Data Protection & Compliance
Last Updated: January 2025
Version: 2.0
Executive Summary
OpenCHS demonstrates unwavering commitment to data protection through compliance with international and regional legal frameworks. This document provides assurance to donors, government partners, and implementing organizations.
Quick Reference
| Framework | Status | Documentation |
|---|---|---|
| 🇰🇪 Kenya DPA 2019 | ✅ Compliant | Details |
| 🇺🇬 Uganda DPPA 2019 | ✅ Compliant | Details |
| 🇹🇿 Tanzania PDPA 2022 | ✅ Compliant | Details |
| 🇱🇸 Lesotho DPA 2011 | ✅ Compliant | Details |
| 🇪🇺 GDPR | ✅ Compliant | Details |
| 🇺🇳 UNCRC | ✅ Aligned | Details |
| 🇺🇳 CRPD | ✅ Aligned | Details |
1. Core Commitment
BITZ IT Consulting Ltd. affirms that OpenCHS:
- ✅ Protects Personal Data by design and by default
- ✅ Safeguards Children with enhanced protections
- ✅ Ensures Compliance across all deployment jurisdictions
- ✅ Maintains Transparency in data handling practices
- ✅ Upholds Accountability through regular audits
2. Adherence to Legal Frameworks
Regional Compliance
🇰🇪 Kenya - Data Protection Act (2019)
Status: Fully Compliant
- Data Controller registration with ODPC
- Privacy notices in Swahili and English
- Data Protection Impact Assessments (DPIAs)
- Data breach notification procedures (72 hours)
- Data subject rights implementation
Contact: Office of the Data Protection Commissioner
Email: info@odpc.go.ke
Website: odpc.go.ke
🇺🇬 Uganda - Data Protection and Privacy Act (2019)
Status: Fully Compliant
- Registration with Personal Data Protection Office
- Consent mechanisms for data processing
- Cross-border data transfer safeguards
- Privacy by design implementation
- Regular compliance audits
Contact: Personal Data Protection Office
Email: info@pdpo.go.ug
Website: pdpo.go.ug
🇹🇿 Tanzania - Personal Data Protection Act (2022)
Status: Fully Compliant
- Data processing registration
- Data protection officer appointment
- Privacy policy publication
- Data security measures
- Compliance monitoring
🇱🇸 Lesotho - Data Protection Act (2011)
Status: Fully Compliant
- Registration requirements met
- Privacy safeguards implemented
- Data security standards maintained
International Benchmark
🇪🇺 GDPR (2016/679)
Status: Benchmark Standard
OpenCHS uses GDPR as the gold standard, ensuring:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
3. International Standards
🇺🇳 UN Convention on the Rights of the Child (UNCRC)
Alignment Areas:
- Article 3: Best interests of the child as primary consideration
- Article 16: Protection from interference with privacy
- Article 19: Protection from all forms of violence
Implementation:
- Enhanced data protection for child information
- Age-appropriate consent mechanisms
- Privacy-preserving case management
- Secure data handling protocols
🇺🇳 UN Convention on the Rights of Persons with Disabilities (CRPD)
Alignment Areas:
- Article 9: Accessibility of information and communications
- Article 22: Respect for privacy
Implementation:
- Accessible interface design (WCAG 2.1 AA)
- Screen reader compatibility
- Alternative input methods
- Dignity-preserving data practices
4. Operational Implementation
Compliance is embedded in every layer of OpenCHS:
Privacy by Design
Privacy by Design Principles:
1. Proactive not Reactive
2. Privacy as Default Setting
3. Privacy Embedded in Design
4. Full Functionality
5. End-to-End Security
6. Visibility and Transparency
7. Respect for User Privacy
Implementation:
✅ Data Minimization
- Collect only necessary data
- Regular data necessity reviews
- Automatic field validation
✅ Anonymization & Pseudonymization
- PII masked in analytics
- Pseudonyms for reporting
- De-identification tools
✅ Purpose Limitation
- Documented processing purposes
- Consent for secondary use
- Purpose-specific access controls
Security Architecture
Multi-Layer Protection:
Layer 1: Application Security
- Input validation
- XSS protection
- CSRF tokens
- Secure session management
Layer 2: Data Security
- TLS 1.3 encryption (transit)
- AES-256 encryption (rest)
- Encrypted backups
- Secure key management
Layer 3: Access Security
- Role-Based Access Control (RBAC)
- Multi-Factor Authentication (MFA)
- Principle of least privilege
- Regular access reviews
Layer 4: Infrastructure Security
- ISO 27001 certified hosting
- SOC 2 Type II compliance
- Firewall protection
- Intrusion detection
Layer 5: Monitoring
- 24/7 security monitoring
- Audit trail logging
- Anomaly detection
- Incident response
Data Protection Impact Assessments (DPIAs)
When Conducted:
- New deployment in jurisdiction
- New feature involving PII
- Significant system changes
- Annual compliance review
DPIA Process:
Risk Identification
- Data flow mapping
- Threat assessment
- Vulnerability analysis
Impact Analysis
- Likelihood evaluation
- Severity assessment
- Mitigation planning
Consultation
- Stakeholder input
- DPO review
- Legal counsel
Documentation
- Risk register
- Mitigation measures
- Approval sign-off
Training & Awareness
Mandatory Training Programs:
| Role | Training Type | Frequency |
|---|---|---|
| All Users | Data Protection Basics | Annual |
| Operators | Secure Data Handling | Annual |
| Supervisors | Privacy Management | Annual |
| Administrators | Technical Security | Quarterly |
| DPO | Advanced Compliance | Ongoing |
Training Content:
- Legal framework overview
- Data subject rights
- Secure data practices
- Incident response
- Case studies
Verification:
- Completion certificates
- Assessment tests
- Training records
- Audit trails
5. Data Sovereignty
In-Country Data Residency
Default Configuration:
- Data stored within country of operation
- Local server deployment options
- Regional cloud availability
- Data sovereignty compliance
Supported Configurations:
| Country | Storage Location | Backup Location | Compliance |
|---|---|---|---|
| 🇰🇪 Kenya | Nairobi DC | Regional | ✅ ODPC Approved |
| 🇺🇬 Uganda | Kampala DC | Regional | ✅ PDPO Approved |
| 🇹🇿 Tanzania | Dar es Salaam DC | Regional | ✅ Compliant |
| 🇱🇸 Lesotho | Local/Regional | Regional | ✅ Compliant |
Cross-Border Transfers
Safeguards Required:
- ✅ Standard Contractual Clauses (SCCs)
- ✅ Data Processing Agreements (DPAs)
- ✅ Adequacy decisions
- ✅ Explicit consent
- ✅ Legal framework compliance
Transfer Principles:
- Minimal data transfer
- Purpose-specific transfers
- Documented justification
- Regular compliance reviews
6. Continuous Improvement
Monitoring & Review
Regular Activities:
Monthly
- Security log reviews
- Access audits
- Incident reviews
Quarterly
- Compliance assessments
- Policy updates
- Training delivery
Annually
- Full compliance audit
- DPIA reviews
- Legal framework updates
- Certification renewals
Audit Program
Internal Audits:
- Monthly security reviews
- Quarterly compliance checks
- Annual comprehensive audit
External Audits:
- Independent security assessments
- Regulatory inspections
- Third-party certifications
7. Certification & Standards
Target Certifications
| Certification | Status | Target Date |
|---|---|---|
| ISO 27001 | In Progress | Q2 2025 |
| SOC 2 Type II | In Progress | Q3 2025 |
| CSA STAR | Planned | Q4 2025 |
8. Contact Information
Compliance Inquiries
Data Protection Officer: dpo@openchs.com
Website: https://openchs.com/compliance
Phone: [Contact implementing organization]
Regulatory Contacts
Kenya: Office of the Data Protection Commissioner
- Email: info@odpc.go.ke
- Website: odpc.go.ke
Uganda: Personal Data Protection Office
- Email: info@pdpo.go.ug
- Website: pdpo.go.ug
9. Related Documentation
- Privacy Policy - User-facing privacy information
- Data Privacy & Security - Technical implementation
- Terms of Service - Legal agreements
- Open Source License - Software licensing
Next Review: July 2025