ChildFund International
BACKGROUND
ChildFund International is a global organization whose vision is a world in which every child realizes their rights and achieves their potential. Our mission is to build the capacity of children experiencing deprivation, exclusion, and vulnerabilities because of poverty to improve their lives and become leaders who bring lasting and positive change to their communities.
ChildFund Kenya has been operational in Kenya since the 1960s and currently works with 11 implementing partners (IPs) and two direct implementation programs spread across 27 counties out of 47 counties, reaching approximately 1.3 million children, families, and community members through various sponsorship and development interventions.
The collection, use, and sharing of personal information has become an integral part of our life. However, the increased use and access to personal information has also raised concerns about its protection and misuse. In Kenya, the right to privacy is enshrined in the Constitution under Article 31.
The Data Protection Act, 2019 was enacted on 25th November 2019. The purpose of the Act is to regulate the processing of personal data in Kenya and to give individuals greater control over the way their data is used. The Act established the Office of the Data Commissioner who is the regulatory authority responsible for the implementation and enforcement of the provisions of the Act.
Non-compliance with the provisions of the Act attracts high financial as well as criminal sanctions. Therefore, it is important to ensure compliance to the Act.
PURPOSE AND OBJECTIVES
ChildFund Kenya is a data controller as it collects and stores personal data of a wide range of parties including Employees, Children, Program participants, Suppliers, etc.
While ChildFund Kenya may conform to some provisions of the Act, the country office has not undertaken a methodical and comprehensive approach to assess compliance against the requirements of the Data Protection Act in totality. The purpose of this assignment is to undertake a comprehensive review and assessment of the organisations data protection compliance as viewed against the Data Protection Act 2019 and its subsidiary regulations.
SCOPE OF WORK
ChildFund Kenya seeks the services of a suitably qualified and experienced consultant to undertake the following:
i. Conduct a data mapping of personal data inventory by various departments within ChildFund Kenya.
ii. Undertake a data protection compliance assessment and gap analysis to ensure organization wide compliance to the Data Protection Act and related regulations.
iii. Review existing policies, procedures, and practices in relation to Data Protection Act & related regulations and make recommendations to ensure compliance to the provisions of the Act.
iv. Formulate a framework for Data management, including the detection, reporting and investigation of data breaches.
v. Create a framework for third party due diligence (includes third parties processing personal data on the organization’s behalf) and data protection audits.
vi. Conduct training and capacity building across the organization i.e. employees, senior management, Data Protection committee, & any other relevant stakeholders on implications of Data Protection Laws and Regulations on our business processes, legal basis and scope of the Act.
The consultant will be required to describe what tools and methodology proposed to collect the information, and how the information will be analyzed.
KEY DELIVERABLES
The expected outputs from this assignment will be as follows:
i. Personal data inventory: a record of all personal data processes and systems.
ii. Gap assessment & Implementation roadmap: a data protection gap assessment report outlining identified gaps, proposed remedial actions, & an implementation road map.
iii. Data Protection Framework: this includes data protection policies, procedures, statements, and data protection governance structures defining roles and responsibilities. Develop data sharing consent processes and templates and advise on how they may be digitally implemented.
iv. Staff Awareness and training: conduct training for staff and other stakeholders to create awareness of the DPA. The training should be molded in accordance with its audience and adapted to their needs by linking the legal frameworks with ChildFund Kenya’s business operations. The training should emphasize staff duties and responsibilities with regards to existing policies and the importance of compliance.
v. Data protection awareness training materials
vi. Third Party Vendor Management Framework: this includes privacy notices and how to manage third parties.
vii. Policies such as Privacy Policy, Record Management Policy, Data Subject Access Request Policy, Incident Response Plan in the event of breach of the data protection act.
TIMELINES
The consultant is expected to complete the scope of work and provide the key outputs within 90 days of commencement of the assignment. ChildFund will provide support in the form of individuals assigned to support the compliance assessment in each department as well as draft documents for review. The Consultant will report to the HRD and also work closely with the Data Protection committee members.
QUALIFICATIONS & EXPERIENCE
In addition to the documents requested in the RFP main document, the Consultant should have the following:
i. Experience of 5 to 10 years in undertaking compliance, regulatory, legal and information assessments/ audits on data in non-profit organisations.
ii. Have a person with comparable legal qualification with experience in interpretation and dealing with data protection matters.
iii. Have demonstrable knowledge and experience in data protection law and related matters.
iv. Appropriate technical skills, professional qualifications, and suitable practice experience.
v. Evidence of having undertaken similar assignments.
TERMS AND CONDITIONS
a) Confidentiality of Information: the consultant may receive confidential information of ChildFund Kenya while carrying out the assignment. The consultant shall not disclose any confidential information and documentation to any person or other third party at any time without ChildFund’s Kenya prior written consent. shared during and after the assignment.
b) Conflict of Interest: the consultant is expected to read and become familiar with ChildFund’s Code of Business Conduct and Ethics and the standards described therein.
c) Safeguarding: ChildFund Kenya has a commitment to Child Safeguarding and expects any contracted parties to adhere to the same. This includes acting to ensure that children (anyone below 18 years of age) is not a victim of any form of physical and/or emotional abuse or neglect, reporting any concern or suspicion of such abuses, not condoning such actions, and not participating in such actions (i.e. forced labor, sexual exploitation or discrimination)
PROPOSAL SUBMISSION
Bidders are required to submit a detailed technical and cost proposal to ChildFund Kenya.
In addition, the consultant should provide at least 3 references for similar assignments successfully undertaken in the last 2-3 years.
Bidding documents will include:
Technical proposal with CVs of the technical team that will undertake the assignment.
Work plan and timelines.
References for similar previous work done.
Financial proposal quoted in Kenya shillings including taxes.
Sole proprietors
i. Certificate of Registration.
ii. Business permit
iii. KRA PIN Certificate.
iv. KRA Tax Clearance Certificate
v. Company/Organization Profile.
vi. List of at least 3 references within the NGO sector in the last three years.
Limited Liability Company
i. Certificate of incorporation
ii. Business Permit
iii. KRA PIN Certificate
iv. KRA Tax Compliance Certificate
v. Copy of CR12
vi. List of at least 3 references within the NGO sector in the last three years
NB: This information will be treated in accordance with the ChildFund’s Record Management Policy and Kenya’s Data Protection Act in regard to Personal Identifiable Information.
Evaluation of the proposals will be made by ChildFund Kenya who may engage in an interactive process with shortlisted applicants to further specify the scope and methodology to be used as well as budget, deliverables, and deadlines.
How to apply
Proposals to be submitted to [email protected] not later than 20th March 2024, with the subject line “Data Protection Compliance Consultancy.”
Deadline: 20 Mar 2024