Data protection refers to the practices, policies, and legal measures designed to safeguard personal data from unauthorised access, misuse, or disclosure. In Kenya, data protection is regulated by the Data Protection Act, 2019, which gives effect to Article 31(c) and (d) of the Constitution of Kenya 2010. Article 31 guarantees the right to privacy, a fundamental human right; the Act gives effect to that right by, among other things, requiring organisations to obtain individuals' consent before collecting, using, or disclosing their personal information.
Importance of Data Protection
Data protection is essential for the following reasons:
- It helps to comply with laws and regulations. Non-compliance with data protection laws can result in hefty fines and legal consequences.
- Data protection helps ensure that individuals' personal information, such as identification numbers, health records, and financial data, remains private and secure, and that sensitive information is not disclosed to unauthorised individuals or entities.
- Organizations that protect data effectively are more likely to gain and retain the trust of their customers. Data breaches can severely damage an organization’s reputation, leading to loss of business and revenue.
- Data protection measures help prevent identity theft and financial fraud. The cost of a data breach can be significant, including legal fees, compensation, and loss of business. Effective data protection can mitigate these costs.
- Organizations have an ethical responsibility to protect the data of their employees, customers, and stakeholders.
Children’s Data
The Data Protection Act prohibits the processing of data related to a child unless consent is provided by the child’s parent or guardian, and the processing is conducted in a way that protects and promotes the child’s rights and best interests. The General Regulations require that a Data Protection Impact Assessment must be conducted when processing children’s data. Additionally, any breach related to an adoption order or similar information must be reported as a notifiable breach.
Categories of Data
There are two categories of data, namely, personal data and sensitive personal data.
Personal Data
Personal data refers to any information that can identify a natural person. Examples include:
- Name.
- Phone number.
- Birth certificate.
- Ethnicity.
- Location.
Sensitive Personal Data
Sensitive Personal Data, also known as Special Category Data, is personal data that is considered more sensitive and therefore requires a higher level of protection, because mishandling or a breach of it is more likely to harm the privacy rights and freedoms of the individual. Examples include:
- Health status.
- Biometric data.
- Ethnicity.
- Marital status.
This type of data must be handled with extra care to ensure its privacy and security.
Principles of Personal Data Protection
The following are the principles of personal data protection under the law:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
- Purpose Limitation: Personal data must be collected and processed for specific, explicit, and legitimate purposes.
- Data Minimization: Personal data should be limited to what is necessary for the specified purposes.
- Accuracy: Personal data should be accurate and kept up to date.
- Storage Limitation: Personal data should be stored only as long as necessary for the specified purposes.
- Accountability and Transparency: Organisations must take responsibility for personal data and ensure individuals can exercise their rights. They must also provide clear information on data processing.
- Integrity and Confidentiality: Personal data must be secured against unauthorised processing, loss, destruction, or damage.
Common Ways of Sharing Personal Information
People often share their data in various ways, sometimes knowingly and sometimes unknowingly. Common methods include:
- Making payments.
- Accessing services from government and private institutions (e.g., schools, hospitals)
- Accessing buildings.
- Signing up for services or accounts (physically or online).
- Filling out forms (physically or online).
- Using social media.
- Online shopping.
- Using digital apps.
Data Protection Stakeholders
Data Subject
A data subject is an identified or identifiable natural person to whom personal data relates. This includes you and me.
Data Subject’s Rights
Data subjects have several rights under the law, including:
- To be informed of how their personal data will be used.
- To access their personal data held by a Data Controller or Processor.
- To object to the processing of all or part of their personal data.
- To correct false or misleading data.
- To delete false or misleading data about them.
- The right to erasure.
- The right to data portability.
- The right not to be subject to a decision based solely on automated processing.
Data Controller
A Data Controller is a person or entity that collects personal data and determines the purposes and means of its processing. Examples include:
- A bank collecting customer information to open accounts.
- A retail company collecting customer information for marketing emails.
- A hospital collecting patient information for medical treatment.
- A government agency collecting citizen information for tax purposes.
- A credit bureau collecting financial information for credit scoring.
Data Processor
A Data Processor is an entity that processes personal data on behalf of a Data Controller. The Data Processor does not decide the purposes or means of processing but acts under the instructions of the Data Controller. Examples include:
- A cloud storage provider storing information for a bank.
- A marketing agency sending emails on behalf of a retail company.
- A billing service processing medical claims for a hospital.
- A tax software provider processing tax returns for a government agency.
- A collection agency collecting delinquent accounts for a credit bureau.
Office of the Data Protection Commissioner (ODPC)
The ODPC is the government agency established under the Data Protection Act, 2019 to oversee the appropriate handling of personal data in Kenya.
Commercial Use of Data
The law prohibits the use of personal data by any person for commercial purposes unless:
- The person has obtained express consent from the Data Subject; or
- The person is authorised to do so under any written law, and the Data Subject has been informed of such use when the data was collected.
Additionally, a Data Controller or Data Processor that uses personal data for commercial purposes must, where possible, anonymise the data to ensure that the Data Subject is no longer identifiable.
Registration With ODPC
Registration of Data Controllers and Processors with the ODPC is both a legal requirement and a practical benefit:
- Under the Data Protection Act, 2019, all public and non-profit entities must register, regardless of revenue. Civil Registration Entities are, however, exempt.
- Compliance builds trust and protects an organisation's brand.
- Registration keeps the information the ODPC holds about the organisation accurate and up to date.
- Registration also helps organisations stay ahead of evolving data protection laws.
Registration Process
To register as a Data Controller or Processor, you must provide the ODPC with the following information:
Basic Details
- Submit audited accounts for the previous accounting period in PDF format. For newly established entities, provide a signed revenue statement or KRA returns in PDF format.
- Contact information (provide correct email addresses, institution or individual name, postal address, country, county location, telephone number, street address, building name).
- Specify the sector, such as agriculture or finance.
- Provide a Certificate of Incorporation.
- Include the name, email address, and phone number of the Data Protection Officer.
Personal Data Category
For this category:
- Identify the categories of personal data you process (e.g., employee, client, student, supplier, shareholder).
- Provide details of the types of personal data to be processed (e.g., name, address, identification number).
- Explain the purpose of processing the data (e.g., payroll, invoicing, Know Your Customer (KYC)).
Sensitive Personal Data Category
For this category, indicate which of the following types of sensitive personal data you process:
- Racial or ethnic origin.
- Religious or philosophical beliefs and matters of conscience.
- Marital status (including details of spouse and children).
- Physical and mental health information.
- Sex or sexual orientation.
- Biometric data.
- GPS location data.
- Genetic data.
Additionally, for each of the above categories, you are required to specify the purpose for processing that particular category of data.
Transfer of Data
If personal data you process is stored outside Kenya, you must provide a list of all countries where the data is held. This requirement ensures transparency and allows the adequacy of data protection in those jurisdictions to be assessed.
Measures of Protection of Personal Data
Risk Measures
Data Controllers or Processors must identify and list the potential risk areas associated with personal data. These risks may include:
- Fraud: Risks of unauthorized access or misuse of personal data leading to financial loss.
- Malware Attacks: Threats from malicious software that can compromise data security.
- Phishing Attacks: Attempts to deceive individuals into providing sensitive information through fraudulent communications.
- Social Engineering: Manipulative tactics used to gain unauthorized access to personal data.
- Ransomware: Malicious software that encrypts data, demanding payment for its release.
Safeguard Measures
Data Controllers or Processors are required to implement or plan to implement protective measures to address and mitigate these identified risks. Safeguard measures may include:
- Employing security technologies such as encryption, firewalls, and anti-malware solutions to protect data from unauthorized access and attacks.
- Developing elaborate policies and procedures to manage and secure personal data, including regular security training for employees and incident response plans.
- Developing mechanisms to ensure that only authorised individuals can access or process personal data.
- Conducting regular audits and monitoring to detect vulnerabilities and ensure that data protection measures are effective and up-to-date.
Employees and Turnover
Data Controllers or Processors are required to provide the following information:
- Indicate the turnover for the previous year (e.g., 0-5,000,000).
- Specify the number of employees (e.g., 0-9).
- For recently incorporated companies, attach KRA tax returns. If tax returns are not available, provide any other equivalent evidence.
- Submit a signed declaration confirming the number of employees.
Exemption from Mandatory Registration
If your annual turnover is below KES 5 million, you are exempt from mandatory registration.
Mandatory Registration Requirements
Despite the exemption for turnover below KES 5 million, Data Controllers or Processors must register if they are involved in any of the following activities:
- Engaging in activities related to canvassing political support among the electorate.
- Operating educational institutions.
- Crime prevention and prosecution (including operating CCTV systems).
- Engaging in gambling activities.
- Providing patient care and health administration services.
- Firms in the hospitality sector, excluding tour guides.
- Managing property, including the sale of land.
- Providing financial services.
- Processing genetic data. Genetic data is personal data relating to inherited or acquired genetic characteristics of a person from the analysis of a biological sample, including DNA or RNA analysis.
Issuance of Certificate
Upon submission of the required information and payment of the prescribed fees, the ODPC will review your application and either approve or refuse the application based on the review.
- If approved, the ODPC will issue a Certificate of Registration and update its register to include your organisation as a Data Controller, a Data Processor, or both.
- If the application is refused, the ODPC will provide reasons for the refusal, allowing you to address any issues before reapplying.
It is important to note that Data Controllers or Processors must notify the ODPC of any changes to their application within 14 days. This ensures that the information on record remains accurate and up-to-date.
General Penalty
The law stipulates that a person who commits an offence under the Act or otherwise contravenes the Act shall, upon conviction, be subject to a fine not exceeding three million shillings, imprisonment for a term not exceeding ten years, or both.
Complaints and Investigations
Complaints
A Complaint is a statement expressing dissatisfaction with how personal data has been handled.
- Who Can Complain?
A complaint may be lodged by the data subject, by a person authorised to act on their behalf, or anonymously.
- How to Lodge a Complaint
Complaints may be made orally, in which case they are reduced to writing, or in writing by post, email, or through the ODPC website.
- Required Information
Personal information, details about the respondent, nature of the complaint, supporting documents.
Investigations
The goal of investigations is to gather all relevant facts about an incident, including what happened, when it occurred, where it took place, who was responsible, and who was affected. The ODPC is authorised to order examinations, request documents, and obtain written statements as part of the investigation process. Complaints are investigated and concluded within 90 days.
Data Protection Enforcement
The ODPC is responsible for enforcing compliance with data protection laws in Kenya.
Enforcement Action
- An Enforcement Notice is issued for non-compliance. It specifies the corrective measures required, the period within which to comply, and the consequences of failing to do so.
- A Penalty Notice is issued for failing to comply with an Enforcement Notice and states the penalty to be paid. The party served may appeal to the High Court.
- Where a party fails to comply, a penalty may be imposed immediately, payable at once or once any appeal has been determined.
Steps to Ensure Compliance with Data Protection Regulations
Ensuring compliance with data protection regulations involves a comprehensive approach designed to safeguard personal data and adhere to legal requirements. Here is a structured plan to achieve and maintain compliance:
- Data Protection Officer
Appoint a Data Protection Officer (DPO) where the law requires one, and as good practice otherwise. The DPO's responsibilities should be clearly defined and include the following:
- advise the Data Controller or Data Processor and their employees on data processing requirements provided under the law;
- ensure on behalf of the Data Controller or Data Processor that the law is complied with;
- facilitate capacity building of staff involved in data processing operations;
- provide advice on data protection impact assessment; and
- co-operate with the Data Commissioner and any other authority on matters relating to data protection.
- Register as a Data Controller or Processor with the ODPC
Ensure your organisation is registered as a Data Controller or Data Processor with the ODPC. This step is essential for legal compliance and demonstrates your commitment to data protection standards.
- Data Protection Impact Assessment (DPIA)
A DPIA evaluates the potential impact of planned data processing activities on the protection of personal data. The law mandates that if a processing operation is likely to pose a high risk to the rights and freedoms of a Data Subject due to its nature, scope, context, and purposes, the Data Controller or Data Processor must conduct a DPIA before processing begins.
A DPIA must include the following elements:
- Systematic Description
This is a comprehensive description of the planned processing operations and their purposes, including, where applicable, the legitimate interests pursued by the Data Controller or Data Processor.
- Necessity and Proportionality Assessment
This is an evaluation of the necessity and proportionality of the processing operations in relation to their purposes.
- Risk Assessment
This entails an assessment of the risks posed to the rights and freedoms of data subjects.
- Risk Mitigation Measures
This covers the measures envisaged to address the risks, together with the safeguards, security measures and mechanisms that ensure the protection of personal data and demonstrate compliance with the Data Protection Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
If a DPIA indicates that the processing of data would result in a high risk to the rights and freedoms of a data subject, the data controller or data processor must consult the Data Commissioner before processing. DPIA reports must be submitted at least sixty days prior to the commencement of data processing.
- Develop and Implement Data Protection Policies
Develop comprehensive data protection policies and procedures as required by data protection regulations. This includes:
- Data Retention Policies. These define how long personal data will be retained and ensure it is securely deleted when no longer needed.
- Data Protection Policies. These outline how personal data will be protected, including measures for data security and access control.
- Data Privacy Statements. These create clear and transparent privacy statements for data subjects, explaining how their data will be used and their rights.
- Consent Management. This ensures that every document used to collect data includes a declaration and consent section for data subjects.
- Establish Data Breach Response Procedures
Develop a clear and effective plan for responding to data breaches. This plan should include:
- Notification Procedures. These outline how to notify affected data subjects and regulatory authorities promptly in the event of a data breach.
- Breach Documentation. This maintains detailed records of data breaches and the steps taken to mitigate their impact.
- Train Employees
An organisation should conduct regular training sessions for all employees on data protection law, principles, policies, and procedures, and provide specialised training for employees who handle sensitive data or are involved in data processing activities. Such training ensures that employees understand their responsibilities and can contribute effectively to data protection efforts.
- Maintain Documentation and Records
An organisation should keep comprehensive records of all data processing activities, including Data Protection Impact Assessments (DPIAs), consents, data breaches, and compliance measures. Be prepared to provide documentation and reports to regulatory authorities upon request. Proper documentation is critical for demonstrating compliance and accountability.
- Monitor and Review Compliance
It is important to implement continuous monitoring mechanisms to detect and address compliance issues promptly. Additionally, an organisation should regularly review and update data protection policies, procedures, and practices to ensure ongoing compliance and adapt to changes in regulations. Periodic reviews help identify areas for improvement and ensure that data protection measures remain effective and up-to-date.
The information provided in this article is for general informational purposes only and does not constitute legal advice. For guidance or inquiries regarding Data Protection and Compliance in Kenya, contact us via email at info@dmklaws.co.ke and dmklaws@gmail.com or call +254 111 888 681.