Publications

THE DATA PROTECTION ACT 2019, KENYA (“THE ACT”)

12th July, 2021
Dowload Publication

INTRODUCTION
The purpose of the Act is to give effect to Article 31(c) and (d) of the Constitution that contains the right to privacy which is a fundamental human right. Data protection is the process of safeguarding personal information, in accordance with a set of principles laid down by law.

The Data Protection Bill which has been a subject of discussion for a number of years was passed into law on 8th November 2019. There has been an increase in the adoption and implementation of data protection laws and frameworks by countries at large.

The Data Protection Act 2019, has in many ways drawn from the General Data Protection Regulation of Europe.

The frameworks and laws have developed mainly in response to technological advances which increase the collection, holding and dissemination of personal information as well as surveillance of people.


PROVISIONS OF THE ACT & APPLICATION
The Act is extremely broad based and covers all persons and entities who deal with or store data.

Key Definitions
personal data information relating to an identified or identifiable natural person this being a “data subject”
data controller a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data
data processor a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller
sensitive personal data data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject

The Act imposes a number of obligations on data processors and data controllers in respect of the manner in which personal data is processed and sets out their duties to the data subjects.

The Act establishes the office of the Data Protection Commissioner and mandates that any data controller or data processor be registered with the Data Commissioner.

The Data Commissioner will be required to maintain a register of the registered data controllers and data processors, which register shall be a public document, available for inspection by any person.

Collection of personal data
The Act provides that every data controller or data processor shall ensure that personal data is:-
  • processed lawfully, fairly and transparently in accordance with the right to privacy;
  • collected for specified and legitimate purposes;
  • limited to what is necessary;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay; and
  • kept in a form which identifies the data subjects for no longer than is necessary.
As a rule, a data controller or data processor ought to collect personal data directly from the data subject.

Notwithstanding the general rule on collection of data directly, the Act provides that personal data may be collected indirectly where the-
  • data is contained in a public record, or the data subject has deliberately made the data public;
  • data subject or their duly appointed guardian has consented to the collection from another source;
  • collection from another source would not prejudice the interests of the data subject;
  • collection of data from another source is necessary for the-
    a) prevention, detection, investigation, prosecution and punishment of crime;
    b) enforcement of a law which imposes a pecuniary penalty; or
    c) protection of the interests of the data subject or another person.
Duties of data controllers and data processors
Before collecting personal data, in so far as practicable, data controllers or data processors are required to inform the data subject of -
  • the rights of the data subject (specified under section 26 of the Act);
  • the fact that personal data is being collected;
  • the purpose for collection;
  • the third parties whose personal data has or will be transferred to and details of safeguards adopted;
  • their contacts and on whether any other entity may receive the collected personal data;
  • their contacts and on whether any other entity may receive the collected personal data;
  • the data being collected pursuant to any law and whether such collection is voluntary or mandatory; and
  • the consequences if any, where the data subject fails to provide all or any part of the requested data.
The Act imposes stringent conditions for processing of sensitive personal data which is distinguished from personal data.

The burden of proof for establishing a data subject's consent to the processing of their personal data for a specified purpose is borne by a data controller or data processor.

The Act provides that a data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected or a data processor who, without lawful excuse, discloses personal data processed by the data processor without the prior authority of the data controller, commits an offence under the Act.

Rights of a data subject
Section 26 of the Act provides that a data subject has a right to-
  • be informed of the use to which their personal data is to be put;
  • access their personal data which is in the custody of data controller or data processor;
  • object to the processing of all or part of their personal data;
  • correction of false or misleading data; and
  • deletion of false or misleading data about them.
Further, a data subject shall have the right to withdraw consent at any time. However, the such withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal.

A right conferred on a data subject may be exercised-
  • If a minor, by a person who has parental authority or by a guardian;
  • where the data subject has a mental or other disability, by a person duly authorised to act as their guardian or administrator; or
  • in any other case, by a person duly authorised by the data subject.
Processing of personal data relating to children.
Data controllers or data processors are prohibited from processing personal data relating to a child except where consent is given by the child's parent or guardian and the processing is in such a manner that protects and advances the rights and best interests of the child.

Data controllers or data processors shall be required to incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child, determined on the basis of-
  • available technology;
  • volume of personal data processed;
  • proportion of such personal data likely to be that of a child;
  • possibility of harm to a child arising out of processing of personal data; and
  • such other factors as may be specified by the Data Commissioner.
However, the Act provides that a data controller or data processor that exclusively provides counselling or child protection services to a child, may be exempted from the requirement to obtain parental consent.

Exemptions
The processing of personal data is exempt from the provisions of the Act if the same is necessary for national security or its disclosure is required under any written law or an order of the court or for the prevention or detection of a crime.

Further, the Act prohibits cross-border transfer of personal data, except where there is proof of adequate data protection safeguards or consent from the data subject.

CONCLUSION
It is essential for data controllers or processors to familiarise themselves with the provisions of the Act and to develop policies and systems that are compliant with the requirements of the Act.

Many organisations will require a Data Protection Officer whose main function will be to ensure compliance with the Act, failure to which organisations may be exposed to hefty fines.

Data controllers and processors are required to process data lawfully whilst minimise its collection and ensuring that there are sufficient safeguards in place to protect personal data.


Should you have any queries or need any clarifications with respect to data protection matters, please do not hesitate to contact Vikram C. Kanji or Ruby Njenga at A.B. Patel & Patel Advocates.



The contents of this publication are for reference purposes only. They do not constitute legal advice and should not be relied upon. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.

Updates & Publications