their individual capacity;
b) It is necessary for national security or the public interest; or
c) Disclosure is required by or under any written law or by order of a court.
Journalism, Literature and Art
a) The principles of processing personal data shall not apply where:
i) the processing is undertaken by a person for the publication of literary or artistic material;
ii) the Centre reasonably believes that publication would be in the public interest; and
iii) the Centre reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.
b) Subsection (a)(ii) shall only apply where it can be demonstrated that the processing is in compliance with any self-regulatory or issued code of ethics in practice and relevant to the publication in question.
Research, History and Statistics
a) The further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes. The Centre shall ensure that such further processing is carried out solely for those purposes and that the data is not published in an identifiable form.
b) The Centre shall take measures to establish appropriate safeguards against the records being used for any other purpose.
c) Personal data which is processed only for research purposes is exempt from the provisions of this policy if:
i. the data is processed in compliance with the relevant conditions; and
ii. the results of the research or resulting statistics are not made available in a form which identifies the data subject or any of them.
d) The Centre shall prepare a code of practice containing practical guidance for processing personal data for the purposes of Research, History and Statistics.
Article 15: Amendment of Policy
This policy shall be reviewed every three (3) years and whenever the need arises.
Article 16: Requirements for Implementation
Implementation of this policy will require the following:
1. An organization structure that clearly outlines the responsibility areas and the reporting lines.
2. Provision of the necessary budget, equipment and tools required for effective and efficient implementation, including but not limited to internet and ICT infrastructure.
3. Capacity building of all internal and external staff on data protection.
4. Advocacy and effective dissemination of Information, Education and Communication (IEC) materials among CEMASTEA’s publics.
5. All records shall be kept in accordance with international Quality Management System standards.
