Data Protection Act, 2019

DATA PROTECTION IN KENYA

BACKGROUND

8th November, 2019 marked a great milestone in the history of Kenyan legislation with the enactment of the long-awaited Data Protection Act, 2019 (the Act). The purpose of the Act is, inter alia, to regulate the collection and processing of data in Kenya. The Act introduces elaborate obligations on persons who collect and process data, the infringement of which attracts stiff penalties: an administrative fine of up to KES 5 million or, in the case of an undertaking, up to 1% of its annual turnover of the preceding year, whichever is lower.

The Act establishes the office of the Data Protection Commissioner which is to be headed by a Data Commissioner. The role of the office of the Data Protection Commissioner includes overseeing the implementation of the Act, establishing and maintaining a register of data controllers and data processors, exercising oversight on data processing operations, and receiving and investigating any complaint by any person on infringement of the rights under the Act.

The Act has extraterritorial application as it applies to data controllers and processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.

All data controllers and data processors who meet the thresholds to be prescribed will now be required to register with the Data Commissioner. Failure to register is an offense punishable on conviction by a fine of KES 3 million, imprisonment for a term not exceeding ten (10) years, or both.

INTRODUCTION

Due to the massive development in the field of information, communication, and technology experienced the world over, and the increase in the collection of personal information by government and private bodies, the need to protect personal information has gained prominence. There is therefore an urgent need to put in place rules to regulate the collection, use, storage and processing of personal information.

Without a general data protection framework, it is up to the entities that collect personal data to employ internal strategies to protect it. Failure to properly collect and use data exposes the entity to risks such as identity theft, misuse of personal information, unauthorized distribution or sale of data, financial loss, and erosion of privacy. Data may also be repurposed and used for purposes other than those for which it was collected, attracting the penalties imposed under the Act.

Why Data Privacy?

Privacy laws are more relevant today than ever before. With data crossing borders following increased internet penetration and the increased use of social media and other digital information platforms, it is becoming more important to ensure that personal data is protected, processed, and used for the correct purpose. While these protection laws are (sometimes) good news for those who have data stored or transferred online, they may not be so for those who have to navigate this mass of regulation.

CURRENT LEGISLATION ON DATA PROTECTION

The existing legislation that governs the collection and use of personal data includes:

  • The Constitution of Kenya, 2010 (the “Constitution”) recognizes the right to privacy, including the right not to have a citizen’s personal information in relation to their family or private affairs unnecessarily required or revealed.
  • The Data Protection Act, 2019 aims to promote the protection of personal data and to provide rights and remedies with regard to the protection of personal data.
  • The Access to Information Act No. 31 of 2016 (the “AIA”) was passed to give effect to Article 35 of the Constitution, which recognizes the right to access certain information. The AIA provides a framework for both public and private bodies to disclose information in line with the constitutional principles of accountability and transparency.
  • The Consumer Protection Act No. 46 of 2012 (the “CPA”) protects information obtained in the course of exercising any power related to the administration of that Act.
  • The Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015 (the “Regulations”) were passed in pursuance of a directive requiring the registration of personal information of the holders of all SIM cards issued in Kenya. To protect the sensitive personal data provided, the Regulations provide that an operator should take all reasonable steps to ensure the security and confidentiality of its subscribers’ registration particulars.
  • The National Payment System Act No. 39 of 2011 (“NPSA”) and its subsidiary regulations apply to payment systems and payment service providers, including mobile service providers. It criminalizes the use of confidential information for personal gain.

DATA PROTECTION ACT, 2019 (This Being the Primary Act Enacted For Data Protection)

The Data Protection Act, which sets out the principles of data protection, attempts to:

  • Provide a framework of rights for individuals with a focus on the consent of the individual whose information is being processed;
  • Impose strong obligations on data controllers reflecting the responsibilities associated with collecting, storing, using, and analysing data; and
  • Impose effective enforcement mechanisms such as the establishment of a data protection authority.

PERSONAL DATA DEFINED

The Act defines personal data to include:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, age, physical, psychological or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the individual;
  • Information relating to the education or the medical, criminal, or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  • Any identifying number, symbol, or other particular assigned to the individual;
  • The fingerprints, blood type, address, telephone or other contact details of the individual;
  • A person’s opinion or views over another person;
  • Correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • Any information given in support or in relation to an award or grant proposed to be given to another person; and
  • Contact details of an individual.

PROVISIONS OF ACT

Fundamentally, the Act seeks to guarantee privacy and protect data by giving the owner of the data (the Data Subject) extensive rights to control how the Data Subject’s personal data may be processed, applied, or consumed by a user. In particular, the Act requires that the consent of the Data Subject is provided at all times when personal information that has been collected is being utilized. Further, Data Subjects have the right to access their personal information and the right to demand the correction of any inaccurate information.

The Act regulates the collection, storage, disclosure, retention period, and accuracy of personal data.

One of the principles guiding the interpretation and application of the Act is that information is to be collected from the Data Subject and released to a third party only with the consent of the Data Subject. This fills a glaring loophole in the law, because until now there has been no express legal requirement for organizations collecting data (data controllers) to obtain consent from Data Subjects.

The Act also regulates the flow of personal information across the borders of the country. Personal data of a Data Subject is only to be transferred outside Kenya where:

  • The party receiving the data is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
  • The Data Subject consents to the transfer;
  • The transfer is only necessary for the performance or conclusion of a contract between the agency and the third party; and
  • The transfer is for the benefit of the Data Subject.

THE CRYSTALS AND MUD OF THE DATA PROTECTION ACT 2019

  1. Key definitions

“Data subject” - an identifiable natural person who is the subject of personal data.

“Personal data” - any information relating to an identified or identifiable natural person.

“Data controller” - a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.

“Data processor” - a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

  2. Office of the Data Protection Commissioner

The Act establishes the office of the Data Protection Commissioner (“DPC”), who is to be recruited and employed by the Public Service Commission upon appointment by the President, subject to the approval of the National Assembly.

The Commissioner’s office is mandated with overseeing the implementation of the Act; establishing and maintaining a register of data controllers and data processors; receiving and investigating any complaints on infringements of the rights under the Act; carrying out inspections of public and private entities with a view to evaluating the processing of personal data; and imposing administrative fines for failures to comply with the Act, amongst other functions.

  3. Registration of Data Controllers and Processors

It is an offense to act as a data processor or data controller unless one is registered with the DPC. The Commissioner is required to prescribe thresholds for mandatory registration and, in doing so, is to consider the nature of the industry, the volumes of data processed, and whether sensitive personal data is being processed, amongst other matters. Until such thresholds are prescribed, mandatory registration does not come into play.

  4. Data Processing

Data must be processed in a manner that upholds the data subject’s right to privacy; lawfully; limited to the purpose for which it is collected; accurately and kept up to date; kept in a form that identifies the data subject for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act.

  5. Notification of Breach

Data controllers must employ appropriate security measures to prevent the unauthorized access, disclosure, or loss of the personal data collected by them. In the event of a breach, they are required to report it to the DPC within 72 hours and to the affected data subjects without undue delay.

  6. Transfer of Data outside Kenya

Personal data may only be transferred outside Kenya with the approval of the DPC upon proof of the existence of appropriate safeguards for the data being transferred.

  7. Penalties for non-compliance

General penalty: a fine not exceeding three million Kenya Shillings (Ksh. 3,000,000/-, US$30,000) or imprisonment for a term not exceeding 10 years, or both.

  8. Data Protection

Every data controller or processor is required to ensure that all personal data is processed lawfully, fairly and in a transparent manner in relation to any data subject. The Act applies to data controllers and processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.

The data subjects have the right to be informed of the use to which their personal data is to be put; to access their personal data; to object to the processing of all or part of their personal data; to correction of false or misleading data; and to deletion of false or misleading data about them.

Care should be taken in the manner in which data is collected, used, and processed. The primary overarching principle is that personal data should only be collected directly from the data subject and used (whether for processing, commercial use, or otherwise) with the express consent of the subject. There are certain exclusions from this rule, such as data already contained in public records, collection from a different source authorized by the subject, and so on.

  9. Sensitive Data

Data that reveals race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of children, parents, spouse or spouses), and sex or sexual orientation is deemed sensitive data. Specific provisions apply to the collection, storage, and processing of such data. For example, personal data relating to the health of a data subject may only be processed by or under the responsibility of a healthcare provider.

The principles guiding data protection

The Act sets out the following data protection principles:

  1. Information shall be collected, processed, stored, or dealt with in any other manner if it is necessary for or directly related to a lawful, explicitly defined purpose and shall not intrude on the privacy of the data subject;
  2. Information shall be collected directly from and with the consent of the data subject;
  3. Where information relating to the data subject is held by a third party, the information may only be released to another person or put to a different use with the consent of the data subject;
  4. The data subject shall be informed of the purpose for which information shall be put and the intended recipients of that information at the time of collection;
  5. Information shall not be kept for a longer period than is necessary for achieving the purpose for which it was collected;
  6. Information shall not be distributed in a manner that is incompatible with the purpose for which it was collected with the consent of the person and subject to any notification that would attract objection;
  7. Reasonable steps shall be taken to ensure that the information processed is accurate, up-to-date, and complete;
  8. Appropriate technical and organizational measures shall be taken to safeguard the data subject against the risk of loss, damage, destruction of, or unauthorized access to personal information; and
  9. Data subjects have the right to access their personal information and the right to demand correction if such information is inaccurate.

The rights of data subjects

The Act provides for the rights of data subjects in relation to their personal information. These include:

  1. Right to be informed by the agency of the use to which the data is to be put;
  2. Right to access their data which is in the possession of an agency;
  3. Right to object to the collection or processing of all or part of data by an agency;
  4. Right to correction of false or misleading data;
  5. Right to deletion of misleading, false, or data which has been objected to;
  6. Right to information relating to the person processing the data and any other person to whom the data is to be transmitted;
  7. Right to know the place and origin of the data; and
  8. Right to an explanation in respect of the processing of data and the outcome of such processing.

Duties of companies and other agencies

The Act sets out various duties of companies and other agencies collecting or processing personal data. These include the duty to:

  1. Notify the data subjects of the fact that their information is being collected, the purpose for which it is being collected, the contact details of the company and the intended recipient of the information, the consequences of failure to provide the required information, and their right of access to and correction of the data collected.
  2. Not profile data subjects based on the information collected or processed unless the information was collected for purposes of maintaining law and order by a public body.
  3. Adopt the necessary measures to ensure the protection and security of personal data, i.e., by identifying foreseeable internal and external risks and establishing, maintaining, and updating appropriate safeguards against the identified risks.
  4. Observe generally acceptable security practices and procedures including specific industry or professional rules and regulations.
  5. Notify the data subject and the Kenya National Commission on Human Rights of any security compromise, i.e., where personal data has been accessed or processed by unauthorized persons.
  6. Take the necessary steps to restore the integrity of their information system where personal data has been compromised.
  7. Correct, delete, or destroy false or misleading data upon request (in writing) by the data subject. The company must consider the request and inform the data subject of the decision within seven days of receipt of the request.
  8. Not use personal data for commercial purposes without the consent of the data subject unless authorized by law.

However, there are circumstances under the Act where companies and other agencies will not be required to obtain the consent of the data subject when retrieving or processing data. These include: where the information is publicly available; where the user has authorized the collection of the data from a third party; where non-compliance does not prejudice the interests of the user; or where the information being collected is meant to help detect or prevent a crime or a threat to national security.

Transfer of personal data

The Act prohibits the transfer of personal data of a data subject to other jurisdictions unless the transferee is subject to a law or agreement relating to the protection of personal data (such as the GDPR), the data subject consents to the transfer, the transfer is necessary for the performance of a contract between the agency and the transferee, and the transfer is for the benefit of the data subject. These criteria must be met for the transfer to be valid.

Processing of special personal information

The Act prohibits the processing of special personal information and data relating to minors. Special personal information includes information relating to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, biometric information of a data subject or relating to the alleged commission of an offense or any proceedings in respect of any offense allegedly committed by a data subject.

Such information may only be processed in the following circumstances:

  1. With the consent of the data subject, parent or guardian.
  2. Where it is required under national or international law, for statistical or research purposes, or where it is publicly available.
  3. For information relating to religious or philosophical beliefs, where the agency is a spiritual or religious organization and the data subject is an employee or member of the organization who has consented to the processing of the data.
  4. For information relating to a data subject’s race or ethnic origin, where the processing is essential to the identification of the data subject and is not aimed at unfairly discriminating against the data subject.
  5. For information relating to trade union memberships, the agency is a trade union to which the data subject belongs and the processing
  6. For information relating to health, where the agency is a medical or social service institution, an insurance company or medical scheme, a school, a public or private body acting under a lawful duty to manage the welfare of the data subject, or an administrative body, pension fund or employer processing data for purposes of implementing the law relating to the health of the data subject.
  7. For information relating to political persuasion, where the agency is a political party formed under the Political Parties Act or a public body whose functions are political in nature, the data subject is a member of the agency, and the information is necessary to the formation or carrying out of the agency’s activities.

Enforcement of the Act

All complaints under the Act shall be lodged with the Secretary to the Commission, in writing or orally. Where, upon investigation, the Commission is satisfied that a person has contravened or may contravene any of the provisions of the Bill (if enacted), the Commission may issue a notice to that person requiring them to refrain from such contravention, e.g. requiring the person to rectify, block, erase or destroy any inaccurate data.

Offences and penalties

The Act creates the following offences and penalties:

  1. Interference with the personal data of a data subject or infringement of the right to privacy, which attracts a fine not exceeding Kshs. 500,000 or imprisonment for a term not exceeding 2 years, or both.
  2. Obstructing the Commission or any other person in the performance of their functions without reasonable cause, knowingly giving false or misleading information to the Commission or any other person, or failing to comply with any notice issued under the Act. This attracts a fine not exceeding Kshs. 100,000 or imprisonment for a term not exceeding 2 years, or both.
  3. Processing data in any other manner contrary to the provisions of the Act, which attracts a fine not exceeding Kshs. 500,000 or imprisonment for a term not exceeding 5 years, or both.

The offences and penalties apply to a body corporate and to any officers responsible for the commission of the offences. Any person who discloses data, or publishes disclosed data, in good faith pursuant to the provisions of the Act is exempt from any civil or criminal liability.

Data breaches: case law

In December 2016, the High Court in Nairobi declared unconstitutional a presidential directive seeking to collect the names of people living with HIV, including the names of school-age children, among others. Along with other organizations, the Kenya Legal & Ethical Issues Network (KELIN) had filed a case against the directive, arguing that the creation of this list was in violation of Articles 31 and 53(2) of the Constitution, respectively the right to privacy and the position that the “child’s best interests are of paramount importance in every matter concerning the child.”

In December 2014, the Kenyan government arrested and expelled 77 Chinese citizens on suspicion of “preparing to raid the country’s communication systems”, according to the Police. Kenyan media reported that police raids had uncovered equipment capable of infiltrating bank accounts and government servers, as well as a popular banking system and ATM machines.

Reports from April 2016 indicate that hacker collective Anonymous breached the Kenyan Ministry of Foreign Affairs’ servers and published 1 terabyte of files online. The Ministry later confirmed the hack as genuine and the result of junior staff members unknowingly giving access to the hackers by changing their passwords.

In Kenya Human Rights Commission v Communications Authority of Kenya & 4 others [2018] eKLR, at paragraph 54 of the judgment, it was held that: ‘The processing of information by the data user/responsible party threatens the personality in two ways: (a) first, the compilation and distribution of personal information creates a direct threat to the individual’s privacy; and (b) second, the acquisition and disclosure of false or misleading information may lead to an infringement of his identity.’

Recommendations

Entities need to invest in awareness and training, continuous monitoring and log analysis, continuous risk assessment, vulnerability and patch management, and independent reviews.

Most importantly, these regulations demand sweeping changes in how organizations must now obtain consents from clients to use their information.

The GDPR demands that such consents must be clear and distinguishable from other matters and be provided in a clear and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give consent.

There are five best practices that GDPR will expect organizations to adhere to:

  1. Entities must not re-use or disclose personal information for purposes that do not link back to its original intended purpose. Organizations are required to be transparent with individuals about how their data will be used, under a lawful basis;
  2. Entities will be required to take steps to ensure that personal information is kept secure and backed up through organizational and technical security measures;
  3. Data must only be kept for as long as it is needed – restricting the storage of personal information;
  4. Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect; and
  5. The collection and storage of any data must be kept minimal; collecting only what is adequate and relevant for the intended purpose.

Conclusion

At a time when user information is increasingly at risk from hackers, the Act will hold entities and persons responsible for data breaches. The recent Facebook data breach that affected 87 million users is a good example of how important it is to protect user information and of the implications such data breaches can have on a business.

Entities that use data to operate or enhance their business operations will need to take stock of this legislation and implement data management systems, hence the importance of the training recommended above.
