Close Menu
    Wednesday, December 10
    SUBSCRIBE

    Privacy Policy and Data Protection Policy for ACSAIR

    Introduction

    Afrique Center for Statistics, Artificial Intelligence & Innovation Research (ACSAIR) is committed to protecting the privacy and data rights of individuals. As a pan-African non-profit focused on harnessing technology and data responsibly for the continent’s development, we recognize that privacy and data protection are paramount. This Privacy and Data Policy explains how we collect, use, store, and protect data in the course of our activities. It also outlines our compliance with applicable data protection laws across Africa and our respect for the rights of data subjects. By engaging with ACSAIR – whether through our website, participating in our research, or using our services – you agree to the practices described in this policy.

    Scope of Policy

    This policy applies to all personal data processed by ACSAIR in any format (digital or physical). It covers data collected via our website, data gathered through field research or projects across Africa, as well as information obtained from publicly available sources. It applies to ACSAIR staff, contractors, and partners who handle personal data on our behalf. This policy is designed to meet or exceed the requirements of all jurisdictions in Africa where we operate, and to uphold international best practices in data protection. We adhere to fundamental principles of lawful, fair, and transparent data processing in line with global standards such as the EU General Data Protection Regulation (GDPR) and Africa’s own frameworks for privacy.

    Key definitions: In this policy, “personal data” means any information relating to an identified or identifiable natural person. “Sensitive personal data” (also known as special category data) refers to data like health, genetic, biometric, financial, or otherwise highly personal information. “Processing” means any operation performed on personal data (collecting, storing, analyzing, transferring, etc.). “You” or “data subject” refers to the individual whom the data is about, whether you are a website visitor, research participant, client contact, or any person whose data we handle.

    Data Collection and Sources

    We collect personal data through several channels, in line with our mission and services:

    • Data You Provide via Our Website: When you interact with our website (acsair.org), you may provide personal information directly. For example, when subscribing to updates, contacting us through a form or email, or registering for an event or bulletin, we may collect information such as your name, email address, organization, and any details you choose to share. We only collect what is necessary for the intended purpose – e.g. your email for sending newsletters, or your contact details to respond to inquiries. We may also collect feedback or survey responses through our website from time to time (using tools like online forms). Additionally, our website may collect some technical data (as described under Cookies and Usage Data below).
    • Data Collected in Field Research and Projects: ACSAIR frequently conducts on-the-ground data collection across Africa as part of our research projects and consultancy services. This can include surveys, interviews, focus group discussions, and other research methodologies carried out in person. In many cases, we collect such data on behalf of or in partnership with clients (e.g. governments, NGOs, development agencies) to inform policy or program design. The types of data collected will depend on the project but often include personal information about participants (such as names or identifiers, demographics like age, gender, location, education level, etc., and responses to research questions). For instance, we might gather community health information in a rural survey, financial inclusion data in an economic study, or opinions and experiences in a social research project. Participation in our studies is voluntary and based on informed consent – individuals are informed about the purpose of the data collection and how their data will be used, and they agree to participate. We ensure that data collected for research is kept confidential and secure (see Data Security below), and when we act on behalf of a client, we abide by any additional protocols or ethics requirements in place.
    • Data from Public Sources: In addition to primary data collection, ACSAIR also compiles and uses publicly available data to support our research and advisory work. This includes open data and statistics from government publications, international databases, academic or research institution datasets, news and reports, and information available on the internet or social media that is lawfully accessible to the public. When gathering data from public sources, we ensure that we respect any terms of use and that the data is indeed public or open-source. If such public data contains personal information (for example, public social media posts or public government records about individuals), we handle it with the same care as any personal data, in accordance with applicable privacy laws. We strive to anonymize or aggregate public-source personal data when using it for our analyses, unless using identifiable information is necessary for the research purpose and lawful to do. By integrating public data with our collected data, we can enrich our insights while still safeguarding individual privacy.
    • Automatic Collection (Cookies and Usage Data): When you visit our website, certain data may be collected automatically. This can include your device’s IP address, browser type, operating system, referring website, pages accessed, dates/times of access, and browsing actions on our site. We use cookies and similar tracking technologies to collect some of this usage data. Cookies are small text files that a website saves on your browser; they help us remember your preferences, understand how visitors use our site, and improve user experience. For example, we might use analytics cookies to gather information about page traffic and site interactions (via tools like Google Analytics) so we can enhance our content and layout. Any analytics on our site collect usage data in an aggregated and anonymized form – no personally identifying information is revealed through analytics (we do not, for instance, record your name or email via analytics, only general usage patterns). You have choices regarding cookies: most web browsers allow you to refuse or delete cookies. Note that if you disable cookies, some site features (like language preferences or embedded media) might not function optimally, but you will still be able to access the basic content.

    Types of Data Collected

    Depending on your interaction with ACSAIR, we may collect and process the following categories of data:

    • Personal Identification and Contact Details: Such as name, title, affiliation/organization, email address, telephone number, and postal address. For example, when you subscribe to our bulletin or contact us, we collect your name and email; if you are a partner or client, we may collect contact details of your representatives.
    • Demographic Information: In research projects or surveys, we might ask for demographic data like age or date of birth, gender, nationality, country or region of residence, language, education level, occupation or income range. This helps in analyzing data by relevant demographic segments and ensuring samples are representative. We minimize demographic data collection to what is needed for the study objectives.
    • Research Data and Responses: If you participate in a study, any information or opinions you provide in survey answers, interview responses, focus group discussions, etc., will be collected. This may include qualitative insights (e.g. descriptions of experiences, free-form answers) and quantitative data (e.g. selections on a questionnaire). Some research data can be sensitive – for instance, health-related information (if we conduct a public health survey), financial or economic data (if we study household income, purchasing power, etc.), or personal beliefs and attitudes (if relevant to the research). We treat all such data with strict confidentiality and use it only for research/statistical purposes as described to participants.
    • Sensitive Personal Data: In certain projects, we may handle sensitive categories of personal data, such as health status and medical information, genetic or biometric data, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions, or membership in organizations (e.g. trade union membership). Financial information (like household income, expenditures, or bank account ownership) can also be sensitive. We only collect sensitive data if it is absolutely necessary for the project at hand and with extra precautions. Typically, sensitive data collection will be accompanied by an explicit consent process, and where required by law, we will obtain written consent from data subjects for processing such data. We also implement enhanced security for sensitive data (encryption, pseudonymization, limited access – see Data Security section). Any use or disclosure of sensitive data will be in accordance with the consent provided and applicable law.
    • Public Data Attributes: For data gathered from public sources, the types can vary widely. Examples include: economic indicators and statistics (e.g. GDP figures, trade volumes), development indices, census data, or public personal data such as names and titles of public officials, published research findings, news articles, or social media content that is publicly viewable. When we incorporate data about individuals from public sources (like a public professional profile or a quote from a news piece), we ensure that we have a legitimate basis to use that data and that using it will not unjustly infringe on the individual’s privacy. Often, publicly available personal data used in our work will relate to public figures in their public capacity or aggregated insights where individual identities are not the focus.
    • Technical and Usage Data: As noted, we collect certain technical data from website visitors – IP addresses, device identifiers, browser type and version, pages visited, and so on. We do not normally link this technical data to an identified person, and we do not collect precise geolocation or any sensor data from your device via our website. This usage data is mainly for analytics and security (e.g., to detect unusual access patterns that might indicate malware or to troubleshoot website issues). We may also log information when you correspond with us (for instance, if you email us at info@acsair.org, we will have records of that communication including the email address and content).

    How We Use Personal Data

    ACSAIR uses the collected data to further our non-profit objectives, to provide services to our stakeholders, and to maintain our operations in a manner consistent with privacy protection. The purposes for which we process personal data include:

    • Research, Analysis and Publication: The primary use of data we collect (whether directly from individuals or from secondary sources) is to conduct statistical analyses, research studies, and generate insights that inform decision-making. We analyze survey data and datasets to produce reports, bulletins, policy recommendations, and innovation strategies. Personal data collected is used in our analysis, but our published outputs typically contain aggregated or anonymized results. For example, we might use individual health survey responses to calculate an immunization rate in a region, but our published bulletin will only show the overall rate and trends, not individual people’s data. Personal data is thus transformed into statistical information that can improve lives and governance – fulfilling ACSAIR’s mission to turn data into actionable knowledge. We ensure that individuals are not identified in any public report without their explicit permission.
    • Providing Services to Clients and Partners: When a client (such as a government agency, NGO, or private entity) engages ACSAIR to perform a project, we use collected data to deliver the agreed services. This may involve processing data to create tailored analyses, dashboards, or recommendations specific to the client’s needs. If we collect data on behalf of a client (e.g. conducting a field survey for a government program evaluation), we will use that data solely for the purposes of that project and as instructed by the client, in line with the consent obtained from data subjects. We may combine the client’s provided data with data we collected to carry out advanced analyses or insights. After fulfilling the service, we handle the data according to our agreement – in many cases, this means transferring the data and results back to the client and either deleting our copies or storing them securely if we’re expected to retain them for a certain period. We do not use client project data for any ACSAIR purpose outside the scope of that project, unless it has been fully anonymized or we have explicit permission.
    • Communication and Engagement: We use contact information (such as email addresses) to communicate with our network. If you subscribe to our updates or bulletin, we will use your email to send you newsletters, reports, and relevant news about ACSAIR’s work. We may also send important announcements or policy updates. All such communications are opt-in – we require your consent to subscribe, and you can unsubscribe at any time. If you reach out with an inquiry, we will use your contact details to respond. We might also invite you to events or inform you of opportunities if you have expressed interest. We ensure that any marketing or outreach communication complies with anti-spam and data protection laws (and you will always have the ability to opt out or manage your preferences). We will only send you communications that you have agreed to receive or that are directly relevant to your relationship with us (for example, if you are a partner or donor, we might send you progress reports).
    • Website Functionality and User Experience: The technical and usage data we collect via cookies and logs are used to maintain and improve our website. We analyze this data to understand how users navigate our site, which content is most read, and how we can enhance usability. For instance, usage statistics help us reorganize content or fix navigation issues. We may also use cookies to remember your site preferences (like language selection if our site offers content in multiple languages) to provide a more personalized experience. Any personalization, however, is minimal and based on non-intrusive data – we do not profile users for advertising or serve targeted ads. Usage data may also be used to ensure security, such as monitoring for malicious visits or troubleshooting technical problems.
    • Operational and Administrative Purposes: Internally, we might use personal data of staff, consultants, or partners for administration (this could include personal data in contracts, payroll information, etc., though that is generally outside the scope of external-facing policy, it is covered by our confidentiality and security practices). If you apply for a job or fellowship with ACSAIR, we will use the information in your application to process that recruitment and will treat it as confidential, only using it for recruitment purposes. We also maintain records necessary for corporate governance and reporting (such as lists of partners or donors for accountability, including any personal contact points, which we handle with privacy in mind).
    • Legal Compliance and Protection: Where necessary, we may use or disclose personal data to comply with a legal obligation or to protect our rights, property, or the safety of our employees, data subjects, or the public. For example, if required by a lawful request or subpoena, we might provide data to regulatory authorities or law enforcement (after verifying the legitimacy of the request). We may also process data to meet audit or insurance requirements. In all such cases, we will only share the minimum data necessary and in line with applicable laws.

    ACSAIR will never use your personal data for purposes that are incompatible with the original purpose for which it was collected, unless we obtain your consent. We do not engage in commercial sale or rental of personal data – we do not sell, rent, or trade your personal information to third parties for marketing or profit. All processing of personal data is done in a manner that ensures its security and confidentiality.

    Legal Bases for Processing

    Because ACSAIR operates in multiple jurisdictions, we adhere to the legal grounds for processing personal data as required by each applicable law. In general, our processing of personal data is justified on one or more of the following legal bases:

    • Consent: In many cases, especially for research participation and communications, we rely on consent. For example, we obtain consent from individuals before collecting data through surveys or interviews (typically via written or recorded consent forms), and we ask for your consent when you subscribe to our mailing list or agree to cookies on our website. When we process sensitive personal data, we will usually rely on explicit consent (unless another specific legal basis for sensitive data applies under local law). Data subjects have the right to withdraw consent at any time (see Your Rights section below), and if you do so, we will stop the processing that was based on consent going forward.
    • Performance of a Contract: If you are directly in a contractual relationship with us, we may process your data as needed to fulfill that contract. For instance, if you are a consultant or vendor we hired, we process your payment information to pay you. In terms of our clients, when we have a contract to perform research or analysis, we process any personal data involved as necessary to deliver the contracted services. Similarly, if you apply for a training program or event that we organize, any data we collect from you may be processed in preparation for or execution of that program (which is a form of contract performance).
    • Legitimate Interests: We may process personal data for the purposes of legitimate interests pursued by ACSAIR or a third party, except where such interests are overridden by the individual’s data protection rights. “Legitimate interests” can include uses such as improving our services and website, ensuring IT security, preventing fraud, seeking support for our mission (e.g., reaching out to potential partners in a targeted way), or even using publicly available personal data for research that has societal benefit. When relying on this basis, we make sure to carry out a balancing test to ensure our interest is not outweighed by your rights and expectations. For example, it may be our legitimate interest to analyze how users use our website (to improve it), but we do so in a privacy-friendly way (aggregated data, no invasive tracking) so that your rights are not infringed.
    • Legal Obligation: In certain situations, we must process personal data to comply with a legal or regulatory obligation. This could include maintaining records for tax and accounting purposes, honoring data subject rights requests under various national laws, or complying with court orders or lawful requests from authorities. When processing is necessary for compliance with a law, that law is the basis (e.g., data retention requirements under a data protection law or providing information to authorities under an anti-corruption law).
    • Public Task/Public Interest: When ACSAIR works with government entities or on projects aimed at public good (such as statistical projects or policy development initiatives), our processing may be considered as carried out in the public interest or in the exercise of official authority (if delegated to us). For example, if a national statistics office partners with us to conduct a survey, processing that survey data might be under the lawful basis of performing a task in the public interest (as defined by that country’s law). We will align with the specific legal provisions of each country in this regard.

    Note: The legal basis we rely on may vary by country due to differences in laws. We ensure that for each processing activity, we identify and document the appropriate legal basis. If you have questions about the specific basis for a particular processing of your data, you can contact us (see Contact section).

    Cookies and Tracking Technologies

    As mentioned in the data collection section, our website uses cookies and similar technologies to function effectively and to enhance user experience. This section provides more detail on our cookie use:

    • Types of Cookies We Use: We primarily use essential cookies and analytics cookies. Essential cookies enable core functionality of the site (such as page navigation or access to secure areas). Without these, the site may not perform properly. Analytics cookies (from trusted providers like Google Analytics) collect anonymous information about how visitors use our site – for instance, which pages are most frequently visited, how long users stay on a page, and if users encounter errors. This information helps us improve the site’s content and structure. We do not use advertising cookies or tracking pixels for third-party advertising. We also do not use cookies to collect sensitive information or to track you across other sites.
    • Cookie Consent: When you first visit our site, you may see a notification about our use of cookies. By continuing to use the site or clicking “Accept” if a cookie banner is present, you agree to our use of cookies as described. If you prefer not to accept non-essential cookies, you can adjust your browser settings to refuse cookies. Most browsers allow you to block cookies from specific sites or all sites and to clear cookies. Please note that if you block all cookies, some site preferences might not be saved.
    • Third-Party Tools: Some of our online services may incorporate third-party tools that use cookies (for example, if we embed a map or video, those providers might set cookies). We will inform you whenever you are interacting with content that might set third-party cookies. For instance, if you register for an event via a third-party platform like Eventbrite or fill a survey via Google Forms, those platforms have their own cookie and privacy policies. We will provide links or references to those policies when such tools are used, and we choose reputable providers that comply with privacy standards.
    • Do-Not-Track Signals: Our website currently does not respond to “Do Not Track” (DNT) signals from browsers, due to the lack of an industry standard for DNT. However, we only use cookies as outlined above. If standards emerge, we will re-evaluate our practices.

    For more details on our cookie usage or to change your preferences, you may contact us or refer to any dedicated Cookie Notice on our site (if provided). We treat any data collected via cookies with the same care as other personal data, even if it is pseudonymous.

    Data Sharing and Disclosure

    ACSAIR understands the importance of keeping personal data confidential. We do not share your personal data with third parties except in the following circumstances and always in accordance with applicable law:

    • With Clients or Sponsors of a Project: If we collect data as part of a project funded or commissioned by a client, we will share the relevant data and findings with that client. For instance, if we conduct a survey for an NGO’s program evaluation, the survey dataset and analysis will be delivered to that NGO. In doing so, we ensure that the client is contractually bound to use the data only for the intended purposes and to protect it in line with privacy laws. Often, data shared with clients is in aggregated form, but if individual-level data is shared (e.g., for an internal analysis by the client), we require the client to maintain confidentiality and security. ACSAIR will not disclose participant identities in any public forum without consent; any personal identifiers might be removed or coded before sharing, unless sharing identifiable data is necessary (in which case, it will be limited to authorized recipients only).
    • With Partners and Collaborators: We sometimes work with partner organizations, research institutions, or consultants in executing projects. In such cases, it may be necessary to share certain data with them. We only do so on a need-to-know basis and under agreements that oblige our partners to protect the data. For example, if we collaborate with a university on a research study, the researchers from the university might access the data under strict protocols. All partners must adhere to our data protection standards or higher, and they cannot use the data for any purpose outside the scope of the collaboration.
    • Service Providers (Processors): ACSAIR utilizes trusted third-party service providers for various support functions – such as cloud storage and database hosting, email newsletter distribution, survey platforms, data analytics tools, and IT support. When these service providers process personal data on our behalf (for example, when we store datasets on a secure cloud server, or use Mailchimp to send emails, or use a data analysis software in the cloud), they are considered “data processors.” We select service providers that implement strong security measures and privacy practices. We sign data processing agreements with them to ensure they only process the data under our instructions and for our purposes, not for their own use. They are not permitted to sell or disclose your data, and they must assist us in upholding individuals’ rights. Some typical service providers we use include: cloud infrastructure providers, email service providers, and analytics services. A current list of major processors can be provided on request. We ensure all processors are compliant with relevant data protection laws (for example, if they are overseas, we address cross-border transfer requirements as described below).
    • Publications and Open Data: As part of our commitment to open knowledge, we may publish datasets or findings for public use. However, we only publish data that is anonymized or aggregated such that individuals cannot be identified. Before releasing any dataset publicly, we remove personal identifiers and, if necessary, apply techniques (like redaction or coarsening of detail) to prevent re-identification. We might share anonymized microdata with the research community for transparency and further analysis, but this will never include names, contact info, or any direct identifiers. In some cases, even aggregate data might be withheld or limited if there’s a privacy risk for individuals (e.g., very small sample sizes in a region). We carefully review any data for public release to ensure compliance with privacy standards and any consent provided by participants.
    • Legal Requirements and Vital Interests: We may disclose personal data if required by a lawful court order, subpoena, or other legal process, but only after verifying the request’s validity and scope. We will strive to inform the affected individuals (if permissible) before disclosing their data, unless legally forbidden. Additionally, if disclosure is necessary to prevent an imminent threat to life, health, or security of an individual or the public (for example, to warn of a serious public health danger), we may do so as a matter of vital interest. Such cases are extremely rare and would be handled in line with both legal requirements and ethical considerations.
    • Internal and Organizational Transfers: Within ACSAIR, personal data may be shared among departments or offices on a need-to-know basis. For instance, our research team might share data with our data analytics team for processing. All staff and contractors are bound by confidentiality agreements and our internal data protection policies, so this internal sharing is tightly controlled. If ACSAIR ever undergoes a structural change (such as a merger with another non-profit or creation of a successor entity), personal data may be transferred to the new entity, but we will ensure continuity of protection and will notify individuals of any significant changes to how their data is handled.

    Importantly, ACSAIR does not sell or disclose personal data to third-party advertisers or unrelated entities. We do not engage in list trading or unauthorized use of personal information. Any third party that receives personal data from us will have a legal and ethical obligation to protect that data. We remain responsible for the processing of personal data by any third party acting on our behalf and will take steps to remedy any unauthorized processing. If you have questions about whether a particular third party has your data, you can contact us for more information.

    International Data Transfers

    Given ACSAIR’s pan-African operations and global partnerships, personal data we collect may be transferred across national borders. For example, data collected in one African country might be analyzed or stored on servers in another country (or outside Africa), and our team members or service providers in different locations may need access to the data. We recognize that many countries have laws restricting cross-border transfer of personal data, requiring certain safeguards. ACSAIR is committed to ensuring lawful and secure international data transfers in the following ways:

    • Compliance with Transfer Restrictions: We identify and comply with all applicable data export requirements. If a country’s law mandates that personal data cannot leave the country without certain protections (or can only go to countries with “adequate” data protection laws), we will abide by those rules. For instance, Nigeria’s data protection regulation and new Act require conditions for transferring data abroad; Kenya’s law has provisions for cross-border transfers, as do several others. We will thus either keep data in-country or implement the required safeguards when transferring.
    • Adequacy and Safeguards: Whenever we transfer personal data from one country to another, we look at whether the destination country is deemed to have an “adequate” level of data protection. In Africa, regional frameworks and the African Union encourage the free flow of information alongside privacy protection. If data is moving to a country without a comparable data law, we will use contractual and technical safeguards. These may include standard data protection clauses (contracts binding the recipient to protect the data), encryption in transit and at rest, and data minimization (sending only what is necessary). For example, if we store backup data on a cloud server located in Europe or the U.S., we will ensure that provider is certified or we have a contract that meets EU/African standards for data transfer, and the data will be encrypted. We also consider frameworks like the ECOWAS Supplementary Act which mandates member states to establish legal protections and authorities for data – aligning with such frameworks helps facilitate safe regional data flows.
    • African Union Convention (Malabo) Alignment: We support the principles of the African Union’s Convention on Cyber Security and Personal Data Protection (the Malabo Convention). The Convention emphasizes both the protection of personal data and the principle of free flow of information across borders, provided rights are safeguarded. As it comes into force across African Union member states, ACSAIR will follow any specific cross-border transfer rules or regulatory cooperation mechanisms that arise from it. In practice, this means if a certain transfer requires notification to a Data Protection Authority (DPA) or approval (under a country’s implementation of Malabo or other laws), we will take those steps.
    • Consent for Cross-Border Transfer: In cases where we have any doubt or where required by law, we may seek the consent of data subjects for transferring their data to another jurisdiction. For example, a consent form for a survey might explicitly state that the data will be analyzed by ACSAIR’s team in Uganda (or elsewhere) and ask for agreement to this. This way, individuals are informed and can choose not to participate if they object to the data moving outside their country.
    • Transparency: We will be transparent with our partners and data subjects about where their data might be processed. You may inquire and we can inform you if your data is likely to be stored or accessed in another country. We also publish this information in project disclosures when relevant (for instance, a project’s privacy notice might say “Survey data will be stored on secure servers located in [Country].”).

    In summary, while data may flow across borders as part of our work, we treat all personal data with the same high level of protection regardless of location. We consider the entire African continent and beyond as a unified sphere of responsibility for data security and privacy. Should any conflict of law arise (for example, one country’s law vs. another’s), we will strive to meet the stricter requirement to ensure individuals’ data is safe and rights are respected.

    Data Security Measures

    ACSAIR takes data security very seriously and employs a range of technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We continually improve our security practices to keep up with evolving threats. Key measures include:

    • Access Control and Confidentiality: We restrict access to personal data strictly to authorized personnel who need it for their job duties. Different levels of access are granted based on role – for instance, a research analyst may access raw survey data, whereas a communications officer might only access subscriber emails. All staff, interns, and contractors with access to personal data sign confidentiality agreements and are trained in data protection principles. We have an internal policy that all research data collected is highly confidential and treated as such, with access granted only to team members who are explicitly authorized. Unauthorized access or misuse of data by any staff is a serious offense that can lead to disciplinary action.
    • Encryption and Data Storage Security: Personal data in electronic form is stored on secure systems. We use encryption to protect data both in transit and at rest. For example, our databases and laptops use encryption; when we send sensitive data to partners, we use encrypted channels or password-protected files. Our website and online forms are protected by HTTPS/TLS encryption to ensure that data you submit is securely transmitted. We also employ firewalls and network security monitoring to guard against external intrusions. If data is stored in cloud services, we ensure the providers offer robust encryption and security certifications (such as ISO 27001 or SOC 2 compliance).
    • Physical Security: For any physical records (paper forms, etc.) or devices, we maintain physical security controls. Our main office in Kampala, Uganda and any field offices have controlled access. Documents containing personal data are kept in locked cabinets when not in use, and we limit making physical copies. Field data collection devices (like tablets) are protected with strong authentication and are kept securely by our field teams. When traveling with devices or data, staff follow strict protocols (e.g., not leaving devices unattended, using privacy screens, etc.).
    • Data Anonymization and Pseudonymization: Wherever possible, we reduce the identifiability of personal data in our datasets. For instance, once data collection is completed, we may replace names with codes (pseudonymization) in working datasets. For analysis purposes, analysts might work with de-identified data (with direct identifiers removed) and only re-identify if necessary for data cleaning or follow-up. Before sharing data internally or externally, we consider whether we can use aggregated or anonymized forms. By minimizing the use of directly identifying information, we reduce the risk in case of any inadvertent access. We also use aggregation in reporting, as noted earlier.
    • Regular Training and Awareness: We conduct periodic training for all ACSAIR team members on data privacy and security. This includes training on how to handle personal data properly, how to recognize and prevent phishing or social engineering attacks, and our protocols for data breach response. We foster a culture of respect for privacy – everyone involved in data handling is made aware of the sensitivity and importance of their role as data stewards.
    • Vendor Security Assessments: Before onboarding service providers or third-party tools that will handle personal data, we review their security measures and privacy policies. We choose reputable partners and may conduct risk assessments. For critical systems, we ensure there are backup and recovery plans, and that the vendor has no history of data breaches or if they have, that they addressed them well.
    • Data Breach Response: Despite our best efforts, if a security incident occurs (such as unauthorized access or a data breach), we have a response plan. This involves immediately securing the system, assessing the scope of the breach, and mitigating any ongoing risk. We will notify the affected individuals and relevant authorities as required by law. Different African jurisdictions have varying breach notification requirements (for example, South Africa’s POPIA and Nigeria’s NDPR/Act require notifying authorities and possibly individuals in certain cases). We commit to transparency in such events and will provide guidance to individuals on steps to protect themselves if needed (for instance, if their data was exposed). Our goal is to respond swiftly and effectively to any incident and learn from it to further strengthen security.
    • Continuous Monitoring and Improvement: We regularly update our software and systems to patch vulnerabilities. We utilize anti-virus and anti-malware tools. Access logs are monitored to detect suspicious behavior. Periodic audits are performed on our data protection practices, sometimes in collaboration with external experts or as part of compliance checks. Findings from audits or risk assessments are used to enhance our measures. We also keep abreast of new security threats and adapt accordingly.

    In summary, we employ state-of-the-art security appropriate to the sensitivity of the data. While no system can be 100% secure, ACSAIR uses all reasonable and industry-standard measures to protect personal data. We also expect equivalent standards from any third parties handling data on our behalf. If you have specific questions about our data security, feel free to contact us.

    Data Retention and Destruction

    ACSAIR retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, contractual, or reporting obligations. We have retention guidelines that vary based on the type of data:

    • Research Data: Personal data collected in research studies (e.g. survey responses) is typically retained for the duration of the project and a defined period thereafter. This allows us to complete analysis, issue reports, and address any follow-up questions or validations. Once the project is completed and the data is no longer needed in identifiable form, we either securely delete the personal data or anonymize it for archival. For instance, we might keep an anonymized version of a dataset for historical comparison or future research, but remove or irreversibly encrypt identifiers. If a client contract specifies a data retention period or deletion timeline, we follow that. We also consider local regulations – some research grants or ethics boards require data to be kept for a minimum time (e.g., 5 years) for audit purposes, while some privacy laws might encourage not keeping data longer than needed. We balance these by keeping identifiable data only as long as justified. All disposals of research data (whether shredding physical surveys or deleting digital files) are done securely.
    • Website and Subscriber Data: If you subscribe to our newsletter or updates, we will retain your contact information until you unsubscribe or until we discontinue the mailing list service. Every email you receive will include an easy way to opt out. If you opt out, we will remove your contact from the active mailing list promptly (and in any case within any timeframe required by law). However, we may keep a suppression list (email addresses of those who unsubscribed) to ensure we don’t accidentally send you emails in the future – this list is maintained solely for compliance. For inquiry emails, we retain correspondence for a short period in case we need to refer back, typically not more than a couple of years, unless the nature of the correspondence requires longer retention (for example, important agreements or legal matters might be kept longer).
    • Operational Records: Data related to partnerships, contracts, and personnel are kept as long as needed for administrative or legal purposes. For example, if you signed a contract with us, we will retain that contract and related personal data for the duration of the contract plus any period required by law (such as the statute of limitations for any legal claims, or mandatory document retention laws). Financial records containing personal data (e.g. receipts with names) are kept per accounting regulations. These records are kept secure and access limited.
    • Legal Requirements for Retention: Some laws require certain data to be kept for minimum periods. For instance, company law might require retention of certain records for 7 years; some data protection laws allow keeping data as needed for compliance with legal obligations. We will adhere to such requirements. Conversely, data protection laws often also include requirements not to keep personal data longer than necessary – we regularly review the data we hold and erase or anonymize data that is no longer needed. If destruction is not immediately possible (e.g., because of backup archives), we ensure it’s isolated and protected until deletion is feasible.
    • Destruction Methods: When we delete personal data, we do so safely. Physical papers are shredded or incinerated via a secure disposal service. Electronic data is deleted in a manner that makes recovery unlikely (simple deletion of files may not remove data completely, so we use secure wipe techniques for sensitive data or ensure encryption keys are destroyed). Devices that contained personal data are wiped before re-use or destroyed if being discarded. We maintain logs of data deletions for accountability when appropriate (especially for sensitive data, we document that it was properly destroyed).

    If you would like us to delete your personal data sooner (and if we don’t have a legal obligation to retain it), you have the right to request erasure – see Your Rights below. We will honor such requests in line with applicable law. Keep in mind that if you participated in a research study, once data is aggregated and anonymized, we cannot link it back to you to delete specifically, but in identifiable form it will be deleted as described.

    Your Rights as a Data Subject

    ACSAIR is dedicated to upholding the rights of individuals over their personal data. Because we operate across various African countries (and beyond), we recognize that data protection laws grant individuals specific rights. We strive to facilitate all such rights to the fullest extent possible. These rights include:

    • Right to be Informed: You have the right to clear and transparent information about how your data is collected and used. This Privacy Policy is part of fulfilling that right. In research projects, we also provide participants with information sheets or consent forms explaining the data collection. We will inform you of the purposes, data types, sharing, and your rights at the time of data collection (for example, on a survey form or on our website privacy notice).
    • Right of Access: You can request confirmation of whether we are processing your personal data, and if so, ask for a copy of that data (commonly known as a Subject Access Request). You are entitled to receive information on what data we have about you, the purposes of processing, the categories of data, any third parties who have received it, and how long we plan to keep it, among other details. We will provide this information free of charge within a reasonable timeframe (typically within 30 days, as many laws require, and no later than any legal deadline). If your request is complex or numerous, we may extend the deadline as permitted by law, but we will inform you of this and the reason.
    • Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. Upon verification, we will promptly correct the information. For example, if you change your email address or notice we recorded your name incorrectly, you can ask us to fix it. We may need to verify the correct information (especially for critical identifiers) before making the change.
    • Right to Erasure: Also known as the “right to be forgotten,” this allows you to request that we delete your personal data. You can do this, for instance, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and no other legal basis for processing applies. We will honor erasure requests provided there is no overriding lawful reason to retain the data (some exceptions may include if we must keep data to comply with a legal obligation or if the data has been anonymized already). If the data has been shared with a third party (e.g., a research partner), we will communicate the erasure request to them where feasible. Note that this right is not absolute; if an exception applies, we will explain it to you (for example, we cannot delete data that is part of a published aggregate statistic, but that data is not personally identifiable at that point).
    • Right to Restrict Processing: You can ask us to limit the processing of your data in certain circumstances. For instance, if you contest the accuracy of your data, you can request we pause processing (aside from storing it) until we verify accuracy. Or if you object to processing and we are considering your objection, you can have processing restricted in the interim. When processing is restricted, we will not use the data except for storage and certain exempt purposes (like legal claims) until the issue is resolved.
    • Right to Object: You have the right to object to our processing of your personal data when it is based on legitimate interests or public interest, and you have personal reasons to do so. If you object, we will evaluate whether our reasons to process outweigh your privacy rights. For direct marketing communications from us, you can object at any time and we will stop using your data for that purpose immediately (this includes newsletter emails – essentially unsubscribing). If you object to a research use of data (and the data was collected on a basis that allows objection), we will consider your request and comply unless we have a compelling legitimate ground to continue (which is rare in our context, as most research is based on consent or public interest).
    • Right to Data Portability: Where applicable (usually when processing is based on consent or contract and done by automated means), you have the right to obtain a copy of the personal data you provided to us in a structured, commonly used, machine-readable format (for example, a CSV file), and you can request that we transmit it to another data controller if technically feasible. In simpler terms, if you gave us data and it’s processed electronically, you can ask for a portable copy to reuse elsewhere. This could apply if, say, you provided a large amount of information as part of a project and want to reuse it for your own purposes. We will assist with such requests to the extent required and technically possible.
    • Right not to be Subject to Automated Decisions: ACSAIR generally does not make any decisions about individuals that are solely by automated means (without human involvement) and that have legal or similarly significant effects. Most of our data processing is for research, not to make decisions about you personally. However, if this were to occur (for example, an AI system screening applications without human review, which we currently do not do), you would have the right to request human intervention and to contest the decision. We include this for completeness; in practice, any important decision involving personal data at ACSAIR involves human judgment.
    • Right to Withdraw Consent: If we are processing your data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing we did before withdrawal, but it means we will stop the processing moving forward. For example, you can withdraw consent for receiving our newsletter and we will stop sending it. Or you can withdraw consent to participate in a study, in which case we will stop collecting your data for that study and, if you request, delete any identifiable data already collected (unless it’s already been anonymized or there’s another legal basis to retain it). We make it as easy to withdraw consent as it was to give it.
    • Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to file a complaint with the relevant supervisory authority (Data Protection Authority) in your country. We encourage you to contact us first so we can address your concerns directly, but you are entitled to go to the authority. Given our presence in Uganda, one of our lead regulators is the Personal Data Protection Office under the National Information Technology Authority (for Uganda’s Data Protection and Privacy Act, 2019). However, if you are in another country, you can approach your national DPA or privacy commission. For example, in Kenya you may contact the Office of the Data Protection Commissioner; in Nigeria, the Nigeria Data Protection Commission; in South Africa, the Information Regulator; in Ghana, the Data Protection Commission; etc. We will cooperate fully with any official inquiries and work with authorities to resolve issues.

    To exercise any of these rights, please contact us using the contact details provided in the Contact Us section of this policy. We will need to verify your identity to prevent unauthorized access (for instance, we don’t want to give your data to someone else who impersonates you). Verification might involve confirming information we already have on file or asking for identification in a secure manner. We will respond to your request as quickly as possible and at most within the timeframe set by applicable law. There is usually no fee for these requests, but if a request is manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse the request (explaining our reasons). Rest assured, our aim is to honor your rights and foster trust through transparency and responsiveness.

    Compliance with African Data Protection Laws

    ACSAIR operates under a multi-jurisdictional compliance framework given our work spans across the African continent. We are firmly committed to complying with all applicable data protection and privacy laws in Africa, at national, regional, and continental levels. We recognize that data protection is a growing and important field in Africa, with 37 out of 54 African countries having enacted data protection laws as of recent years. Our policies are designed to meet the strongest requirements among these laws, ensuring a uniformly high standard of privacy protection. Below we outline some key legal frameworks and our compliance stance:

    • National Laws: In each country where we collect or process personal data, we adhere to that country’s privacy laws. For example:
      • In Uganda, where our headquarters is located, we comply with the Data Protection and Privacy Act, 2019 and its regulations. This includes principles of transparency, fairness, and accountability, as well as respecting the rights provided to data subjects under that Act.In Kenya, we operate in accordance with the Data Protection Act, 2019 and the guidelines of the Office of the Data Protection Commissioner. We ensure that we have a lawful basis for processing Kenyan residents’ data and conduct Data Protection Impact Assessments (DPIAs) when required by Kenyan law (for instance, for high-risk processing).In Nigeria, we comply with the Nigeria Data Protection Regulation of 2019 and the new Nigeria Data Protection Act, 2023 which enhances the legal framework. We follow directives from Nigeria’s Data Protection Bureau/Commission, such as requirements for organizational data protection policies, breach reporting, and adherence to data subject rights in Nigeria’s context.In South Africa, we align with the Protection of Personal Information Act (POPIA) 2013 (fully in force as of 2021). For any data involving South African data subjects, we ensure conditions for lawful processing (like consent or justification), and we have appointed a representative in South Africa if needed. We handle any cross-border transfer from South Africa as per Section 72 of POPIA (ensuring equivalent protection or consent).In Ghana, we abide by the Data Protection Act, 2012, including registration with Ghana’s Data Protection Commission if applicable, and adherence to the principles of accountability, lawfulness, minimality, purpose, compatibility, openness, security, and data subject participation as specified in that Act.Other countries’ laws we comply with include, but are not limited to: Egypt’s Personal Data Protection Law (Law No. 151 of 2020) governing data processing and cross-border transfers; Morocco’s Law 09-08 (2009) on personal data protection overseen by the CNDP; Tunisia’s Law 2004-63 (and any updates) on personal data protection; Rwanda’s Law on the Protection of Personal Data and Privacy (2021); Botswana’s Data Protection Act (2018, in force 2021); Zambia’s Data Protection Act (2021); Zimbabwe’s Data Protection Act (2021); Mauritius’s Data Protection Act (2017); Nigeria’s Cybercrimes Act (as it relates to data) and so on. We also monitor and prepare to comply with new legislation in countries that are in the process of drafting or passing data protection bills (for instance, countries like Tanzania or others that may introduce new laws).
      In practical terms, compliance means we incorporate the core principles common to these laws: we obtain consent where required, respect purpose limitation and data minimization, ensure accuracy, implement security safeguards, avoid unlawful disclosures, and uphold data subject rights. We also register with or notify authorities when obligated (for example, registering as a data controller in countries that require it), and, if required, we appoint local representatives or data protection officers in line with local rules. Our internal policies are continuously reviewed to ensure they map to each applicable law’s requirements.
    • Regional Frameworks: ACSAIR supports and complies with regional data protection instruments:
      • In West Africa, we adhere to the ECOWAS Supplementary Act on Personal Data Protection (2010) which is a binding framework for ECOWAS member states. This Act requires countries to establish strong privacy laws and independent data protection authorities. When handling data in West African states, we operate in harmony with the Act’s provisions – essentially treating the region with a harmonized approach to consent, security, and transfers. If operating in a West African country that might not yet have a comprehensive law, the ECOWAS Act’s principles still guide our practices.In Southern Africa, we acknowledge the influence of the SADC Model Law on Data Protection (2013). While a model law is not binding, it informs the national laws in several SADC countries. We therefore incorporate its best practices (like Privacy by Design, data subject rights, etc.) in our processes. Many SADC countries (South Africa, Mauritius, Zimbabwe, Botswana, Namibia, etc.) now have laws, which we follow as noted above.In East Africa, we pay attention to initiatives by bodies like the East African Community (EAC) to harmonize data protection. For instance, Kenya, Uganda, and Rwanda have laws, and EAC has had consultations on regional cooperation. If any EAC frameworks or mutual recognition mechanisms are in place, we will utilize them. Similarly, we stay aware of the Economic Community of Central African States (ECCAS) and Economic and Monetary Community of Central Africa (CEMAC) regulations (e.g., CEMAC has a 2019 regulation on personal data protection) and ensure compliance in Central African contexts.African Union (Continental) Standards: ACSAIR strongly supports the African Union’s Convention on Cyber Security and Personal Data Protection (Malabo Convention). Now that the Malabo Convention has attained the required ratifications and entered into force, it serves as a continent-wide benchmark. We align our practices with the Convention’s requirements, which include establishing legal bases for processing (like consent), protecting privacy as a fundamental right, and ensuring oversight by DPAs. We treat the principles in Malabo Convention Article 8 and related articles as minimum standards – for example, we uphold individuals’ rights, ensure confidentiality and security, and promote transparency in processing. As AU member states update their laws to comply with Malabo, our compliance will naturally translate into compliance with those updated national laws as well.
      Additionally, the African Union has issued Personal Data Protection Guidelines (in partnership with institutions like Smart Africa) to help implement the Convention. ACSAIR’s internal policies take guidance from these documents, emphasizing a rights-based approach to data protection across all our programs.
    • International Standards: While our focus is African laws, we also consider international standards because we believe in best practices globally. We take inspiration from the EU’s GDPR (many African laws are GDPR-like) in areas such as conducting Data Protection Impact Assessments for high-risk projects, having a lawful basis for all processing, and ensuring accountability through documentation and possible appointment of a Data Protection Officer (DPO) internally. We also consider guidelines from the UN and OECD regarding privacy and data usage in research. Being a research entity, we comply with ethical standards for research involving human subjects, which often include privacy and confidentiality components (e.g., informed consent, Institutional Review Board approvals where needed, etc.).

    In essence, no matter where we operate in Africa, ACSAIR will comply with the local data protection law or, in its absence, follow the highest standard of privacy protection available. We maintain a register of applicable laws and ensure our team is aware of their obligations under each. If you are in a country not explicitly named above, you can be assured we are either already compliant there (if a law exists) or we treat your data with the same care as we would in a country with a strict law. Our commitment to privacy is proactive, not just reactive – even if enforcement is still developing in some regions, we self-regulate to meet what we know is right and respectful of your rights.

    If you have any questions about our legal compliance in your jurisdiction, feel free to reach out. We can provide additional detail on how we meet specific legal requirements if needed.

    Updates to this Policy

    We may update this Privacy and Data Protection Policy from time to time to reflect changes in our practices, adapt to new legal requirements, or incorporate improvements. When we make significant changes, we will notify users in an appropriate manner. For example, we might post a notice on our website’s homepage, or send an email notification to our subscribers, or inform research participants through the contact information we have on file (depending on the context of the data). The “last updated” date at the top of the policy will always indicate the latest revision.

    Changes will take effect from the date of the update going forward (unless otherwise required by law). We encourage you to review this policy periodically to stay informed about how we are protecting your information. If we were to make a material change in how we use personal data (for instance, if we decided to begin a new type of processing that you might not reasonably expect based on this current policy), we would seek re-consent where required or appropriate.

    By continuing to engage with ACSAIR after a policy update, you acknowledge the revised policy. Nonetheless, we value your trust and will not reduce your rights under this Policy without your consent. If any part of our Policy is unclear, we welcome questions.

    Contact Us

    ACSAIR has designated a team responsible for data protection and privacy compliance. If you have any questions, concerns, or requests regarding your personal data or this Policy, please contact us:

    Afrique Center for Statistics, Artificial Intelligence & Innovation Research (ACSAIR)
    Secretariat/Main Office – Kampala, Uganda (Kyebando Road, Kamwokya II)
    Email: info@acsair.org (Attn: Data Protection Officer / Privacy Inquiry)
    We will provide a phone contact if required by local law or upon request.

    Our team will respond as promptly as possible to your inquiries. Using email is usually the fastest way to reach us regarding privacy matters. When you contact us, we may need to verify your identity especially for requests involving personal data (to ensure we don’t disclose information to the wrong person).

    If you are not satisfied with our response, and depending on your location, you may also contact your national Data Protection Authority as noted in the Your Rights section above.

    Our Bulletins

    ACSAIR

    © 2025 Afrique Center for Statistics, Artificial Intelligence & Innovation Research (ACSAIR). Powered by Orphic Enterprises.