Over the last few years, data has become a precious asset for businesses. Data allows us to know who our customers are, understand what they need, how they purchase and how to get in touch with them.
Businesses are increasingly collecting more and more data about individuals and use this data for various actions, including marketing, analysis and the sharing of information.
The misuse of data has become prevalent, as the owners of the data have had little to no say as to how their data shall be used, what decisions can be made about them and when they can request for their data to be deleted.
The Data Protection Act essentially sets out guiding principles for all businesses to implement to ensure that they collect, use and maintain client data in a manner that protects the client’s data rights.
The Principles:
The Act sets out the following data protection policies:
- Information shall be collected, processed, stored or dealt with in any other manner if it is necessary for or directly related to a lawful, explicitly defined purpose and shall not intrude on the privacy of the data subject;
- Information shall be collected directly from and with the consent of the data subject;
- Where information relating to the data subject is held by a third party, the information may only be released to another person or put to a different use with the consent of the data subject;
- The data subject shall be informed of the purpose to which information shall be put and the intended recipients of that information at the time of collection;
- Information shall not be kept for a longer period than is necessary for achieving the purpose for which it was collected;
- Information shall not be distributed in a manner that is incompatible with the purpose for which it was collected with the consent of the person and subject to any notification that would attract objection;
- Reasonable steps shall be taken to ensure that the information processed is accurate, up-to date and complete;
- Appropriate technical organizational measures shall be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information; and
- Data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate.
The rights of data subjects
The Act provides for the rights of data subjects in relation to their personal information. These include;
- Right to be informed by the agency of the use to which the data is to be put;
- Right to access their data which is in possession of an agency;
- Right to object to the collection or processing of all or part of data by an agency;
- Right to correction of false or misleading data;
- Right to deletion of misleading, false or data which has been objected to;
- Right to information relating to the person processing the data and any other person to whom the data is to be transmitted;
- Right to know the place and origin of the data; and
- Right to an explanation in respect of the processing of data and the outcome of such processing.
Duties of companies
The Act sets out various duties of companies and other agencies collecting or processing personal data. These include, the duty to;
- Notify the data subjects of the fact that their information is being collected and the purpose for which the data is being collected, the contact details of the company and intended recipient of the information, the consequences of failure to provide the required information and their right of access to and correction of the data collected.
- Not to profile data subjects based on the information collected or processed unless the information was collected for purposes of maintaining law and order by any public body.
- Adopt the necessary measures to ensure protection and security of personal data i.e. by identifying foreseeable internal and external risks and establishing, maintaining and updating appropriate safeguards against identified risks.
- Observe generally acceptable security practices and procedures including specific industry or professional rules and regulations.
- Notify the data subject and the Kenya National Commission on Human Rights of any security compromises i.e. where personal data has been accessed or processed by unauthorized persons.
- Take the necessary steps to restore the integrity of their information system where personal data has been compromised.
- Correct, delete or destroy false or misleading data upon request (in writing) by the data subject. The company must consider the request and inform the data subject of the decision within seven days of receipt of the request.
- Not to use personal data for commercial purposes without the consent of the data subject or unless authorized by law.
Therefore before you collect and use client data it is important that you have a data privacy policy that encompasses the data rights of your clients, embodies that principles as provided by law, and ensures that your business has met its duty under the law.