Linden-Spes
May 10, 2022
The right to privacy is guaranteed as a basic right in Kenya’s Constitution. The Data Protection Act 2019 (the “DPA”) was enacted and went into effect on November 25, 2019, to give effect to this constitutional right under Article 31(c) and (d).
The Act sets out comprehensive legislation to protect people’s personal information. It established the Office of the Data Protection Commissioner, which is responsible for regulating the processing of personal data, and specifies data subjects’ rights as well as the obligations of data controllers and processors.
Subsequently, the following regulations came into effect on 31 December 2021:
The assent to the bill paved the way for the appointment of the first Data Commissioner of the Republic of Kenya, Ms. Immaculate Kassait, MBS, on 16th November 2020.
As highlighted in Part IV of the Act, all data processors/controllers are required to follow the data protection principles, which are:
2. Duty to Notify (section 29)
Before collecting any personal data, data processors / controllers must inform the data subject of the following:
3. Lawful Processing (section 30)
A data controller or data processor shall not process personal data, unless:
4. Data Retention Obligations
Personal data must be retained for a valid purpose and only for as long as is reasonably necessary for that purpose.
Data controllers and processors must develop a data retention schedule with adequate time limitations for reviewing the need for continuing storage under the Regulations. Data retention must be audited on a regular basis.
After the purpose for which the personal data was acquired has expired, data controllers and processors must erase, destroy, anonymize, or pseudonymize the personal data that has been maintained.
5. Data Protection
In relation to any data subject, every data controller or processor is obligated to ensure that all personal data is processed lawfully, fairly, and transparently. The Act applies to data controllers and processors established or resident in Kenya or outside Kenya, insofar as they process personal data while in Kenya or process personal data of data subjects located in Kenya.
6. Storage of Data
There are no time limits on how long personal data must be kept. When determining retention periods, data controllers and processors must follow a reasonableness test.
7. Sensitive Data
Race, health, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marriage status, family details including names of children, parents, spouse or spouses, sex, or sexual orientation are all considered sensitive data. The collection, storage, and processing of such data are all subject to specific rules. Personal data on a data subject’s health, for example, may only be handled by or under the supervision of a health care provider.
8. Transfer of Personal Data Outside Kenya
Data controllers and processors will be permitted to transfer personal data to another country only where the data controller or processor has demonstrated to the Commissioner that all the necessary controls for the security and protection of personal data have been implemented.
9. Exemptions
In cases where data disclosure would be in the public interest, such as journalism, literature and art, research, history, and statistics, general exemptions from the Act apply (all under specific circumstances).
10. Enforcement
The Act gives the Commissioner investigative powers, including the ability to enter and search premises and levy administrative fines. When personal data has been accessed or acquired by an unauthorized person and there is a serious risk of harm to the data subject whose personal data has been accessed, a data controller is required to notify the Commissioner immediately, within 72 hours of becoming aware of the breach.
Offenses under the Act can result in a fine of up to KES5 million and/or a ten-year prison sentence.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.