Terms of Reference (ToR) for Engagement of a Data Protection Auditing Firm

Client: University of Eastern Africa, Baraton (UEAB)

Reference Number: UEAB-DPA-2025/01

Date of Issue: 15th May 2025

Deadline for Submission: 22nd May 2025

1. Background

The University of Eastern Africa, Baraton (UEAB) is subject to an impending inspection by the Office of the Data Protection Commissioner (ODPC) under the Data Protection Act, 2019. In line with this, the university is seeking to engage the services of a registered and competent data protection auditing firm to carry out a pre-inspection compliance audit and assist in preparing documentation, risk assessments, remediation plans, and final reports for submission to ODPC.

2. Objective of the Assignment

To conduct an independent data protection compliance audit at UEAB and provide a comprehensive report and roadmap aligned with the ODPC Data Protection Audit Guidelines. The assignment will also support the university in achieving full compliance with the Data Protection Act, 2019 and its accompanying regulations.

3. Scope of Work

3.1 Governance and Accountability

  • Review and evaluate the existence, adequacy, and effectiveness of the university’s data protection policies, procedures, and accountability mechanisms.
  • Review data inventory/mapping, internal compliance monitoring, and reporting mechanisms.

3.2 Staff Training and Awareness

  • Assess existing training programs on data protection awareness for staff.
  • Review HR practices for compliance with data protection requirements.

3.3 Security of Personal Data

  • Assess technical and organizational measures implemented to secure personal data.
  • Evaluate privacy by design and by default principles and review breach management procedures.

3.4 Data Subject Rights

  • Evaluate mechanisms for handling data subject rights such as access, correction, deletion, and objection to processing.

3.5 Records Management

  • Review data retention policies, storage limitation compliance, and data disposal practices.

3.6 Data Protection Impact Assessments (DPIAs)

  • Identify high-risk processing activities and assess whether DPIAs have been conducted in line with section 31 of the Act.

3.7 Data Sharing and Transfers

  • Review procedures for lawful data sharing with third parties and cross-border data transfer compliance.

3.8 Vendor and Processor Management

  • Evaluate contracts, data sharing agreements, and monitoring of compliance by third-party service providers.

4. Deliverables

  • Inception Report: Audit plan, tools, and methodology within the first 5 days.
  • Data Protection Audit Report: Structured per ODPC’s format, including Executive Summary, Audit Methodology, Key Findings, Compliance Status, Legal references, Actionable Recommendations, and Compliance Roadmap.
  • Evidence Annex: Documents, interview notes, and system screenshots.
  • Final Preparedness Report: Incorporating feedback and steps for rectification.

5. Methodology

The auditing firm shall employ industry best practices, including interviews with department heads, document reviews, sampling of databases, and reference to the Data Protection Act, 2019, ODPC guidelines, and international standards (ISO/IEC 27701 and ISO/IEC 27001).

6. Duration

The assignment shall be completed within one week from the audit start date.

7. Minimum Qualifications of the Auditor

  • Registered/accredited by ODPC.
  • At least five years of experience in data protection or information security audits.
  • Experience with higher learning institutions preferred.
  • At least one certified lead auditor in data protection or information security.

8. Confidentiality

The auditor shall maintain strict confidentiality of all data accessed or reviewed. A non-disclosure agreement will be signed prior to commencement.

9. Reporting and Supervision

The auditor will report to the University Data Protection Officer and coordinate with the ICT Manager, providing periodic updates to UEAB’s legal and administrative board.

10. Evaluation Criteria

  • Company documents: Registration/Incorporation certificate, valid Tax Compliance Certificate, CR12 letter.
  • Proof of ODPC registration.
  • Proof of previous ODPC audits.
  • Technical proposal compliance with scope and methodology.
  • Firm and team experience.
  • Cost proposal.