The right to privacy is guaranteed as a fundamental right in Kenya’s constitution. The Data Protection Act cap 2019 was enacted and went into effect on November 25, 2019, to give effect to this constitutional right under Article 31(c) and (d). The regulations were published in the National Gazette on January 14, 2022, with the following sets of regulations approved:
- The Data Protection (General) Regulations of 2021, which went into effect immediately.
- The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, which are now in effect.
- The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which went into effect on July 14, 2022.
Why was the Data Protection Act Enacted?
What was the purpose of enacting the Act?
The Act was passed by Kenya’s parliament to:
- Give effect to Article 31(c) and (d) of the Constitution;
- Establish the Office of the Data Protection Commissioner;
- Make provisions for the regulation of personal data processing;
- Establish data subjects’ rights and obligations.
i) Data controller – A natural or legal person, public authority, agency, or other body that determines the purpose and means of processing personal data, either alone or in collaboration with others.
ii) Data processor – A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller, either alone or in collaboration with others.
Purpose of the Act
- To govern the handling of personal data;
- To protect individuals’ privacy;
- To establish a legal and institutional mechanism to protect personal data; and
- To provide data subjects with rights and remedies to protect their personal data from improper processing under this Act.
- To ensure that the processing of a data subject’s personal data is guided by the principles outlined in Section 25; that is, every data controller or data processor must ensure that personal data is:
- Processed in accordance with the data subject’s right to privacy;
- Processed lawfully, fairly, and transparently in relation to any data subject;
- Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected.
- Accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified as soon as possible;
- Retained in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
- Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
Data Protection Principles
Every data controller or data processor shall ensure that personal data is:
- Processed in accordance with the right to privacy of the data subject;
- Processed lawfully, fairly and in a transparent manner in relation to any data subject;
- Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
- Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
- Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
Registration Requirements
The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner for a data processing and controlling licence, which is renewable every 3 years.
Exemptions
The processing of personal data is exempt from the provisions of this Act if:
- It relates to processing of personal data by an individual in the course of a purely personal or household activity;
- It is necessary for national security or public interest; or
- Disclosure is required by or under any written law or by an order of the court.
Transfer of personal data outside Kenya
A data controller or data processor may transfer personal data to another country only where:
- The data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data;
- The data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws;
- The transfer is necessary —
- For the performance of a contract between the data subject and the data controller or data processor or implementation of precontractual measures taken at the data subject’s request;
- For the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
- For any matter of public interest;
- For the establishment, exercise or defense of a legal claim;
- In order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- For the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Implications for non-compliance
- Kenya’s Data Protection Act dictates that, for companies, infringement of the provisions of the Act will result in a fine of up to 5 Million Kenya Shillings.
- In the case of an undertaking, the Act dictates that the fine will be 1% of the company’s annual turnover for the preceding financial year, unless that is more than 5 Million Kenya Shillings, in which case the fine will be 5 Million Kenya Shillings.
- The Act makes individuals liable to a maximum fine of 3 Million Shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.
Recent Developments
- The Data Protection Act (DPA) establishes the Office of the Data Protection Commissioner (the “ODPC”) headed by a Data Commissioner (Ms. Immaculate Kassait).
- The ODPC has launched its official website, odpc.go.ke, which aims to be a resource tool for the provision of data protection information such as guidelines, compliance requirements and rights of data subjects.
- In January 2021, the Cabinet Secretary for Information, Communications, Technology, Innovation and Youth Affairs constituted the Taskforce on the Development of Data Protection General Regulations to develop data protection regulations, conduct a comprehensive audit of the DPA, identify gaps in the law and propose amendments.
- The Data Commissioner has issued two Guidance Notes: (1) Guidance Note on Consent and (2) Guidance Note on Data Protection Impact Assessment. The Guidance Note on Consent provides guidance on the processing of personal data on the basis of consent whereas the Guidance Note on Data Protection Impact Assessment provides guidance to data controllers and data processors on when and how to conduct Data Protection Impact Assessments.
- In addition, the Data Commissioner has prepared the following draft Guidelines:
- Guidelines on Registration of Data Controllers and Processors;
- Certification of Data Controllers and Processors;
- Appointment of Data Protection Officers;
- Data Sharing Code and Enforcement.
To determine whether the Act affects your industry and to determine your level of compliance, please contact the below for assistance:
Mayfair Business Centre, 2nd Floor
P.O. Box 6358-00100 Nairobi,
+254 715 248882 | +254 733 533449
www.mgkconsult.co.ke