
Data protection

Case scenarios

We live in a data-driven world. Almost every transaction and interaction you have involves sharing personal data. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. On a daily basis, vast amounts of personal data are collected, transmitted and stored globally by ever-growing computing and communication technologies. Much of today’s data consists of personal data relating to individuals.

As a result, personal data protection is increasingly becoming a critical area that must be managed carefully. Kenya, like other countries, has been experiencing technological growth that has changed the way personal data is generated, processed, stored and distributed.

Both the public and private sectors collect, use and transfer personal data at an unprecedented scale and for multiple purposes. Sharing data helps make life easier, more convenient and connected; however, the unregulated and arbitrary use of personal data has raised concerns about privacy and about the data subject’s control over such data. Data protection law makes sure everyone’s data is used properly, legally and is safeguarded.

It is important to understand that the term ‘data’ encompasses a very large and non-exhaustive range of personal data held by any company, institution or State body.
A few examples:
  • Data collected at birth and during the subsequent registration of a person
  • Personal data retained by government bodies, such as your name, address, ID number, date of birth and passport details
  • Data collected when a child starts school
  • Data collected by a telecommunication company when you buy a SIM card
  • Health data collected by hospitals and clinics
  • Personal data, credit history and data about financial transactions retained by banks
  • Files held by advocates containing a large amount of personal data such as identification documents, bank statements, etc.
  • If you are signed up to a gym, a sports club or a recruitment agency, they will retain a large amount of your personal data in their databases

In Kenya, ‘sensitive personal data’ is a specific set of “special categories of personal data” that must be treated with extra security and is subject to specific processing conditions. The following constitutes sensitive personal data as per section 2 of the DPA:

  • race;
  • health status;
  • ethnic social origin;
  • conscience;
  • belief;
  • genetic data;
  • biometric data;
  • property details;
  • marital status;
  • family details, including the names of the person’s children, parents, spouse or spouses;
  • sex or sexual orientation.

Data Subject

An identified or identifiable natural person who is the subject of personal data, such as a name, home address or credit card number.

Data Controller

The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. This could be a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing.

Data Processor

By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). This could be a natural or legal person, public authority, agency or other body which, alone or jointly with others, processes personal data on the controller’s behalf.

Third party

As per the DPA, “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

The DPA applies to all companies, agencies, organisations and persons processing the personal data of data subjects residing in Kenya, regardless of the company’s location.

Data subjects can request confirmation of whether or not their personal data is being processed, where and for what purpose. The rights of data subjects include:

  • Right to access personal data
  • Right to restrict processing (section 34)
  • Right to object to processing (section 36)
  • Right of rectification
  • Right to data portability (section 35)
  • Right of erasure (section 40)
  • Exercise of rights by others (section 27)


Data controllers and data processors have a six (6) months grace period from the date of publication of the Registration Regulations to get their house in order. There has been some confusion on the registration date, and we now understand that the requirement to register will take effect from 14th July 2022 as opposed to by 14th July 2022.


The Registration Regulations are an urgent call for data processors and data controllers to take deliberate steps to ensure compliance with the DPA. Such steps would typically include a review of data processing frameworks, activities and policies, putting in place data protection agreements with third parties and generally seeking legal advice where necessary.

Every data controller and data processor who processes personal data needs to pay a data protection registration fee to the Office of the Data Protection Commissioner (ODPC), unless they are exempt. See the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

You have the right to be confident that organisations handle your personal data responsibly. The data they hold should be:

  • kept secure;
  • accurate;
  • not disclosed without your consent;
  • not kept longer than is necessary; and
  • collected and used only for the purpose and reason for which it was collected.

Depending on the type of personal data and the purpose of the processing activities, an organisation may be required to appoint a Data Protection Officer to help it demonstrate compliance with the Act.

When organisations collect your data, they should usually be open about why they are collecting it, only use it in a reasonable way that you would expect, and not use it in a way that is unfair to you. When your data is collected you should be given a fair processing notice or privacy notice that tells you what will be done with your data and why, unless it is already obvious who has collected your details and what they are going to be used for.

Data protection by design: section 41 of the DPA and regulations 26-34

This is a legal requirement to consider and include data protection from the outset of designing systems and organisational operations, rather than as a retrospective addition.

Penalties: sections 56-66 of the DPA and the Complaints Handling and Enforcement Regulations, 2021

Infringement of the provisions of the Kenya Data Protection Act (DPA) will attract a penalty of not more than KES 5 million or, in the case of an undertaking, not more than 1% of its annual turnover for the preceding financial year, whichever is lower. Individuals will be liable to a fine not exceeding three million shillings, to an imprisonment term not exceeding ten years, or to both.

A data controller or data processor may transfer personal data to another country only where —

  1. the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data;
  2. the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws; or
  3. the transfer is necessary —
     a. for the performance of a contract between the data subject and the data controller or data processor, or the implementation of pre-contractual measures taken at the data subject’s request;
     b. for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
     c. for any matter of public interest;
     d. for the establishment, exercise or defence of a legal claim;
     e. in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
     f. for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

Transfer of personal data outside Kenya shall be based on one of the following:

  1. Appropriate data protection safeguards
  2. An adequacy decision made by the Data Commissioner
  3. Transfer as a necessity
  4. Consent of the data subject

Appropriate data protection safeguards include where the receiving party or country has:

  1. Ratified the African Union Convention on Cyber Security and Personal Data Protection;
  2. A reciprocal data protection agreement with Kenya; or
  3. Contractually binding corporate rules among a concerned group of undertakings or enterprises.

During subsequent transfers, the personal data shall not be transferred further to a third country or territory without the authorisation of the transferring entity or a competent authority.

Provisions governing agreements for cross-border transfer

The Cabinet Secretary may prescribe, on grounds of the strategic interests of the State or the protection of revenue, certain kinds of processing that shall only be effected:

  • through a server and data centre located in Kenya; or
  • where at least one serving copy of the personal data is stored in a data centre located in Kenya.

As per section 25, the categories prescribed by the Cabinet Secretary are:

  1. administering the civil registration and legal identity management systems;
  2. facilitating the conduct of elections for the representation of the people under the Constitution;
  3. overseeing any system for administering public finances by any state organ;
  4. running any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrimes Act, 2018;
  5. offering any form of early childhood education and basic education under the Basic Education Act; or
  6. provision of primary or secondary health care for a data subject in the country.

The Act prohibits the processing of data relating to a child unless consent is given by the child’s parent or guardian and the processing is in a manner that protects and advances the rights and best interests of the child (Section 33 of the Act).


What is a DPIA and why you need to conduct one (section 31 of the DPA and regulations 42-44 of the General Regulations)

A Data Protection Impact Assessment (DPIA) is a process designed to identify high-risk activities arising out of the processing of personal data and to minimise these risks as far and as early as possible. DPIAs are important tools for mitigating risk and for demonstrating compliance with the Act.

High-risk activities requiring a Data Protection Impact Assessment include:

  1. automated decision-making with legal or similarly significant effect;
  2. use of personal data on a large scale for a purpose other than that for which it was initially collected;
  3. processing biometric or genetic data;
  4. where there is a change in any aspect of the processing that may result in higher risk to data subjects;
  5. processing sensitive personal data or data relating to children or vulnerable groups;
  6. combining, linking or cross-referencing separate datasets where the datasets are combined from different sources and where processing is carried out for different purposes;
  7. large-scale processing of personal data;
  8. systematic monitoring of a publicly accessible area on a large scale;
  9. innovative use or application of new technological or organisational solutions; or
  10. where the processing itself prevents a data subject from exercising a right.

Conduct of a Data Protection Impact Assessment: a template is provided under the regulations.

Prior consultation with the Data Commissioner: 60 days from the date of receipt of the impact assessment report.

Nuisance marketing SMS are unwanted text messages that attempt to promote a product, service, aim or ideal to you where you have not given permission to be contacted.

  • Be careful who you give your telephone number to.
  • Don’t advertise your telephone number, for example by putting it on the internet.
  • Check privacy policies and marketing opt-outs carefully. Use them to tell the organisation not to contact you by text.

If you receive marketing by text that you don’t want from an identifiable and legitimate Kenya-based organisation that you know and trust, you should first follow the opt-out instructions provided in the text, which typically involves texting ‘STOP’ to the telephone number or 5-digit short code shown in the message. The organisation should then stop sending you marketing texts. Legitimate, well-known companies will offer opt-outs, and in many cases things can be resolved quickly without us getting involved.

However, if you continue to receive marketing text messages from the organisation despite following the opt-out instructions, you may wish to report this to the ODPC.

Spam texts are marketing text messages (also known as SMS) sent to you without your consent.

Not all marketing text messages sent without consent are spam. Marketing text messages can be sent without prior consent by organisations that obtained your contact details when you bought something from them and are advertising similar products or services. However, these marketing text messages must abide by strict rules regarding their content and must give you the opportunity to opt out.

The processing of personal data is exempt from the provisions of the Data Protection Act if —

  1. the exemption is necessary for national security or public interest;
  2. it falls under a permitted general situation;
  3. it is for journalism or literature;
  4. it is for research, history or statistics;
  5. it is for domestic and household activities; or
  6. an exemption has been granted by the Data Commissioner.

Questions to assess your organisation’s handling of personal data:

  1. When do you need to store data related to a person, and how is it stored?
  2. What type of personal data does your company deal with?
  3. What software / platforms do you use to manage and access the personal data?
  4. How is access to these software / platforms distributed and managed?
  5. How long do you keep the personal data in the systems that you use?
  6. Do you have an up-to-date privacy policy that your customers can view?
  7. How compliant is your company with the Data Protection Act at present?
  8. What issues is Talk Telecom facing when applying the Data Protection Act in your company?

The right to privacy has acquired new significance in the digital age. With the enactment of its Data Protection Act in 2019 and the creation of the Office of the Data Protection Commissioner (ODPC) in 2020, Kenya has made important steps towards ensuring that the privacy of its citizens is protected online.

Let Posh IT be your leading partner in helping you understand and become compliant under the new law.

  • Raising awareness about the importance of data protection, together with civil society partners.
  • Supporting data processors and controllers, from the private sector but also from government, in implementing the data protection standards set out by the new law.

Breach notification within 72 hours

Notify the Data Commissioner within seventy-two hours of becoming aware of a breach, and notify the data subject in writing within a reasonably practical period.

Some questions you might ask yourself:

  • What would your organisation do if it had a data breach incident?
  • Do you have a policy in place that specifies what a data breach is? (It is not just lost USB keys, disks or laptops. It may include any loss of control over personal data entrusted to the organisation, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.)
  • How would you know that your organisation had suffered a data breach? Do staff at all levels understand the implications of losing personal data?
  • Has your organisation specified whom staff should tell if they have lost control of personal data?
  • Does your policy make clear who is responsible for dealing with an incident?
  • Does your policy meet the requirements of the DPA?