Simplified Data

Protection Impact
Assessment
FOR SMALL ORGANISATIONS
TABLE OF CONTENTS

Introduction.............................................................................................................. 3

Step 1: Describing Your Data Processing Activities.............................. 5

Step 2: Analysing your data processing activities................................. 6

2.1 Principles Analysis................................................................................ 7

2.2 Legitimate Interest Test...................................................................... 9

2.3 Necessity And Proportionality Test.............................................. 10

2.4 Profiling Analysis.................................................................................... 11

2.5 Privacy By Design And Default Test............................................ 12

2.6 Rights Analysis........................................................................................ 13

Step 3: Analysis Of All The Activities As A Whole.................................. 15

Step 4: Risk Determination .............................................................................. 16

Step 5: Data Protection Impact Assessement (DPIA) Report ........ 17

Step 6: Monitoring And Evaluation .............................................................. 18

Annex 1: Further Questions For Principles Analysis ............................ 19

Introduction

A Data Protection Impact Assessment (DPIA) is a

systematic analysis of your data processing activities to help
you identify and mitigate risks to people affected by your data
processing activities.

The Kenya Data Protection Act requires that

a DPIA be carried out where a data process- Steps For A Data
ing activity creates high risk to the rights and
Protection Impact
freedoms of a data subject.
Asssessment (DPIA)
Examples of high risk data activities include:

• Credit scoring
STEP 01
• Profiling of customers
Description of the data
• Processing involving sensitive personal processing activities
data which is defined under the Data Pro-
tection Act to include: ‘data revealing the STEP 02
natural person’s race, health status, ethnic
Analysis of each processing
social origin, conscience, belief, genetic
activity
data, biometric data, property details,
marital status, family details including
STEP 03
names of the person’s children, parents,
spouse or spouses, sex or the sexual ori- Analysis of all the activities as a
entation of the data subject’ whole

• CCTV monitoring of a public area STEP 04

• Database matching, particularly where Risk determination
third parties are involved

• Biometric data processing eg use of fin- STEP 05

gerprints or facial recognition software
Reporting to management.
• DNA processing

• Health data processing

STEP 06
• Services given to children or persons with Monitoring and evaluation.
mental incapacity

• Data processes that repurpose data

previously collected for one purpose eg
research using existing datasets

3
A NOTE ON THE ACTORS IN A DATA PROTECTION
IMPACT ASSESSEMENT (DPIA)

The Data Protection Act1 defines process-

ing to include:
The Data Protection Act uses the
terms Data Subject, Data Controller, “(a) collection, recording, organisation,
and Data Processor. structuring;

(b) storage, adaptation or alteration;

A Data Subject
(c) retrieval, consultation or use;
A Data Subject is the person to
whom data refers to. In this booklet, (d) disclosure by transmission,
we use the term ‘client’ to refer to dissemination, or otherwise making
data subjects. Clients in a small or- available; or
ganisation setting in a broad sense
(e) alignment or combination,
refers to anyone who is served by the
restriction, erasure or destruction. ”
organisation, including employees,
customers, relatives of employees From this definition, some examples of
(e.g. for human resource functions), data processing work in small organisa-
suppliers, partners, and contractors. tions include:

The Data Controller • processing the employee payroll

• analysing customers to learn

The Data Controller is the person something about their spending
who decides, in a strategic man- habits
ner, how data is processed. In many
NGOs, this could be the manage- • sending messages to customers
ment and at times the board. In an • taking details of clients who
SME, it could be the management attend a training
or the business owner.
• destroying old files containing
The Data Processor client details

The Data Processor is any person • archiving old files

who processes the data. In some
instances, this is a different entity,
for example where an SME uses an
accounting system that is partly op-
erated and fully owned by the ac-
counting firm.

1 See section 2 of the Data Protection Act

4
STEP Describing Your Data Processing Activities
ONE

WHAT
Describe the data you are processing. This could include: employee
details, details of people who attend your legal aid clinic, lists of peo-
ple who attend your community workshops, details of your clientele
including their names, contact information, modes of payment et-
cetera.

WHY
List down all the reasons you require the data you are processing.
Some reasons could be: organisational management, human re-
source processes, programme management, accounting to donors.

HOW
For each data processing activity, describe the actual processing ac-
tivity e.g. how the data is collected, recorded, organised, stored, and
even used. Is the data ever shared, disseminated, altered, combined
with others, archived, or destroyed?

WHERE
For each data processing activity, list all the physical and virtual plac-
es that data is processed.

WHEN
Describe when data processing takes place. Are there any activities
that take place every month or every year or at the beginning of a
contract?

WHO
List all the people and companies involved in the data processing.

Description of data processing activities will help the organisation to

be aware of all data processing activities. It is also important in creat-
ing accountability structures. Although generally the management
has overall responsibility over data processing activities, during this
exercise, the organisation will identify the person in charge of the
activity as well as others who are involved in the processing.

5
Table 1 shows an example of an accountability matrix:
Table 1: Responsibility matrix for a human resource management system

Data processing Accountable

Informed of
functions Overall for actual Consulted in
data processing
responsibility processing of data processing
activities
Actors data

Business owner

Management

IT department

Finance
department

Human resources
department

Technology /
system provider

Employees

After going through the data protection impact analysis, the responsibility matrix may change.
For example, you may realise that employees need to be consulted in data processing activities
or that the IT department needs to be accountable for some data processing activities.

A NOTE ABOUT SPECIAL GROUPS

When analysing your data processing activities, pay special attention to vulnerable groups such
as children. Increasingly, governments are requiring that any data processing that targets chil-
dren be carried out under special conditions. For example, the UK has a Code2 that requires
organisations processing children’s data to incorporate the best interests of the child. This in-
cludes taking into account the different ages of children and protect children from harmful
use of data. In practice, an organisation processing children’s data must make the processing
child specific, and apply the data protection principles to the highest, for example, explain the
purpose of processing the data in a very simple way. It must also provide avenues for parental
controls, restrict nudging the children and make considerations for connected data for example
where there are connected toys and devices.

2 ICO, ‘Age Appropriate Design: A Code of Practice for Online Services’ <https://ico.org.uk/
for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-de-
sign-a-code-of-practice-for-online-services/>

6
 STEP Analysing your data processing activities
TWO

There are different tests you could use to assess the impact of your data processing activities.
These include: principles analysis, the legitimate interest test, necessity and proportionality test,
privacy by design and default test, rights analysis, profiling, and risk mitigation.

2.1 Principles Analysis

There are eight principles of data protection under the Data Pro-
tection Act. These principles are laid out and described in Table
2 below.

Table 2: Principles of data protection under the Data Protection

Act, section 25

Process data with regard to the

Privacy
privacy of individuals An organisation
processing
Be fair and transparent to clients personal data
Fairness & lawfulness
whose data you are processing should adhere to
the principles of
Purpose
Have a specified purpose for data protection
processing data
set out in the Data
Protection Act.
Only collect what is sufficient for
Adequacy
your specified purpose

Explain to your client why you

Valid explanation are collecting data on family or
private affairs

Keep personal data accurate and

Accuracy upto date. Rectify or erase incor-
rect personal data

Do not keep data longer than

Retention necessary. Anonymise data that
is no longer in active use

Ensure data in your custody that

is processed outside kenya is
Transfer outside Kenya
processed in countries with ade-
quate data protection laws.

7
 A basic step for a DPIA is to assess your Some measures you would have to take
data processing activities against the after this analysis include:
data protection principles. The queries
in the principles test analysis include the • Redesigning data collection to in-
following: clude only relevant data for your
purpose
• Do you collect any data relating to
private or family affairs? • Explaining to clients your reasons for
collecting and processing their data
• For each data point, e.g. name, loca-
tion, date of birth, what is the specific • Creating mechanisms for your clients
reason for data collection and pro- to review whether the data you have
cessing? on them is accurate

• What processes would have to be • Reviewing your archiving protocols

followed for the data to be used for to ensure that archived data is secure
other purposes? and does not reveal personal informa-
tion
• For each data form, e.g. a client en-
rolment form, is all the data collected • Destroying data that is no longer
relevant and necessary for the job it needed
will be used for? • Reviewing contracts and services for
• Do you explain to clients why their storage and processing of data to
data is being collected and how it is ensure that data is stored in countries
used? that have adequate data protection
laws
• Is the client data in your possession
accurate? • Periodically monitoring cybersecurity
measures
• Is data processed and stored secure-
ly? • Training staff on data protection prin-
ciples
• How long do you keep your client
data?
• Do you archive data?
• What measure are taken to protect
identification of clients when ar-
chiving data?
• Is any data destroyed?
• How do you communicate with your
clients regarding their data rights?
• Is any of your client data processed
or stored in servers outside Kenya? In
which country? 3

3 For a more detailed set of questions for each principle, see Annex 1

8
2.2 Legitimate Interest Test

A legitimate interest is the basis for the col-

lection of data. Some examples of such ba-
sis could include: an NGO collecting data of
people who attended an activity for financial
accountability, and an SME collecting client
contact information for future communica-
tions.

Some of the questions to guide the legiti-

mate interest test include:

• What are your data processing activities?

• What data is collected in each data pro-

cessing activity?

• How long will the data be retained?

• If already collecting data, what data is

not required? An organisation
• How do you ensure that the data collect-
processing personal
ed is of good quality? data should have
• For each data processing activity, why do
justifiable reasons
you collect the data you collect? Is it in for processing the
pursuance of a law? Is it for accounting data.
purposes? Or is some data processing
out of practise?

Once the reason for data processing has

been established, steps that could be taken
include:

• Where some of the data processing is

unjustifiable, it should be stopped; and

• Where a decision is taken to halt data

processing, create a plan for retirement
of the data that was previously collected
to mitigate against misuse of that data.

9
2.3 Necessity And Proportionality Test

This test is complementary to the legitimate inter-

est test. While you may have a legitimate interest
for processing data, your interest needs to be bal-
anced against the rights and interests of your cli-
ents.

Some important issues to include in the necessity

and proportionality test include:
• What is the lawful basis (legitimate interest) for
the processing?
• What data is required in order to achieve the le-
gitimate interest?
• Which client rights are potentially affected by
the data you collect?
• In the event of a data breach, how many per- Necessity asks the
sons would be affected? question, does your
• In the event of a data breach, what could be in- data processing
ferred from the data you have?
go beyond your
• How do you protect the privacy of not just your
clients but everyone else to whom the data re-
legitimate interest?
lates? List the measures taken. Proportionality asks,
After the necessity and proportionality analysis,
are there any other
some of the steps you may need to take include: ways to achieve the
• Halting collection of unnecessary data same result that
• Creating a plan for retirement of data that will would better protect
no longer be necessary your clients’ rights
• Introducing sunset clauses or expiry terms on and interests?
data processing
• Creating notification procedures to communi-
cate with clients in case of data breaches or any
other events that they should know of
• Creating procedures for clients who may want
to opt out of some data processing e.g. employ-
ees who may not want to declare their family
• Creating governance mechanisms such as data
protection committees to periodically monitor
data processing activities

10
2.4 Profiling Analysis

Profiling is the automated processing of data

for personal evaluation. If your organisation
uses artificial intelligence (AI) or automation
in data processing, you should carry out a pro-
filing analysis. In a profiling analysis, describe
the personal data analysed in the profiling
process, the considerations taken in the auto-
mated process, and then assess the risk. The Data Protection Act
The Data Protection Act describes profiling as protects your clients
the use of automated processing to analyse from decisions made
or predict a person through their race, sex, only on the basis of
pregnancy, marital status, health status, eth-
nic social origin, colour, age, disability, religion,
automated decision
conscience, belief, culture, dress, language making, including
or birth, personal preferences, interests, be- profiling. You can only
haviour, location or movements 4 . use automated decision
Questions for profiling test include: making:
• What data processing activities use auto- • If it is for purposes
mated processing? Describe them.
of a contract where
• Are there processes where decisions are automated decision
made solely based on automated deci-
sions?
making is required
in order to fulfil the
• Are clients aware that automated decision
making is used?
contract
• Can clients appeal if they are dissatisfied • Where there is a
with the automated decision? law that safeguards
Steps to take once the profiling analysis has the interests of your
been done could include: client or
• Creating procedures for human interven- • Where your client
tion/review of automated decisions
has consented to
• Creating procedures for clients to appeal
use of automated
automated decisions
decision making
• Creating communication mechanisms to
inform clients of automated decision mak-
ing and available appeal procedures

4 See section 2, Data Protection Act

11
2.5 Privacy By Design And Default Test

Privacy by design and default means incorporating

privacy in the building, management, and opera-
tion of any given data processing system or activity.
Privacy by design calls for incorporation of privacy
during development of a system. Privacy by default
means that once the system is in place, the highest
standards of privacy should apply by default, with-
out any input from the user.

Some guiding questions in considering privacy by

design and default include:

• What is the data lifecycle in your organisation?

• What privacy measures exist in each stage of

the data lifecycle?

• What are the privacy measures in the data pro-

cessing system? Do they anticipate, identify, An organisation
and prevent invasion of the system?
processing
• Is data automatically protected once it is col- personal data must
lected?
incorporate privacy
• Are the staff aware of privacy and data protec- by design in its
tion? systems. For systems
• How are privacy incidences e.g. breach report- already in place,
ed and resolved? they should default
• Are clients made aware of privacy incidences? to privacy even
Once the privacy by design and default analysis is
without any input
done, some measures to take could include: from the user.
• Reconceptualising privacy as a proactive, and
not reactive practice during system design

• Including privacy by design and default analy-

sis in the procurement of systems

• Creating and testing privacy measures where

they do not exist in the data lifecycle

• Training staff on privacy and data protection to

inculcate privacy in all organisation activities

• Creating procedures for communicating priva-

cy incidences with clients

• Undergo privacy certification from privacy and

security professionals

• Create privacy governance mechanisms such

as creation of data protection committees and
appointment of a data protection officer

12
2.6 Rights Analysis

The rights analysis may complement the necessity

and proportionality test as it considers the rights
of data subjects in relation to the data processing
activities. The rights analysis involves both privacy
and data protection rights as well as other rights.

Table 3: Privacy rights under Data Protection Act,

Section 26

Privacy rights Description

Right to Clients should be informed

information on how their data is being
used

Access to Clients should be able to

personal data view the data you have
about them
Data processing
activities should
Objection to Clients have a right to op- promote other
processing pose to all or part of their rights of your
data being processed, and clients and not
the organisation should
provide means through
expose the rights
which clients can make of your clients or
such requests their families.

Correction You should provide mech-

of false or anisms through which cli-
misleading data ents can request correction
of false or misleading data

Deletion of false Clients can request dele-

or misleading tion of false or misleading
data data from your records

13
Questions to guide the analysis include: • Who makes decisions related to data
requests from clients and others? Is it
• Do you collect or process sensitive data the system?
such as people’s race, health status,
ethnic social origin, conscience, belief, • What rights are affected in your data
genetic data, biometric data, property processing activities? This requires list-
details, marital status, family details in- ing of other rights and not just privacy.
cluding names of the person’s children, Examples of rights that could be affect-
parents, spouse or spouses, sex or the ed include rights of children, freedom
sexual orientation? of expression, freedom of association,
economic rights, family rights etc.
• Can sensitive information be inferred
from data that you have in your posses- Some steps to be taken after a rights analy-
sion? sis include:

• How many people would be affected if • Creation or enhancement of procedures

the data you have was exposed? through which clients and others can
access their data rights
• How would people be affected if your
data is exposed- could sensitive details • Incorporation of human intervention
about their lives be revealed or inferred? where client requests are automated
(refer to profiling analysis)
• Has your organisation suffered data
breaches in the past? • Establishment of data governance
mechanisms eg a committee to consid-
• What are the threats to the data you er complex requests from clients and
hold? others
• What technical measures have you put
in place to protect against threats to the
data?

• What are organisational measures re in

place to protect the data from exposure?

• How are data subject rights incorporat-

ed in your data processing activities or
in the data life cycle?

14
 STEP Analysis of all the activities as a whole
THREE

Analysing the data of all activities carried ◊ Restructuring of organisation

out enables the identification of risk which processes for more efficient data
is used to flag down any existing vulnera- processing
bilities to the data collection, assessment, ◊ Restructuring of data security
and storage systems. This helps in focusing protocols to enhance protection
on closing the privacy gaps that may be of personal data
identified during the process. Key factors to
consider during the overall analysis include: ◊ Redesigning data processing sys-
tems to default to privacy
• Systems and process: All the systems
where data is collected, how data is l For data governance:
shared across systems, and all actors ◊ Review of contracts with third
within the organisation who access the party processors
data for various functions
◊ Creation of data protection com-
• The data life cycle in the organisation: mittees
how data enters the organisation, how it ◊ Creation of data protection re-
is processed, how it changes, when it is porting hierarchies
retired, and how it is destroyed.
◊ Restructuring information securi-
• Vulnerabilities of the data processing ty committees to undertake data
systems: scope, extent of data and im- protection tasks as well
pact of data breaches within and out- ◊ Carrying out of system audits
side the organisation ecosystem.
◊ Appointment of a data protection
• System security commissioner to oversee data
governance
• The extent to which the people in the
organisation, as well as partners, under- ◊ Training of all staff on data pro-
stand and practice data protection tection
◊ Development of an internal data
• Governance of data, including relation- protection manual
ships with third party data processors,
engagement with clients and public.

Once analysis of all activities is done, possi-

ble actions that may follow include:

l With regards to the data:

◊ Consultation with clients whose
data you possess
◊ Collection of further data for ac-
curacy of data
◊ Merging datasets
◊ Erasure or destruction of data
that are no longer necessary or
justifiable
◊ Deleting of some datasets

15
 STEP Risk Determination
FOUR

Risk determination is an assessment on the • system failure, which could result in data
likelihood of a risk. Data processing comes being unavailable or exposed for longer
with reputational, financial, and rights than necessary
related risks. For example, data can be lost
or stolen, anonymised data can be re-iden- • unauthorised secondary use of data
tified, and sensitive data can be leaked, • corruption of data
leading to emotional damage.
• malicious interference by internal or
Process in risk assessment can involve: external actors
• identification of the risk • accidental human interference for ex-
• development of a risk classification ample inadvertent copying, erroneous
method deletion

• establishment of mitigation measures to • natural disasters affecting physical infra-

match the risk classification structure

Examples of risks include:

Risk determination could either follow industry standards or be developed collaboratively in the
organisation.

Below is an example of a risk identification matrix:

Figure 1: Risk Identification Matrix. Source: ICO

16
Once a data processing activity is deter- Data Protection Impact
mined to be either high, medium or low risk,
the organisation needs to identify measures
STEP Assessement (DPIA)
FIVE
that will mitigate the risks. Examples of miti- Report
gation steps could include:

l Preventative measures such as:

• Staff training to stop habits such Once a determination has been made, a DPIA
as data sharing report is prepared for consideration by man-
• Sunset clauses on data that does agement. It is important for management to
not require to be retained perpet- deliberate on the DPIA for:
ually l Overall accountability: The manage-
• User management ment needs to be aware of all data pro-
cessing activities as they have overall
• Separation of sensitive personal responsibility for data processing within
data from other data to spread the the organisation.
risk across different repositories
l Publication: Although this is not man-
l Repressive measures such as datory, some organisations publish the
• Monitoring processing operations DPIA for transparency.
to detect anomalies and breaches
l Prior consultation requirement: The
as soon as possible
Data Protection Act requires prior con-
• Procedures for revocation of com- sultation with the Data Protection Com-
promised credentials missioner, where data processing activi-
ties are determined to be high risk6 .
l Corrective measures for example:

• Backups with which status quo

can be restored What Should Be Included
• Communication with clients and In The DPIA Report?
other affected people in event of
a data breach The report will inform management of its com-
pliance obligations and whether it has met pro-
It is important to note that the Data Pro-
vided regulatory specifications. Further, the re-
tection Act 5 provides that where data pro-
port needs to inform management of any risks,
cessing risk is determined to be high, you
threats, and measures that have been taken or
are required to consult the data protection
need to be taken to minimize risk. It should con-
commissioner at least sixty days prior to
tain:
that processing.
l Description of all data processing activ-
ities

l Analysis of each activity and test used

l Overall analysis of all processing activi-

ties in the organisation

Once a determination has been made, a l A risk determination

DPIA report is prepared for consideration by
l Recommendations on steps the organi-
management. It is important for manage-
sation needs to take to comply with the
ment to deliberate on the DPIA for:
data protection act and to mitigate risk
for clients whose data they hold
5 Section 31(3) Data Protection Act

6 Section 31(3) Data Protection Act

17
 STEP Monitoring and Evaluation
SIX

Data protection is not a one-off activity 7. Data practices in the organisation must be continually
assessed to inculcate a culture of privacy and data protection within the organisation and with
those the organisation interacts with.

Monitoring involves tracking data processing activities to anticipate incidences that could im-
pact on the rights of clients. Evaluation means testing how well data protection practices are
working.
Table 4: Monitoring and evaluation of the DPIA

Monitoring Evaluation

Track data processing activities Examine the relevance of data protection

mechanisms in the organisation.
Identify data protection incidents
Analyse if data protection measures meet ob-
Anticipate incidents jectives of the Act.
Output: Recommend changes to manage- Output: Lessons and recommendations for
ment as appropriate future DPIA

Conclusion
In summary, a DPIA is the process through which an organisation describes their processing
activities, assesses the risk those activities pose to the rights and freedoms of persons and puts
in place measures to address those risks.

While a DPIA should be carried out prior to data processing, many organisations in Kenya will
conduct the process on existing systems. We hope that this resource is useful in conducting
your DPIA as well as increasing your knowledge on Kenya’s data protection laws.

7 See European Commission (2017) Guidelines on Data Protection Impact Assessment

(DPIA)

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236

18
 Annex 1: Further questions for principles analysis
Fairness

• Can clients expect you to have the data you have on them, even if they did not read the
information you provided them with?
• If consent is your basis for data processing, did you give an explanation before it was
given? Was it freely given? How do you document that people gave it? How can they
revoke their consent?
• Could the data you have on your clients generate chilling effects?
• Could the data you have, lead to discrimination?
• Is it easy for your clients to exercise their rights to access, rectification, erasure etc.?

Transparency

• Is the information you provide complete and easy to understand?

• How do you ensure that the information you provide actually reaches the individuals
concerned?
• Have you tailored information to different audiences? e.g. children may require tailored
information
• Where you have not provided information, how do you justify data collection or process-
ing?

Purpose Limitation

• Have you identified all purposes of your data processing?

• Are all purposes compatible with the initial purpose for which data was collected?
• Is there a risk that the data could be reused for other purposes (function creep)?
• How can you ensure that data is only used for their defined purposes?
• In case you want to make available / re-use data for scientific research, statistical or his-
torical purposes, what safeguards do you apply to protect the individuals concerned?

Data Minimisation

• Do the data you collect measure what you intend to measure?

• Are there data items you could remove without compromising your purpose?
• Do you clearly distinguish between mandatory and optional items in forms?
• In case you want to keep information for statistical purposes, how do you manage the
risk of re-identification?

Accuracy

• Are the data of good quality for the purpose?

• How would inaccurate information affect your clients in your data processing?

• How do you ensure that the data you collect yourself is accurate?

19
 • How do you ensure that data you obtain from third parties is accurate?

• Do your tools allow updating / correcting data where necessary?

• Do your tools allow consistency checks?

Storage Limitation

• Is there any law, e.g Data Protection Act, Insurance Act, Income Tax Act etc that defines
durations for which you must keep data?

• How long do you need to keep which data? For which purpose(s)?

• Can you distinguish storage periods for different parts of the data?

• If you cannot delete the data just yet, can you restrict access to it?

• Will your tools allow automated permanent erasure at the end of the storage period?

Security

• Do you have a procedure to perform an identification, analysis and evaluation of the in-
formation security risks potentially affecting personal data and the IT systems support-
ing their processing?

• Do you target the impact on people’s fundamental rights, freedoms and interests and
not only on the risks to the organisation?

• Do you take into consideration the nature, scope, context and purposes of processing
when assessing the risks?

• Do you manage your system vulnerabilities and threats for your data and systems?

• Do you have resources and staff with assigned roles to perform the risk assessment?

• Do you systematically review and update the security measures in relation to the context
of the processing and the risks?

20
 Ole Sangale Rd, Madaraka Estate.
PO Box 59857-00200, Nairobi, Kenya.
Tel +254 (0)703 034612

Email: cipit@strathmore.edu
Website:www.cipit.strathmore.edu

AUTHORED BY GRACE MUTUNG’U AND FLORENCE OGONJO.

EDITED BY MELISSA OMINO.

© 2021 by Center of Intellectual Property and Technology Law (CIPIT). This work is licensed
under a Creative Commons Attribution – NonCommercial – ShareAlike 4.0 International
License (CC BY NC SA 4.0). This license allows you to distribute, remix, adapt, and build upon
this work for non – commercial purposes, as long as you credit CIPIT and distribute your
creations under the same license: https://creativecommons.org/licenses/by-nc-sa/4.0/