LESINKO NJOROGE
& GATHOGO
ADVOCATES
LNG INSIGHTS
2019, NO 2
NEW DATA PROTECTION LAW NECESSITATES COMPLIANCE POLICIES IN ORGANISATIONS
DrTom Kabau
Partner I tomkabau@lesinkonjoroge.com
Senior Lecturer, School of Law, JKUAT
‘…corporations and organisations have to, inevitably, develop legally sound and comprehensive data protection and usage policies and statements to guide their staff, agents, assignees and licensees on the acceptable data management practices in order to avoid legal liability.’
Personal data has become an extremely vital economic and governance resource in the contemporary information age. Vast amounts of personal data of Kenyans is collected, processed, shared and exploited by public organisations, private entities and business corporations locally and globally on a daily basis. This has necessitated regulation of the collection and management of personal data by organisations and corporations, resulting in the enactment of the Data Protection Act. It was assented into law by President Uhuru Kenyatta on I November 2019.
There are immense economic, investment and governance op-
portunities that management and analysis of personal data presents, globally and locally. For instance, financial technology, often referred to as ‘fintech’, involves automated analysis of personal data to provide banking, insurance and trading services.Through the cloud computing technology, organisations and corporations based in Kenya are now outsourcing the storage of data relating to their clients, customers, employees and associates in databases located in foreign countries. The analysis of ‘big data’, which generally refers to large volumes of information, provides valuable insights for more strategic and profitable business and better governance decision making.
The new Act is premised on the increasing need to create flexible regulatory mechanisms that support the exploitation of data for economic, investment and governance purposes in Kenya, while upholding the constitutional right to privacy and preventing unethical use of personal information. The legislation is also consistent with the emerging regional and international codes regulating the management of personal data.
It is essential that organisations and corporations comply with the provisions of the Act since their violation may result in criminal and civil sanctions that include imprisonment, fines, and other monetary damages at the instance of the person whose personal data has been violated. This is in addition to the risk of undesirable reputational loss for the concerned organisation or business entity.
SALIENT FEATURES
Some of the salient features of the new law include the enunciation of diverse rights of Kenyans in relation to their personal data, and the proscription of various activities relating to the collection, storage, management and sharing of such information. Data controllers and processors are obliged to ensure that personal information of Kenyans is not transferred to foreign countries unless there is evidence of effective data protection safeguards, or the concerned individuals provide consent.
Considering that organisations and businesses are increasingly storing personal information of their clients, customers and associates in data centres and servers located outside Kenya, compliance with this requirement is essential.
Individuals should be informed of the purpose for which the data is collected and the third parties with whom the information will be shared with, including the safeguards that such subsequent transferees have in place to safeguard the received data. Further, individuals have an overriding right to object to the processing of their personal information, unless there is a compelling legitimate interest, or it is in the process of asserting or defending a legal claim.
Personal data is not to be utilised for commercial purposes without the prior informed consent of the subject individuals. Personal identifiers should also be removed from the data when utilised for commercial purposes so that it is rendered anonymous. Such information is to be retained by organisations and corporations for only the period that is reasonably necessary to satisfy the purpose for which it was obtained.
The Act establishes the office of the Data Protection Commissioner who is endowed with diverse duties and powers for purposes of effective implementation and enforcement of the legislation. Where personal data is accessed by an unauthorised third party and there is a risk of its harmful use, the Data Commissioner and in some circumstances, the individual whose data is subject to the breach, should be notified.
DATA POLICIES
Since business and governance activities involve interactions with and between individuals, corporations and organisations, personal data is unavoidably shared with third parties, or uti-lised for more than a single purpose. Consequently, corporations and organisations have to, inevitably, develop legally sound and comprehensive data protection and usage policies and statements to guide their staff, agents, assignees and licensees on the acceptable data management practices in order to avoid legal liability. The policies and statements may also be the basis upon which the clients and associates of the business entities and governance institutions are informed of the diverse usages of the personal information to be provided. Further, they may be the medium upon which the clients and associates provide informed consent for the collection, use and sharing of the data by the corporations and organisations.
For more information on data protection and privacy regulatory mechanisms, policies and statements, please get in touch with Tom Kabau at: tomkabau@lesinkonjoroge.com