Data Retention Policy - Duncano Foundation

1. Introduction

This Data Retention Policy outlines how Duncano Foundation ("we", "our", or "us") collects, retains, manages, and securely disposes of personal data obtained through www.duncanofoundation.org and related services.

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including operational, legal, regulatory, and reporting requirements. This policy is designed to ensure compliance with the Kenya Data Protection Act, 2019 and related regulations.

2. Purpose and Scope

This policy applies to all personal data processed by Duncano Foundation, whether collected through our website, email communications, donation platforms, program applications, or any other means. It covers data relating to:

Website visitors and users
Donors and supporters
Program applicants and beneficiaries
Volunteers and partners
Job applicants and employees
Other stakeholders who interact with our foundation

3. Data Retention Principles

We adhere to the following principles when determining retention periods:

3.1 Purpose Limitation

We retain personal data only for specified, explicit, and legitimate purposes. Once the purpose for collecting data has been fulfilled, we will securely dispose of the information.

3.2 Storage Limitation

Personal data is kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed.

3.3 Legal Compliance

We retain data for periods required by Kenyan law, including but not limited to tax laws, employment laws, and other regulatory requirements.

3.4 Operational Necessity

Data may be retained for reasonable periods to support our ongoing operations and mission-related activities.

4. Retention Periods by Data Category

Retention periods vary depending on the type of data, legal obligations, and operational needs. Below are our standard retention periods:

4.1 Contact Information and Communications

General inquiries: 3 years from last contact
Newsletter subscribers: Until unsubscribe request is processed
Event registrations: 2 years from event date
Partnership communications: 7 years from end of partnership

4.2 Donation and Financial Records

Donation records: 7 years for tax and audit purposes
Payment information: Until transaction is complete and verified
Tax receipts: 7 years as required by Kenyan revenue authority
Financial reports: 10 years for historical and audit purposes

4.3 Program and Scholarship Data

Application records: 5 years from application date
Beneficiary records: 10 years from program completion
Scholarship agreements: 7 years after agreement termination
Program performance data: 10 years for impact assessment

4.4 Employment and Volunteer Data

Job applications (unsuccessful): 2 years from application date
Employee records: 7 years after employment ends
Volunteer records: 5 years after last activity
Performance reviews: 7 years from review date

4.5 Technical and Website Data

Website analytics: 26 months from date of collection
Server logs: 12 months from date of generation
Backup data: 3 months from backup creation

5. Legal and Regulatory Requirements

We retain certain data for specific periods as required by Kenyan law and regulations:

Tax records: 7 years as per Kenya Revenue Authority requirements
Employment records: 7 years as per Employment Act
Contractual agreements: 6 years after contract termination
Health and safety records: 10 years as required by OSHA
Child protection data: Until the child reaches 25 years of age

6. Data Storage and Security

6.1 Secure Storage

All personal data is stored securely using appropriate technical and organizational measures:

Encrypted databases and servers
Access controls and authentication mechanisms
Regular security updates and patches
Secure backup procedures

6.2 Access Controls

Access to personal data is restricted to authorized personnel only. We implement:

Role-based access controls
Regular access reviews
Employee training on data protection
Confidentiality agreements

7. Data Disposal and Destruction

7.1 Disposal Methods

When retention periods expire, we securely dispose of personal data using appropriate methods:

Digital data: Secure deletion using industry-standard data wiping tools
Paper records: Cross-cut shredding or secure incineration
Storage media: Physical destruction or degaussing

7.2 Disposal Procedures

Our data disposal process includes:

Regular review of stored data against retention schedules
Documentation of disposal activities
Verification of complete data destruction
Maintenance of disposal records for audit purposes

7.3 Anonymization Option

In some cases, we may anonymize data instead of deletion, removing all personally identifiable information while retaining the data for statistical or research purposes.

8. Data Subject Rights

Under the Kenya Data Protection Act, 2019, you have several rights regarding your personal data:

8.1 Right to Access

You may request information about what personal data we hold about you and how it is being processed.

8.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure

You may request deletion of your personal data in certain circumstances, subject to legal and operational requirements.

8.4 Right to Restrict Processing

You may request temporary restriction of processing in specific situations.

8.5 Right to Data Portability

You may request transfer of your data to another organization in a machine-readable format.

8.6 Right to Object

You may object to certain types of processing, including direct marketing.

9. Exceptions to Retention Periods

In certain circumstances, we may need to retain data beyond standard retention periods:

Legal proceedings: Data relevant to ongoing or anticipated legal actions
Regulatory investigations: Data required by regulatory authorities
Historical research: Anonymized data for statistical analysis
Public interest: Data necessary for important public interest purposes

10. Policy Review and Updates

This Data Retention Policy is reviewed annually or whenever there are significant changes to:

Legal or regulatory requirements
Our organizational structure or operations
Technology systems and processes
Data protection best practices

Any updates to this policy will be communicated to relevant stakeholders and published on our website.

11. Responsibilities and Accountability

11.1 Data Protection Officer

Our designated Data Protection Officer oversees implementation of this policy and ensures compliance with data protection laws.

11.2 Employee Responsibilities

All employees and volunteers who handle personal data are:

Trained on data retention requirements
Required to follow data handling procedures
Accountable for proper data management
Required to report any data protection concerns

12. Monitoring and Compliance

We regularly monitor compliance with this policy through:

Internal audits and reviews
Data protection impact assessments
Staff training and awareness programs
Incident reporting and investigation

13. Contact Information

If you have any questions about this Data Retention Policy or wish to exercise your data protection rights, please contact us:

Data Protection Officer

Email: info@duncanofoundation.org

Address: Landmark Plaza, 13th Floor, Argwings Kodhek Rd, Nairobi, Kenya

Phone: +254 700 000 000

Office of the Data Protection Commissioner

If you believe your data protection rights have been violated, you may lodge a complaint with the Office of the Data Protection Commissioner in Kenya.

14. Document History

Version	Date	Changes	Approved By
1.0	December 15, 2017	Initial policy creation	Board of Directors
1.1	November 21, 2025	Comprehensive update for Data Protection Act compliance	Data Protection Officer