THE DATA PROTECTION ACT (KENYA)

Data Protection Act: Introduction

The purpose of the Act is to give effect to Article 31(c) and (d) of the Constitution of Kenya, which guarantee the right to privacy: the right not to have information relating to one's family or private affairs unnecessarily required or revealed, and the right not to have the privacy of one's communications infringed. Data protection is the process of safeguarding personal information in accordance with a set of principles laid down by law.

The Data Protection Bill, which had been the subject of discussion for a number of years, was passed into law on 8th November 2019. It forms part of a wider trend: countries at large have increasingly adopted and implemented data protection laws and frameworks.

The Data Protection Act 2019 has in many ways drawn from the General Data Protection Regulation (GDPR) of the European Union.

These frameworks and laws have developed mainly in response to technological advances which increase the collection, holding and dissemination of personal information, as well as the surveillance of people.


PROVISIONS OF THE ACT & APPLICATION

Data Protection Act: Objectives

  • To regulate the processing of personal data;
  • To ensure that the processing of personal data of a data subject is guided by the principles set out in section 25 of the Act;
  • To protect the privacy of individuals
  • To establish the legal and institutional mechanism to protect personal data; and
  • To provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.

Data Protection Act: Key Definitions

Personal Data: information relating to an identified or identifiable natural person, that person being the "data subject".

Data Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data: information which
  (a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
  (b) is recorded with the intention that it should be processed by means of such equipment;
  (c) is recorded as part of a relevant filing system;
  (d) where it does not fall under paragraphs (a), (b) or (c), forms part of an accessible record; or
  (e) is recorded information which is held by a public entity and does not fall within any of paragraphs (a) to (d).

Sensitive Personal Data: data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Processing: any operation performed on personal data, whether or not by automated means, including
  (a) collection, recording, organisation, structuring;
  (b) storage, adaptation or alteration;
  (c) retrieval, consultation or use;
  (d) disclosure by transmission, dissemination, or otherwise making available; or
  (e) alignment or combination, restriction, erasure or destruction.

The Act imposes a number of obligations on data processors and data controllers in respect of the manner in which personal data is processed and sets out their duties to the data subjects.

The Act establishes the Office of the Data Protection Commissioner and requires that a data controller or data processor be registered with the Data Commissioner before acting as such (the Commissioner may prescribe thresholds below which registration is not required).

The Data Commissioner will be required to maintain a register of the registered data controllers and data processors, which register shall be a public document, available for inspection by any person.

Data Protection Act: Collection of Personal Data

The Act provides that every data controller or data processor shall ensure that personal data is:

  • processed lawfully, fairly and transparently in accordance with the right to privacy;
  • collected for specified and legitimate purposes;
  • limited to what is necessary;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay; and
  • kept in a form which identifies the data subjects for no longer than is necessary.

As a rule, a data controller or data processor ought to collect personal data directly from the data subject.

Notwithstanding the general rule on collection of data directly, the Act provides that personal data may be collected indirectly where the-

  • data is contained in a public record, or the data subject has deliberately made the data public;
  • data subject or their duly appointed guardian has consented to the collection from another source;
  • collection from another source would not prejudice the interests of the data subject;
  • collection of data from another source is necessary for the-
    a) prevention, detection, investigation, prosecution and punishment of crime;
    b) enforcement of a law which imposes a pecuniary penalty; or
    c) protection of the interests of the data subject or another person.

The Act distinguishes sensitive personal data from other personal data and imposes stricter conditions on its processing.

The burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose is borne by a data controller or data processor.

The Act provides that a data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which the data was collected, or a data processor who, without lawful excuse, discloses personal data processed by it without the prior authority of the data controller, commits an offence under the Act.


Data Protection Act: Rights of a data subject

Section 26 of the Act provides that a data subject has a right to-

  • be informed of the use to which their personal data is to be put;
  • access their personal data which is in the custody of data controller or data processor;
  • object to the processing of all or part of their personal data;
  • correction of false or misleading data; and
  • deletion of false or misleading data about them.

Further, a data subject has the right to withdraw consent at any time. Such withdrawal does not, however, affect the lawfulness of processing carried out on the basis of consent given before the withdrawal.

A right conferred on a data subject may be exercised-

  • where the data subject is a minor, by a person who has parental authority or by a guardian;
  • where the data subject has a mental or other disability, by a person duly authorized to act as their guardian or administrator; or
  • in any other case, by a person duly authorized by the data subject.


Data Protection Act: Processing of personal data relating to children

Data controllers or data processors are prohibited from processing personal data relating to a child unless consent is given by the child's parent or guardian and the processing is carried out in a manner that protects and advances the rights and best interests of the child.

Data controllers or data processors are required to incorporate appropriate mechanisms for age verification and consent in order to process the personal data of a child, with the appropriateness of a mechanism determined on the basis of the:

  • available technology;
  • volume of personal data processed;
  • proportion of such personal data likely to be that of a child;
  • possibility of harm to a child arising out of processing of personal data; and
  • such other factors as may be specified by the Data Commissioner.

However, the Act provides that a data controller or data processor that exclusively provides counselling or child protection services to a child may be exempted from the requirement to obtain parental consent.

Data Protection Act: Exemptions and cross-border transfer

The processing of personal data is exempt from the provisions of the Act where it is necessary for national security, where disclosure is required under any written law or an order of the court, or where it is necessary for the prevention or detection of crime.

Further, the Act restricts the transfer of personal data outside Kenya: a data controller or data processor may transfer personal data to another country only where the conditions the Act sets out are met, among them proof of adequate data protection safeguards in the receiving country or the consent of the data subject.

OCL Learning | Training, Consulting, Certification