The substantive statute that governs data protection in Kenya is the Data Protection Act, 2019 (the DPA) that came into force on 8th November 2019. Pursuant to the DPA, the Cabinet Secretary for matters relating to information communication and technology (the Cabinet Secretary) has prescribed various regulations concerning data protection that elaborate on the provisions of the DPA in procedural terms. Key amongst these are the Data Protection (General) Regulations, 2021 (the General Regulations).
The General Regulations elaborate inter alia on the rights of data subjects, the restrictions on the commercial use of personal data, the obligations of data processors and data controllers, reporting on data breaches and stipulations for the transfer of data outside of Kenya. The General Regulations also expound on data protection impact assessments and provide for exemptions.
Rights of Data Subjects
The DPA outlines six (6) rights of data subjects: the right to be informed of the use of personal data; the right to have access to personal data; the right to object to the processing of personal data; the right to correct false or misleading data; the right to port or copy personal data; and the right to delete false or misleading data.
In relation to the right to be informed of the use of personal data, the General Regulations oblige data controllers and data processors who want to rely on consent as the legal basis for processing personal data to ensure that the data subject is informed of the identity of the data controller or data processor; the purpose of each of the processing operations for which consent is sought; the type of personal data that is collected and used; where applicable, information about the use of the personal data for automated decision-making; the possible risks of data transfers due to the absence of an adequacy decision or appropriate safeguards; whether the personal data processed shall be shared with third parties; the right to withdraw consent; and the implications of providing, withholding or withdrawing consent.
It is important to note that a data processor or data controller may process data without consent if the processing is necessary for any of the reasons set out under the DPA. Such reasons include where it is necessary for the performance of a contract; compliance with any legal obligations; protection of the vital interests of the data subject; performance of a task carried out in the public interest or by a public authority; and for purposes of historical, statistical, journalistic, literature, art or scientific research. A data controller or data processor is required to establish the basis before processing any personal data and should be able to demonstrate it.
The General Regulations allow for personal data to be collected indirectly from a third party, through publications, surveillance cameras, web browsing or biometric technology. Data controllers and data processors are required to notify the data subject within fourteen (14) days of such indirect collection. Where a data controller or data processor intends to use personal data for a new purpose, the data controller or data processor is required to ensure that the new purpose is compatible with the initial purpose for which the personal data was collected. In addition, where the new purpose is not compatible with the initial purpose, a data controller or data processor is required to seek fresh consent from the data subject.
Data subjects can assert their rights under the DPA by using the prescribed procedure and prescribed forms under the General Regulations to apply for restriction of processing of their personal data; object to the processing of their personal data; access their personal data; port their personal data from one data controller or data processor to another; or have their personal data erased. Any decision to decline any of these requests must be communicated with reasons for the denial to the data subject.
It is worth noting that the rights of a data subject can be exercised by other people authorised by the data subject. In cases of data collection from children, consent of the child’s parent or guardian is required to be obtained. The DPA prohibits the profiling of a child for direct marketing purposes. The parent or guardian is required to be made aware of the inherent risks of processing the data of a child and the security measures put in place to minimize the risks.
Commercial Use of Personal Data
Commercialization of personal data occurs when the personal data of a data subject is involved in the promotion of economic interests, including inducing another person to buy, rent, lease, join, subscribe to or exchange products, property, information or services that enable or complete a business transaction. The General Regulations set out instances which constitute use of personal data for the purposes of direct marketing, including sending a catalogue through any medium to a data subject; displaying an advertisement on an online media site that a data subject is logged onto, via the use of their personal data; and sending an electronic message or any other advertising material to a data subject about a sale using personal data provided by the data subject.
Commercial use of personal data is authorized if the data controller or data processor has collected the personal data from the data subject; the data subject has been informed by the data controller that direct marketing is among the purposes for which the data is collected; and the data subject has consented to the same or has not submitted an opt-out request.
Data controllers and data processors are prohibited from sending messages for purposes of direct marketing unless such messages contain an option allowing the data subjects to restrict such communication without incurring any charges. Data subjects are also allowed to request a data controller or data processor to restrict use or disclosure of their personal data to a third party for the purpose of facilitating direct marketing at no cost. The data controller or data processor is obliged to honour such a request within seven (7) days of the request. In addition, the General Regulations prohibit sending of emails for the purposes of direct marketing where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; where a valid address to which the recipient of the communication may send a request that such communications should cease has not been provided; or where there is use of automated calling systems without human intervention.
Obligations of Data Controllers and Data Processors
The General Regulations oblige data controllers and data processors to develop, publish and regularly update their data protection policies. For instance, they are required to maintain a data retention schedule with appropriate time limits for the periodic review of whether continued storage of personal data is still necessary, and to erase, delete, anonymise or pseudonymise personal data once the retention period is reached or the purpose for which the personal data was collected has lapsed. The retention schedule is required to outline the purpose for retention, the retention period, provision for periodic audit of the personal data retained and the actions to be taken after the audit of the personal data retained.
In relation to automated individual decision making, the General Regulations mandate data controllers and data processors to adhere to certain prescribed requirements. These include informing a data subject when engaging in processing based on automated individual decision making; providing meaningful information about the logic involved; explaining the significance and envisaged consequences of the processing; ensuring the prevention of errors; using appropriate mathematical or statistical procedures; putting appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors; and ensuring that a data subject can obtain human intervention and express their point of view.
The General Regulations further require that data controllers engage data processors through a contract which contains the prescribed information. Data processors are prohibited from engaging the services of a third party without prior authorisation of the data controller. If a data controller authorises the data processor to engage a third party, the data processor is required to enter into a contract with the prescribed information with the third party. However, the data processor would remain liable to the data controller for the compliance of any third party involved.
The General Regulations also prescribe certain types of processing that are of strategic interest to the State. Such processing must be carried out through a server and data centre located in Kenya, or at least one serving copy of the personal data concerned must be stored in a data centre located in Kenya. These types of processing include administering the civil registration and legal identity management system and overseeing any system for administering public finances by a State organ, among others.
Notification of Personal Data Breaches
In instances where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller is required to notify the Data Protection Commissioner (DPC) within seventy-two (72) hours of becoming aware of such breach, and to communicate the breach to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established. The General Regulations expound on the categories of notifiable breaches, which include a data breach that relates to personal identification numbers, account information, passwords, security codes or biometric data, among others. This excludes any personal data that is publicly available. The General Regulations also prescribe the details that should be included in the notification to the DPC.
Transfer of Personal Data Outside Kenya
Generally, transfer of personal data outside Kenya is allowed if it is based on appropriate data protection safeguards; an adequacy decision made by the DPC; transfer as a necessity; or with the consent of the data subject. The General Regulations outline the elements of these conditions and allow parties to enter into agreements for the transfer of personal data.
Data Protection Impact Assessment
A data protection impact assessment (DPIA) is defined under the DPA as an assessment of the impact of the envisaged processing operations on the protection of personal data. A DPIA is required to be undertaken where the data processing operations may result in high risks to the rights and freedoms of a data subject and a report on the same is to be submitted to the DPC at least sixty (60) days before the processing of such personal data commences. The General Regulations outline examples of such activities to include large scale processing of personal data, processing biometric or genetic data, among others.
Provisions on Exemptions under the DPA
Generally, the processing of personal data is exempt from the provisions of the DPA if it relates to processing of personal data by an individual during a purely personal or household activity; it is necessary for national security or public interest; or disclosure is required by or under any written law or by an order of the Court. The General Regulations expound on this and allow data controllers or data processors who are national security organs and need to process personal data in furtherance of their mandate to apply to the Cabinet Secretary for an exemption. The General Regulations further categorise the ground of public interest into a permitted general situation or a permitted health situation.