After a lengthy wait, Kenya finally enacted comprehensive data protection legislation: the Data Protection Act of 2019, signed into law on November 8, 2019 by the President of the Republic of Kenya (the “Act”). The Act establishes a comprehensive framework for protecting personal data. It creates the Office of the Data Protection Commissioner, regulates the processing of personal data, and sets out the rights of data subjects as well as the obligations of data controllers and processors.
The Act creates a number of offices and provisions governing personal data and its handling. Some examples are set out below.
Registration of Data Controllers and Data Processors
The Act requires data controllers and processors to register with the Commissioner. The Commissioner must set mandatory registration criteria based on, among other factors, the nature of the industry, the volume of data handled, and whether sensitive personal data is processed. Mandatory registration does not apply until those criteria have been established.
Establishment of the Office of the Data Protection Commissioner
The Act establishes the Office of the Data Protection Commissioner (the “Commissioner”). A Commissioner has since been appointed, following a lengthy procedure that took months to complete.
The Commissioner’s office is responsible for overseeing the implementation of the Act; creating and maintaining a register of data controllers and processors; receiving and investigating complaints about infringements of the rights conferred by the Act; conducting inspections of public and private entities to evaluate their processing of personal data; and imposing administrative sanctions.
Storage of Data
The Act prescribes no fixed periods for how long personal data may be kept. When determining retention periods, data controllers and processors must apply a reasonableness test.
Every data controller or processor is expected to ensure that all personal data is processed lawfully, fairly, and transparently in relation to any data subject. The Act applies to data controllers and processors established or resident in Kenya or outside Kenya, insofar as they process personal data while in Kenya or personal data of data subjects located in Kenya.
Data subjects have the right to be informed about how their personal data will be used, to access their personal data, to object to the processing of all or part of their personal data, and to have inaccurate or misleading data corrected or deleted.
The collection, use, and processing of personal data must all be carried out with care. The main guiding principle is that personal data should be collected directly from the data subject and used (for processing, commercial purposes, or otherwise) only with the subject’s full consent. There are several exceptions to this rule on collection, for example data already in public records or data collected from another source with the subject’s permission.
Data revealing a person’s race, health, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of children, parents, spouse or spouses), sex, or sexual orientation is considered sensitive personal data. The collection, storage, and processing of such data are subject to additional rules. Personal data relating to a data subject’s health, for example, may only be processed by or under the supervision of a health care provider.
Transfer of data outside Kenya
Data controllers and processors may only transfer personal data to another country if they can demonstrate to the Commissioner that adequate safeguards are in place to ensure the security and protection of the data. The procedure to be followed in making that demonstration is not yet clear. In addition, the Cabinet Secretary may prescribe certain types of processing that may only be carried out through a server or data centre located in Kenya, on grounds of the state’s strategic interests or the protection of revenue. There is no indication of when, or whether, such a restriction will be introduced.
Administration & Prosecution
The Act grants the Commissioner broad investigative powers, including the power to enter and search premises and to levy administrative fines. Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject concerned, the data controller must notify the Commissioner without delay, and in any case within 72 hours of becoming aware of the breach.
Offences under the Act are punishable by a fine of up to KES 5 million, imprisonment for up to ten years, or both.
General exemptions from the Act apply, under specific circumstances, where processing is in the public interest, for example for journalism, literature and art, research, history, and statistics.
In closing, we at Fourtech Global Solutions provide consultation on all manner of computer services. This legislation was enacted to give stakeholders in the industry a way to streamline their legal obligations and to put their dealings with one another on a clear footing.