Data Protection requirements are mainly provided for in the Data Protection Act of 2019. In the Act data handlers are to be referred to as Data Controllers or Processors. Data Controllers are defined as natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.[1] Data Processors on the other hand are defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. For the purpose of this research a business could fall in either category depending on how it handles the data.[2]
General Requirements of the Data Protection Act
Entities/Person handling data are first required to register with the Data Protection Commissioner.[3] The registration can be done on the portal via this link https://dataportal.odpc.go.ke/. Failure to register is an offence punishable with a fine not exceeding three million shillings or imprisonment for up to ten years.
Most importantly, the Data Protection Act expects data handlers to adhere to the following principles when processing Data:[4]
- Process data in accordance with the right to privacy of the data subject
- Ensure the data is processed in a manner compatible with specified purpose it was collected for.
- Ensure that it collects the data that is only adequate, relevant and limited to what is necessary in relation to the purpose for collection
- Ensure the data is only stored for the necessary period in relation to the purpose of collection, after which the data is anonymized or completely erased.
- Ensure the data is not transferred outside of Kenya unless there is proof of adequate protection safeguards.
Entities are expected to collect data directly from the data subject unless:[5]
- The data is contained in a public record or the subject has deliberately made the data public
- The data subject or their guardian has consented to the collection from another source
- Collecting from another source does not prejudice the interests of the data subject.
- The collection from another source is necessary-
- For the prevention, detection, investigation, prosecution and punishment of a crime
- For the enforcement of a law which imposes a pecuniary penalty
- For the protection of the interests of the data subject or another person
Further, entities have a duty to, in so far as is practicable to:[6]
a. notify the data subject of the intended collection.
- Inform the subject of their rights
- Communicate the purpose of collection,
- Outline the protection safeguards available and the possibility of transferring the data to third parties.
Where the data is being used for commercial purposes, the business should notify and seek consent of the data subject prior to the collection.[7] Further, it is required that the business should erase or rectify the data at the request of the data subject.
Generally, Data Controllers and Processors are required to implement the principles mentioned above and to integrate necessary safeguards. This includes having proof of using the latest technological development available.[8]
In case of breach of the data, data handlers are expected to assess the likelihood of harm of the breach and notify the Data Commissioner within seventy-two hours of becoming aware.[9] Where it is difficult to comply with the seventy-two-hour requirement, the notification should be accompanied with the reason for the delay.[10] Where the business is a Data Processor, it should inform the data controller within 48 hours.[11]
How the Kenyan Courts have Decided Cases on Data Protection
From case law the most critical requirement that business should adhere to is seeking consent of the data subject. In the case Shakunt Rajnikant Shah v Bhupendra Motichand Shah t/a John Cumming & Company & another [2021] eKLR the petitioner sought to have an audio recording acquired during a meeting with the respondents exempted in accordance with section 51 (2) of the Data Protection Act.[12] The Petitioner had recorded the Respondents during a meeting without their consent. It was the Petitioner’s submission that the recording would help the court determine what transpired accurately. The Respondent disputed the existence of the recording. The court held that since the Respondent’s consent had not been sought prior to recording, the audio was illegally acquired and could not be exempted as it was void ab initio.
This case places the responsibility on the data controllers and processors to ensure that the consent acquired from the data subject is express, free and unequivocal.
The jurisprudence on the processing of data by data controller and processors is nascent. This is because for the Data Commissioner or the court to rule on the legality or lack thereof of processing of data there has to be a complaint lodged by the data subject. The Data Commissioner is yet to give a report of individual cases decided on in relation to processing of data. The only case that has gone public in relation to processing of data was Allen Waiyaki Gichuhi and 2 others vs the Data Protection Commisioner and 2 others. Despite the case being about processing of data through sharing with third parties, the court was only tasked to decide on the period the data commissioner takes to investigate a complaint.[13]
It is advisable that every business, prepares a policy document either online or physical, that ensures compliance with Data Protection Act as enumerated above.
Contact us with any query or comments.
[1] Section 2 of the Data Protection Act No 24 of 2019
[2] Section 2 of the Data Protection Act No 24 of 2019
[3] Section 18 of the Data Protection Act No 24 of 2019
[4] Section 25 of the Data Protection Act No 24 of 2019
[5] Section 28 of the Data Protection Act No 24 of 2019
[6] Section 29 of the Data Protection Act No 24 of 2019
[7] Section 37 of the Data Protection Act No 24 of 2019
[8] Section 42 of the Data Protection Act No 24 of 2019
[9] Section 43(1) of the Data Protection Act No 24 of 2019
[10] Section 43(2) of the Data Protection Act No 24 of 2019
[11] Section 43(3) of the Data Protection Act No 24 of 2019
[12] Shakunt Rajnikant Shah v Bhupendra Motichand Shah t/a John Cumming & Company & another [2021] eKLR
[13] Allen Waiyaki Gichuhi and 2 others vs the Data Protection Commisioner and 2 others