Data Protection & Compliance Statement for OpenCHS
Last Updated: October 1, 2025
This document outlines the commitment of Bitz IT Consulting Ltd. and the OpenCHS platform to robust data protection standards and legal compliance. As a digital public good serving vulnerable populations, OpenCHS is architected and operated with privacy and security as core principles.
This statement is intended for donors, government partners, and implementing organizations to provide assurance of our adherence to international and domestic legal frameworks.
1. Commitment to Data Protection
Bitz IT Consulting Ltd. affirms that the OpenCHS platform is designed to comply with the highest standards of data protection. We are committed to safeguarding the personal and sensitive information of all data subjects, particularly children, in every jurisdiction where our system is deployed.
2. Adherence to Legal Frameworks
OpenCHS is designed to be compliant with the following key data protection and privacy laws in its countries of operation:
- Uganda: The Data Protection and Privacy Act, 2019.
- Kenya: The Data Protection Act, 2019.
- Tanzania: The Personal Data Protection Act, 2022.
- Lesotho: The Data Protection Act, 2011.
Furthermore, we use the EU General Data Protection Regulation (GDPR, 2016/679) as a global benchmark for our data protection practices, ensuring a high standard of privacy regardless of location.
3. Alignment with International Human Rights Standards
Our commitment extends beyond legal compliance to upholding fundamental human rights. We align our policies and system design with:
- United Nations Convention on the Rights of the Child (UNCRC): We recognize the special need for protection of children's data and privacy. Our system is designed to support the "best interests of the child" principle.
- United Nations Convention on the Rights of Persons with Disabilities (CRPD): We are committed to ensuring that OpenCHS is accessible and usable by people with disabilities, and that their data is handled with dignity and respect.
4. Operationalizing Compliance: How We Do It
Compliance is not just a policy; it is built into our technology and operational procedures.
4.1. Privacy by Design and by Default
- Data Minimization: The system is configured to collect only the data that is strictly necessary for the specific purpose of case management.
- Anonymization & Pseudonymization: Personally Identifiable Information (PII) is masked or removed by default in analytics and reporting modules. We provide tools to de-identify data for statistical analysis.
- Purpose Limitation: Data collected for case management is not used for any other purpose without explicit consent or legal mandate.
4.2. Security Measures
- Role-Based Access Control (RBAC): Users can only access information necessary for their role (e.g., an operator cannot access system administration settings).
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Secure Hosting: We partner with hosting providers who meet international security standards (e.g., ISO 27001, SOC 2). [Implementers should specify their hosting provider's compliance].
- Audit Trails: The system maintains detailed logs of all actions performed on sensitive data, including access, creation, modification, and deletion.
4.3. Data Protection Impact Assessments (DPIAs)
Before deploying OpenCHS in a new context or introducing a new feature that involves processing PII, we conduct DPIAs to identify and mitigate privacy risks. This process is conducted in collaboration with the local implementing partner.
4.4. Training and Capacity Building
We provide training to all system users (helpline operators, supervisors) on their data protection responsibilities, secure data handling practices, and the rights of data subjects.
5. Data Sovereignty and Cross-Border Transfers
- Data Residency: We support deployments that ensure data is stored within the borders of the country of operation, respecting data sovereignty laws and preferences. [Implementer to confirm their hosting location].
- Cross-Border Transfers: No personal data is transferred across borders unless it is in full compliance with the laws of the originating country and adequate data protection safeguards are in place.
6. Continuous Improvement
The data protection landscape is constantly evolving. We are committed to continuously monitoring legal and technological developments to ensure OpenCHS remains a trusted and compliant platform.
For further details, please refer to our Privacy Policy and Terms of Service.
Contact: For questions regarding our compliance program, please contact: [Insert Compliance Officer/Department and Email]