THE INS AND OUTS OF THE KENYAN DATA PROTECTION ACT
Data protection can be defined as the mechanism of safeguarding personal data and entails protections granted with respect to collection, processing, dissemination and use of the data. The Data Protection Act (the Act) came into force on the 8th of November 2019 and is currently in the implementation phase.
The Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller and data processor. Further, the Data Protection Act establishes the Office of the Data Protection Commissioner (‘the ODPC’), which will be responsible for ensuring effective implementation and compliance with the Act.
This article seeks to provide an overview of the Data Protection Act and key insight into what compliance looks like with regards to Data Protection Law in Kenya.
The main regulator in terms of the Data Protection Act is the ODPC as provided for under Section 5.
Main powers, duties and responsibilities
The Act provides that the ODPC must do all such things as are necessary to protect the personal rights of individuals with regard to their personal data and must ensure the effective application of and compliance with the Data Protection Act and, in particular, the right to protection of personal data, access, rectification, objection, and cancellation of such data.
The ODPC is authorized to:
a. Oversee the implementation of and be responsible for the enforcement of the Act.b. Establish and maintain a register of data controllers and data processors.
b. Exercise oversight on data processing operations, either of own motion or at the request of a data subject and verify whether the processing of data is done in accordance with the Act.
c. Promote self-regulation among data controllers and data processors.
d. Conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of the Act or any other relevant law.
e. Receive and investigate any complaint by any person on infringements of the rights under the Act.
f. Take such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public.
g. Carry out inspections of public and private entities with a view to evaluating the processing of personal data.
h. Promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements.
i. Undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals; and
j. Perform such other functions as may be prescribed by any other law or as necessary for the promotion of object of the Act.
Key definitions under Section 2 of the Act are set out below;
a. Data controller: A natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means by which personal data is to be processed, regardless of whether such data is processed by such person or agent on that person’s behalf.
b. Data processor: A natural or legal person, public authority, agency, or other body which processes data on behalf of the data controller.
c. Personal data: Personal data means information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural, or social identity.
d. Sensitive data: Personal data relating to a data subject which reveals his or her:
- racial or ethnic origin.
- political opinions.
- religious beliefs or philosophical beliefs.
- membership of a trade union.
- physical or mental health or condition.
- sexual life.
- filiation; or
- personal financial information.
Sensitive data also includes:
- any commission or alleged commission by him or her of any offence.
- any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and
- genetic data, biometric data, and the personal data of minors.
e. Health data: data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected during registration for, or provision of health services, or data which associates the data subject to the provision of specific health services.
f. Biometric data: Any information stemming from the statistical analysis of biological data.
g. Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
h. Data subject: an identified or identifiable natural person who is the subject of personal data.
LEGAL BASIS FOR PROCESSING DATA
Personal data must be processed with freely given, specific, and informed consent of the data subjects. Section 30 (a) of the Act provides that personal data may be processed where the data subject has given his or her written consent. The same applies to sensitive personal data as provided for in Section 44 of the Act. Per Section 32 (2) of the Act, consent may, at any time, in writing, be withdrawn by the data subject at any time based on legitimate, reasonable, and compelling grounds.
Contract with the data subject
Section 30(b) (i) of the Act outlines that personal data may be processed where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Section 30(b) (ii) of the Data Protection Act provides that personal data may be processed where processing is necessary for compliance with a legal obligation to which the data controller is subject.
Interests of the data subject
Section 30(b) (iii) of the Act sets out that that personal data may be processed where processing is necessary in order to protect the vital interests of the data subject.
In terms of Section 30(b) (iv) of the Act, processing may be carried out if it is necessary for the performance of an activity that is carried out in the public interest or in the exercise of an official authority vested in the data controller or in a third party to whom the data is disclosed. The personal interests of the data subject must still be considered.
Legitimate interests of the data controller
Section 30 (b) (v) of the Act provides that personal data may be processed where processing is necessary for a purpose that concerns a legitimate interest of the data controller or of a third party to whom personal data is provided. However, this cannot be relied upon where such interest is overridden by the fundamental rights and freedoms of the data subject, with particular attention to the right to privacy.
Additionally, for the purpose of historical, statistical, journalistic, literature and art or scientific research.
Personal data must be processed, by people and entities, in accordance with the principles specified in Section 25 of the Act. The principles of data processing provide:
a. Lawfulness-Personal data must be processed lawfully, transparently, and fairly.
b. Purpose Limitation– Data should be collected only for specific legitimate purposes and limited to what is necessary, relevant, and accurate.
c. Storage Limitation– Data should be kept up to date, stored only for as long as is necessary, and with appropriate security; and
d. Data Minimization– Data should be collected for adequate and relevant purposes and is limited to what is necessary in relation to the purposes for which it is processed.
e. Accuracy– Data should be collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified promptly.
personal data must be protected by reasonable security safeguards against risks, such as loss, unauthorized access, destruction, use, disclosure, etc.
CONTROLLER AND PROCESSOR OBLIGATIONS
1.Data processing notification
Section 8 (b) of the Data Protection Act provides that the Commissioner shall create and maintain a public register of all data controllers. Under the Act, data controllers and data processors are required to be registered with the Commissioner. The Commissioner has the mandate to prescribe the threshold for registration based on various factors, including:
- the nature of industry of the data controller or data processor.
- the volumes of data processed.
- whether sensitive personal data is being processed; and
- any other factor the Commissioner may consider relevant.
The Commissioner is tasked with maintaining a register of data controllers and data processors, and with issuing data controllers and processors with certificates of registration.
Data controllers must notify data subjects of:
- their rights under the Act.
- what data is being collected.
- whether the collection is voluntary or mandatory.
- the consequences of failure to provide all or any part of the requested data.
- the fact that their data is being collected and processed; and
- the uses to which their data will be put.
Data subjects also have the right to be informed of the third parties to whom their personal data will be transferred, including details of safeguards adopted and whether the data may be shared with any other entity. Data controllers and data processors must notify data subjects of their contacts and provide a description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data. In the event of a breach where there is a real risk of harm to data subjects, data controllers must notify data subjects of the breach (after notification to the Commissioner) in writing within a reasonably practical period.
Where an automated processing decision produces legal effects or significantly affects a data subject, the data processor must notify the data subject in writing that a decision has been taken based solely on automated processing.
2. Data transfers
The Act provides for conditions that must be met for the transfer of data outside Kenya, and these are where the data controller or data processor has:
- the consent of the data subject where there is processing of sensitive personal data and confirmation of appropriate safeguards.
- given proof to the Commissioner on appropriate safeguards with respect to the security and protection of the personal data involved; and
- given proof to the Commissioner with respect to appropriate safeguards including jurisdictions with commensurate data protection laws.
Moreover, data transfers may be permissible where necessary:
- for the performance or implementation of pre-contractual measures of a contract between the data subject and data controller or data processor.
- for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person.
- for any matter of public interest.
- for the establishment, exercise, or defense of a legal claim.
- to protect the vital interests of a data subject or other persons where the data subject is legally incapable of giving consent; or
- for compelling legitimate interests pursued by the data controller or data processor that are not overridden by the rights of the data subject.
Section 50 of the Act further provides that the Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data center located in Kenya on the basis of strategic interests of the State or for the protection of revenue. Under the Health Information System Policy, there is a requirement that health data should not be stored outside Kenyan territory. As a matter of law, the Health Information System Policy, while not binding, is persuasive, and in the absence of statute provisions courts are likely to be guided by policy considerations in so far as they are interpreted in line with the Constitution and legal precedent.
3. Data processing records
Section 23 of the Act creates the duty of the Commissioner to conduct periodical audits on processes and systems of data controller or processor uses. This may require controllers and processors to maintain their processing records for purposes of providing sufficient information for such audits.
While there is no express requirement for data controllers or processors to maintain processing records, the other obligations in the Act will likely give rise to the maintenance of data processing records to ensure compliance.
4. Data protection impact assessment
Section 31 of the Act requires that where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a Data Protection Impact Assessment (‘DPIA’). The Act does not set out the types of processing subject to DPIA but generally provides that the DPIA would apply to any processing that by its nature, scope, context, or purposes would result in high risk to the rights and freedoms of the data subject.
5. Data protection officer appointment (DPO)
The Act requires data controllers and data subjects to appoint DPOs. The requirement is however not couched in mandatory terms, and DPO appointments are dependent on the conditions and activities of the data controller or processor. For the appointment of a DPO, the Act requires a data controller or data processor to designate a DPO on terms and conditions it may determine where:
- processing is carried out by a public or private body, except for courts acting in their judicial capacity.
- the core activities of the data controller or data processor if by virtue of their nature, scope, or purposes require regular and systematic monitoring of data subjects; or
- the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.
The data controller or processor does not need to carve out a specialized DPO position. The DPO may be a staff member and may fulfil other tasks and responsibilities, provided this does not result in conflicts of interest. In addition, a group of entities may appoint a single DPO, provided such position-holder is accessible by/available to each entity. The contact details of the DPO must be communicated to the Commissioner as well as published on the official website of the data controller or data processor.
6. Data breach notification
Where there is a real risk of harm to the data subject in case of a breach involving their personal data, there is an obligation to notify:
- the Commissioner within 72 hours; and
- the data subject within a reasonable time.
7. Data retention
The Act provides for retention of data under various circumstances which are (Section 39 of the Act):
- as long as is reasonably necessary to satisfy the purpose for which the data is collected and processed.
- as required or authorized by law including sectoral laws.
- as consented to by the data subject; or
- for historical, statistical, journalistic, literature, art, or research purposes.
8. Children’s data
The Act prohibits the processing of data relating to a child unless consent is given by the child’s parent or guardian and the processing is in a manner that protects and advances the rights and best interests of the child (Section 33 of the Act).
9. Special categories of personal data
Processing of sensitive data is restricted, and sensitive data includes the data defined under the key definitions above. In addition, under Section 47 of the Act, the Commissioner has the power to determine further categories of personal data that may be classified as sensitive data, as well any special grounds that such data may be processed considering:
- the risk of significant harm that may be caused to the data subject as a result of processing.
- the expectation of confidentiality that may be attached to such category of data.
- whether a significant and discernible class of data subjects may suffer harm from such processing; and
- the adequacy of protection afforded by ordinary provisions applicable to personal data.
It is worth noting that court records are public records and many of the court cases are reported online. As such, data related to a person’s court case, including criminal convictions, would not be protected under the Act. Only information regarding children is concealed in the publication of court records.
10. Controller and processor contracts
As part of the organizational measures a data controller or processor is required to implement for the protection of personal data, the Act requires that where a data controller is using the services of a data processor, the parties must have a written contract that specifies that the data processor may only act on instructions received from the data controller. In addition, the contract must specify that the data processor shall be bound by the obligations of the data controller.
DATA SUBJECT RIGHTS
a. Right to be informed– The Act simply provides that a data subject has the right to be informed of the use to which their personal data is to be subject. The data controller or processor has the obligation to notify the data subject: of their rights; that personal data is being collected; of the purpose of the collection, of any third parties with whom the data will be shared with; of the safeguards adopted in case of third party sharing; of the contact information about the processor or controller; of the technical and organizational measures taken by the controller or processor to protect the data collected, whether the collection is pursuant to any law, voluntary or mandatory; and of the consequences if any of refusal to provide some or all of the data
b. Right to access– The data subject has the right to access their data that is in the custody of the data controller or data processor, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)
c. Right to rectification– The Act provides for the data subject’s right to the correction of false or misleading data, to deletion of false or misleading data, and to updating their data, similar to the GDPR. The data controller or processor has an obligation to provide means for the data subject to make requests for rectification.
d. Right to erasure– As in the GDPR, the right to erasure is not absolute and applies under specific circumstances which under the Act are; where the data is inaccurate, outdated, incomplete, or misleading; where the data controller or processor is no longer authorized to retain the data; or the data is irrelevant, excessive, or has been obtained unlawfully.
e. Right to object/opt-out– As in the GDPR, a data subject has the right to object to the processing of all or part of their personal data. However, the legitimate interest for the processing which overrides the data subject’s rights may be applicable in limiting this right.
f. Right to data portability– Much like the GDPR, a data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible. The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task, the exercise of official authority, or portability may adversely affect the rights and freedoms of others.
g. Right not to be subject to automated decision-making– The data subject has the right to request the data processor to reconsider the decision or take a new decision that is not based solely on automated processing. As a result, the data controller or processor has an obligation to consider the request, comply with it, and notify the data subject of the steps taken to comply with the request and the outcome of compliance. There is no set standard for the process of the request by a data subject, but this is expected to be outlined in detail in the regulations that will supplement the Act. Unlike the GDPR, the Act does not require a data controller or processor to provide the data subject with prior information about processing with regard to automated decision-making and does not implicitly require processors to ensure the systems are working as intended through regular checks, even though this is expected from the obligations of the data controller and processor.
The Act provides for various offences and sanctions. These include:
- where the Commissioner is satisfied that a person has failed or is failing to comply with any provision of the Act, the Commissioner may serve an enforcement notice and a penalty notice requiring the person to pay a penalty of an amount specified in the notice. The maximum penalty that may be imposed in penalty notice is up to KES 5 million or up to 1% of the annual turnover of the preceding financial year, whichever is lower.
- failure to comply with an enforcement notice is an offence and upon conviction, a person is liable to a fine not exceeding KES 5 million or imprisonment for a term not exceeding two years, or both.
- obstruction of a Commissioner in exercising its functions is an offence that attracts a fine not exceeding KES 5 million (or imprisonment for a term not exceeding two years, or both.
- in relation to the failure to register with the Commissioner as a data controller or data processor, unlawful disclosure, processing of personal data without lawful purpose, the sale of personal data and publication of false or misleading information to the Commissioner, penalties are not specified and for this reason the general penalty of a fine not exceeding KES 3 million or imprisonment for a term not exceeding ten years, or both is applicable; and
- a data subject is entitled to compensation for damage from the data controller or data processor for any violation of their rights.
In conclusion, while reflecting on the aforementioned, two critical aspects should emerge with regards to responsible parties. Firstly, responsible parties should consider, as part of demonstrating accountability, the appointment of a data protection officer. Secondly, the need to ensure that accountability documents (i.e., policies, procedures and practices) and trade documents (contracts with customers and suppliers) are drafted, implemented, monitored and maintained in compliance with the Act.
It would also be prudent that organizations to comply with the Act by means of risk assessments being conducted and sufficient data protection policies, procedures and practices being implemented.