Approval and Review 



Planning and Development 


Data Protection Office 

Policy Name 

Data Privacy Policy 

Policy Number/Version 

Version 1 

Policy Owner 

DVC, Partnership & Development 

Implementing Officer 

Data Protection Officer 

Approval and Amendment History 


Recommended by 

Quality Assurance Steering Committee  

Date Recommended: 8/11/2023 

Adopted by 

Management Board                                         

Adoption Date: 9/11/2023 

Approved by     

Internal Audit and Strategy Committee of Council                    

Approval Date 15/11/2023 

Original Approval Authority  

Approved by the University Council             Approval Date       : 6/12/2023 

Effective Date 

6 /12/2023 

Review Date 

Effective   6/12/2023 + 3 years 




1.1. “You”, “Your” means

1.1.1. Students enrolled at Strathmore University;

1.1.2. Parents, Legal Guardians and Sponsors of Students;

1.1.3. Staff working at Strathmore University;

1.1.4. Visitors to Strathmore University;

1.1.5. Stakeholders working with Strathmore University in any capacity;

1.2. “University”, “We”, “Us” “Our” means Strathmore University and its affiliates.



The purpose of this Data Privacy Policy is to establish clear guidelines for the collection, use, storage and disclosure of personal data by Strathmore University and its affiliates. This policy aims to safeguard the privacy and security of personal data and ensure compliance with the Data Protection Act, 2019 and the regulations thereto.




3.1. Collection of Information 

We collect your personal information with your knowledge and consent when you do any of the following (please note that this list is not exhaustive):

3.1.1. Apply for admission to the University;

3.1.2. Enroll into the University;

3.1.3. Enroll a student who is a minor into the University;

3.1.4. Apply for a job at the University;

3.1.5. Gain employment at the University;

3.1.6. Utilise various services at the University such as cafeteria, medical center, career development among others;

3.1.7. Apply for Financial Aid assistance;

3.1.8. Participate in research studies or respond to surveys conducted by the University;

3.1.9. Access the University IT systems, website or online platforms;

3.1.10. Join the Alumnae Association;

3.1.11. Attend University events both physically and virtually;

3.1.12. Give a donation to the University;

3.1.13. Pay school fees for a student enrolled in the University;

3.1.14. Physically visit the University premises.


3.2. What information is collected

                3.2.1     Identification Data 

                3.2.2     Contact Information

                3.2.3     Academic Data

                3.2.4     Financial Data

                3.2.5     Employment Data

                3.2.6     Health Data

                3.2.7     Biometric Data

                3.2.8     Communication Data

                3.2.9     Technical Data

3.2.10 Consent and Authorization Data

3.2.11 Social and Demographic Data

3.2.12 Campus Access Data


3.3 Use of Information

                3.3.1     Admission and Enrollment 

                3.3.2    Academic Support

                3.3.3     Teaching and Learning

                3.3.4     Recruitment and Employment

                3.3.5     Research and Scholarly Activities

                3.3.6     Campus Services and Operations

                3.3.7     Financial Management

                3.3.8     Institutional Planning and Reporting

                3.3.9     Alumni Relations and Development

3.3.10 Security within the University

3.3.11 Communication and Marketing

3.3.12 Fundraising

3.3.13 Strategic Partnerships

3.3.14 Compliance and Legal Obligations


3.4 Lawful basis of processing information

3.4.1 Contractual Necessity: Processing personal data that is necessary for the performance of a contract with you. This includes data required for employment contracts, enrollment agreements or contractual obligations related to services provided by the University.

3.4.2 Legal obligation: Processing personal data to comply with legal obligations imposed on the University. This includes obligations related to employment laws, tax regulations, health and safety regulations and other applicable laws.

3.4.3 Legitimate Interests: Processing personal data based on the legitimate interests pursued by the University or a third party, provided that such interests are not overridden by the individual’s rights and interests. This may include internal administrative purposes, security management, academic research or fundraising efforts.

3.4.4     Consent: Obtaining explicit and informed consent from you to process your personal data for specific purposes.

3.4.5 Vital Interests: Processing personal data in situations where it is necessary to protect your vital interests. This applies in cases of emergencies, health crises or situations where someone’s life or physical well-being is at risk.

3.4.6 Public Task or Official Authority: Processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University.



4.1 We retain personal data only for as long as reasonably necessary to fulfill the purposes for which it was collected. This includes meeting legal, regulatory, tax, accounting or reporting requirements. 

4.2 In determining the appropriate retention period for personal data, we consider the following factors: 

                4.2.1     The amount, nature and sensitivity of the personal data collected. 

                4.2.2     The potential risks of unauthorized use or disclosure of the personal data.

4.2.3 The specific purposes for which we process the personal data and whether those purposes can be achieved through alternative means.

                4.2.4     Compliance with our internal policies and procedures.

4.2.5     The applicable legal, regulatory, tax, accounting or other requirements that dictate data retention periods.

4.3 In certain circumstances, we may retain personal data for a longer period if there is a complaint or a reasonable prospect of litigation related to our relationship with the individual. This extended retention allows us to address any legal claims or defend our legal rights effectively.

4.4 When personal data is no longer needed and its retention period has expired, we ensure its secure disposal to prevent unauthorized access, loss or disclosure.

4.5 Anonymized information that can no longer be associated with you may be held indefinitely.



5.1 University Personnel  

5.1.1 Internal departments and staff who require access to personal data to carry out their duties, such as administrators, teaching staff and support staff. 

5.2 Students and Parents

5.2.1 In the case of students, personal data may be shared with the students themselves or their parents/legal guardians, particularly when it relates to academic progress, financial matters or student support services.

5.3 Educational Partners and Institutions

5.3.1 In cases of collaborative programs, study abroad arrangements or research collaboration, personal data may be shared with other educational institutions or partners involved in these activities.

5.4 Service Providers

5.4.1 Third-party service providers may be engaged by the University to assist with various functions such as IT support, cloud storage, payment processing, mailing services or other administrative tasks. These providers may have access to personal data as necessary to perform their contracted services.

5.5 Government Authorities and Regulatory Bodies

5.5.1 Personal data may be disclosed to government authorities, regulatory bodies or law enforcement agencies as required or permitted by law, such as for compliance with tax obligations, responding to legal requests or fulfilling reporting obligations.

5.6 Research Collaborators

5.6.1 In the context of academic research projects, personal data may be shared with other researchers or institutions collaborating on the research study, subject to appropriate safeguards and ethics approval.

5.7 Alumni Associations and Donors

5.7.1 Personal data of alumni may be shared with alumni associations or fundraising entities to maintain connections, engage in alumni activities or seek philanthropic support.

5.8 External Examiners and Assessors

5.8.1 Personal data of students or faculty may be shared with external examiners or assessors involved in academic assessments, thesis evaluations or accreditation processes.

5.9 Professional Bodies and Accreditation Agencies

5.9.1     Personal data may be disclosed to professional bodies or accreditation agencies for purposes such as certification, accreditation or compliance with professional standards.



6.1 We may store some information (using “cookies“) on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is non-personal (such as: the Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully. 



7.1 We have put in place technical and operational measures to ensure integrity and confidentiality of your data through controls such as data encryption, access control, network security, secure data storage, secure application development, data anonymization, data minimization, data transfer security, regular security and patching as well as staff training and awareness. 



8.1 The University will ensure that any international data transfers comply with applicable data protection laws and take appropriate safeguards to protect the privacy and security of personal data. 



9.1 Subject to legal and contractual exceptions, you have rights under the Data Protection Act, 2019 in relation to your personal data. These rights are as follows: 

                9.1.1     Right to be informed of the use to which your personal data is to be put; 

                9.1.2    Right to access your personal data in our custody;

                9.1.3    Right to object to the processing of all or part of your personal data;

                9.1.4     Right to correction of false or misleading data; and

                9.1.5     Right to deletion of false or misleading data about you.

9.2 If you wish to exercise any of the rights set out above, please contact us through



10.1 Please contact our Data Protection Officer through on any topic regarding this Data Privacy Policy. 



11.1 You have a right to lodge a complaint with the Office of the Data Protection Commissioner as established under the Data Protection Act, 2019. 



12.1 We have a right to terminate any agreement or services offered to you for failure to comply with the provisions of this Data Privacy Policy. 



13.1 We reserve the right to amend or modify this Data Privacy Policy from time to time. Any modification or amendment to this Data Privacy Policy will take effect from the date of notification on the University website.