The Data Protection Act (DPA) was enacted in November 2019, mainly to give effect to Article 31 of the Kenyan Constitution on the right to privacy. Its subjects are, for the most part, data controllers and data processors.
However, the Act has been found to be ambiguous and has invited differing interpretations, hence the need to issue regulations for clarity.
In November 2020, the Data Commissioner was appointed and immediately embarked on developing regulations.
In April 2021, the Commissioner issued the Draft Data Protection Regulations, 2021, consisting of:
i. The Data Protection (General) Regulations, 2021
ii. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
iii. The Data Protection (Compliance and Enforcement) Regulations, 2021
The Regulations are currently undergoing public hearings for input and finalization. On 27th April 2021, the Office of the Data Protection Commissioner organized a virtual public hearing to discuss the General Regulations.
The General Regulations
These are meant to guide subjects on how to comply with the Act.
i. Part I deals with preliminaries such as interpretation and exemptions.
ii. Part II, Enabling the Rights of a Data Subject, deals with how entities enable the rights of persons whose data they collect or process.
The DPA grants individuals several data subject rights regarding the collection and processing of their personal data, which the Regulations spell out:
The Rights of a Data Subject
Organizations will be required to adhere to the rights of the subjects whose data they collect or process. These are covered under Regulations 4 to 12.
Consent – Regulation 4 provides that, for compliance, a data controller or processor must clearly inform an individual what personal data it is collecting and for what purposes, including whether the data will be handled by third parties. While consent may be oral or written, an entity cannot presume consent because the data subject has not objected or because their response is ambiguous.
Obligations:
Entities should ensure they seek the consent of the data subject, clearly indicating what the data is to be used for and by whom.
Regulation 5 expands the meaning of collection to include availing oneself of the personal data of another person by any means, including:
- From another person
- From publications and databases
- Surveillance cameras where a person's features are identifiable
- Internet cookies from websites
- Biometrics such as fingerprint, face or voice recognition
Implications:
Organizations will have to formalize every personal data collection activity. This means that even where a subject has willingly presented themselves at a place of business or interaction where any of their personal data may be collected, entities will need to produce consent documents, such as forms, clearly indicating that personal data will be collected.
Entities should also be aware that subject data they come across that was not directly submitted by its owner can nonetheless qualify as data collection and is subject to the same restrictions. Regulation 5b requires that sensitive personal data be collected only directly from the data subject.
In the author's reading, this effectively also prohibits anonymous collection or tracking of user data, whether of mobile handset users or mobile subscribers, by social media and search platforms such as Google and Facebook, by websites, and so on.
Also, data collected should be used only for the stated purpose. For any new use, fresh consent has to be sought from the subject.
The guiding principles here are therefore:
Data minimization – Entities should collect only the data necessary for the purposes stated to the subject.
Data quality – Personal data collected must be accurate.
Data security – Entities must secure the data they collect. This applies at collection, in storage and in any transfer of the data.
Right of access – The Office of the Data Commissioner provides a form which the subject can fill in to request access to the personal data an entity holds about them. However, a subject can also make an access request by any other method, and the entity should comply with that request.
Right to restrict processing – Under Regulation 6, a data subject who believes they did not willingly give their personal data, that the data an entity holds might contain errors, or that the period for which the entity is allowed to hold the data has expired, can restrict that data from being processed, and the entity holding the data must comply.
Right to object to processing – Related to the right to restrict processing, a person can request an entity to stop doing anything with their data, for instance because they believe they never gave consent, that the entity obtained the data unlawfully, or that the entity has no basis for holding it. Such a request should be complied with immediately and at no cost.
The same form is used for both restriction of and objection to processing, and is annexed to the General Regulations.
Rectification – A subject has the right to have their data rectified by the entity that holds it, for example where they believe the data is misleading or outdated.
The subject will have to show proof that the data is outdated, for example by producing an up-to-date Identification Card or Huduma Card.
Data portability – A subject has the right to have their data ported from one data controller to another, such as from one mobile operator to another, at minimal cost.
Erasure – Also known as the right to be forgotten: a subject can request a data controller to erase their personal data, and the entity shall respond to the request within 14 days.
The ODPC provides Form 5 for this purpose, and compliance with the request shall be free of charge.
Right to opt out – A data processor or controller must comply with a request by a subject to opt out of a data collection process. The option to opt out must be simple, clear and visible, for example a single word such as UNSUBSCRIBE.
Restrictions on Commercial Use of Personal Data
Part III is likely to draw intense interest, especially when it comes to compliance with consent requirements or restrictions.
Sending a catalogue addressed to a subject through any medium, advertising on an online platform a subject is logged into using their personal data, or using data collected via cookies to target a subject, is deemed commercial use of personal data. So is sending a message about a sale or other advertising material using personal data provided by the subject.
Direct marketing may be permitted where no sensitive personal data is used, the marketer has collected the personal data from the subject, and the subject has been notified that direct marketing is one of the purposes of the data collection.
In the Covid era, with in-house restaurant dining prohibited and many other retail outlets operating at a slower pace, online marketing, especially offers sent to users via SMS, has been on the rise.
Compliance with this provision will therefore require such eateries, online retailers, supermarkets and taxi companies to cease sending unsolicited direct marketing messages to users whose data or contacts they gathered in the course of doing business.
The Regulations will allow direct marketing only where the recipient has been informed of, and has consented to, the use of their information for that purpose.
Obligations of Data Controllers and Data Processors
Concomitant with the rights of a data subject are further obligations on entities that control or process personal data. These are contained in Part IV of the General Regulations and include:
Limitation on retention – Entities should state how long they will hold a subject's personal data, and erase it once that period has passed.
Requests to anonymize or pseudonymize – Entities should accede to a subject's request to anonymize or pseudonymize their personal data.
Sharing of personal data – Entities can share personal data with other entities or third parties provided the request is made in writing, clearly stating the reasons for the data to be shared, and a data sharing agreement is concluded between the two entities.
Sharing of such data within the organizational structure of a data controller or data processor shall not be treated as data sharing.
Automated individual decision making – Where a data controller or processor processes subject data by automated means without human involvement, it should inform the subject of this, provide the logic or algorithmic process used, explain the significance of the processing and, where large amounts of data are involved, carry out a data protection impact assessment. It should also ensure the automated process is free of errors.
At any point, a subject can seek the intervention of a human being.
Data Protection Policy – Data controllers and processors will be required to have in place a Data Protection Policy, which must be publicly available. Among other things, the Policy must tell subjects which data the entity collects, how subjects can access their data, the process for handling complaints, how long the entity intends to hold the data, and whether it collects data on vulnerable people such as children and the criteria used.
Agreements between Data Controllers and Data Processors – Subject to Section 42(2) of the DPA, a data controller can engage a data processor through a written agreement containing the controller's instructions to the processor. An example is a Mobile Network Operator or a Bank and its Agent.
Should such a processor wish to engage a further third party in the processing activities, it must obtain the consent of the data controller.
Data Localization
Regulation 25 provides that data collected and processed for a public good, as defined in paragraph (2) of the same regulation, shall be processed through a server and data centre located in Kenya. This includes civil registration, revenue administration, schools, national payment systems and so on.
Private data processing is therefore not subject to this requirement. However, the Cabinet Secretary can require such data to be processed in Kenya if, in the course of processing, the data is breached or the DPA is violated and the entity has taken no remedial measures.
Data Protection by Design and by Default
Regulation 26 provides for data protection by design and by default, which essentially means that data protection concerns must be integrated into every step of data processing.
To demonstrate compliance to the Data Commissioner, an entity will need to show the technical and organizational measures it has taken to ensure, for example, data minimization (only the necessary data is collected and processed), pseudonymization, a defined retention period, controlled access to the data, and restrictions on data sharing.
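As an added illustration (not part of this article, the Act or the Regulations), the Python sketch below shows what "technical measures" for by-design and by-default processing can look like in code: a keyed pseudonym stored in place of the national ID number, refusal of fields the stated purpose does not need (data minimization), erasure on request, automatic erasure at the end of the declared retention period, and the 72-hour deadline that the section on breach notification describes. The field names, the key, the retention period and the in-memory store are assumptions made for the example; a real deployment would keep the key in a secrets store and the records in a database.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed for illustration: the only fields the stated purpose needs.
# Anything else offered at collection is refused (data minimization).
ALLOWED_FIELDS = frozenset({"name", "phone", "purposes"})

# Assumed retention period the entity declares in its Data Protection Policy.
RETENTION = timedelta(days=365)

# Notification window: 72 hours from the entity becoming aware of a breach.
NOTIFY_WINDOW = timedelta(hours=72)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier (e.g. a national ID number) with an
    HMAC-SHA256 token. A plain hash of a low-entropy ID could be rebuilt by
    brute force; the secret key, held apart from the data set, prevents that.
    The token is pseudonymous, not anonymous: the key holder can re-link it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class PersonalDataStore:
    """In-memory stand-in for a real database, showing the control points."""

    def __init__(self, key: bytes, retention: timedelta = RETENTION):
        self._key = key
        self._retention = retention
        self._records = {}  # pseudonym token -> {"fields": ..., "collected_at": ...}

    def collect(self, identifier: str, fields: dict, collected_at: datetime) -> str:
        """Store only permitted fields, keyed by pseudonym, with a timestamp."""
        extra = set(fields) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"fields not needed for the stated purpose: {sorted(extra)}")
        token = pseudonymize(identifier, self._key)
        self._records[token] = {"fields": dict(fields), "collected_at": collected_at}
        return token

    def lookup(self, identifier: str):
        """Access request: return the subject's own fields, or None."""
        rec = self._records.get(pseudonymize(identifier, self._key))
        return None if rec is None else dict(rec["fields"])

    def erase(self, identifier: str) -> bool:
        """Erasure request: remove the record; True if something was deleted."""
        return self._records.pop(pseudonymize(identifier, self._key), None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Retention limit: erase records older than the declared period."""
        expired = [t for t, r in self._records.items()
                   if now - r["collected_at"] > self._retention]
        for t in expired:
            del self._records[t]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)


def breach_notification_deadline(became_aware: datetime) -> datetime:
    """Latest time to notify the Data Commissioner: 72 hours from awareness."""
    return became_aware + NOTIFY_WINDOW


def demo() -> dict:
    """Constructed walkthrough on made-up data; returns the results as a dict."""
    key = b"example-key-use-a-kms-in-production"  # assumption: never hard-code a real key
    t0 = datetime(2021, 5, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(key)

    token = store.collect("12345678", {"name": "A. Subject", "phone": "+254700000000",
                                       "purposes": ["service"]}, t0)
    try:  # a field outside the stated purpose is refused
        store.collect("87654321", {"name": "B. Subject", "religion": "x"}, t0)
        minimization_enforced = False
    except ValueError:
        minimization_enforced = True

    found = store.lookup("12345678")
    erased = store.erase("12345678")
    store.collect("11111111", {"name": "C. Subject"}, t0)
    purged_early = store.purge_expired(t0 + timedelta(days=30))
    purged_late = store.purge_expired(t0 + RETENTION + timedelta(days=1))
    return {
        "token_is_not_raw_id": "12345678" not in token,
        "minimization_enforced": minimization_enforced,
        "found": found,
        "erased": erased,
        "purged_early": purged_early,
        "purged_late": purged_late,
        "remaining": len(store),
        "deadline": breach_notification_deadline(t0).isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the code makes that the paragraph does not: pseudonymized records are still personal data under the Act, because whoever holds the key can re-identify them, so the key needs the same access controls as the identifiers it replaces; and the retention check has to be driven by a recorded collection timestamp, otherwise "we erase after the declared period" cannot be demonstrated to the Commissioner.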
Notification of Personal Data Breach
Where sensitive and identifying data held by an entity is breached, or unintentionally becomes publicly available or available to unauthorized persons, a notifiable data breach is deemed to have occurred as per Section 43 of the Data Protection Act.
Such data includes:
- The subject's full name or ID number
- Bank information
- Health information
- Electronic passwords
The entity must notify the Data Commissioner of the breach within 72 hours of becoming aware of it, describing:
- The date, nature and circumstances of the breach
- A chronology of the entity's response after it became aware of the breach
- The number of persons affected and the likely harm to them
- Any action taken to eliminate or mitigate that harm and to rectify the cause of the breach
Transfer of Data outside Kenya
Transferring data to entities outside Kenya is not allowed without the subject's consent. Further, the destination country must either have a reciprocal agreement with Kenya, have comparable data protection rules as determined by the Data Commissioner, or be a signatory to the Malabo Convention (the African Union Convention on Cyber Security and Personal Data Protection).
The transferring entity must also ensure that the recipient of the data accords it the required protection.
This provision may prove difficult for entities to comply with, especially the consent requirement. It has been suggested that entities which already hold data processing consent from subjects such as customers should only be required to ensure the data is transferred to a country with adequate data protection laws.
Data Protection Impact Assessment
Prior to high-risk processing of personal data, entities will be required to carry out a data protection impact assessment (DPIA).
Examples are the processing of biometric or genetic data, large-scale use of data for a purpose other than that for which it was initially collected, a change in the way the entity processes data, and so on, as provided for under Regulation 42.
A DPIA may be necessary for all data controllers and processors to perform before seeking to comply with the Data Protection by Design and by Default requirements.
The Data Commissioner may also, subject to Section 23 of the Data Protection Act, carry out periodic audits to assess compliance.
Provision of Exemptions
The Regulations in Part VIII provide for when exemptions can apply:
- For national security purposes, there is a very high threshold, reserved for the public entities covered under Article 239(1) of the Constitution: the Kenya Defence Forces, the National Police Service and the National Intelligence Service. Anyone else seeking an exemption on national security grounds will need to apply to the Cabinet Secretary for Information for the exemption.
- Public interest purposes, such as reporting missing persons, preventing unlawful activity, asserting a legal or equitable claim, and so on.
- Permitted health reasons, such as collecting and processing data for the purposes of providing a health service or carrying out a health study or research.
General Provisions
Compounding of offences – The Data Commissioner, with the concurrence of the Director of Public Prosecutions, can compound an offence with the written consent of the offender.
This avoids court proceedings: the offender can be ordered to pay up to two-thirds of the maximum fine that would have been imposed upon conviction. The fine is payable within 14 days, failing which the Data Commissioner shall institute proceedings against the offender.