The Data Protection Act, 2019 came into effect on 14 July 2022.
It is accompanied by three subsidiary regulations, published in the Kenya Gazette Supplement on 31 December 2021:
(1) The Data Protection (General) Regulations, 2021,
(2) The Data Protection (Complaints and Enforcement Procedures) Regulations, 2021 and
(3) The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
These privacy laws provide a framework for processing personal data and set out the rights of data subjects and the obligations of controllers and processors. Their objective is to regulate the processing of personal data; to ensure that processing is guided by stated principles; to protect the privacy of individuals; to establish legal and institutional mechanisms for protecting personal information; and to give data subjects rights and remedies. They therefore guide data controllers and processors on how to handle the data they collect, process and store.
Data controllers and processors are entities that process personal information for activities including health administration, financial services, telecommunication services and transport services, among others. Any entity that collects, records, organizes, classifies, stores, modifies, amends, retrieves, broadcasts or otherwise manipulates personal information is therefore required to comply with the Act. Personal data is any data that can identify a living person: a name, an identification number, a digital identifier, or any other information that could cause harm if leaked or misused.
These entities collect and maintain personal information about their clients in the course of their business. They are now required to secure that personal data: to prevent unauthorized access to it and to keep the records they hold accurate against the client information obtained.
Inaccurate records must be erased or rectified, which means that collected information has to be kept up to date so that it is accurate at all times. The Act gives data subjects the right to access the information these entities hold about them; they must be informed of the purpose for which the information is collected, and they are entitled to correct misleading records and to have them deleted.
Information collected by organizations has in the past exposed their customers to fraud. In a reported case of SIM swap fraud, the fraudsters posed as bank staff and asked customers for their account number, PIN and transaction details. The calls were staged to look like genuine bank employees calling to make inquiries.
With this information they were able to gain access to the victims' bank accounts through the mobile banking platforms. Such cases breach regulatory requirements under the law. In May 2022, it was reported that a senior police officer was defrauded of Kshs 597,100; the funds were transferred from his bank account to his mobile phone and then on to a mobile number unknown to him.
In this case the fraudsters had access to the bank account, to the mobile phone number and to the mobile banking platform. Entities should be accountable: they must have appropriate measures in place to secure information and be able to demonstrate compliance. Data security matters because it assures customers of their own security and of the security of their data and resources. Entities that fail to protect personal information and to comply with privacy regulations are not only risking financial penalties; they also risk operational inefficiencies, intervention by regulators and, most importantly, permanent loss of consumer trust.
Entities must process information lawfully and fairly. One requirement is consent from the individual to process their personal information. The Office of the Data Protection Commissioner (ODPC) directed Oppo Kenya to review its data handling practices after a complaint was filed by one of its data subjects.
The complaint was that Oppo Kenya had used the subject's photo on its social media platforms without consent, contrary to the Act. Oppo Kenya was fined Kshs 5 million for failing to comply with the Act and its regulations. The Act provides that sensitive personal data may be processed only with the individual's express consent, unless such data is required for filing legal proceedings or claims, or there is a legal, public interest or regulatory requirement.
Entities should therefore ensure that they have adequate policies, procedures and controls in place to protect data privacy.
Data Privacy Laws
The privacy laws empower individuals and give them control over their personal data. Data subjects have the right to access their personal information on request; the right to restrict processing of their personal data; the right to object to the use of their data; the right to have their personal data corrected; and the right to have their personal data transferred (data portability).
Entities that process this information should therefore develop clear policies and procedures to comply with the data privacy laws, put adequate data retention mechanisms in place, and minimize operational lapses in capturing information at source by getting it right the first time.
Entities should also periodically reassess the information they hold, to ascertain whether it is still lawful to retain it and whether any changes are required. More importantly, organizations should train their staff on the privacy laws so as to minimize non-compliance risk. Entities that fail to protect personal information risk regulatory breaches that lead to financial loss and, ultimately, reputational damage, among other risks.
Caroline Gathii is an International Certified Risk Expert with FirstIdea Consulting Limited.