Legal Alert on the Data Protection Act
1. What is the Data Protection Act, 2019 (DPA) and what is its purpose?
- The DPA is Kenya’s law governing the processing of personal data. It is anchored on Article 31 of the Kenyan Constitution which guarantees the right to privacy.
- It came into force on 25 November 2019.
- The DPA contains specific provisions that regulate how personal data is used by private and public bodies including the rights of data subjects, the legal justification for processing personal data, and the precautions that handlers of personal data must observe when handling the data.
- The DPA addresses a growing desire for people to control how their personal data is being used, and the need to foster greater transparency around its processing.
- It also addresses challenges and confusion around issues such as seeking, obtaining and managing consent to process data. Because of ever-growing technological capabilities in handling data, such as automated processing and profiling of individuals, the DPA sets out clear stipulations on how these capabilities should be exercised in the context of data protection.
- The DPA is based on the UK Data Protection Act, 1998, and its provisions mirror, to a large extent, the data protection legal framework of the EU contained in the GDPR (General Data Protection Regulation, 2018).
2. Key concepts
a. Personal data
Personal data is data that identifies individuals (called ‘data subjects’), such as names, addresses, telephone numbers, emails, ID numbers, location, IP address, and browser metadata.
The DPA takes a broad view of personal data: if data identifies an individual directly or indirectly, then it is likely to be personal data.
b. Special categories of personal data: sensitive personal data (SPD) (S. 44 & 45)
- SPD is personal data that needs more protection because it is sensitive.
- SPD includes race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
- Processing of SPD is strictly prohibited unless one or more special conditions are met. You must identify both a lawful basis and a separate condition for processing under S. 25.
- You must collect data that is adequate, relevant and limited to what is necessary.
- Processing of sensitive personal data outside Kenya should only be done after obtaining the consent of the data subject and confirming that appropriate safeguards are in place, which includes the receiving jurisdiction having commensurate data protection laws.
- You may need to have an appropriate policy document in place.
- You need to consider whether the processing will pose high risks to the SPD and therefore whether you need to carry out a data protection impact assessment (DPIA) prior to the processing.
c. Data Controller (DC), Data Processor (DP) & Data Processing
- A DC is a person who is responsible for how personal data is processed by an organization. The DC oversees how DPs handle data and keeps records of how data is processed.
- A DP is any person who handles data on behalf of the DC under a contract; an employee of the DC is not a DP.
- Data processing includes collecting, storing, retrieving, deleting, amending, sharing and archiving data. That is, pretty much anything that is done with the data.
- Data Controllers and Data Processors are required to be registered with the Data Commissioner. The draft data protection general regulations exempt State Corporations and County Corporations from registration; the draft regulations are currently undergoing public participation.
d. Principles of data processing and protection (S. 25)
The principles of data processing are the legal bases or justification for processing personal data. The DPA stipulates that personal data must be:
- processed in accordance with the right to privacy of the data subject;
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
- collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
- not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
e. Five rights of a data subject (S. 26). These rights are not absolute. A data subject has the right:
- to be informed of the use to which their personal data is to be put;
- to access their personal data in the custody of a data controller or data processor;
- to object to the processing of all or part of their personal data;
- to correction of false or misleading data; and
- to deletion of false or misleading data about them.
f. Data Protection Officer (DPO) (S. 24)
- A DPO is a person who is appointed by a DC or a DP to ensure that personal data is handled in compliance with the DPA. Regulations will be enacted to stipulate specific instances when a DPO will need to be appointed. However, the DPA stipulates that where the handling involves regular and systematic monitoring of data subjects, or the core activities of a DC or DP consist of processing of sensitive personal data, then a DPO must be appointed.
- A data protection officer shall:
i) advise the data controller or data processor and their employees on data processing requirements provided under this Act or any other written law;
ii) ensure on behalf of the data controller or data processor that this Act is complied with;
iii) facilitate capacity building of staff involved in data processing operations;
iv) provide advice on data protection impact assessment; and
v) co-operate with the Data Commissioner and any other authority on matters relating to data protection.
3. Penalties & Compensation for breach (S. 63)
- The Data Commissioner may fine a person who infringes the DPA provisions a maximum administrative fine of KES 5 million, or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.
- A general penalty may be imposed where no specific penalty applies. The general penalty comprises imprisonment for up to 10 years, or a fine of KES 3 million, or both.
- A DC or DP may also be ordered to compensate any person who suffers damage by reason of a contravention of their obligation to that person under the DPA.
- A DC or DP may be ordered by a court to forfeit any equipment or any article used or connected in any way with the commission of an offence, or may be ordered to do, or prohibited from doing, any act, or ordered to stop a continuing contravention.
- The Data Commissioner may apply to a court for a preservation order for the expeditious preservation of personal data including traffic data, where there is reasonable ground to believe that the data is vulnerable to loss or modification.
4. Implementation of the DPA
- A Data Commissioner has been appointed under the DPA to enforce its provisions. The Commissioner has broad powers.
- Subsidiary legislation to provide mechanisms for enforcement of the DPA has been drafted and is currently undergoing public participation.
- Guidelines are also expected to be formulated by the Commissioner to guide DCs, DPs and data subjects on how to comply. It is expected that the guidelines will draw on the implementation approaches taken in respect of the GDPR.
5. How might the DPA affect the way your organization works?
You need to consider how your organization handles personal data and what needs to change. You therefore need to consider the following:
- what practices are in place for handling personal data;
- the nature of personal data or sensitive personal data collected by your organization and for what purpose;
- how you would respond to a complaint of personal data breach;
- what is the retention period of collected personal data; and
- the criteria applied in the collection of personal data for a vulnerable segment of the community, including children.
To conclusively respond to the above, a data controller or data processor will need to have in place a Data Protection Policy that clearly stipulates in detail the organization’s personal data handling practices.
6. Road Map to compliance
- Have in place a data protection policy which clearly stipulates the organization’s data handling practices.
- Appoint a data protection officer, especially where:
- the processing of data is carried out by a public body or private body, except for Courts acting in their judicial capacity;
- the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
- the core activities of the data controller or the data processor consist of processing of sensitive personal data.
- A group of entities may appoint a single data protection officer provided that such officer is accessible by each entity.
- Undertake a data protection impact assessment (S. 31) where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes. In that case the data controller or data processor must carry out the assessment prior to processing the data.