Understanding the Data Protection Act

By: DWG Advocates, 3 August 2021

With the increased use of the internet, social media and other digital information platforms, it is becoming more crucial to ensure that personal data is protected, processed and used for the right purpose.

Attention and care should be taken in the way data is collected, used and processed.

Protection

The purpose of the Act is to regulate and lay down the principles under which processing of personal data ought to be done. It further establishes the legal and institutional mechanisms for protection of personal data to protect the privacy of individuals.

Collection

Personal data should only be collected directly from the data subject and used with the express consent of the subject. It should be gathered for a specified and lawful purpose, limited to only information necessary for the intended use.

Data that reveals race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of children, parents, spouse or spouses, sex or sexual orientation is deemed sensitive data. Specific provisions apply to the collection, storage and processing of such data. For example, personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider. Data controllers and processors must justify the need to process health and sensitive personal data.

Rights

The Act applies to all persons located in Kenya, both residents and non-residents. It grants greater control over our privacy and personal data. As data subjects we need to:

  1. Be informed of any personal and sensitive data collected and the purpose for collection,
  2. Be informed of the applicable processing methods and retention periods,
  3. Be informed when our personal data will be shared with any third parties,
  4. Object to the processing of part or all of our data,
  5. Request access and receive all personal data held by data controllers and processors,
  6. Request the correction of personal data,
  7. Fault previous consent given for collection and processing of data, and
  8. Curb the processing and request the erasure of personal data.

Retention

The Act does not set boundaries to the retention duration of personal data by data controllers. Personal data may be retained beyond its intended purpose if it is required by law or for evidence purposes. Personal data will not be transferred outside of Kenya unless there are adequate data protection measures enforced, and the data subject has given permission.

Limitation

International regulations, policies and agreements not sanctioned in Kenya will not affect data controllers or processors. However, they are free to cooperate with international bodies in matters relating to data protection.

Responsibility of Data Controllers

Data controllers and processors must inform the Data Commissioner and affected data subjects of any unauthorised access to personal data that may result in harm to an individual. The notification should be made within 72 hours, but a data controller may withhold the notice in order to investigate and prevent further unauthorised access.

Conclusion

You can report a data breach or file a complaint to the office of the Data Protection Commissioner. You can check the ‘how to’ on https://www.odpc.go.ke/data-subjects/.
