EXECUTIVE SUMMARY

The President of Kenya, Honorable Uhuru Kenyatta, recently gave his assent to the Data Protection law 2019. The new data law establishes the office of the Data Commissioner, makes provision for the regulation of the processing of personal data, and provides for the rights of data subjects and obligations of data controllers and processors and for connected purposes.

ESTABLISHMENT OF THE OFFICE OF DATA PROTECTION COMMISSIONER

The Data Protection Law seeks to establish the office of the Data Protection Commissioner which shall be a body corporate that will have the power to:

  (a) oversee the implementation of and be responsible for the enforcement of this Act;
  (b) establish and maintain a register of data controllers and data processors;
  (c) exercise oversight on data processing operations, promote self-regulation among data controllers and data processors;
  (e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
  (f) receive and investigate any complaint by any person on infringements of the rights under this Act;
  (g) take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;
  (h) promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection;
  (i) undertake research on developments in data processing of personal data and ensure that there is no significant risk.

The office will be headed by the Data Commissioner, accounting officer and other staff as appointed by the Data Commissioner.

REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

The Law also states that no person shall act as a data controller or data processor unless registered with the Data Commissioner. In this context, data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

Before an individual or entity can be registered as a data controller, they are required to provide a description of the data collected, how they intend to use it and whether there are any security measures to ensure its protection.

PRINCIPLES AND OBLIGATIONS OF PERSONAL DATA PROTECTION

The law also outlines how data controllers or data processors ought to process personal data in terms of privacy, transparency, legitimate purposes and what security measures are put in place to ensure its protection. In fact, the transfer of data is restricted unless the security of the data is assured.

The law also outlines the rights of the data subject with regard to any personal data collected and processed about them by data controllers. Some of these are:

  • to be informed of the use to which their personal data is to be put
  • to access their personal data in custody of data controller or data processor
  • to object to the processing of all or part of their personal data
  • to correction of false or misleading data
  • to deletion of false or misleading data about them

GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA

This section states the grounds on which sensitive data of a data subject may be processed. These are:

  • The processing should be carried out in the course of legitimate activities with appropriate safeguards by a foundation.
  • The processing relates to personal data which is manifestly made public by the data subject
  • processing is necessary for—
    • the establishment, exercise or defense of a legal claim
    • the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject
    • protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent

TRANSFER OF PERSONAL DATA OUTSIDE KENYA

This section outlines the guidelines for the transfer of personal data outside Kenya. A data controller or data processor may transfer personal data to another country only where—

  • The data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data
  • The transfer is necessary—
    • for the performance of a contract between the data subject and the data controller or data processor
    • for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person
    • for any matter of public interest
    • for the establishment, exercise or defense of a legal claim
    • in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
    • for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

EXEMPTIONS

No data controller or data subject will be exempted from complying with data protection principles relating to lawful processing, minimization of collection, data quality, and adopting security safeguards to protect personal data.

The processing of personal data is exempt from the provisions of this Act if—

  • It relates to processing of personal data by an individual in the course of a purely personal or household activity
  • It is necessary for national security or public interest
  • Disclosure is required by or under any written law or by an order of the court.

ENFORCEMENT PROVISIONS

The Act also outlines the various data handling offenses and their repercussions.

The Act also allows a data subject to lodge a complaint with the Data Commissioner in accordance with the Act. The complaint may be lodged orally or in written form.

CONCLUSION

The ICT Industry commends the President for assenting to this new law, even though we are getting it 5 years after other countries.

At the ongoing three-day CIO100 Symposium & Awards at the Lake Naivasha Resort, some of the attendees conveyed their sentiments, which are completely justifiable. Robert Nyamu, Partner and Digital Solutions, Financial Services and Risk Advisory, EY (Ernst Young), East Africa, said that the government should fast-track the composition of the guidelines and regulations around the data protection law by engaging the industry on their sentiments.

Louis Otieno, former Corporate Affairs Director, Microsoft4Africa, said the data protection law would help promote trust between businesses and data subjects. However, self-regulation will be necessary for the organizations who are the principal data holders. And he is right. Just because Kenya has a Data Protection law does not mean you should trust an entity or individual with your personal data.

Policies in Africa, or the lack of them, have made doing business difficult compared to the rest of the world. And though the government has a long way to go in enacting favourable policies that will spur the growth of the digital economy, we still applaud the new Data Protection law and we hope it will be taken as seriously as it should be.