Keywords in the Data Protection Act, 2019
Veronica Rose, CISA, CDPSE
IS Auditor | Certified CISO | Board Director at ISACA Foundation | Published Author | Director, ISACA Board of Directors 2021 - 2023 | Speaker | Member of NACD
On 8 November 2019, the Data Protection Act, 2019 (the DPA) was passed into law by Kenya’s Parliament and subsequently gazetted. It is set to come into force on 25 November 2019.
On the collection of personal data, the Act recognizes that data can be collected indirectly, that is, from a source other than the data subject. Such circumstances include collection from public sources, with consent from the data subject, or from a source that will not prejudice the interests of the data subject. The Act also recognizes that indirect collection of personal data from other sources may be necessary in order to prevent, detect, investigate, prosecute or punish a crime; to enforce a law; or to protect the interests of the data subject or a person.
The DPA applies to both natural and legal persons as well as to public authorities, agencies and other bodies. It also applies extra-territorially to entities that are not established or ordinarily resident in Kenya but which process personal data of data subjects located in Kenya. It has far-reaching implications for the manner in which personal data is required to be handled.
Below are the keywords that you should familiarize yourself with.
Data - means information which:
a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
b) is recorded with intention that it should be processed by means of such equipment;
c) is recorded as part of a relevant filing system;
d) forms part of an accessible record and it does not fall within a-c;
e) is recorded information which is held by a public entity and does not fall within a-d above.
Data Controller - means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. This extends to anyone who collects data through automated processes for a certain purpose.
Data Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. This covers third parties who do not collect the data directly from the subject but who, through their relationship with the data controller, have access to such data and process it, e.g. financial service firms (controllers) that collect customer data (data subject) and partner with payment service providers or software solution vendors (processors).
Data Subject - means an identified or identifiable natural person who is the subject of personal data. Other classes of legal persons like corporates etc. are not protected. Further, only Kenyan residents are protected.
Personal Data - means any information relating to an identified or identifiable natural person. This covers identifiers such as names, home address, e-mail address, I.D. number, location address, advertising identifiers etc.
Personal Data Breach - means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, personal data transmitted, stored or otherwise processed. This obviously has implications for existing business policies.
Processing - means any operation or sets of operations which is performed on personal data or on sets of personal data such as:
a) Collection, recording, organisation, structuring;
b) Storage, adaptation or alteration;
c) Retrieval, consultation or use;
d) Disclosure by transmission, dissemination or otherwise making available; or
e) Alignment or combination, restriction, erasure or destruction.
Notably, just collecting the information is regarded as processing.
Conclusion:
Given its wide applicability, the Data Protection Act, 2019 is set to affect operations across all sectors of commerce where personal data is handled including banking and financial services, healthcare, transport, telecommunications, education, media, hospitality, consumer goods and retail, etc. It also imposes civil and criminal sanctions for non-compliance with its provisions. It is therefore important for all entities that handle such data to familiarize themselves with the provisions of the Data Protection Act, 2019 and to ensure that their operations are carried out in compliance with its requirements.