For a long time in Kenya, there were concerns that the lack of comprehensive personal data protection legislation continued to expose citizens to various risks with respect to their privacy. Whereas the right to privacy was provided for under the Constitution of Kenya, for a long time Kenya did not have data protection legislation in place. This ended recently when the President assented to the Data Protection Bill. The stated objectives of the Act are to regulate the processing of personal data, to provide for the rights of data subjects and the obligations of data controllers and processors, and to establish the legal and institutional framework for the protection of personal data.
In this write-up, we highlight some salient provisions of the Act.
Application
The Act applies to data controllers or processors handling data received through all means. Data controllers are broadly defined to mean persons (whether private or public) who determine the purpose and means of processing of personal data, while data processors are persons who process personal data on behalf of the data controller. The Act makes it mandatory for any person intending to act as a data controller or processor to register with the Commissioner upon furnishing the prescribed information. Notably, this Act applies both to controllers and processors established or resident in Kenya who process personal data while in Kenya, and to those not established or resident in Kenya but who process personal data of data subjects located in Kenya.
Institutional Framework
The Act establishes the Office of the Data Protection Commissioner, to be appointed by the PSC, with the mandate of overseeing the implementation and enforcement of the Act, establishing and maintaining a register of data controllers and data processors, and exercising oversight over data processing operations. In addition, the Commissioner is empowered to receive and process complaints on infringement of rights under the Act and to carry out inspections of public and private entities.
Principles on Data Protection
The Act sets out principles of data protection, which we discussed in our previous publication. These principles have been incorporated into laws governing the capital markets, telecommunication sector, the electoral process as well as employment laws.
Rights of Data Subjects
Section 26 of the Act sets out various rights that a data subject is entitled to. These include the right to be informed of the use to which their personal data is to be put, to access their personal data in the custody of a data controller or data processor, to object to the processing of all or part of their personal data, to correction of false or misleading data, and to deletion of false or misleading data about them. Data subjects are also entitled to be notified of the fact that personal data is being collected, the purpose for which the personal data is being collected, and the third parties to whom their personal data has been or will be transferred.
Collection and Processing of Data
The Act requires a data controller or processor to collect personal data directly from the data subject. In exceptional circumstances, however, the data may be collected indirectly. These include cases where the data is contained in a public record, where the data subject has deliberately made the data public, where the data subject has consented to collection from another source, where collection from another source would not prejudice the interests of the data subject, where the intended collection is for the prevention, detection, investigation, prosecution and punishment of crime, or where the collection is for the protection of the interests of the data subject or another person.
Concerns have been raised as to whether these exceptions defeat the purpose of the protections given under the Act.
A data controller or data processor shall also not process personal data, unless the data subject consents to the processing or the processing is otherwise permitted under the Act.
Commercial Use of Data
The Act outlaws the use of data for commercial purposes unless the data subject consents to it or the use is permitted under law and the data subject has been informed of such use. The Act further provides that a data controller or data processor that uses personal data for commercial purposes shall, where possible, anonymize the data in such a manner as to ensure that the data subject is no longer identifiable. The Cabinet Secretary is required to come up with guidelines for commercial use of personal data.
Data Breach
Section 43 of the Act requires that where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, the data controller shall notify the Commissioner within 72 hours of becoming aware of the breach and communicate the breach to the data subject.
Data Transfer Outside Kenya
The Act prohibits transfer of personal data to other jurisdictions unless the transferee is subject to a law or agreement relating to the protection of personal data, the data subject consents to the transfer, or the transfer is necessary for the performance of a contract between the agency and the transferee and the transfer is for the benefit of the data subject.
Conclusion
This Act is important as it is anticipated that it will strengthen the protection of personal data and afford protection of the right to privacy for Kenyans. Putting in place the institutional framework to ensure compliance, committing the financial and skills resources required, and securing the support of stakeholders such as the judiciary and the industry regulators will be key to the successful implementation of the Act.
Article by Enock Mulongo