The Kenya Data Protection Act (“DPA“)applies to all persons who handle personal data. For effective compliance, it is necessary to understand the Act’s key terms. Outlined below, is my take on some of the key terms that may be relevant in your compliance journey.
Data Protection Key Terms
1. Data Subject
The DPA defines a data subject as any identified or identifiable natural person who is the subject of personal data. In other words, a data subject is any human being whose data is being collected, held or processed.
2. Personal Data
Any information relating to an identified or identifiable natural person i.e. a human being. The illustration below shows some common forms of personal data.
3. Sensitive Personal Data
In addition to the forms of personal data described above, the DPA establishes a special category of data known as Sensitive Personal Data. In essence, this is any information that reveals a human being’s, race, health status, social origin, property details, marital status, conscience, belief, genetic data, biometric data, family details including the name of the person’s spouse, children, sex or sexual orientation.
4. Data Controller
A data controller is an individual, body corporate, public authority, agency or any other similar body which, alone or jointly with others, determines the purpose and ways of processing personal data.
Examples:
In summary, a data controller is any person or organization that determines the purpose and means by which data is processed.
5. Data Processor
This is an individual, body corporate, public authority, agency or similar body that processes data on behalf of the Data Controller.
6. Consent
The DPA defines consent as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.” Data Subject consent should be:-
- express – it should not be implied nor should it be done on the basis of automated processing.
- unequivocal and free – it should be given without duress or coercion.
- specific – the purpose of the consent should be clearly defined and explained to the data subject.
- informed – it should be given pursuant to the purposes set out by the data collector or processor.
7. Data Retention
This refers to the period of time that data can be held by a controller or a processor. The DPA provides that data controllers and processors may only retain data for as long as may be reasonably necessary but it does not prescribe specific timeframes for retention of data. Instead, data processors and controllers should develop organisational measures that adequately address data retention. In practice, development and implementation data retention policies and processes may suffice.
8. Data Commissioner
This is the regulatory body responsible for regulating/enforcing compliance with provisions of the DPA. As I write this, the appointment and establishment of the Data Commissioner’s office has not been effected. However, there are indications that the appointment may be done within the second half of 2020.
9. Data Protection Officer (DPO)
The primary obligation of DPO’s appointed pursuant to the Act is to provide oversight on compliance. In particular, DPO’s advise the business on the requirements of the Act but to also oversee compliance and facilitate capacity building of staff involved in Data Protection activities. Finally, the DPO is the liaison between the Data Controller and Data Processor on all matters relating to Data Protection
10. Personal Data Breach
Under the DPA, a “personal data breach” means a breach of security leading to the accidental and unlawful destruction, loss alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Personal data breaches can occur in many ways. Firstly, a personal data breach may happen accidentally e.g. an email sent to the wrong recipients. It can also arise through deliberate actions or omissions of data controllers or data processors. Other examples include breaches arising from the theft of computer devices and the alteration of personal data.
Data controllers should report data breaches to the Data Commissioner within 72 hours of occurrence. In addition, inform the concerned data subject of the breach within a reasonably practical period. Data processors must report breaches within 48 hours of occurrence. Section 43 of the DPA sets out the procedure for reporting personal data breaches.