THE DATA PROTECTION ACT 2019, KENYA (“THE ACT”)
12th July, 2021
INTRODUCTION
The purpose of the Act is to give effect to Article 31(c) and (d) of the Constitution, which contains the right to privacy, a fundamental human right. Data protection is the process of safeguarding personal information in accordance with a set of principles laid down by law.
The Data Protection Bill, which has been a subject of discussion for a number of years, was passed into law on 8th November 2019. There has been an increase in the adoption and implementation of data protection laws and frameworks by countries at large.
The Data Protection Act 2019 has in many ways drawn from the General Data Protection Regulation of Europe.
The frameworks and laws have developed mainly in response to technological advances which increase the collection, holding and dissemination of personal information as well as surveillance of people.
PROVISIONS OF THE ACT & APPLICATION
The Act is extremely broad based and covers all persons and entities who deal with or store data.
|Term|Definition|
|---|---|
|personal data|information relating to an identified or identifiable natural person, this being a “data subject”|
|data controller|a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data|
|data processor|a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller|
|sensitive personal data|data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject|
The Act imposes a number of obligations on data processors and data controllers in respect of the manner in which personal data is processed and sets out their duties to the data subjects.
The Act establishes the office of the Data Protection Commissioner and mandates that any data controller or data processor be registered with the Data Commissioner.
The Data Commissioner will be required to maintain a register of the registered data controllers and data processors, which register shall be a public document, available for inspection by any person.
Collection of personal data
The Act provides that every data controller or data processor shall ensure that personal data is:-
Notwithstanding the general rule on collection of data directly, the Act provides that personal data may be collected indirectly where the-
Duties of data controllers and data processors
Before collecting personal data, in so far as practicable, data controllers or data processors are required to inform the data subject of -
The burden of proof for establishing a data subject's consent to the processing of their personal data for a specified purpose is borne by a data controller or data processor.
The Act provides that a data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected or a data processor who, without lawful excuse, discloses personal data processed by the data processor without the prior authority of the data controller, commits an offence under the Act.
Rights of a data subject
Section 26 of the Act provides that a data subject has a right to-
A right conferred on a data subject may be exercised-
Processing of personal data relating to children
Data controllers or data processors are prohibited from processing personal data relating to a child except where consent is given by the child's parent or guardian and the processing is in such a manner that protects and advances the rights and best interests of the child.
Data controllers or data processors shall be required to incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child, determined on the basis of-
Exemptions
The processing of personal data is exempt from the provisions of the Act if the same is necessary for national security or its disclosure is required under any written law or an order of the court or for the prevention or detection of a crime.
Further, the Act prohibits cross-border transfer of personal data, except where there is proof of adequate data protection safeguards or consent from the data subject.
CONCLUSION
It is essential for data controllers or processors to familiarise themselves with the provisions of the Act and to develop policies and systems that are compliant with the requirements of the Act.
Many organisations will require a Data Protection Officer whose main function will be to ensure compliance with the Act, failing which organisations may be exposed to hefty fines.
Data controllers and processors are required to process data lawfully whilst minimising its collection and ensuring that there are sufficient safeguards in place to protect personal data.
Should you have any queries or need any clarifications with respect to data protection matters, please do not hesitate to contact Vikram C. Kanji or Ruby Njenga at A.B. Patel & Patel Advocates.
The contents of this publication are for reference purposes only. They do not constitute legal advice and should not be relied upon. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.