🔐 Privacy Notice at a Glance
The National Forum Party is committed to protecting your personal data. Here is a plain-language summary of the key facts — full details are in the sections below.
Reg. with ORPP Kenya
ODPC Data Protection Registration
Organisation: National Forum Party (NFP)
Registration Number: ODPC/DP/REG/2026/00247
Supervisory Authority: Office of the Data Protection Commissioner (ODPC), Kenya
Data Protection Officer: NFP DPO · dpo@nfp.co.ke
Registration Basis: Kenya Data Protection Act 2019, Sections 17–19 (Data Controller & Processor registration)
Registered & Compliant · Kenya DPA 20191. Who We Are
The National Forum Party (NFP) is a registered Kenyan political party operating under the Office of the Registrar of Political Parties (ORPP). Our registered offices are located in Nairobi, Kenya.
NFP is the Data Controller for personal data collected through this website (www.nfp.co.ke), our membership registration system, and any party communications.
This Privacy Policy is compliant with the Kenya Data Protection Act 2019 (DPA 2019)
Data Protection Officer: For data-related queries, contact our Data Protection Officer at: dpo@nfp.co.ke
2. What Personal Data We Collect
We collect the following categories of personal data:
2.1 Membership Registration Data
| Data Type | Examples | Required? |
|---|---|---|
| Identity Information | Surname, other names, ID/Passport number, date of birth | Yes |
| Contact Information | Email address, phone number | Yes |
| Demographic Information | Sex, religion, ethnicity, date of birth | Yes |
| Location Information | County, constituency, ward, polling station, postal address | Yes (county/constituency/ward) |
| Account Credentials | Password (stored in encrypted form only) | Yes |
| Special Interest Groups | Youth, Women, PWD, Marginalised Communities | Yes |
| Professional Information | Occupation | No (optional) |
2.2 Website Usage Data
- IP address and browser information (collected automatically)
- Pages visited, time spent on pages, referring URLs
- Device type, operating system, and screen resolution
- Cookie identifiers (see Section 5)
2.3 Communication Data
- Messages sent through our contact form
- Email correspondence with our offices
- Newsletter subscription preferences
2.4 Special Category Data
We collect certain special category data (sensitive personal data) for our membership register, specifically: religion, ethnicity, and disability status (PWD wing membership). Under the DPA 2019 and GDPR, we only process this data with your explicit consent, and it is used solely for the purposes of party representation and ORPP-mandated membership categorisation.
3. How We Use Your Personal Data
- Membership Administration: Processing your membership registration, issuing membership numbers and cards, maintaining the party's official register as required by ORPP.
- Party Communications: Sending party news, announcements, event invitations and newsletters (only where you have opted in or it is a legitimate interest).
- Electoral Purposes: Submitting member data to IEBC or ORPP as required by law for electoral registration and party compliance.
- Service Improvement: Analysing how the website is used to improve our digital services (analytics cookies, with consent).
- Security: Protecting our systems and preventing fraudulent registrations.
- Legal Compliance: Meeting our obligations under Kenyan law, including political party regulations.
4. Legal Basis for Processing
| Processing Activity | Legal Basis (DPA 2019 / GDPR) |
|---|---|
| Processing membership registration | Contract performance; Legitimate interests (party administration) |
| Processing special category data (religion, ethnicity, disability) | Explicit consent |
| Sending newsletters | Consent (opt-in) |
| Sharing data with ORPP/IEBC | Legal obligation (Political Parties Act 2011) |
| Analytics cookies | Consent |
| Necessary cookies | Legitimate interests (website functionality) |
| Contact form responses | Legitimate interests; Consent |
5. Cookies & Tracking Technologies
Our website uses cookies — small text files stored on your device. We use three categories of cookies:
5.1 Strictly Necessary Cookies
These are essential for the website to function. They include session management and security cookies. These cannot be disabled.
5.2 Analytics Cookies
These help us understand how visitors use the site (pages visited, time on page, etc.). We use this data to improve the website. These are only set with your consent.
You can manage your cookie preferences at any time by clicking . Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
6. Data Sharing & Disclosure
NFP does not sell, rent or trade your personal data. We may share your data only in the following circumstances:
- ORPP and IEBC: As required by the Political Parties Act 2011 and electoral law, we submit member registers to the Office of the Registrar of Political Parties and the Independent Electoral and Boundaries Commission.
- Service Providers: We use trusted third-party providers for website hosting, email delivery, and analytics. These providers process data only on our instructions and under confidentiality agreements.
- Legal Requirements: We may disclose data if required by a court order, law enforcement, or other legal obligation under Kenyan law.
- With Your Consent: In any other circumstance, we will obtain your explicit consent before sharing your data.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The table below sets out our retention schedule:
| Data Category | Retention Period | Basis for Retention | Disposal Method |
|---|---|---|---|
| Membership registration data (active members) | Duration of membership | Contract; Legal obligation (ORPP) | Secure deletion / ORPP archive transfer |
| Membership data (resigned/expired) | 3 months post-resignation | Legal obligation (Political Parties Act 2011, electoral audit trail) | Encrypted archive, then secure deletion |
| Special category data (religion, ethnicity, disability) | Duration of membership | Explicit consent; ORPP statutory requirements | Immediate deletion on withdrawal of consent or resignation |
| Account passwords (hashed) | Duration of membership | Security & account integrity | Cryptographic wipe on account deletion |
| Contact form enquiries | 2 years from submission | Legitimate interests (query resolution) | Secure deletion |
| Newsletter subscriptions | Until unsubscribe + 30 days | Consent | Secure deletion + unsubscribe confirmation |
| Website analytics data | 26 months (anonymised at 14 months) | Consent; Legitimate interests (site improvement) | Anonymisation, then automatic deletion |
| Audit log records | 5 years | Legal obligation; Security (Computer Misuse & Cybercrimes Act 2018) | Secure archive, then deletion |
| Cookie consent records | 13 months from consent date | Accountability obligation (DPA 2019) | Automatic expiry and deletion |
| OTP / authentication records | 5 minutes (live) · 30 days (log) | Security; Fraud prevention | Automatic expiry |
| Encrypted data backups | 90 days rolling | Business continuity | Overwritten with encrypted replacement on each cycle |
At the end of any retention period, data is disposed of securely in a manner that prevents reconstruction or recovery. Requests for early deletion are handled under Section 8 (Your Rights).
Data Protection Impact Assessment (DPIA) Summary
NFP has conducted Data Protection Impact Assessments for all high-risk processing activities, as required by Section 31 of the Kenya Data Protection Act 2019. A summary of assessed activities is provided below.
| Processing Activity | Risk Level | Key Mitigations | DPA Necessity |
|---|---|---|---|
| Membership registration & storage of special category data (religion, ethnicity, disability) | MEDIUM | AES-256-GCM encryption at rest; RBAC access controls; explicit consent; ODPC registration; staff training | Yes — Art. 31, DPA 2019 |
| Identity verification against IPRS/IEBC | MEDIUM | Minimal data queried; results not stored beyond session; TLS in transit; audit logging | Yes — Art. 31, DPA 2019 |
| Transfer of member register to ORPP/IEBC | HIGH | Legal obligation basis; encrypted transfer; data minimisation; member notification; DPA compliant data sharing agreement | Yes — Art. 31, DPA 2019 |
| Membership digital archive & backup | LOW | AES-256-GCM encrypted backups; passphrase-protected exports; 90-day rolling retention; immutable audit trail | Recommended |
| Website analytics (with consent) | LOW | Cookie consent gate; anonymisation at 14 months; no sale of data; opt-out available at any time | Recommended |
Full DPIA documentation is maintained by the NFP Data Protection Officer and available to the ODPC on request. DPIAs are reviewed annually or when processing activities change materially.
8. Your Rights
Under the Kenya Data Protection Act 2019 and, where applicable, the GDPR, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Ask us to correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention obligations).
- Right to Restrict Processing: Ask us to limit how we use your data in certain circumstances.
- Right to Data Portability: Receive your data in a machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including for direct marketing.
- Right to Withdraw Consent: Withdraw any consent you have given at any time (this does not affect previous lawful processing).
- Right to Lodge a Complaint: Complain to the Office of the Data Protection Commissioner (ODPC) Kenya if you believe your rights have been violated.
To exercise any of these rights, you can use our Data Rights Self-Service Portal to submit a request online and receive a reference number for tracking. Alternatively, contact our Data Protection Officer at dpo@nfp.co.ke or write to: NFP Data Protection Officer, NFP National Secretariat, Nairobi, Kenya. We will respond within 30 days of receiving your request.
9. Data Security
NFP implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- SSL/TLS encryption for all data transmitted via this website
- Password hashing and salting for account credentials
- Access controls limiting data access to authorised staff only
- Regular security audits and staff data protection training
- Data breach response procedures in place
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ODPC within 72 hours as required by law.
10. Children's Privacy
NFP membership is open only to Kenyan citizens aged 18 years and above. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has submitted data to us, please contact us at dpo@nfp.co.ke and we will delete the data promptly.
11. International Data Transfers
Your personal data is primarily processed and stored within Kenya. Where any data is transferred outside Kenya (for example, to cloud hosting providers), we ensure that adequate protections are in place, including standard contractual clauses or equivalent safeguards, in compliance with Section 48 of the Kenya Data Protection Act 2019.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. We will notify you of significant changes by posting a notice on our website and, where appropriate, by email. The "Last Updated" date at the top of this policy indicates when it was last revised.
We encourage you to review this policy periodically. Continued use of our website after changes have been posted constitutes acceptance of the revised policy.
13. Contact Us & Complaints
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
- Email: dpo@nfp.co.ke
- General: info@nfp.co.ke
- Phone: +254 700 000 000
- Post: Data Protection Officer, National Forum Party, NFP Secretariat, Nairobi, Kenya
You also have the right to lodge a complaint with Kenya's data protection supervisory authority:
- Office of the Data Protection Commissioner (ODPC)
- Website: www.odpc.go.ke
- Email: info@odpc.go.ke