Legal Alert: Proposed Data Sharing Guidelines

Today, we turn our focus to the recently proposed Data Sharing Code, 2024, which aims to establish a structured and ethical framework for the sharing of personal data across various sectors. Once adopted, these guidelines will have significant implications for organizations involved in data processing and sharing.
Key Highlights of the Proposed Data Sharing Code
1. Principles of Personal Data Sharing

The Data Sharing Code establishes the following fundamental principles for sharing personal data:

  • Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently to the data subject. In addition, the purpose of data sharing activities and engagements should be transparent to all stakeholders.
  • Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes.
  • Data minimization: Only the minimum data necessary for the specified purpose should be collected or processed.
  • Accuracy: Data must be kept accurate and up to date.
  • Storage limitation: Data must be retained only as long as necessary for the specified purpose.
  • Integrity and confidentiality: Data processing must ensure appropriate security, integrity, and confidentiality.
  • Timeliness: Data should be shared in a timely manner.
  • Interoperability: Where necessary, data should be structured to allow for interoperability across systems.
In addition, the Code imposes restrictions on the following:
  • Data stewardship: Data ownership should not be transferred pursuant to a data sharing agreement.
  • Redistribution of data: Recipients of data cannot resell or further sell the data without authorisation.
  • Reidentification of anonymised data: Reidentification of deidentified data is strictly prohibited.
  • Consent: Data cannot be associated with other data sets without explicit consent.
  • Publicly funded data: In certain cases, access to publicly funded data and datasets may be restricted for a limited period if adequately justified. Justifiable restrictions may include protections for national security, personal privacy, intellectual property, or confidentiality.
2. Compliance Obligations for Private Sector Entities
Private organizations will need to implement key compliance measures, including:
2.1. Establishing a Legal Basis for Data Sharing: Organizations must document the lawful basis for sharing data.
2.2. Scope of Sharing: The scope of sharing envisaged under the Code includes routine data sharing for established purposes as well as exceptional, one-off decisions to share data for ad hoc or emergency purposes.

2.3. Duties of a transferring entity: Organizations transferring personal data must:

  • Ensure compliance with data protection principles and consider data subject rights.
  • Determine the purpose and means of data sharing.
  • Enter into data-sharing agreements before sharing data.
  • Obtain written data-sharing requests per the Data Protection (General) Regulations, 2021.
  • Inform data subjects that their personal data will be or is being stored.
2.4. Duties of Receiving Entities: Before personal data is shared, the party receiving the data must:
  • Implement measures to protect data confidentiality and consult with the data controller on confidentiality concerns.
  • Limit data use to the specified purpose and avoid matching shared data with other datasets for reidentification.
  • Provide a self-assessment, site inspection, or audit upon request from the data controller.
  • Return or securely destroy personal data upon the expiration of the sharing period.
  • Ensure data sharing is justified by evaluating proportionality, necessity, and safeguards.

2.5. Elements of Data Sharing Agreements: Data Sharing Agreements must include the following elements:

  • Definitions of parties
  • Purpose and legal basis for sharing
  • Categories of data involved
  • Roles and responsibilities of parties
  • Processing details and security measures
  • Retention, deletion, and agreement period
  • Access controls and custodial responsibilities
  • Costs, warranties, and indemnification clauses
2.6. Data Protection Policy and Contracts:
  • Organizations should publish and regularly update their data protection policies.
  • Data controllers and processors must engage in written contracts.
3. Data Sharing by Public Sector Organizations
3.1. Public sector organizations must:
  • Establish a clear legal basis for data sharing per the Data Protection Act, 2019.
  • Implement data protection by design and default.
  • Justify each data-sharing activity and inform individuals about data-sharing purposes.
  • Apply proportionate measures and share only necessary data.
  • Enforce strict access controls and ensure secure disposal of shared data.
  • Conduct benefit-risk assessments before sharing data.
3.2. Principles for Emergency Data Sharing
Public bodies may request personal data to prevent serious physical harm or loss of life, protect public health, respond to crises, safeguard vulnerable children or adults, ensure national security, or take appropriate action against unlawful activities. Such requests must be made in writing and must clearly specify the nature of the emergency, the type of data required, the deadline for data provision, the frequency of access, and any conditions under which the data holder may be contacted.
3.3. Obligations of public sector data recipients
A public sector body having received data pursuant to a request shall:
  • Not use the data in a manner incompatible with the data request.
  • Implement necessary technical and organizational measures that safeguard the rights and freedoms of data subjects.
  • Destroy data once it is no longer needed for the stated purpose and inform the data holder that the data has been destroyed.
3.4. Data Sharing for Research and Analytics: Data shared for research should be anonymized and restricted to nonprofit organizations. In addition, personal data cannot be sold or transferred outside Kenya without explicit consent and security safeguards.
4. Cross-Border Data Sharing
Cross-border transfers of personal data must comply with the requirements set under Kenya’s data protection laws and the proposed Data Sharing Code, 2024. The key provisions include:
4.1. Lawful and Secure Transfers
  • All cross-border data transfers must be conducted lawfully, fairly, and transparently, ensuring that data subjects are informed of the transfer and their rights are protected.
  • Personal data must only be collected and transferred for specified, explicit, and legitimate purposes.
  • If the recipient country or organization lacks adequate data protection laws, the data controller or processor must implement appropriate safeguards to protect personal data during transfer and processing.
4.2. Data Subject Consent and Safeguards
  • Cross-border data transfers should be based on the data subject’s informed consent. The data subject must be made aware of any risks associated with the transfer and retain the right to withdraw consent at any time.
  • Organizations must implement reasonable technical and organizational measures, including contractual safeguards, to prevent unlawful international transfers or unauthorized government access to personal data.
4.3. Requests from Foreign Authorities
  • Requests from foreign courts, tribunals, or administrative authorities for access to personal data held in Kenya will only be honored if:
    • There is an existing international agreement between Kenya and the requesting country, or
    • A Kenyan court has recognized and validated the request.
  • In the absence of such an agreement or court validation, cross-border data access requests will only be considered if:
    • The requesting country’s legal framework ensures the request is necessary, proportionate, and linked to specific suspected persons or legal violations.
    • The request is subject to review by a competent court or tribunal in the requesting country.
    • The issuing authority considers the legal interests of the Kenyan data controller or processor.
Where necessary, organizations may seek the opinion of the Office of the Data Protection Commissioner (ODPC) to determine compliance with these conditions, particularly when dealing with commercially sensitive data or matters affecting national security.

4.4. Notification and Compliance Monitoring

  • Data controllers and processors transferring personal data outside Kenya must notify the ODPC of the transfer to ensure compliance with the Data Protection Act, 2019.
  • The ODPC will monitor and investigate cross-border data transfers, imposing sanctions on entities that fail to comply with the prescribed requirements.
Conclusion
The proposed Data Sharing Code is still undergoing public participation, and we will provide updates once stakeholder feedback and regulatory revisions are published. In the meantime, organizations should proactively assess their data-sharing frameworks to ensure alignment with evolving compliance expectations.
If you require assistance in reviewing your data-sharing policies or implementing compliance measures, please do not hesitate to contact us.