Organization: Think Aviation Training Ltd (Kenya)
Effective Date: February 7, 2026
Version: 3.1 (Kenyan Regulatory Compliant)
1. Introduction
At Think Aviation Training, we recognize that in the modern aviation landscape, data integrity is as critical as airworthiness. This policy outlines our commitment to protecting the personal data, training records, and operational information of our pilots, cabin crew, maintenance personnel, and organizational partners. It establishes the rules for data usage, privacy rights, and acceptable online behavior within our eLearning Management System (LMS).
2. Legal & Regulatory Framework
This policy is drafted in strict adherence to the following Kenyan laws and international aviation standards:
2.1 Kenyan Legislation
- The Constitution of Kenya, 2010: Specifically Article 31, protecting the right to privacy.
- The Data Protection Act, 2019 (DPA): Regulating the processing of personal data and the rights of data subjects.
- The Computer Misuse and Cybercrimes Act, 2018: Specifically governing unauthorized access, cyber-harassment (bullying), and interference with computer systems.
- Kenya Civil Aviation Regulations (KCARs): Pertaining to Approved Training Organizations (ATOs) and personnel licensing records.
2.2 International Aviation Standards
- KCAA (Kenya Civil Aviation Authority): Compliance with ATO record-keeping requirements.
- ICAO Doc 9985: Guidelines on Aviation Cyber Security.
- EASA & FAA Standards: Adherence to EASA Part-ORA and FAA 14 CFR Part 142 regarding the integrity and retention of pilot/technician training records.
- GDPR: Compliance for any data processing involving Kenyan and international citizens or entities.
3. Data Collection & Purpose
We collect data strictly necessary for regulatory compliance, safety verification, and effective training delivery.
3.1 Personally Identifiable Information (PII)
- Identity Data: Full legal name, National ID/Passport Number (required for KCAA verification), Pilot License Number.
- Contact Data: Corporate/Personal email address, phone number, and employer (Airline/MRO) details.
- Biometric Data (Restricted): If remote proctoring is used, facial recognition data may be processed strictly for identity verification during exams, with explicit consent.
3.2 Aviation Training Data
- Performance Metrics: Exam scores, simulation logs, time-on-task, and pass/fail status.
- Certification Records: Digital copies of certificates, license endorsements, and recurrent training validity dates.
- Instructor Notes: Evaluative commentary required for regulatory sign-offs.
4. Cyber Safety, Anti-Bullying & Acceptable Use
To ensure a safe learning environment, strict behavioral standards apply to all users (trainees, instructors, and staff).
4.1 Cyber-Harassment & Bullying
Pursuant to Section 27 of the Computer Misuse and Cybercrimes Act, 2018, the following actions on the Think Aviation LMS or associated communication channels (forums, chats) are strictly prohibited and may lead to criminal prosecution:
- Posting information that is false or malicious about another trainee or instructor.
- Using language that is threatening, abusive, or meant to cause apprehension or fear of violence.
- Zero Tolerance: Any user found engaging in cyber-harassment will have their LMS access immediately suspended and will be reported to their employer and potentially to the National Computer and Cybercrimes Coordination Committee (NC4).
4.2 Unauthorized Access & Interference
- Sharing login credentials (Usernames/Passwords) is strictly prohibited.
- Any attempt to bypass LMS security, manipulate exam scores, or access another user’s records is a criminal offense under Section 14 (Unauthorized Access) of the Computer Misuse Act.
5. Data Security Measures
We employ defense-in-depth strategies to secure the eLearning environment against cyber threats.
5.1 Encryption & Technical Security
- In-Transit: All data transmitted is encrypted using TLS 1.3 (Transport Layer Security).
- At-Rest: Databases containing PII and training records are encrypted using AES-256 standards.
- Hosting: Data is hosted in secure data centers (e.g., AWS/Azure) that are ISO 27001 certified.
5.2 Access Control
- Multi-Factor Authentication (MFA): Mandatory for all Administrator and Instructor accounts.
- Role-Based Access Control (RBAC): Access is strictly segmented. Instructors can only view their assigned cohorts; Trainees can only view their own records.
5.3 Data Integrity (Aviation Requirement)
- Immutable Logs: Critical training actions (e.g., marking a course as “Passed”) are recorded in an immutable audit log to prevent retroactive tampering, satisfying KCAA and EASA audit requirements.
6. Data Retention Policy
In aviation, training records are safety-critical documents.
- Active Accounts: Data is retained for the duration of the training service agreement.
- Regulatory Retention (5 Years): In compliance with KCARs and EASA Part-ORA, training records (certificates, exam results) are retained for a minimum of 5 years to allow for regulatory audits and accident investigation retrieval.
- Deletion Requests: While you have a right to erasure, we cannot delete regulatory training records before the statutory period expires. These records will be archived securely and restricted from active processing.
7. Data Sharing & Third Parties
We do not sell data. Data is shared only with:
- Regulatory Bodies: KCAA, FAA, or EASA upon formal audit request.
- Employers: Your sponsoring airline or MRO to verify training completion.
- Sub-processors: Trusted partners for hosting (e.g., AWS) or payments (e.g., Stripe, M-PESA), all of whom are vetted for DPA 2019 compliance.
8. Incident Response
In the event of a data breach affecting your personal data:
- Detection: Our Security Operations Center (SOC) monitors for anomalies 24/7.
- Notification: We will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a significant breach, as mandated by the Data Protection Act.
- User Notice: If the breach poses a high risk to your rights, we will notify you directly without undue delay.
9. Your Rights (Data Subject Rights)
Under the Data Protection Act, 2019, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate personal details (e.g., spelling errors on a certificate).
- Object: Object to the processing of your data for specific purposes (subject to aviation safety overrides).
- Portability: Request your training history in a structured format (CSV/JSON).
10. Contact Information
For privacy inquiries, cyber safety reports, or to exercise your rights:
- Data Protection Office (DPO): Think Main Office
- Email: info@think.co.ke
- Phone: +254711-483-483
- Physical Address: Desert Locust Hangar – Wilson Airport.
