Insights on Data Protection by Design and Default

In the firm’s OCO Roundtable Episode on Building a Privacy Centric Culture, we discussed key considerations that businesses ought to factor into their operations to promote data protection by design and default. Whilst it is not intended to rehash the guidelines set out in that podcast episode, we thought it prudent to dissect a Determination of the Office of the Data Protection Commissioner (the “ODPC”) on this fundamental concept.

 

Data protection by design and default requires data handlers to have data protection at the core of their business decisions. This entails integrating data protection at every stage of their operations. As the United Kingdom’s Information Commissioner’s Office likes to put it, data protection must be ‘baked into’ the data processing and business activities.

 

In ODPC Complaint No. 1685 of 2023 – Simon Mukabane Okwomi v. National Health Insurance Fund, the ODPC was called upon to determine whether the National Health Insurance Fund (the “Respondent/NHIF”) had violated the privacy rights of Simon Mukabane Okwomi (the “Complainant”) by including unknown people as beneficiaries under his medical cover.

 

The Complainant wrote to NHIF demanding the immediate removal of these unknown beneficiaries; however, NHIF failed to adhere to his request for rectification. Notwithstanding that NHIF violated the Complainant’s right (as a data subject) to rectification, it was revealed that the inclusion of unknown beneficiaries was attributable to NHIF’s failure to incorporate in its ICT systems a safeguard to confirm a data subject’s identity prior to updating their beneficiaries. As a result, unknown beneficiaries could be added to a member’s cover inadvertently.

 

Under section 41 of the Data Protection Act (Cap 411C, Laws of Kenya) (the “DPA”), data handlers are required to put in place appropriate technical and organisational measures that promote the data protection principles and integrate relevant safeguards into their processing activities. In its response to the complaint, the Respondent confirmed that it had not incorporated the necessary validation control to confirm the Complainant’s beneficiaries. On that basis, the ODPC found that the Respondent’s systems did not pass muster with the requirements of section 41 of the DPA and, consequently, that the Respondent did not fulfil its obligations under that section.

 

One way of ensuring that a business upholds data protection by design and default is conducting a Data Protection Impact Assessment (“DPIA”). A DPIA ensures that a data subject is specially considered when designing a system. This consideration not only ensures that privacy is at the centre but also ensures that the integrity of the system is maintained to avoid it being susceptible to data breaches. In the NHIF case, we can conclude that conducting a DPIA at the design stage of a project is useful in helping a data handler identify and mitigate data breach risks throughout the life cycle of its data processing activities.

 

Data protection by design and default requires data handlers to take proactive measures such as verification to ensure that safeguards are effectively implemented and continuously updated to respond to new risks and deficiencies. In this regard, it is imperative for a data handler to periodically audit (and if required update) its systems to improve the integrity of the systems.

 

In our podcast episode, we highlighted other benefits of building a culture that centres data protection by design and default. You can listen to this podcast episode on Spotify, Apple Podcasts and YouTube using this link (Building a Privacy Centric Culture).
