Legal Alert: Proposed Data Sharing Guidelines

Today, we turn our focus to the recently proposed Data Sharing Code, 2024, which aims to establish a structured and ethical framework for the sharing of personal data across various sectors. Once adopted, these guidelines will have significant implications for organizations involved in data processing and sharing.Key Highlights of the Proposed Data Sharing Code1. Principles of Personal Data Sharing The Data Sharing Code establishes the following fundamental principles for sharing personal data: Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently to the data subject. In addition, the purpose of data sharing activities and engagements should be transparent to all stakeholders. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes. Data minimization: Only the minimum data necessary for the specified purpose should be collected or processed. Accuracy: Data must be kept accurate and up to date. Storage limitation – Data must be retained only as long as necessary for the specified purpose. Integrity and confidentiality: Data processing must ensure appropriate security, integrity, and confidentiality. Timeliness: data should be shared in a timely manner Interoperability: Where necessary, data should be structured to allow for interoperability across systems. In addition, the Code imposes restrictions on the following: Data stewardship: data ownership should not be transferred pursuant to a data sharing agreement. Redistribution of data: Recipients of data cannot resell or further sell the data without authorisation. Reidentification of anonymised data: reidentification of deidentified data is strictly prohibited. Consent: Data cannot be associated with other data sets without explicit consent. Publicly funded data: In certain cases, access to publicly funded data and datasets may be restricted for a limited period if adequately justified. Justifiable restrictions may include protections for national security, personal privacy, intellectual property, or confidentiality. 2. Compliance Obligations for Private Sector EntitiesPrivate organizations will need to implement key compliance measures, including: 2.1. Establishing a Legal Basis for Data Sharing: Organizations must document the lawful basis for sharing data. 2.2. Scope of Sharing: The scope of sharing envisaged under the Code includes routine data sharing for established purposes as well as exceptional, one-off decisions to share data for ad hoc or emergency purposes, 2.3. Duties of a transferring entity: Organizations transferring personal data must: Ensure compliance with data protection principles and consider data subject rights. Determine the purpose and means of data sharing. Enter into data-sharing agreements before sharing data. Obtain written data-sharing requests per the Data Protection (General) Regulations, 2021. Inform data subjects that their personal data will be or is being stored. 2.4. Duties of Receiving Entities: Before personal data is shared, the party receiving the data must: Implement measures to protect data confidentiality and consult with the data controller on confidentiality concerns. Limit data use to the specified purpose and avoid matching shared data with other datasets for reidentification. Provide a self-assessment, site inspection, or audit upon request from the data controller. Return or securely destroy personal data upon the expiration of the sharing period. Ensure data sharing is justified by evaluating proportionality, necessity, and safeguards. 2.5. Elements of Data Sharing Agreements: Data Sharing Agreements must include the following elements: Definitions of parties Purpose and legal basis for sharing Categories of data involved Roles and responsibilities of parties Processing details and security measures Retention, deletion, and agreement period Access controls and custodial responsibilities Costs, warranties, and indemnification clauses 2.6. Data Protection Policy and Contracts: Organizations should publish and regularly update their data protection policies. Data controllers and processors must engage in written contracts. 3. Data Sharing by Public Sector Organizations3.1. Public sector organizations must: Establish a clear legal basis for data sharing per the Data Protection Act, 2019.> Implement data protection by design and default. Justify each data-sharing activity and inform individuals about data-sharing purposes. Apply proportionate measures and share only necessary data. Enforce strict access controls and ensure secure disposal of shared data. Conduct benefit-risk assessments before sharing data. 3.2. Principles for Emergency Data SharingPublic bodies may request personal data to prevent serious physical harm or loss of life, protect public health, respond to crises, safeguard vulnerable children or adults, ensure national security, or take appropriate action against unlawful activities. Such requests must be made in writing and must clearly specify the nature of the emergency, the type of data required, the deadline for data provision, the frequency of access, and any conditions under which the data holder may be contacted. 3.3. Obligations of public sector data recipientsA public sector body having received data pursuant to a request shall: – Not use the data in a manner incompatible with the data request. Implement necessary technical and organizational measures that safeguard the rights and freedoms of data subjects. Destroy data once it is no longer needed for the stated purpose and inform the data holder that the data has been destroyed. 3.4. Data Sharing for Research and Analytics: Data shared for research should be anonymized and restricted to nonprofit organizations. In addition, Personal data cannot be sold or transferred outside Kenya without explicit consent and security safeguards.4. Cross-Border Data Sharing Cross-border transfers of personal data must comply with the requirements set under Kenya’s data protection laws and the proposed Data Sharing Code, 2024. The key provisions include: 4.1. Lawful and Secure Transfers All cross-border data transfers must be conducted lawfully, fairly, and transparently, ensuring that data subjects are informed of the transfer and their rights are protected. Personal data must only be collected and transferred for specified, explicit, and legitimate purposes. If the recipient country or organization lacks adequate data protection laws, the data controller or processor must implement appropriate safeguards to protect personal data during transfer and processing. 4.2. Data Subject Consent and Safeguards Cross-border data transfers should be based on the data subject’s informed consent. The data subject must be made aware of any risks associated with the transfer and retain the right to withdraw consent at any time. • Organizations must implement reasonable technical and organizational measures, including contractual safeguards, to prevent unlawful international transfers or unauthorized government access..