1. INTRODUCTION

1.1 STRATHMORE SCHOOL collects and uses personal information about staff, students, parents or guardians and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations.

2. PURPOSE
This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act, 2019, the Regulations made under the Act and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.

3. COLLECTING AND USING YOUR PERSONAL DATA

3.1. Strathmore School may ask you as parents or guardians to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information collected from parents or guardians may include, but is not limited to:
– names;
– names of spouses;
– names of children;
– religion;
– profession;
– place of work;
– physical home address;
– telephone numbers;
– post office addresses;
– email addresses;
– identification card numbers;
– photographs and audiovisual recordings taken during school events

3.2. In the course of your son’s stay at the school, the school will collect personal information and also generate and process data specific to your son. This information includes and is not limited to the following:
– names;
– date of birth;
– religion;
– birth certificates;
– academic certificates such as KCPE certificates;
– medical history such as allergies;
– hobbies;
– passport-size photographs;
– academic performance;
– discipline profile;
– learners’ photographs

3.3 Use of personal data by Strathmore School

3.3.1. Strathmore School processes personal data on learners, staff and other individuals such as visitors. In each case, the personal data is processed in accordance with the data protection principles as outlined below.

3.3.2. The personal data held regarding learners includes contact details, assessment/examination results, attendance information, characteristics such as religion, any relevant medical information, photographs and audio-visual recordings.

3.3.3. The data is used in order to support the education of the learners, to monitor and report on their progress, to provide appropriate pastoral care, to assess how well the school as a whole is doing, together with any other uses normally associated with this provision in a school environment.

3.3.4. Strathmore School may make use of limited personal data (such as contact details) relating to learners, and their parents or guardians for fundraising, marketing or promotional purposes, to maintain relationships with learners of Strathmore School, and to provide alumni-related services to former learners such as communicating opportunities and celebrating alumni achievements, but only where consent has been provided for these uses of their personal data.

3.3.5. In particular, Strathmore School may:

3.3.5.1. transfer information to any association, society or club set up for the purpose of maintaining contact with learners or for fundraising, marketing or promotional purposes relating to the school but only where consent from the relevant data subject has been obtained first;

3.3.5.2. make personal data, including sensitive personal data, available to staff for planning curricular or extra-curricular activities;

3.3.5.3. Any wish to limit or object to any use of personal data, or to exercise any of the data subject rights detailed in Section 5 of this Policy, should be addressed to the school Data Protection Officer in writing, which notice will be acknowledged in writing. If, in the view of the school Data Protection Officer, the objection or attempt to exercise the data subject’s rights cannot be maintained, the individual will be given written reasons why the school cannot comply with their request.

3.4. Personal data shall be retained for a period no longer than is necessary for the purposes for which it is obtained and processed. Data retention will be done in line with legal requirements and Strathmore School’s operational needs. Where personal data has satisfied the purpose for which it was obtained and processed, Strathmore School may still retain the data if the retention is required or authorized by law, where the retention is reasonably necessary for a lawful purpose, where the retention is consented to by the data subject, or where the retention is necessary for historical, statistical, journalistic literature and art or research purposes.

4. DATA PROTECTION PRINCIPLES

4.1. Strathmore School will ensure that the following principles governing data protection are adhered to at all times. That personal data is:

4.1.1. processed in accordance with the right to privacy;

4.1.2. processed lawfully, fairly and in a transparent manner;

4.1.3. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

4.1.4. adequate, relevant and limited to what is necessary;

4.1.5. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

4.1.5. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;

4.1.6. kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and

4.1.7. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

5. DATA SUBJECT RIGHTS

5.1. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act, 2019 and all the Regulations made under the Data Protection Act 2019.

5.2. Data subjects from whom Strathmore School collects personal data shall have the right:

5.2.1. to be informed of the use to which their personal data is to be put;

5.2.2. to access their personal data;

5.1.3. to object to the processing of all or part of their personal data;

5.1.4. to correct false or misleading data;

5.1.5. to deletion of false or misleading data about them.

5.3. The above rights shall be subject to the requirements and limitations set out in the Data Protection Act 2019 and the Regulations made under the Data Protection Act 2019.

5.4. The rights of a learner who is a minor shall be exercised by their parent/guardian. Where the learner is not a minor, their rights shall be exercised by the person duly authorized by the learner to exercise these rights.

6. GENERAL STATEMENT
6.1. Strathmore School is committed to maintaining the above principles at all times. Strathmore School will strive to ensure:

6.1.1. That individuals are informed why the information is being collected when it is collected;

6.1.2. That individuals are informed when their information is shared, and why and with whom it was shared;

6.1.3. That the quality and accuracy of the information collected is of the highest standards;

6.1.4. That when obsolete information is destroyed, it is done appropriately and securely;

6.1.5. That clear and strong safeguards are in place to protect personal information from loss, theft and unauthorized disclosure;

6.1.6. That information is shared with others only when it is legally and professionally appropriate to do so;

6.1.7. That all members of Strathmore School staff are aware of, and understand, policies and procedures related to data protection.

6.2. While Strathmore School will be taking reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete and current, it will rely on its data subjects to assist in providing accurate updates of their personal data.

7. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

7.1. The following list includes the most usual reasons that Strathmore School will authorise disclosure of personal data to a third party:

7.1.1. to give a confidential reference relating to a current or former employee, volunteer or learner;

7.1.2. for the prevention or detection of crime;

7.1.3. where it is necessary to exercise a right or obligation conferred or imposed by law upon Strathmore School (other than an obligation imposed by contract);

7.1.4. for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);

7.1.5. for the purpose of obtaining legal advice;

7.1.6. for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);

7.1.7. to publish the results of public examinations or other achievements of learners of the School;

7.1.8. to disclose details of a learner’s medical condition where it is in the learner’s interests to do so and there is a legal basis for doing so, for example for medical advice, insurance purposes or to organisers of school trips. The legal basis will vary in each case but will usually be based on explicit consent, the vital interests of the child or reasons of substantial public interest (usually safeguarding the child or other individuals);

7.1.9. to provide information to another educational establishment to which a learner is transferring; and

7.1.10. to provide information to the Examination Authority as part of the examination process.

7.2. Strathmore School may receive requests from third parties to disclose personal data it holds about learners, their parents or guardians, staff or other individuals. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allow disclosure applies or where necessary for the legitimate interests of the individual concerned.

7.3. All requests for the disclosure of personal data must be sent to the Principal, Strathmore School, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.

9. DATA PROTECTION IMPACT ASSESSMENT

9.1. Strathmore School will strive to perform an annual Data Protection Impact Assessment which will include:

9.1.1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by Strathmore School;

9.1.2. An assessment of the necessity and proportionality of Strathmore School’s data processing operations in relation to the purposes of the processing;

9.1.3. An assessment of the risks to the rights and freedoms of the data subjects governed by this Policy; and

9.1.4. The measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act, taking into account the rights and legitimate interests of data subjects.

9.2. Strathmore School will also conduct a Data Protection Impact Assessment on a case-by-case basis where the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects.

10. INCIDENT RESPONSE

10.1. Where there is a data breach caused by the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, Strathmore School will implement immediate incident response mechanisms to prevent any such actions.

10.2. Strathmore School’s incident response will be done in the following four steps:
10.2.1. Step 1: Report and notify the data subject, giving sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach;
10.2.2. Step 2: Detection of breach and analysis;
10.2.3. Step 3: Containment, eradication and recovery;
10.2.4. Step 4: Post-incident investigation and report.

10.3. To mitigate or address any such incidents, Strathmore School will notify and work with the Office of the Data Protection Commissioner to take any actions required of Strathmore School under the Data Protection Act 2019 and the Regulations made under the Data Protection Act 2019.

10.4. Any suspected or actual data breaches may be reported to Strathmore School as a complaint in accordance with Section 11 of this Policy.

11. ENQUIRIES AND COMPLAINTS
General enquiries relating to data handling should be addressed to:
dataprotection@strathmore.ac.ke
Complaints may be referred to the Principal using the email address:
principal@strathmore.ac.ke