What is Kenya’s Data Protection Act?

The Data Protection Act (DPA) was passed into law on 8th November 2019 and came into effect on 25th November 2019, making Kenya the third country in East Africa to enact data protection legislation. The Act serves multiple purposes: it regulates the processing of personal data; gives effect to Article 31 (c) and (d) of the Constitution, which contain the right to privacy; sets out the obligations of data controllers and data processors; and establishes the Office of the Data Commissioner.

The Act seeks to: provide for the regulation of the processing of personal data, ensure that personal data is processed in line with data protection principles, protect the privacy of individuals, establish the legal and institutional mechanisms to protect personal data, and provide data subjects with rights and remedies. The Act places obligations on all data controllers/processors in Kenya, and on those outside Kenya that process the personal data of data subjects located in Kenya.

What is a data subject?

A data subject is any individual whose data is collected, held, or processed by an organization. Personal data can include any information that uniquely identifies the individual, such as a credit card number, home address, or legal name.

What are a data processor and a data controller?

A data controller is an entity that determines the purpose for which personal data is processed and the means by which it is processed. A data processor is an entity that processes personal data on behalf of the data controller.

What data subject rights are protected by the act?

The Act sets out the rights accorded to the data subject. First, the data subject has a right to be informed of the use to which collected data is put. The data controller and processor have a duty to inform the subject how they intend to use the collected data and to notify them of any changes to the original terms of use. Additionally, the data processor/controller must collect data directly from the data subject, not from a third party, and must be able to present proof to the subject establishing consent for any processing. Critically, the data controller/processor has to explicitly obtain consent from the data subject whenever they intend to use the collected personal data for commercial purposes.

The data subject also has a right to withdraw consent to the processing. If a data subject decides to withdraw consent regarding the use of their data, the data controller/processor must immediately cease processing the data.

The data subject also has a right to access the personal data in the controller’s or processor’s custody. Access must be granted as soon as the subject requests it, and the data should be provided in a structured, machine-readable format that the data subject can easily understand.

The data subject also has a right to object to the processing of all or part of their data. In such cases, the data controller/processor must immediately cease processing the data. There is an exception to this rule where the controller/processor demonstrates a compelling overriding legitimate interest, or where the processing relates to a legal claim by the controller.

The data subject also has a right to correct any false or misleading data, with the data controller/processor liable to keep the data updated whenever necessary.

The data subject has a right to erasure of their data. In tandem, the data controller/processor must delete false or misleading data once authorized by the subject. They must also limit the duration for which they hold a subject’s personal data, and must delete any data that they are no longer authorized to hold.

The data subject also has a right to notification of a data breach. Whenever a breach occurs, the data controller/processor must follow set notification protocols towards all relevant parties. The processor must notify the controller of the breach within 48 hours, and thereafter the controller must notify the Commissioner within 72 hours of the breach. The controller must also notify the subject of the breach within a reasonable period.

The data subject has a right to object to being subjected to a decision based on automated processing (including profiling). To this end, the data controller/processor must duly notify the subject of any decision based solely on automated processing. The controller/processor must then comply, within a reasonable time, with a request to reconsider an automated decision, or must take a new decision that is not based solely on automated processing.

The data subject also has a right to the integrity and security of their personal data. The data controller/processor must provide adequate security safeguards when processing, storing and transferring data. They must also demonstrate the adequacy of security controls in any foreign jurisdiction to which the data is to be transferred.

Which data controllers and processors are required to register, and which ones are exempted?

Data controllers and processors handling data beyond a certain threshold must register with the Commissioner. According to the Act, an individual shall register as a data controller if they determine the purpose and means of processing personal data. An individual shall register as a data processor if they process personal data on behalf of the data controller, excluding employees of the data controller. Registration as a processor also applies to individuals in a contractual relationship with the data controller, and to those without any decision-making power over how personal data is processed or knowledge of the purpose for which the personal data shall be used.

A data controller may also register as both a controller and a processor with regard to any processing operations, and must pay the requisite fees for both roles. A data processor that processes data otherwise than as instructed by the data controller is regarded as a data controller with respect to that processing activity.

A data controller or processor is exempted from mandatory registration if they have an annual turnover or annual revenue of less than five million shillings and employ fewer than ten people. However, this exemption does not apply to any data controller or data processor processing personal data for the purposes specified under the Third Schedule, even if they meet the exemption requirements.

Under the Third Schedule, the Act sets out the thresholds for mandatory registration. Based on this, data controllers and processors that fall under the following categories MUST register with the Office of the Data Protection Commissioner (ODPC):

·      Canvassing political support among the electorate.

·      Operating Credit Bureaus.

·      Crime prevention and prosecution of offenders (including operating security CCTV systems).

·      Debt administration and factoring.

·      Gaming and betting operators.

·      Provision of education.

·      Health administration and provision of patient care.

·      Hospitality industry firms.

·      Insurance administration and undertakings.

·      Faith-based or religious institutions.

·      Retirement benefits administration.

·      Property management, including the sale of land.

·      Provision of financial services.

·      Telecommunications network or service providers.

·      Businesses that are wholly or mainly in direct marketing.

·      Internet access providers.

·      Transport services firms (including online passenger hailing applications).

·      Public sector bodies.

·      Businesses that process genetic data.

The Life Cycle of Data as defined by the act

Data protection strategies should address the integrity, availability, and confidentiality of the data collected, with protection applied throughout all stages of the data life cycle. Data protection seeks to mitigate the risks associated with data, with appropriate controls implemented to lower the risk to a level acceptable to the data owner. The data goes through four main stages: collection, handling, transmission, and destruction.

Data collection is where the data controller collects data from the data subject after consent has been given. The data controller should ensure that their collection materials are in order, with relevant backups (if permitted) for redundancy.

Once the data has been collected, it is stored with the security considerations needed to maintain its integrity. There should be physical protections against theft or tampering, as well as appropriate safeguards against unauthorized online access, such as firewalls or encryption of the data.

Data transmission involves sharing the data or altering it according to the subject’s requirements. During transmission, the data processor and the data controller must ensure that the data’s integrity remains intact, with the necessary access controls in place to prevent unauthorized access. Data transfer may only be conducted with the explicit consent of the data subject, and only if the recipient demonstrates appropriate security safeguards.

Data destruction involves purging all information collected from a data subject. The data should be destroyed as soon as it is no longer in use, and no copy should be retained.

How does the act define personal data?

Personal data under the DPA refers to any information about the data subject that directly or indirectly allows them to be identified. Such data includes names, identification numbers, location data, genetic material, physical and postal addresses, GPS coordinates, employee numbers, online identifiers, and IP addresses, amongst other indicators. Sensitive personal data, on the other hand, is data that reveals the data subject’s health status, race, ethnic or social origin, belief, conscience, sexual orientation, property details, genetic data, or marital status. The DPA expressly prohibits the processing of sensitive personal data, except in clearly defined circumstances. Within the DPA, only healthcare data specifically has elevated protection: such data may only be processed by healthcare providers or by any other individuals bound by professional secrecy under the law, for instance a lawyer.

Under the Act, sensitive personal data may also be processed where:

·      The processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other non-profit body with political, philosophical, religious, or trade union aims, on the condition that the data relates solely to members of the organization (or members the organization regularly has contact with).

·      The processing relates to sensitive personal data which is manifestly made public by the data subject.

·      The processing is necessary for the establishment, exercise, or defense of a legal claim.

·      The processing is necessary for carrying out the obligations and exercising the specific rights of the controller or the data subject.

·      Processing is necessary for protecting the vital interests of the data subject.

Is the personal data of dead people protected by the act?

The Data Protection Act of 2019 does not address deceased persons but focuses primarily on living individuals. The Act makes no legislative arrangement to protect the interests of deceased individuals, unlike the directives available under the EU’s General Data Protection Regulation (GDPR), on which the law is closely modeled. Under the GDPR, individuals can issue general or specific directives to data controllers regarding how they would like their data handled after their demise. These directives can be executed by an individual designated by the deceased data subject, who can request the controller to implement them.