The introduction of Kenya's first Data Protection Act 2019 (the Act) brings an end to the era of navigating the murky waters of the previous disjointed framework of data protection legislation. The commencement date of the Act is 25 November 2019.

The Act is a significant milestone of which all Kenyans should be proud. It is testimony to the country's commitment to being one of the continent's leaders in promoting innovation and at the same time, it recognises the fundamental importance placed on protecting the personal data of individuals.

There are a number of key provisions that individuals and companies operating in Kenya will need to be aware of. In this update, we have highlighted those aspects of the Data Protection Act that we consider to be particularly relevant for both our local and international clients.

What does the Act say?

What are the potential implications?

'Consent' to the processing of personal data by the data subject must be an express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action.

It is clear that data controllers and data processors will no longer be able to rely on implied consent to process personal data. However, it is not yet clear whether or not a company may be able to rely upon pre-ticked boxes or any other default method of consent, or whether or not a positive opt-in will be required instead.

We would recommend that data controllers and data processors review their existing consent practices.

The definition of 'sensitive personal data' has been widened to include property details, marital status and family details, including names of the person's children, parents, spouse or spouses.

Sensitive personal data is a category of data whose collection, processing and transfer is afforded a higher level of protection (as is the case throughout the world). Because the definition now extends to property details, it could arguably capture a person's physical address provided for the purposes of receiving a delivery, for example. Companies may need to review the information collected from data subjects and the manner in which such information is used; for example, addresses or honorific titles (which could indicate marital status).

The Act applies to the processing of personal data by a data controller or data processor by automated or non-automated means. Where personal data is processed by non-automated means, the Act applies where the recorded data forms the whole or part of a filing system by a data controller or data processor who: (a) is established or ordinarily resident in Kenya and processes personal data while in Kenya; or (b) is not established or ordinarily resident in Kenya, but processes personal data of data subjects located in Kenya.

The previous versions of the Act applied certain geographical provisions and qualifications to processing by both automated and non-automated means. The geographical restrictions now only expressly and specifically apply to processing by non-automated means.

As a result and in the absence of these clear geographic references, there is arguably some ambiguity as to whether or not the Act applies to foreign data processors or data controllers. However, we would err on the side of caution and recommend that all data controllers and data processors carrying out any processing activities involving the personal data of Kenyan data subjects, ensure that they comply with the provisions of the Act.

All data controllers and data processors (processing by both automated and non-automated means) must hold a valid registration with the Data Commissioner. The Act specifies the information to be provided by the data controller and data processor in the application for registration.


There are clear indications throughout the Act that data controllers and data processors must have adequate and sufficient safeguards, security measures and mechanisms in place (although this obligation may be somewhat tempered by the amount of personal data collected, the cost of processing, and the extent of processing activities, which may be of comfort to small and medium sized enterprises).

Included within the application requirements is a new proviso requiring the applicant (i.e. the data controller or data processor) to indicate what measures are in place to indemnify the data subject from unlawful use. The indemnification obligation is a further sign that data controllers and data processors will be held accountable for any encroachment of a data subject's rights and interests to his or her personal data.

The principles of data protection are well ensconced in the field of data protection legislation throughout the world. The principles, as set out in the Act, are similar to those applying to international standards (the GDPR in particular). Importantly, the Act also contains a new data protection principle prohibiting the transfer of data outside of Kenya unless there is proof of adequate data protection safeguards or, consent from the data subject has been obtained.

All data controllers and processors must adhere strictly to the principles of data protection. These principles must form the backbone of an organisation's standard operating procedures when it comes to the collection, processing, storage and use of personal data.

The cross-border transfer of personal data is a sensitive topic, with opposing views on the issue voiced by public bodies, business organisations and individuals. The concerns touch on security and technical considerations, compatibility with the current digital global marketplace within the context of multinational organisations, and the right of a data subject to determine where his or her data should be stored.

This data protection principle that we have highlighted here will need to be interpreted alongside the cross-border transfer provisions in the Act; additionally, there are certain ambiguities in the drafting of this provision that may cause some confusion when implementing the Act.

Finally, the Act gives certain rights to the Data Commissioner to suspend or prohibit any cross-border transfers. Further, the Cabinet Secretary may prescribe, on grounds of strategic interests of the State or for protection of revenue, that certain types of processing be effected through a server or data centre located in Kenya.

A data controller or data processor may designate or appoint a Data Protection Officer (DPO) where the processing is carried out in the context of certain activities, for example, where the core activities of the data controller or data processor require the regular and systematic monitoring of data subjects.

The primary role of the DPO will be to ensure that the relevant organisation processes personal data in compliance with the provisions of the Act. The Act specifies the minimum qualification criteria that the DPO must hold.

It will be possible for Group entities to appoint a single DPO but the DPO must be accessible by each entity.

International data controllers and data processors who do not have a presence in Kenya may consider appointing a local DPO to deal with any compliance issues that may arise. It should be highlighted that the requirement to appoint a DPO is not an absolute obligation.

Any person processing the personal data of a child will be required to take steps to incorporate appropriate mechanisms for age verification and consent.

The choice of mechanisms to be incorporated can be guided by the available technology, the proportion of such personal data that is likely to be processed and the volume of personal data to be processed. That said, a data audit may enable companies to determine whether or not specific actions should be implemented prior to the processing of any personal data relating to a child.

The Act sets out a prescribed response to be provided where an unauthorised person has accessed or acquired any data and there is a 'real risk of harm' to the data subject whose personal data has been accessed. The Data Commissioner must be notified within 72 hours of the data controller becoming aware of the breach and, unless provided for otherwise under the Act, the data controller must then communicate the occurrence of such breach to the affected data subject in writing within a reasonably practicable period.

There are detailed requirements as to what the notice to the Data Commissioner and data subject must entail, including where applicable, the identity of the person who may have accessed or acquired the personal data.


There are new provisions which seek to protect the processing of health data and impose restrictions on who may collect such data.

Companies collecting health data, such as pharmaceutical companies, must ensure that the data is collected in accordance with the Act. It specifically restricts processing to be carried out by or under the responsibility of a healthcare provider or by a person subject to the obligation of professional secrecy.

Data subjects are entitled to file complaints with the Data Commissioner. Where the Data Commissioner finds that an individual or organisation has failed or is failing to comply with the provisions of the Act, the Data Commissioner will have the right to serve an enforcement notice on the party in breach, as well as a penalty notice.

The enforcement notice will set out the steps to be taken to remedy any failure identified and the period within which the breach must be remedied.

The Data Commissioner has a further right to issue a penalty notice to accompany the enforcement notice. The amount of the penalty will be determined by various factors relating to the severity of the failure, the duration of the failure, the degree of cooperation with the Data Commissioner, and the manner in which the Data Commissioner was notified of the breach. For example, it would be preferable for the data controller or data processor to have notified the Data Commissioner of the breach before the data subject did.

In addition, the Data Commissioner may impose an administrative fine for an infringement of the Act. The maximum amount of the penalty that may be imposed in a penalty notice is KES 5 million or, in the case of an undertaking, up to 1% of annual turnover in the preceding financial year, whichever is lower.

The Act makes provision for certain regulations that may be further prescribed by the Cabinet Secretary under the Act.

This includes further requirements to be imposed on a data controller or data processor when processing personal data, regulations on the processing of data through a data server or data centre in Kenya and the issuing of codes of practice and guidelines; for example, a code of practice containing practical guidance in relation to the processing of personal data for purposes of Journalism, Literature and Art.

It is clear that the Data Protection Act will be a moving piece of legislation and whilst the Act will provide the framework for compliance, we would expect that additional regulations and the codes of practice that may be issued in the future will affect the way in which the Act will be implemented according to the sector, the undertaking in question and the data processing activities undertaken.

We anticipate (and hope) that there will be a grace period for compliance, providing an opportunity for companies to carry out their own internal data audits of existing practices and processes in order to ensure that they are not caught off guard when the time for enforcement comes. It is also not clear what the stages for implementation will be and whether or not there will be a phased implementation, as had previously been suggested during the various stakeholder meetings held during the legislative process.

It is also our hope that the Data Commissioner, when appointed, or the ICT Cabinet Secretary, will provide further guidance on the practice to be applied to personal data that has already been collected and processed (for example, whether or not consents will have to be refreshed). We will continue to monitor any developments in this regard at the ICT Ministry.

Finally, we would encourage our clients to review current data processing activities and processes and to ensure that their current systems comply with the new data protection regime. Please note that this will not be a "one-size fits all" review as the law has a unique application to different types of businesses depending on whether certain operations would classify them as data collectors, data processors or data subjects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.