Data protection: A brief overview
Key concepts explained

A few months ago, precisely on 28th January, the world celebrated Data Privacy Day. Data privacy is still scarcely known, despite the effort put in by various stakeholders to spread information on it. In this newsletter episode I will give a brief summary as well as the key concepts. In Kenya, the Data Protection Act (DPA) establishes the Office of the Data Protection Commissioner (ODPC) under section 5 of the Act.
The office is currently held by Data Commissioner Immaculate Kassait, MBS. The office has the same characteristics as any other corporate body: it has the capacity to sue and be sued, perpetual succession and the ability to enter into contracts. It is responsible for ensuring compliance with data protection laws. The Public Service Commission appoints the Data Commissioner through a competitive process aimed at attracting only the best and most qualified candidates.
The Data Protection Act gives effect to the right to privacy enshrined in the Constitution under Article 31. Specifically, Article 31(c) protects against information relating to one's family or private affairs being unnecessarily revealed. The object and purpose of this Act is—
(a) to regulate the processing of personal data;
(b) to ensure that the processing of personal data of a data subject is guided by the principles set out in section 25;
(c) to protect the privacy of individuals;
(d) to establish the legal and institutional mechanism to protect personal data; and
(e) to provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.
The functions of this office are spelt out in section 8 of the Data Protection Act as follows:
The Office shall—
(a) oversee the implementation of and be responsible for the enforcement of this Act;
(b) establish and maintain a register of data controllers and data processors;
(c) exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with this Act;
(d) promote self-regulation among data controllers and data processors;
(e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
(f) receive and investigate any complaint by any person on infringements of the rights under this Act;
(g) take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;
(h) carry out inspections of public and private entities with a view to evaluating the processing of personal data;
(i) promote international cooperation in matters relating to data protection and ensure country's compliance on data protection obligations under international conventions and agreements;
(j) undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals; and
(k) perform such other functions as may be prescribed by any other law or as necessary for the promotion of object of this Act.
The key concepts in data protection include:
Data controller
Data processors
Data subjects
Data controller
A data controller is the entity responsible for determining how and why personal data is collected and processed.
Data processors
These are the entities concerned with the actual processing of personal data on behalf of a controller. The principles involved in data processing include:
a. Data subjects should have constant access to the data collected
b. Data should be collected for only an explicit and legitimate particular purpose
Data subjects
This refers to the individuals or persons whose data is being collected and processed. For example, where your data is being collected for purposes of registration by a government entity, e.g. the Kenya Revenue Authority, you are the data subject. Data is divided into personal data and sensitive personal data. Personal data is data that can be linked to a person, such as a mobile number or ID number. Sensitive personal data includes DNA information, ethnic origin and health information.
The principles of data protection include:
Lawfulness
Integrity
Confidentiality
Accountability
Purpose limitation
Data minimization
Fairness and transparency
Storage limitation
Accuracy
Here's a summary of these key principles:
1. Lawfulness, Fairness, and Transparency:
Lawfulness: Data must be processed for a legitimate reason, such as consent, legal obligation, or contractual necessity.
Fairness: Processing should be fair to the individual and not deceptive or manipulative.
Transparency: Individuals should be informed about how their data is being used.
2. Purpose Limitation: Data should only be collected for specified, explicit, and legitimate purposes. It shouldn't be used for anything else without further consent.
3. Data Minimization: Collect only the data that is absolutely necessary for the intended purpose. Avoid collecting excessive or irrelevant information.
4. Accuracy: Keep data accurate and up-to-date. Provide mechanisms for individuals to correct inaccuracies.
5. Storage Limitation: Store data only for as long as necessary for the specified purpose. Establish clear retention policies.
6. Integrity and Confidentiality (Security): Protect data from unauthorized access, use, disclosure, alteration, or destruction. Implement appropriate security measures.
7. Accountability: The organization responsible for the data must be able to demonstrate compliance with these principles.
Additional Considerations:
Consent: When relying on consent as a lawful basis for processing, it must be freely given, specific, informed, and unambiguous.
Data Protection by Design and Default: Consider data protection from the initial design of systems and processes, and ensure that privacy-friendly settings are the default.
Individual Rights: Individuals have rights regarding their data, such as access, rectification, erasure, restriction of processing, and data portability.
Consequences of Non-Compliance:
Failure to comply with data protection principles can lead to an administrative fine of up to Kshs 5 million (Kenya Shillings), or 1% of the company's annual turnover, whichever is lower. In the next newsletter I will delve deeper into the nitty-gritties of data protection, past and current case law on the topic, as well as a breakdown of the penalties.