Data protection in the financial services industry

Data privacy and protection is not a new conversation for financial institutions. Banks and financial institutions have always had an obligation to maintain and protect client confidentiality. The Data Protection Act, 2019, together with the Data Protection (General) Regulations, 2021; the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021; and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, provides a comprehensive guide to the capture, use and management of client data.

The financial sector in Kenya has grown beyond the traditional banking industry to incorporate SACCOs, microfinance institutions, fintechs, mobile money and non-bank financial institutions. Under Kenyan law, each of these institutions is governed by government agencies and arms, and that governance extends to their interaction with their clients.

Over the last few years, with the growth of the financial sector, the protection of client data has faced challenges in this sector. The most glaring breach of data protection has perhaps been seen in the fintech space, where mobile loan providers were requesting ever more access to clients' private data, and indeed infringing on the private data of clients' contacts.

However, data breaches have been happening continuously. Consider the Mpesa record book, which contains your name, phone number and ID number: all private data that is now in the hands of a third party, and not held in a secure manner.

But before we can consider the safeguards the financial sector needs to put in place with regard to client data, we need to consider the basic principles of data privacy.

Data protection relates to Personal Data which is defined under the Act as follows:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, age, physical, psychological or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
  • Information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  • Any identifying number, symbol or other particular assigned to the individual;
  • The fingerprints, blood type, address, telephone or other contact details of the individual;
  • A person’s opinion or views over another person;
  • Correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • Any information given in support or in relation to an award or grant proposed to be given to another person; and
  • Contact details of an individual.

The premise of the data protection laws is that each individual in Kenya has a right to control the use of their personal data. This means that I must be informed, must give my consent, and am entitled to protection when it comes to the handling of my private data, wherever it may be held.

All personal data in Kenya must be collected, stored and used as guided by the following principles:

  1. To collect, process and store only information that is necessary and lawful for the organization to carry out its objectives;
  2. Information shall be collected directly from, and with the consent of, the data subject;
  3. Release of information to a third party must only occur with the consent of the individual;
  4. The individual must be informed at the point of collection of the purpose to which the information shall be put;
  5. Not to keep client information for a longer period than is necessary for achieving the purpose for which it was collected;
  6. Information shall not be distributed in a manner that is incompatible with the purpose for which it was collected with the consent of the person, and subject to any notification that would attract objection;
  7. Reasonable steps shall be taken to ensure that the information processed is accurate, up-to-date and complete;
  8. Appropriate technical and organizational measures shall be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information; and
  9. Data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate.

The rights of data subjects

The Act provides for the rights of data subjects in relation to their personal information. These include:

  1. Right to be informed by the agency of the use to which the data is to be put;
  2. Right to access their data which is in possession of an agency;
  3. Right to object to the collection or processing of all or part of data by an agency;
  4. Right to correction of false or misleading data;
  5. Right to deletion of misleading, false or data which has been objected to;
  6. Right to information relating to the person processing the data and any other person to whom the data is to be transmitted;
  7. Right to know the place and origin of the data; and
  8. Right to an explanation in respect of the processing of data and the outcome of such processing.

Duties of companies and other agencies

The Act sets out various duties of companies and other agencies collecting or processing personal data. These include the duty to:

  1. Notify data subjects that their information is being collected and of the purpose for which it is being collected, the contact details of the company and the intended recipient of the information, the consequences of failure to provide the required information, and their right of access to and correction of the data collected.
  2. Not profile data subjects based on the information collected or processed, unless the information was collected for the purpose of maintaining law and order by a public body.
  3. Adopt the necessary measures to ensure the protection and security of personal data, i.e. by identifying foreseeable internal and external risks and establishing, maintaining and updating appropriate safeguards against the identified risks.
  4. Observe generally accepted security practices and procedures, including specific industry or professional rules and regulations.
  5. Notify the data subject and the Kenya National Commission on Human Rights of any security compromise, i.e. where personal data has been accessed or processed by unauthorized persons.
  6. Take the necessary steps to restore the integrity of their information system where personal data has been compromised.
  7. Correct, delete or destroy false or misleading data upon request (in writing) by the data subject. The company must consider the request and inform the data subject of its decision within seven days of receipt of the request.
  8. Not use personal data for commercial purposes without the consent of the data subject, unless authorized by law.

Section 35 of the Data Protection Act provides:

"Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject."

Financial institutions must take steps to comply with section 35 of the Act, ensuring that any automated processing of personal data that produces a decision without human intervention has proper appeal mechanisms and safeguards in place.

Compliance under the Data Protection Laws for the financial industry

In order for a financial services organization to be compliant under the data protection laws, it needs to undertake the following:

  1. Audit its current data collection, processing and storage methods;
  2. Undertake data mapping of the current and future use of data in the organization;
  3. Undertake a Data Protection Impact Assessment;
  4. Appoint a Data Protection Officer;
  5. Train all staff members on the data protection policies of the organization; and
  6. Register as a Data Controller and Data Processor and ensure the registration of all third-party data processors.

For further information, you can get in touch with us on info@kioi.co.ke
