Legal Alert: Proposed Data Sharing Guidelines

Today, we turn our focus to the recently proposed Data Sharing Code, 2024, which aims to establish a structured and ethical framework for the sharing of personal data across various sectors. Once adopted, these guidelines will have significant implications for organizations involved in data processing and sharing.

Key Highlights of the Proposed Data Sharing Code

1. Principles of Personal Data Sharing

The Data Sharing Code establishes the following fundamental principles for sharing personal data:

- Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently in relation to the data subject. In addition, the purpose of data sharing activities and engagements should be transparent to all stakeholders.
- Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes.
- Data minimization: Only the minimum data necessary for the specified purpose should be collected or processed.
- Accuracy: Data must be kept accurate and up to date.
- Storage limitation: Data must be retained only as long as necessary for the specified purpose.
- Integrity and confidentiality: Data processing must ensure appropriate security, integrity, and confidentiality.
- Timeliness: Data should be shared in a timely manner.
- Interoperability: Where necessary, data should be structured to allow for interoperability across systems.

In addition, the Code imposes restrictions on the following:

- Data stewardship: Data ownership should not be transferred pursuant to a data sharing agreement.
- Redistribution of data: Recipients of data cannot resell the data or sell it onward without authorisation.
- Reidentification of anonymised data: Reidentification of deidentified data is strictly prohibited.
- Consent: Data cannot be associated with other data sets without explicit consent.
- Publicly funded data: In certain cases, access to publicly funded data and datasets may be restricted for a limited period if adequately justified. Justifiable restrictions may include protections for national security, personal privacy, intellectual property, or confidentiality.

2. Compliance Obligations for Private Sector Entities

Private organizations will need to implement key compliance measures, including:

2.1. Establishing a Legal Basis for Data Sharing: Organizations must document the lawful basis for sharing data.

2.2. Scope of Sharing: The scope of sharing envisaged under the Code includes routine data sharing for established purposes as well as exceptional, one-off decisions to share data for ad hoc or emergency purposes.

2.3. Duties of a Transferring Entity: Organizations transferring personal data must:
- Ensure compliance with data protection principles and consider data subject rights.
- Determine the purpose and means of data sharing.
- Enter into data-sharing agreements before sharing data.
- Obtain written data-sharing requests per the Data Protection (General) Regulations, 2021.
- Inform data subjects that their personal data will be or is being stored.

2.4. Duties of Receiving Entities: Before personal data is shared, the party receiving the data must:
- Implement measures to protect data confidentiality and consult with the data controller on confidentiality concerns.
- Limit data use to the specified purpose and avoid matching shared data with other datasets for reidentification.
- Provide a self-assessment, site inspection, or audit upon request from the data controller.
- Return or securely destroy personal data upon the expiration of the sharing period.
- Ensure data sharing is justified by evaluating proportionality, necessity, and safeguards.

2.5. Elements of Data Sharing Agreements: Data Sharing Agreements must include the following elements:
- Definitions of parties
- Purpose and legal basis for sharing
- Categories of data involved
- Roles and responsibilities of parties
- Processing details and security measures
- Retention, deletion, and agreement period
- Access controls and custodial responsibilities
- Costs, warranties, and indemnification clauses

2.6. Data Protection Policy and Contracts: Organizations should publish and regularly update their data protection policies. Data controllers and processors must engage in written contracts.

3. Data Sharing by Public Sector Organizations

3.1. Public sector organizations must:
- Establish a clear legal basis for data sharing per the Data Protection Act, 2019.
- Implement data protection by design and by default.
- Justify each data-sharing activity and inform individuals about data-sharing purposes.
- Apply proportionate measures and share only necessary data.
- Enforce strict access controls and ensure secure disposal of shared data.
- Conduct benefit-risk assessments before sharing data.

3.2. Principles for Emergency Data Sharing: Public bodies may request personal data to prevent serious physical harm or loss of life, protect public health, respond to crises, safeguard vulnerable children or adults, ensure national security, or take appropriate action against unlawful activities. Such requests must be made in writing and must clearly specify the nature of the emergency, the type of data required, the deadline for data provision, the frequency of access, and any conditions under which the data holder may be contacted.

3.3. Obligations of Public Sector Data Recipients: A public sector body that has received data pursuant to a request shall:
- Not use the data in a manner incompatible with the data request.
- Implement necessary technical and organizational measures that safeguard the rights and freedoms of data subjects.
- Destroy the data once it is no longer needed for the stated purpose and inform the data holder that the data has been destroyed.

3.4. Data Sharing for Research and Analytics: Data shared for research should be anonymized and restricted to nonprofit organizations. In addition, personal data cannot be sold or transferred outside Kenya without explicit consent and security safeguards.

4. Cross-Border Data Sharing

Cross-border transfers of personal data must comply with the requirements set under Kenya’s data protection laws and the proposed Data Sharing Code, 2024. The key provisions include:

4.1. Lawful and Secure Transfers: All cross-border data transfers must be conducted lawfully, fairly, and transparently, ensuring that data subjects are informed of the transfer and that their rights are protected. Personal data must only be collected and transferred for specified, explicit, and legitimate purposes. If the recipient country or organization lacks adequate data protection laws, the data controller or processor must implement appropriate safeguards to protect personal data during transfer and processing.

4.2. Data Subject Consent and Safeguards: Cross-border data transfers should be based on the data subject’s informed consent. The data subject must be made aware of any risks associated with the transfer and retains the right to withdraw consent at any time. Organizations must implement reasonable technical and organizational measures, including contractual safeguards, to prevent unlawful international transfers or unauthorized government access.

Legal Alert: Proposed Data Protection Audit Regulations

In 2024, the Office of the Data Protection Commissioner (ODPC) published two sets of draft regulations and a guidance note aimed at enhancing data protection compliance:
- The Data Protection (Conduct of Compliance Audit) Regulations, 2024
- The Data Sharing Code (Guidance Note)

In this update, we focus on the Data Protection (Conduct of Compliance Audit) Regulations. Our next update will cover the Data Sharing Code.

Overview: Data Protection (Conduct of Compliance Audit) Regulations, 2024

1. Object and Purpose of Regulations: The proposed Regulations aim to:
- establish a structured framework for conducting data protection audits;
- promote audit quality and consistency; and
- establish accreditation criteria for data protection auditors.

2. Types of Audits: The Regulations make provision for two types of audits: periodic audits and special audits.

3. Initiation of Audits: The ODPC may conduct a data protection audit on its own, outsource the conduct of the audit, or affirm a data protection audit report submitted to it by an accredited auditor. In addition, a data controller or processor may initiate audits of their own volition.

a) Audits Initiated by the Data Commissioner: The Data Commissioner may initiate a compliance audit in the following circumstances:
- upon receiving a complaint regarding an entity’s data protection practices;
- as part of a broader regulatory investigation;
- based on a risk assessment; or
- in response to a perceived or real privacy risk or a data breach notification.

Prior to initiating an audit, the Data Commissioner shall provide 30 days’ notice to the data controller or data processor.

b) Audits Initiated by Data Controllers or Data Processors: A data controller or processor may, of their own volition, initiate a data protection audit:
- to proactively assess their data protection compliance posture; or
- as part of a corrective measure following a data breach or other data protection concerns.

A data controller or processor initiating a voluntary audit may engage an auditor accredited under the Act to conduct the audit.

4. Accreditation of Data Protection Auditors: The Regulations establish a requirement for accreditation of independent data protection auditors. To be accredited, auditors must submit the following details to the ODPC:
- firm/establishment details;
- proof of academic and professional qualifications in data protection;
- relevant experience in data protection audits; and
- evidence of adequate professional indemnity cover.

Accreditation will attract a fee of Kes. 150,000/-. The accreditation is valid for a certain period of time, although this period has not been defined in the Regulations. Upon expiry, the accreditation is renewable at a fee of Kes. 100,000/-. The ODPC will maintain a public register of accredited auditors and may reject an application for accreditation or revoke an accreditation.

5. The Audit Process: The Data Commissioner or the accredited data protection auditor shall, in conducting the audit, follow a structured process which shall include:
- developing a detailed audit plan outlining the methodology, scope and timeline for the audit;
- conducting relevant interviews with data controllers or processors; and
- reviewing relevant documentation and records related to data processing activities, including:
  - data protection policies and procedures;
  - records of data processing activities;
  - data security measures; and
  - records of data subject requests and responses.

The auditors may also perform necessary tests or assessments to evaluate compliance with the requirements of the Act.

7. Data Controller Responsibilities in the Audit Process: Data controllers or data processors must provide the auditor with reasonable access to all relevant information and documentation necessary for conducting the audit, designate a contact person, and fully cooperate with the auditor to address any non-compliance issues.

8. The Auditor’s Responsibilities: Accredited auditors must:
- conduct the audit in accordance with professional standards and best practices;
- plan the scope of the audit effectively based on specific needs;
- employ appropriate audit methodologies to assess compliance with data protection requirements;
- maintain the confidentiality and security of all information received during the audit process; and
- avoid conflicts of interest.

9. Reporting Audit Findings: Auditors must prepare a written audit report detailing the scope and methodology of the audit, as well as the findings and recommendations for corrective action. The data controller must receive the report and be given a reasonable timeframe to respond to the findings and recommendations.

10. Enforcement Actions: Following an audit, the Data Commissioner may:
- issue recommendations for improvement to the data controllers or processors;
- issue enforcement or penalty notices requiring the data controller to take specific corrective action; or
- initiate further investigation for non-compliance.

11. Cooperation and Confidentiality: The Data Commissioner, the auditor, and the data controller or data processor shall all cooperate in a professional and timely manner throughout the audit process. All information obtained in the audit shall be treated as confidential, except where disclosed with the authorisation of the data controller or processor or where disclosure is required by law. In addition, auditors must implement appropriate safeguards to protect the confidentiality of personal data accessed during the audit process.

12. Reporting by the ODPC: The ODPC shall prepare and publish an annual report on the implementation of the Regulations, including the number of audits conducted, the audit findings and the actions taken. The report shall be made available to the public to promote transparency and accountability.

Next Steps: The draft regulations are currently undergoing public participation before being tabled in Parliament for adoption. We will keep you informed of further developments. In the meantime, we recommend that you continue enhancing your privacy compliance program to minimise regulatory risks.

New Book Alert!

As data protection compliance continues to evolve, we are excited to announce the upcoming release of our book, “Data Protection in Kenya: Case Law”. This book provides:
- A detailed analysis of key data protection cases in Kenya.
- Insights into regulatory enforcement trends.
- Lessons for businesses, legal professionals, and compliance officers.

This resource will be an essential guide for anyone looking to navigate Kenya’s data protection landscape effectively. Order your copy here.