Data Subject Access Requests

KDPA s.26 grants every data subject the right to access their personal data. The Suite ships two paths: self-service from iBANK (instant) and a formal written-request workflow with a 30-day SLA tracked from the Compliance dashboard.

iBANK self-service
DSAR requests originate from /ibank/profile.

Self-service DSAR (instant)

Members log into iBANK, go to Profile → Privacy, click Download my data. The system compiles a JSON dossier in seconds and emails it to the member's registered address with a 24-hour signed download link.

  • Personal data fields (name, ID, contacts, addresses, employment)
  • Consent log — every consent action with timestamp and version
  • Savings accounts + every transaction since inception
  • Loan history (applications, schedules, repayments, write-offs)
  • iBANK session log (last 12 months: IP, device, location)
  • M-Pesa transactions
  • Support cases the member opened or that were opened on their behalf
  • Marketing preferences
  • Linked CRB submissions

Formal written request (30-day SLA)

Members who cannot use iBANK (or who specifically request paper) write to dpo@ the institution. The DPO opens a mfi.support.case with type=dsar and the 30-day SLA timer starts.

  1. DPO receives request via email, post, or hand-delivered letter
  2. DPO opens MFI → Support → Cases → New (type = DSAR)
  3. Verify identity: member number + ID copy + signature match
  4. Run the same dossier the self-service path runs
  5. Choose delivery: encrypted ZIP via email OR USB at branch OR printed pack
  6. On delivery, close the case; SLA timer stops
  7. Compliance dashboard records the SLA met/missed for ODPC reporting

30-day SLA + 60-day extension

ODPC permits a 30-day extension when the request is complex or the data is voluminous. The extension MUST be communicated to the member in writing within the initial 30 days.

Note — The Compliance dashboard surfaces SLA risk at 25 days. Set a calendar reminder in the case to prevent silent overruns.

Worked scenarios

Scenario — Aisha files a formal DSAR after a CRB dispute

Setting: Member disputes a negative CRB listing and asks for proof of every data point shared with the bureau.

CharacterRole
Aisha HassanMember, the data subject
Florence AchiengData Protection Officer
Samuel KibetCompliance officer

Timeline

  1. Day 0 (Mon): Aisha emails dpo@ asking for 'everything you have on me, including what you shared with CRB Africa'. (Email auto-creates mfi.support.case id=4421 type=dsar)
  2. Day 1: Florence acknowledges receipt, requests proof of identity. Aisha sends her ID via secure portal.
  3. Day 3: Identity verified. Florence runs the standard DSAR dossier.
  4. Day 5: Florence + Samuel review the dossier; everything Aisha disputed is included. Samuel adds a covering memo explaining what was sent to CRB Africa and when. (Case state = preparing)
  5. Day 7: Encrypted ZIP delivered via signed email link. Aisha confirms receipt. (Case state = delivered; SLA met at day 7 of 30)
  6. Day 14: Aisha files a CRB dispute using the documents. Case closed. (Case state = closed; compliance KPI counted)

Outcome — DSAR met in 7 days, well inside SLA. The dossier became Aisha's evidence in her CRB dispute.

Reference

DSAR JSON payload shape

SectionSourceNotes
data_subjectres.partner + mfi.memberIdentifying + contact + ID
consentmfi.consent.logEvery consent action incl. version
savings_accountsmfi.savings.accountAll accounts ever opened
savings_txnsmfi.savings.transactionEvery txn (loaded lazily in encrypted ZIP)
loansmfi.loan + mfi.loan.scheduleApplications, schedules, repayments
sessionsmfi.ibank.sessionLast 12 months IP/device/locn
mpesammm.transactionEvery M-Pesa C2B / B2C
support_casesmfi.support.caseCases where member is party
marketingres.partner.consent_marketingCurrent opt-in flag
crb_submissionsmfi.crb.submissionEvery CRB upload referencing the member
export_metadatasynthesisedexported_at, exported_by, dossier_version

Troubleshooting

SymptomLikely causeFix
Member's iBANK Download button greys outService state = service_block or member's session token rotatedBranch lifts service_block (if reason resolved). Member re-logins; force-logout token bump clears.
Self-service download size exceeds 100 MBVery long-tenured member with thousands of transactionsSystem offers staged download (year-by-year ZIPs). Or DPO emails formal pack on USB delivered to branch.
DPO can't see the case in the queueEmail parser didn't classify type=dsar — wrong subject lineOpen Settings → Mail aliases → dpo@ → 'rules'; add 'dsar' as a keyword. Manually re-classify the misfiled case.
ODPC asks 'how many DSARs in Q3 and what was your average SLA?'Annual ODPC reportingMFI → Compliance → Reports → DSAR statistics → filter by quarter. Export PDF + JSON.

See also

Was this page helpful?