
A SNAPSHOT OF DATA PROTECTION LAWS IN KENYA

Writer: Clinton Lumumba

Updated: Dec 31, 2024

Disclaimer: This article is meant for informational purposes only and should not be construed as a legal opinion. Should you have any questions or need clarifications on the subject matter, kindly feel free to contact us for legal advice.


Data protection laws exist to strike a balance between the right of individuals to privacy and the ability of organizations to use data for the purposes of their business. The basis for data protection is found in the text of the Constitution of Kenya 2010 at Article 31(c), which provides that every person has the right to privacy, which includes the right not to have "information relating to their family or private affairs unnecessarily required or revealed."


The statutory law for data protection in Kenya is the Data Protection Act 2019 (hereinafter referred to as "the Act"), whose promulgation brought an end to the era of navigating the murky waters of the previous disjointed framework of data protection legislation. The purpose of the Act is to regulate the collection and processing of data in Kenya. It introduced elaborate obligations on persons (and organizations) who collect and process data, whose infringement would lead to stiff penalties: an administrative fine of up to Ksh Five Million (Ksh. 5,000,000/=) or, in the case of an undertaking, up to 1% of its annual turnover of the preceding year, whichever is lower. The Act has extraterritorial application, as it applies to Data Controllers and Data Processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of Data Subjects located in Kenya.


"Data Controller" under section 2 of the Act means "a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data." "Data Processor" means "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller". "Data Subject" on the other hand means "an identified or identifiable natural person who is the subject of personal data".


In summary, Data Controllers and Data Processors have obligations under section 25 of the Act to ensure that personal data is –


  1. processed in accordance with the right to privacy of the Data Subject;

  2. processed lawfully, fairly and in a transparent manner in relation to any Data Subject;

  3. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

  4. adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;

  5. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

  6. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;

  7. kept in a form which identifies the Data Subjects for no longer than is necessary for the purposes for which it was collected; and

  8. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the Data Subject.


Consequently, Data Subjects have rights under section 26 of the Act which include the right–


  1. to be informed of the use to which their personal data is to be put;

  2. to access their personal data in custody of Data Controller or Data Processor;

  3. to object to the processing of all or part of their personal data;

  4. to correction of false or misleading data;

  5. to deletion of false or misleading data about them;

  6. not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the Data Subject; and

  7. to object to the processing of their personal data, unless the Data Controller or Data Processor demonstrates compelling legitimate interest for the processing which overrides the Data Subject's interests, or for the establishment, exercise or defence of a legal claim.


Sensitive Personal Data

Accordingly, the Act has laid emphasis on the need for protection of Sensitive Personal Data. "Sensitive Personal Data" under section 2 of the Act means "data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject".


Sensitive Personal Data can only be processed on account of well laid down principles under section 25 of the Act as already listed above and the following additional guidelines –


  1. Sensitive Personal Data may be processed where the processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that — (i) the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes; and (ii) the personal data is not disclosed outside that body without the consent of the data subject.

  2. Sensitive Personal Data may be processed where the processing relates to personal data which is manifestly made public by the Data Subject.

  3. Sensitive Personal Data may be processed where the processing is necessary for - (i) the establishment, exercise or defence of a legal claim; (ii) the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject; or (iii) protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.

  4. Personal data relating to the health of a Data Subject may only be processed – (i) by or under the responsibility of a health care provider; or (ii) by a person subject to the obligation of professional secrecy under any law.


Conclusion

All in all, Data Controllers, including natural persons, corporates, parastatals, NGOs and governments, must put in place adequate policies as well as technical and organizational measures to safeguard the personal data they process from destruction, accidental loss, unauthorized access or disclosure. This way they will be compliant with the data protection law in Kenya.


THE END
