DATA PROTECTION OVERVIEW IN KENYA

The right to privacy is guaranteed as a fundamental right in Kenya’s Constitution (‘the Constitution’). The Data Protection Act, 2019 (‘the Act’) was enacted and came into effect on November 25, 2019, to give effect to this constitutional right under Article 31(c) and (d). The Act applies to all personal data processing by any data controller or data processor established or residing in Kenya and processing personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya.

  1. LEGAL STATUTES THAT GUIDE THE DATA PROTECTION ACT

The Data Protection Act is guided by the following statutes:

  • The Kenya Information and Communications Act

This Act came into effect in February 1999. The Kenya Information and Communications Act governs Kenya’s information and communications technology industry. It specifies the requirements and compliance standards that must be met by licensed information and communication service providers who are data collectors and controllers. The Kenya Information and Communications Act’s provisions are enforced through its regulations, which include the Kenya Information and Communications (Consumer Protection) Regulations of 2010 (‘the Consumer Protection Regulations’) and the Kenya Information and Communications Act (Registration of SIM Cards) Regulations of 2015 (‘the SIM Cards Regulations’).

The Kenya Information and Communications Act applies to telecommunication service providers who have received an operating license from the Communications Authority (‘CA’). Mobile network operators, content service providers, application service providers, submarine cable landing rights holders, and international gateway system service providers are all licensed providers.

  • The National Payment System Act

The National Payment System Act, 2011 (‘the NPSA’) and the National Payment System Regulations, 2014 (‘the NPSR’) govern the processing of financial data in the financial sector. Payment systems and payment system providers are governed by the National Payment System Act. A ‘payment system’ is defined as a system or arrangement that allows payments to be made between a payer and a beneficiary, or that facilitates the circulation of money, and includes all instruments and procedures associated with the system.

The NPSA and the NPSR apply to payment systems and payment service providers (which include mobile service providers through their mobile money services). Payment service providers are regulated and licensed by the Central Bank of Kenya (‘CBK’) under the National Payment System Act.

  • Consumer Protection Act

Consumers of all services are protected under the Consumer Protection Act of 2012. The Act’s provisions are applicable to all sectors.

  2. KEY TERMS IN THE DATA PROTECTION ACT

Data controller: This means a natural or legal person, public authority, agency, or other body which alone, or jointly with others, determines the purpose and means of processing of personal data.

Data processor: This means a natural or legal person, public authority, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller.

Personal data: This means any information relating to an identified or identifiable natural person. Under the Kenya Information and Communications Act, ‘personal information’ includes a person’s full name, identity card number, date of birth, gender, physical and postal address.

Sensitive personal data: This means data revealing a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of a person’s children, parents, spouse or spouses, sex, or sexual orientation.

Health data: This means data related to the state of physical or mental health of the data subject, and includes records regarding the past, present, or future state of the health, data collected in the course of registration for, or provision of, health services, or data which associates the data subject to the provision of specific health services.

Biometric data: This means any personal data resulting from specific technical processing based on physical, physiological, or behavioral characterisation including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition.

Pseudonymisation: This is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s race, sex, pregnancy, marital status, health status, ethnic social origin, color, age, disability, religion, conscience, belief, culture, dress, language, birth, personal preferences, interests, behavior, location, or movements.

  3. THE DATA PROTECTION AUTHORITY

The Office of the Data Protection Commissioner is established under Part II of the Act. The Commissioner was appointed in November 2020.

The provisions of the various sectoral laws are enforced by the respective sectoral regulatory bodies, which are also increasingly requiring their licensees to comply with the Act in terms of internal processes. The Communications Authority, established under the Kenya Information and Communications Act, is the oversight body in the technology and telecommunications sector. The CBK regulates all financial service providers as well as payment systems providers. Health institutions are under the regulation of the Director of Medical Services at the Ministry of Health. The Director of Medical Services regulates medical institutions and personnel, and oversees compliance with the laws, regulations, and policies in the health sector.

  • The Data Protection Commissioner

The Commissioner’s powers, duties, and responsibilities include:

  • enforcement of the provisions of the Act;
  • the maintenance of the register of data controllers and data processors;
  • oversight and assessment of data processing to ensure it is in accordance with the Act, either on its own motion or on request by a data subject or a private or public body;
  • the promotion of self-regulation among data controllers and processors;
  • investigation of complaints by any person on infringement of rights under the Act;
  • to raise public awareness of the provisions of the Act;
  • to set the requirements for the appointment of data protection officers (‘DPO’);
  • to act as a bridge for, and promote, international cooperation in matters relating to data protection, and to ensure Kenya complies with its international obligations in relation to data protection; and
  • to undertake research on developments in data processing of personal data to mitigate any risks of such developments on the rights of data subjects.

  • The Data Controller

Data controller rights and responsibilities include:

  • the obligation to apply for registration or renewal of a certificate/licence;
  • the obligation to designate a DPO as directed by the Commissioner;
  • the obligation to process data in accordance with the provisions of the Act;
  • the obligation to conduct impact assessments where a processing operation is likely to result in high risk to the rights and freedoms of a data subject;
  • to bear the burden of proof for establishing data subject consent to the processing of personal data for a specified purpose;
  • to incorporate an appropriate mechanism for the processing of personal data relating to children including consent of the child’s parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the obligation to retain data only for as long as is necessary to satisfy the purpose/s of collection, as provided by law, for any lawful purpose, with the consent of the data subject, or for historical, statistical, journalistic, literature, art, or research purposes;
  • the obligation to implement appropriate technical and organizational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to data subjects;
  • to put in place protective measures for the processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the Commissioner of the appropriate safeguards with regard to the transfer of personal data outside Kenya.

All licensed providers under the Kenya Information and Communications Act have obligations, stated in the Kenya Information and Communications Regulations, the SIM-Card Registration Regulations, and the licensing terms and conditions to:

  • obtain and retain information required for the registration of subscribers and SIM cards;
  • generate and retain accurate billing information;
  • ensure the information obtained and generated is stored in a manner that is secure and confidential;
  • adhere to the prescribed retention periods stipulated by the CA for registration details, call data records, and financial information;
  • keep customer information accurate, up to date, confidential, and secure;
  • disclose customer data only when required by customer consent, by law through a court order or Act of Parliament, when disclosed to law enforcement agencies, or to the CA for reporting purposes;
  • inform the customer of the processing of information and its intended or potential purpose(s), and proceed only where the customer raises no objection; and
  • establish a mechanism by which a customer may opt out, opt in, or withdraw consent to the processing of their data.

Service providers must ensure the security and confidentiality of their customers’ information and transactions under the National Payment System Act, the National Payment System Regulations, and the Prudential Guidelines. To protect the patient/data subject’s privacy, the Health Act and the HIV and AIDS Prevention and Control Act require that customer data be anonymized before processing.

  • The Data Processors

In many cases, data controllers will also be data processors, and data processor obligations will apply in the same way. Furthermore, data processors are subject to the following obligations:

  • to apply for registration and for renewal of the certificate as required;
  • to designate a DPO as directed by the Commissioner;
  • to process data in accordance with the provisions of the Act;
  • to conduct impact assessments where a processing operation is likely to result in high levels of risk to the rights and freedoms of a data subject;
  • to incorporate appropriate mechanisms for the processing of personal data relating to children including consent of the child’s parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the duty to notify, which is similar to that of data controllers;
  • to retain data only for as long as is necessary to satisfy the purpose of collection, as provided by law, for any lawful purpose, with the consent of the data subject or for historical, statistical, journalistic, literature, art, or research purposes;
  • to implement appropriate technical and organisational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to a data subject;
  • to put in place protective measures for processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the Data Commissioner of the appropriate safeguards with regard to transfer of personal data outside Kenya.

  4. DATA SUBJECT RIGHTS

  • Right to be Informed

The Act simply states that a data subject has the right to be informed about how their personal data will be used. The data controller or processor is required to notify the data subject: of their rights; that personal data is being collected; of the purpose of the collection; of any third parties with whom the data will be shared; of the safeguards adopted in the case of third party sharing; of the contact information for the processor or controller; and of the technical and organizational measures taken by the controller or processor to protect the data collected, whether the data is collected by the controller or processor.

  • Right to Access

The data subject has the right to access their data that is in the custody of the data controller or data processor.

  • Right to Rectification

The Act provides for the data subject’s right to the correction of false or misleading data, to deletion of false or misleading data, and to updating their data.

  • Right to Erasure

The right to erasure is not absolute and only applies in the following circumstances, as defined by the Act: where the data is inaccurate, outdated, incomplete, or misleading; where the data controller or processor is no longer authorized to retain the data; or where the data is irrelevant, excessive, or obtained unlawfully.

  • Right to Data Portability

A data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible.

The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task or the exercise of official authority, or where portability may adversely affect the rights and freedoms of others.

  5. DATA PROTECTION IMPACT ASSESSMENT

Section 31 of the Act requires that, when a processing operation is likely to result in a high risk to a data subject’s rights and freedoms, the data controller or processor must conduct a Data Protection Impact Assessment (‘DPIA’).

The Act does not specify the types of processing that are subject to a DPIA, but it generally states that a DPIA applies to any processing that, by its nature, scope, context, or purposes, poses a high risk to the data subject’s rights and freedoms. The general steps undertaken in a DPIA are as follows:

  • Description of the data processing activities;
  • Analysis of each processing activity;
  • Analysis of all the activities as a whole;
  • Risk determination;
  • Reporting to management;
  • Monitoring and evaluation.

  6. DATA BREACH NOTIFICATION

A personal data breach is a breach of security leading to the accidental or unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. These breaches may occur inadvertently, negligently, or maliciously. Where a breach is suspected, an initial review should be undertaken to ascertain whether it is a security incident or a personal data breach: the former is an event that compromises the integrity, confidentiality, or availability of data, while the latter is the same but requires notification to the Data Commissioner. Where there is a real risk of harm to the data subject in case of a breach involving their personal data, there is an obligation to notify:

  • the Commissioner within 72 hours; and
  • the data subject within a reasonable time.

Once the assessment of the event is completed and the event is ascertained to be a breach, the breach notification is sent to the Data Commissioner and should include the date and time of the breach, how the breach arose, the number of data subjects affected, the classes and volume of data affected, and the actions taken to contain it and prevent future breaches.

Under the Kenya Information and Communications Act, service providers are required by the Kenya Information and Communications Regulations to notify the customer/data subject if there is a risk of a security breach on their network. If the risk is beyond the scope of the provider’s measures, the provider must inform the data subject of the possible remedies (including an indication of the likely costs involved). The notification must be in the form of a message sent to the data subject.

Disclaimer: Kindly note that this write-up does not constitute legal advice but is provided for information purposes only. If you have any specific inquiries on the subject and other related matters, please contact us at info@omusolomungai.co.ke.