1. Purpose
The purpose of this document is to outline C. Mputhia Advocates’ client
privacy and confidentiality policy and procedure.
2. Background
C. Mputhia Advocates is committed to protecting, respecting and upholding
the rights of our clients to privacy and confidentiality. As per the Advocates
Act and Advocates regulations on implications of duties on an Advocate to a
Client, the firm must observe its duty to maintain confidentiality as per the
law. Pursuant to Article 31 of the Constitution of Kenya as read together with
Sections 25 and 26 of the Data Protection Act, 2019, it is the firm’s obligation to
have a document that clearly sets out its policies on handling personal
information, including health information. The firm shall uphold its
commitment to collect, store, and use information about clients, their needs,
and the services we provide to them in a manner that is secure and confidential.
This privacy policy is to provide information on how personal information
is collected and used within our operations, and the circumstances in
which we may share it with third parties. This privacy policy also outlines
how we manage personal information and safeguard privacy according to
the Constitution of Kenya, the Advocates Act, and the Data Protection Act,
2019. The aspect of confidentiality shall be embedded in the employment
contract and/or consultancy contract for all staff members and contracted
individuals.
3. Policy
3.1 Scope
This procedure is to be used by all staff, practitioners, sub-contractors, volunteers,
and members of C. Mputhia Advocates.
Types of information collected by C. Mputhia Advocates
The firm may collect and store personal and sensitive information about
employees and clients including, but not limited to, their:
• Name/ Residential address
• Information in identification documents (for example, passport,
driver’s license, Immigration identification card)
• Case issues
• Email address/ Phone number
• Gender/ Date of birth/ Nationality
• Languages spoken
• Bank account details
• Proof of identity
• Medical information/ Emergency contact details
How information is collected by C. Mputhia Advocates
Due to the Firm’s work with clients it is important and necessary to collect
sensitive information in order to provide clients with specific interventions.
All relevant staff members will advise all clients of what information
we collect, why, and the circumstances in which we need to share it with
others. Information may be collected in hard copy or electronic form. C.
Mputhia Advocates will only collect sensitive information with the
individual’s consent.
The Firm may collect personal information in several different ways.
1. When you make your first appointment our administrative staff will
collect relevant and personal information. A collection consent statement
shall be attached to the registration form for compliance and convenience.
2. During the course of providing services, the firm may collect further
personal information.
3. The firm may also collect personal information when clients visit
our website, send us an email or SMS, telephone us, make an online
appointment or communicate with us using social media.
4. In some circumstances personal information may also be
collected from other sources. Often this is because it is not practical or
reasonable to collect it from the client directly. This may include
information from:
• guardian or responsible person
• other involved healthcare providers
• Successors
• Any other reasonable entity.
Storage of information
Personal information may be stored by the firm in various forms.
The firm shall store all personal information securely. Primarily, personal information
held electronically is password protected at all times.
Physical storage shall only be accessible by relevant staff.
These staff members are legally bound by the Firm’s duty to confidentiality to protect
its clients’ information at all times.
Disclosure of personal information
C. Mputhia Advocates shall only use personal information for the purposes for
which permission was given and/or for obligations that are directly related to one
of the functions or activities of the firm.
Personal information may be provided to government agencies, other
organizations or individuals if:
• The client has consented. This consent may be evidenced by a
signature or obtained verbally and documented.
C. Mputhia Advocates also collects, stores and uses personal information for a
number of purposes including:
• when we engage with service providers, government or agencies
relating to service delivery
• to respond to client feedback or complaints, and to conduct
surveys and seek client feedback
• with government regulatory bodies to show compliance as per the
law, for example, Kenya Revenue Authority
• with healthcare providers, if need be, subject to consent from data subjects
• when it is required or authorized by law (e.g. court subpoenas)
• to assist in locating a missing person
• to establish, exercise, or defend an equitable claim
• for the purpose of a confidential dispute resolution process
• when there is a statutory requirement to share certain personal
information
The firm shall not use your personal information for marketing any of our goods
or services.
However, the firm may use your personal information to improve the quality of
the services we offer to our clients through research and analysis of our clients’
data.
Integrity of information
C. Mputhia Advocates will take all reasonable steps to ensure the personal
information we hold, use, and disclose is accurate, complete, and up to date.
If an individual believes that the information the firm holds about them is
incorrect, they must provide up-to-date information to the Administrative
Manager.
We may request evidence to support the request to ensure accuracy.
1. Procedure
Any relevant staff attending to a client(s) shall inform our client(s) about our
policies regarding the collection and management of their personal
information via the privacy disclosure located on the Client Consent Form.
All staff shall be made aware of this policy during staff orientation.
Only staff who need to see your personal information will have access to it. If we
need to use your information for anything else, we will seek additional consent
from you to do this.
All staff members are provided with ongoing support and information to
assist them to establish and maintain privacy and confidentiality.
The privacy of personal information is defined by the Data Protection Act,
2019 and EU General Data Protection Regulation (where necessary). The
Firm shall act in accordance with these legal requirements at all times as
underpinned by the policy outlined herein.
All staff members must also strive to respect the confidentiality of other
sensitive information. However, in the spirit of partnership, we share
information with clients and other involved individuals and organizations
(subject to consent), where it would be in the best interest of the client, or
other individual, to do so.
Personal information collected by C. Mputhia Advocates is only used for
purposes that are directly related to the functions or activities of the Firm.
When collecting personal information, staff must provide information to
clients regarding:
• The purpose for collecting information
• How information will be used
• To whom (if anyone) information may be transferred and under
what circumstances information will be transferred
• Limits to the privacy of personal information
• How a client can access or amend their health information, and,
• How a client can make a complaint about the use of their
personal information.
Data quality
Relevant agents of the firm shall take steps to ensure that the personal
information they collect is accurate, up-to-date, and complete.
These steps include:
i. Maintaining and updating personal information when the firm is
advised by individuals that the information has changed (and at
other times as necessary), and
ii. Checking that information provided about an individual by
another person is correct.
iii. Any reasonable step deemed fit and within the scope and guiding
principles of Data Protection and Data Subjects Rights.
Data security
The firm’s staff shall also take steps to protect the personal information it
holds against:
i. loss,
ii. unauthorized access, use, modification, or
iii. disclosure, and against other misuse.
These steps include reasonable physical, technical, and administrative
security safeguards for electronic and hard copy or paper records as
identified below.
Reasonable physical safeguards include:
• Locking filing cabinets and unattended storage
• Physically securing the areas in which the personal information is stored
• Not storing personal information in public areas
• Limiting access to computer devices storing data by unauthorized
individuals or members of the public.
• Any other reasonable physical safeguard deemed necessary to the
objectives of the Data Protection Act, 2019.
Reasonable technical safeguards include:
• Using passwords to restrict computer access, and requiring regular
changes to passwords
• All databases are secure, reliable and password protected
• Establishing different access levels so that not all staff can view all
information
• Ensuring information is transferred securely where
possible or, where not possible, ensuring that appropriate safeguard
measures have been taken.
Access and correction
Individuals may request access to their personal information. Access will
be provided unless there is a sound reason under the Data Protection Act,
2019, or other relevant law to withhold access. Other situations in which
access to information may be withheld include:
• There is a threat to the life or health of an individual
• Access to information creates an unreasonable impact on the privacy of
others
• The request is clearly frivolous or vexatious or access to the
information has been granted previously
• There are existing or anticipated legal dispute resolution proceedings
• Denial of access is required by legislation or law enforcement agencies.
Data Subjects have the right to request access to, and correction of, their personal
information.
The Firm shall require the Data Subject to put this request in writing by filling
out our information action request form.
The firm will take reasonable steps to correct the personal information where the
information is not accurate or up to date.
Breach of privacy or confidentiality
If staff members are dissatisfied with the conduct of a colleague
regarding privacy and confidentiality of information, the matter
should be raised with the Managing Department.
If a client or stakeholder is dissatisfied with the conduct of staff, a complaint
should be raised as per the compliments and complaints procedure.
We take complaints and concerns regarding privacy seriously. You should
express any privacy concerns you may have in writing. We will then attempt
to resolve it in accordance with our resolution procedure.
Complaints shall be made either through our online contact details or
by physical complaint.