csiinfo@csi.co.ke
Occidental Plaza, Muthithi Rd, Westlands

Privacy Statement

Privacy And Data Protection Policy
Introduction

Complete Solution Insurance Brokers Ltd has made a commitment to respect the privacy rights of individuals by ensuring that their personal information is collected, used, and disclosed in a manner that a reasonable person would consider appropriate in the circumstances.

The Data Protection Act No. 24 of 2019 was passed into law on 8th November 2019 and came into force on July 14, 2022, to give effect to Article 31(c) and (d) of the Constitution, which contains the right to privacy, a fundamental human right. Data protection is the process of safeguarding personal information in accordance with a set of principles laid down by law.

This policy is based on the basic principles and rules set out in that Act and all issues pertaining to Data privacy and protection not stated in this policy will be handled as per the provisions of the Data Protection Act.

For the purposes of this policy, the following are taken into consideration:

  1. Personal data;
  2. Data controller;
  3. Data processor;
  4. Sensitive personal data.

Our privacy policy is guided by the following principles and obligations of data protection.

As data controllers and data processors, we at CSI shall ensure that personal data is:

  1. Processed in accordance with the right to privacy of the data subject;
  2. Processed lawfully, fairly and in a transparent manner in relation to any data subject;
  3. Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  4. Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  5. Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  6. Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  7. Kept in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  8. Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Guidelines to Ensure Data Protection in CSI

We are responsible for all personal information under our control and we have designated one more individual who is accountable for the organization’s compliance with the policies and procedures described in this policy.

The individual appointed is accountable for the Broker’s compliance. Our commitment is to ensure that:

1. We protect personal information, allow data subjects to request information and seek amendments to their personal information, and train and educate staff on data privacy.
2. We use reasonable means to ensure that client personal information is given a comparable level of protection while being processed by us.

Common purposes for collection include:

1. Enabling the Broker to acquire or renew an insurance policy;
2. Assisting the Client and assessing his/her ongoing needs for insurance;
3. Assessing the Client’s need for other products, such as financial products;
4. Ensuring that Client information is accurate and up-to-date; and
5. Protecting the Broker and/or insurer against inaccuracy.

1. We identify the purposes for which we collect personal information at or before the time the information is collected.
2. We identify the purposes for which we collect personal information to affected individuals at or before the time of collection.
3. We may choose to identify such purposes orally or in writing. Written notification will be used whenever practical to do so.
4. We may choose to orally explain to clients the purposes for which personal information is being collected and then simply place a note in the client’s file indicating that this has been done. Alternatively, an application form may be used.
5. We identify any new purposes that arise during the course of dealing with personal information and obtain prior consent for this new use even if we have already identified certain initial purposes.
6. However, we will only do this when the intended new purpose truly constitutes a new use, i.e., when the purpose now being proposed is sufficiently different from the purpose initially identified.

Personal data that we may process includes, but is not limited to:

  • Name and contact details (such as telephone number, e-mail address and postal address);
  • Date of birth;
  • Profession;
  • Gender;
  • Marital status;
  • Spouse and children;
  • Video, photographic images or audio recordings submitted or made as part of the insurance issuance and claim process;
  • Medical reports and medical history.

We may also process sensitive data where applicable.

When exercising our rights and obligations under the insurance contracts as a brokerage, it may be necessary to process sensitive data. Such sensitive data includes, but is not limited to:

  • Medical history;
  • Claim record;
  • Racial/ethnicity information;
  • Country of origin, religion;
  • Bank accounts.

How is Your Personal Data Collected?

We use different methods to collect data from and about you, including through:

  • Registering for a service;
  • Emails;
  • Obtaining a quotation for and/or purchasing products or services;
  • Making a claim following a loss;
  • Giving us some feedback.

We may also get personal data from other parties such as:

  • Investigators
  • Assessors
  • Loss adjusters
  • Medical practitioners and medical institutions
  • Insurance investigators
  • Courier services
  • Travel insurance agents

We will obtain the appropriate consent from individuals for the collection, use, or disclosure of their personal information, except where the law provides an exemption, e.g. a contractual obligation.

Express consent is a specific authorization given by the individual to the Broker, either orally or in writing. Implied consent is one in which the Broker has not received a specific authorization but the circumstances allow us to collect, use or disclose personal information.

Express written consent includes a client:

  • Signing a consent form (such as the personal information CSI Insurance Brokers Ltd Consent Form)
  • Providing a letter, application form or other binding documents authorizing certain activities.
  • Providing authorization electronically (through a computer).

Express oral consent can be given in person or over the telephone. If we obtain an express oral consent, we will normally make note of that consent in the client’s file.

We will often seek express consent at the onset of a new business relationship. However, we may determine that by an individual seeking insurance coverage through our organization, consent has been implied for us to collect, use and disclose personal information in a reasonable manner.

Subject to legal exceptions, consent may be withdrawn at any time. We generally require such withdrawal to be in writing. There may be serious consequences to failing to provide or withdrawing consent, such as the Broker’s inability to acquire or renew an insurance policy and/or the cancellation of a policy.

Depending on whether a new purpose is identified during the course of dealing with a client’s personal information, we may choose to seek new consent. We do not consider a regular updating of information in a client’s file to be a new purpose and, therefore, we will not seek a new consent for this purpose.

There are circumstances in which we are not required to obtain an individual’s consent or explain the purposes for the collection, use or disclosure of their personal information. These include but are not limited to:

  • Collection: We may collect personal information without consent where it is in the individual’s interest and timely consent is unavailable, or to investigate a breach of an agreement (such as insurance fraud) or a contravention of law.
  • Use: We may use personal information without consent for similar reasons as those listed beside “collection” above, and also in an emergency situation in which an individual’s life, health or security is threatened.
  • Disclosure: We may disclose personal information without consent for law enforcement and national security purposes, for debt collection, to a lawyer representing our organization, and in an emergency situation in which an individual’s life, health, or security is threatened.

The personal information we collect is limited to that which is necessary for the purposes we have identified.

We only collect personal information for specific, legitimate purposes. We do not collect personal information indiscriminately.

We only collect information by fair and lawful means and not by misleading or deceiving individuals about the purpose for which information is being collected.

Our policies and procedures relating to the limitations on the collection of personal information are regularly communicated to our staff members who deal with personal information.

At CSI, personal information is not used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. We will only retain personal information as long as necessary for the fulfillment of those purposes.

We only use or disclose personal information for legitimate, identified purposes.

We retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected. We abide by industry standards applicable in the province(s) in which we are located, regarding minimum and maximum retention periods.

Personal information that has been used to make a decision about an individual is only retained long enough to allow the individual access to the information after the decision has been made. This period will not exceed applicable industry standards.

Personal information that is no longer required to fulfill identified purposes is destroyed, erased, or made anonymous.

Note: There may be situations in which we use, disclose or retain personal information for legitimate purposes not identified to the individual, including those situations outlined above.

The personal information we collect is accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Our organization, on an ongoing basis, ensures the accuracy and completeness of personal information under our care and control.

Individuals who provide their personal information to us must do so in an accurate and complete manner.

We consider a regular updating of client personal information to be necessary to ensure the accuracy of client files and to provide appropriate insurance coverage for clients.

Our goal is to minimize the possibility that inappropriate information may be used to make a decision about any individual whose personal information we process.

The process for ensuring accuracy and completeness involves:

  • Initial collection from the client, who is asked to verify accuracy and completeness in case we are in doubt.
  • Regular reviews; verifying accuracy by contacting third parties (e.g., motor vehicle and driver licensing authorities).

As more particularly described in Individual Access, we provide recourse to individuals who appear to have legitimate corrections to make to their information on file. Once significant errors or omissions have been identified, we correct or amend the information as appropriate. Where necessary, we send such corrected or amended information to third parties who have had access to the information in question (such as insurance companies).

We will safeguard the security of personal information under our control in a manner that is appropriate to the sensitivity of the information.

We will protect the security of personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use, or modification.

More sensitive information will be safeguarded by a higher level of protection. However, we will generally seek to achieve the highest level of security.

In determining what safeguards are appropriate, we will consider the following factors:

  • The sensitivity of the information;
  • The amount of information held;
  • The parties to whom the information will be disclosed;
  • The format in which the information is held; and
  • The way in which the information is physically stored.

When transferring client information to a third party, we will remove or mask any information that is not strictly needed by the third party. Our methods of protection may include:

  • Physical measures, such as locked filing cabinets and/or restricted access;
  • Organizational measures, such as security clearances and limiting access; and
  • Technological measures, such as the use of passwords and encryption.

We will ensure that our policies and procedures on safeguarding personal information are clearly communicated and accessible to our employees by:

  • Training staff on the subject of personal information protection; and
  • Having regular staff meetings in which we will review our procedures and revise where appropriate.

We will take precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures may include:

  • Ensuring that no one may retrieve personal information after it has been disposed of;
  • Shredding documents before recycling them; and
  • Deleting electronically stored information.

We will make readily available to individuals specific information about our policies and procedures relating to the management of personal information which is under our control.

Individuals will be able to inquire about our policies and procedures without unreasonable effort.

We may choose to make some information about our policies and procedures available in a variety of ways, for example:

  • Making this Policy available;
  • Mailing out information to clients;
  • Making posts on our website;
  • Providing our telephone number for easier accessibility.

Upon request, an individual (data subject) may be informed of the existence, use, and disclosure of his or her personal information which is under our control, and may be given access to, and challenge the accuracy and completeness of, that information.

Upon written request, an individual may be informed as to whether or not we hold personal information about him or her. If we do hold such personal information, upon written request, we will provide access to the information, as well as a general account of its use.

Upon written request, we may provide a list of third parties to whom we may have disclosed an individual’s personal information.

Individuals may be required to provide sufficient information to us to permit us to provide an account of the existence, use and disclosure of personal information.

The procedure for making a request is as follows:

  • All requests must be made in writing.
  • We respond to a request within 30 days after receipt of the request unless we first advise you that we need a longer period to respond.
  • Reasons: if we refuse a request, we inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Data Protection Commissioner.
  • Costs for responding: the Broker may require payment of a modest fee to cover our administrative costs associated with preparing a response, where applicable.

There are also exceptions that may prevent us from providing access, including where:

  • Personal information about another person might be revealed;
  • Commercially confidential information might be revealed;
  • Someone’s life or security might be threatened;
  • The information was collected without consent for the purposes related to an investigation of a breach of an agreement or contravention of the law; or
  • The information was generated during the course of a formal dispute resolution process.

An individual may address a challenge concerning compliance with the above guidelines and procedures to our Privacy Officer.

Upon request, individuals who wish to inquire or file a complaint about the manner in which we handled their personal information or about our personal information policies and procedures will be informed of our applicable complaint procedures.

To file a complaint, an individual must fill out a Request/Complaint Form, which requires basic information and a description of the nature of the complaint.

The procedure for filing a complaint about our organization is as follows:

  • A Request/Complaint should be made in writing to our Privacy Officer;
  • Acknowledgment of the complaint right away;
  • Investigation of the complaint;
  • Clarify facts directly with the complainant, where appropriate; and
  • Advise the complainant in writing of the outcome of our investigation, including any steps taken to rectify the problem, if applicable.

We will document all complaints made by clients and employees, as well as our actions in response to complaints, by noting these details in the individual’s file and also in a master privacy file.

From time to time, we may need to make changes to this Data Protection Policy, for example as a result of government regulations, new technologies or other developments in data protection laws or privacy generally. We encourage you to review it periodically to see the most up-to-date Data Protection Policy.

A copy of this Policy can be obtained by contacting hr@csi.co.ke and is also annexed to all our policy documents.

Visit us

1st Floor, Occidental Plaza, Muthithi Road Nairobi

Call us

+254726983819, +254111219999

E-mail us

csiinfo@csi.co.ke