Data Subject Access Requests
KDPA s.26 grants every data subject the right to access their personal data. The Suite ships two paths: self-service from iBANK (instant) and a formal written-request workflow with a 30-day SLA tracked from the Compliance dashboard.

Self-service DSAR (instant)
Members log into iBANK, go to Profile → Privacy, click Download my data. The system compiles a JSON dossier in seconds and emails it to the member's registered address with a 24-hour signed download link.
- Personal data fields (name, ID, contacts, addresses, employment)
- Consent log — every consent action with timestamp and version
- Savings accounts + every transaction since inception
- Loan history (applications, schedules, repayments, write-offs)
- iBANK session log (last 12 months: IP, device, location)
- M-Pesa transactions
- Support cases the member opened or that were opened on their behalf
- Marketing preferences
- Linked CRB submissions
Formal written request (30-day SLA)
Members who cannot use iBANK (or who specifically request paper) write to dpo@ the institution. The DPO opens a mfi.support.case with type=dsar and the 30-day SLA timer starts.
- DPO receives request via email, post, or hand-delivered letter
- DPO opens MFI → Support → Cases → New (type = DSAR)
- Verify identity: member number + ID copy + signature match
- Run the same dossier the self-service path runs
- Choose delivery: encrypted ZIP via email OR USB at branch OR printed pack
- On delivery, close the case; SLA timer stops
- Compliance dashboard records the SLA met/missed for ODPC reporting
30-day SLA + 60-day extension
ODPC permits a 30-day extension when the request is complex or the data is voluminous. The extension MUST be communicated to the member in writing within the initial 30 days.
Worked scenarios
Scenario — Aisha files a formal DSAR after a CRB dispute
| Character | Role |
|---|---|
| Aisha Hassan | Member, the data subject |
| Florence Achieng | Data Protection Officer |
| Samuel Kibet | Compliance officer |
Timeline
- Day 0 (Mon): Aisha emails dpo@ asking for 'everything you have on me, including what you shared with CRB Africa'. (Email auto-creates mfi.support.case id=4421 type=dsar)
- Day 1: Florence acknowledges receipt, requests proof of identity. Aisha sends her ID via secure portal.
- Day 3: Identity verified. Florence runs the standard DSAR dossier.
- Day 5: Florence + Samuel review the dossier; everything Aisha disputed is included. Samuel adds a covering memo explaining what was sent to CRB Africa and when. (Case state = preparing)
- Day 7: Encrypted ZIP delivered via signed email link. Aisha confirms receipt. (Case state = delivered; SLA met at day 7 of 30)
- Day 14: Aisha files a CRB dispute using the documents. Case closed. (Case state = closed; compliance KPI counted)
Outcome — DSAR met in 7 days, well inside SLA. The dossier became Aisha's evidence in her CRB dispute.
Reference
DSAR JSON payload shape
| Section | Source | Notes |
|---|---|---|
| data_subject | res.partner + mfi.member | Identifying + contact + ID |
| consent | mfi.consent.log | Every consent action incl. version |
| savings_accounts | mfi.savings.account | All accounts ever opened |
| savings_txns | mfi.savings.transaction | Every txn (loaded lazily in encrypted ZIP) |
| loans | mfi.loan + mfi.loan.schedule | Applications, schedules, repayments |
| sessions | mfi.ibank.session | Last 12 months IP/device/locn |
| mpesa | mmm.transaction | Every M-Pesa C2B / B2C |
| support_cases | mfi.support.case | Cases where member is party |
| marketing | res.partner.consent_marketing | Current opt-in flag |
| crb_submissions | mfi.crb.submission | Every CRB upload referencing the member |
| export_metadata | synthesised | exported_at, exported_by, dossier_version |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Member's iBANK Download button greys out | Service state = service_block or member's session token rotated | Branch lifts service_block (if reason resolved). Member re-logins; force-logout token bump clears. |
| Self-service download size exceeds 100 MB | Very long-tenured member with thousands of transactions | System offers staged download (year-by-year ZIPs). Or DPO emails formal pack on USB delivered to branch. |
| DPO can't see the case in the queue | Email parser didn't classify type=dsar — wrong subject line | Open Settings → Mail aliases → dpo@ → 'rules'; add 'dsar' as a keyword. Manually re-classify the misfiled case. |
| ODPC asks 'how many DSARs in Q3 and what was your average SLA?' | Annual ODPC reporting | MFI → Compliance → Reports → DSAR statistics → filter by quarter. Export PDF + JSON. |

