Does your business collect personal information from clients? Do you seek consent before collecting it? Do you explain the purpose for collecting such information? How long do you store the information?
BACKGROUND
Article 31 of the Constitution of Kenya 2010 guarantees the right to privacy which includes the right not to have information relating to one’s family or private affairs unnecessarily revealed or the privacy of one’s communications infringed. With technological advancement and the growth of delivery of goods and services through the internet, it became necessary to lay down principles under which processing of personal data ought to be done. On 8th November 2019, the Data Protection Act No. 24 of 2019 (the “Act”) was signed into law to establish a comprehensive data protection regime in Kenya.
The Act came in the wake of the European Union General Data Protection Regulation (GDPR) and is closely modelled on its provisions. It provides the legal framework for protecting a person’s privacy wherever their personal data is collected, stored, used or otherwise processed by another person, and it applies to any person who collects or processes personal data.
KEY PROVISIONS OF THE ACT
Definitions in The Act
The following words have been defined in the Act as follows: –
- “Data” means information which is processed automatically by means of equipment; is recorded with the intention that it should be so processed; is recorded as part of a relevant filing system; forms part of an accessible record; or is recorded information held by a public entity.
- A “Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
- A “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller.
- A “Data Subject” means an identified or identifiable natural person who is the subject of personal data.
- “Personal data” means any information relating to an identified or identifiable natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “Processing” means any operation performed on personal data, including collection, recording, organisation, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Office of the Data Protection Commissioner (the “DPC”)
The Act establishes the office of the Data Protection Commissioner, who has wide-ranging powers to ensure compliance with the Act, including the investigation of offences and the penalising of offenders.
Data Controllers and Data Processors are required to register with the DPC, and it is an offence to act as a data controller or data processor without being registered.
The principles guiding data protection
The Act requires Data Controllers and Data Processors to process personal data in accordance with certain principles. These include: –
- Processing in accordance with the right to privacy;
- Lawful, fair and transparent processing;
- Collection only for explicit, specified and legitimate purposes;
- Adequacy, relevance and limitation of the data to what is necessary for those purposes;
- Collection of information relating to family or private affairs only where a valid explanation is provided to the data subject;
- Accuracy and, where necessary, keeping data up to date, with inaccurate data corrected or erased without delay;
- Retention for no longer than is necessary for the purpose for which the data was collected;
- Transfer outside Kenya only with the data subject’s consent or upon proof of adequate data protection safeguards.
The implication is that entities must now be proactive: they must process data lawfully, minimise the data they collect, restrict further processing, ensure data quality, and establish and maintain security safeguards to protect personal data. It is prudent to undertake a data mapping exercise to establish the volume and classification of the data an entity collects and stores, whether in its systems or manually. Where data already held is irrelevant, unnecessary, or was obtained without the data subject’s consent, the entity will need to decide how to deal with it, for example by deleting it or by obtaining a lawful basis for continued processing.
The rights of data subjects
The Act provides for the rights of data subjects in relation to their personal information. These include: –
a. Right to be informed of the use to which their data is to be put;
b. Right to access their data held by a data controller or data processor;
c. Right to object to the collection or processing of all or part of their personal data;
d. Right to correction of false or misleading data;
e. Right to deletion of false or misleading data about them;
f. Right to data portability, that is, to receive their data in a machine-readable format within a reasonable time.
These rights broadly fall within the areas of consent and accuracy. Entities must structure their processes so that these rights can be honoured whenever a data subject chooses to exercise them, and they have a duty to notify the data subject of all their rights regarding data processing. Where processing is based on consent, the burden of proving that consent was obtained lies with the Data Controller or Data Processor.
Duties of companies and other agencies
The Act sets out various duties of entities collecting or processing personal data. These include the duty to: –
- Notify the data subject that their information is being collected; the purpose for which it is being collected; the contact details of the company and the intended recipients of the information; the consequences of failing to provide the required information; and their right of access to, and correction of, the data collected.
- Not profile data subjects on the basis of the information collected or processed, unless the information was collected by a public body for purposes of maintaining law and order.
- Adopt the necessary measures to ensure the protection and security of personal data by identifying reasonably foreseeable internal and external risks and establishing, maintaining and updating appropriate safeguards against the identified risks.
- Observe generally accepted security practices and procedures, including any specific industry or professional rules and regulations.
- Notify the Data Protection Commissioner, and the affected data subjects, of any personal data breach that presents a real risk of harm to the data subjects; the notification to the DPC must be made within 72 hours of becoming aware of the breach.
- Take the necessary steps to restore the integrity of the affected information system where personal data has been compromised.
- Correct, delete or destroy false or misleading data within a reasonable time of a written request by the data subject.
- Not use personal data for commercial purposes without the consent of the data subject, unless authorised by law.
- Not transfer personal data to another country without giving the DPC proof of appropriate safeguards for the security and protection of the data.
However, there are circumstances under the Act in which entities are exempt from some of these duties. These include where the information is already publicly available, where the data subject has authorised collection of the data from a third party, or where the information is being collected to detect or prevent crime or to protect national security.
Offences and penalties
The Act creates offences and penalties that apply to bodies corporate and to any officers responsible for the commission of the offences, including: –
- Obstructing the DPC in the performance of its functions, which attracts a fine not exceeding Kshs. 5,000,000/= or imprisonment for a term not exceeding two years, or both.
- Processing data in any manner contrary to the provisions of the Act, which may attract an administrative fine of up to Kshs. 5,000,000/= or, in the case of an undertaking, up to 1% of its annual turnover for the preceding financial year, whichever is lower.
Data Protection Officer
The Act creates the position of Data Protection Officer as the data controller’s or data processor’s internal liaison on data protection matters. The officer’s role is to ensure compliance with the Act and to coordinate with the DPC’s office.
The Data Protection Officer must have the relevant academic or professional qualifications, which may include knowledge of data protection matters. The Data Controller or Data Processor must publish the contact details of the Data Protection Officer on its website and communicate them to the DPC.
CONCLUSION
It is up to entities that collect personal data to put in place internal strategies to protect it. Failure to collect and use data properly exposes data subjects to identity theft, misuse of their personal information, unauthorised distribution or sale of their data, financial loss and erosion of privacy, and exposes the entity to penalties under the Act, for example where data is repurposed for uses other than those for which it was collected. Entities therefore need to invest in awareness and training, continuous monitoring and log analysis, continuous risk assessment, vulnerability and patch management, and independent reviews.
Please reach out to ponyango@aliumlaw.com if you require specific advice on the Data Protection Act, 2019.
