On 8th November 2019, the President signed the Data Protection Bill into law. The commencement date of the Act was 25th November 2019. The law establishes requirements for the protection and privacy of personal data. The Act gives effect to Article 31 of the Constitution of Kenya, which enshrines the right to privacy.
The data protection principles encompassed in the Act require data processing to be lawful, fair, and transparent. Data collection should be for a specified and legitimate purpose, relevant, and limited to what is necessary. Data should not be kept for longer than is necessary. It should also not be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject. The rights of data subjects and the obligations arising out of these rights are clearly outlined in Part IV of the Act. When personal data is mishandled or stolen, data subjects have channels for redress of such breaches. The general penalty prescribed in the Act for offences under the Act is a fine not exceeding Kenya Shillings Three Million or an imprisonment term not exceeding ten years, or both.
Personal data is described as information that relates to an identified or identifiable natural person and therefore distinguishes people from each other. Examples of personal data include passports, identity cards, driving licenses, biometric information, videos, photos, IP addresses and user names.
Sensitive personal data means data that reveals a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation.
The key players are:
- The Data Subject- This is the individual who is subject to the personal data.
- The Data Controller- The party that determines the purpose and means of processing personal data. This can be an individual or an organization.
- The Data Processor- The party that processes data on behalf of the controller.
- The Data Commissioner- The office established under the Act with the responsibility of ensuring implementation and enforcement of the Act.
Critique of the Act
a- Consent
Consent to processing of personal data must be express, unequivocal, free, specific and informed, given by a clear indication of the data subject’s wishes through a statement or clear affirmative action. Therefore, implied consent can no longer be relied on. This brings into doubt the reliance on pre-ticked boxes on websites or other default methods of obtaining consent.
b- Sensitive Personal Data
This type of data is afforded a higher level of protection. The scope has been widened from the description in the Bill to include property details (information that is usually required by courier and package delivery companies), marital status and family details.
c- The Offices of the Data Protection Officer, Controller, Processor and Commissioner
The Commissioner is mandated with the responsibility of ensuring implementation and enforcement of the provisions of the Act, which includes the creation and maintenance of the register of all data processors and controllers. Data controllers and processors must be validly registered with the Commissioner in order to operate. This, among other safeguards and security measures such as the indemnification of data subjects against unlawful use of their data, is an indicator that officers, controllers and processors will be held accountable for any breaches of a subject’s rights and interests.
A Data Protection Officer (DPO) shall be appointed in the context of certain activities, such as those requiring regular monitoring of data subjects. Their primary role is to ensure that organizations process data in compliance with the Act. They are therefore tasked with the responsibility of advising on compliance with the Act.
d- Prohibition of data transfer outside of Kenya
The proviso to this prohibition is where there is proof of adequate protection safeguards and consent by the data subject is provided. Opposing views are offered by public bodies and business organizations, citing security and technical considerations as well as the data subject’s right to know where their personal data shall be stored.
e- Processing data of a child
This will require the incorporation of appropriate mechanisms for age verification and for consent to be provided by the parents or guardians of the child. Organizations such as academic institutions need to implement mechanisms for this.
f- Prescribed response for breaches
Where personal data is accessed by unauthorized persons and there is a real risk of harm to the data subject whose data has been accessed, the Commissioner must be notified within 72 hours; the occurrence of the breach must then be communicated in writing to the data subject, in the detail prescribed in the Act, within a reasonably practicable period.
g- Protection of processing of health data
Processing of such data is restricted to it being undertaken under the responsibility of a healthcare provider or a person subject to professional standards of secrecy and a duty of care.
h- Filing complaints with the Data Commissioner
Where a data subject’s rights under the Act are infringed, the subject has the right to file a complaint with the Commissioner. Thereafter, the Commissioner has the right to serve an enforcement notice as well as a penalty notice and a further administrative fine for infringement of the provisions of the Act.
The impact of this Act is that persons who collect, control, manage and store data will need to review their terms and conditions and operations to avoid the risks of non-compliance. A grace period should be provided for implementation, giving organizations and businesses an opportunity to carry out their own internal data audits of existing practices and processes so that they are not caught off guard when the time for enforcement comes. It is also not clear what the stages for implementation will be, if any.