1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
The overarching legislation on data privacy in Kenya is the Data Protection Act, 2019 (DPA), which was assented to by the president on 8 November 2019. The DPA governs the collection, handling, transfer and destruction of data of natural persons.
The following regulations which supplement the DPA were published on 14 January 2022 and came into effect on 11 February 2022:
- the Data Protection (General) Regulations, 2021;
- the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; and
- the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations will come into effect in July 2022.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Yes, to a limited extent. The banking sector is bound by additional confidentiality and data privacy provisions contained in the Central Bank of Kenya Act and the Central Bank of Kenya's Prudential Guidelines.
The insurance sector is bound by confidentiality and data privacy provisions contained in the Insurance Regulatory Authority's Guideline on Market Conduct for Insurers.
Telecommunications providers are bound by the confidentiality and data privacy requirements contained in the National Payment Systems Act and the National Payment Systems Regulations 2014.
There are no sector-specific laws relating to data privacy applicable to the healthcare or advertising sectors.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
No. Kenya is a member of the African Union, but is yet to sign the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention').
Although Kenya is not a signatory to the Malabo Convention, under the Data Protection (General) Regulations, 2021, a country or a territory that has ratified the Malabo Convention is deemed to have adequate safeguards for the purposes of cross-border data transfers.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The DPA established the Office of the Data Protection Commissioner (ODPC) for the implementation and administration of the DPA. The ODPC has the power to:
- conduct investigations on its own initiative or based on a complaint made by a data subject or a third party;
- facilitate conciliation, mediation and negotiation on disputes arising from the DPA;
- issue summons to a witness for the purposes of investigation;
- require any person that is subject to the DPA to provide explanations, information and assistance;
- impose administrative fines for failures to comply with the DPA;
- undertake any activity necessary for the fulfilment of any of the functions of the office; and
- exercise any powers prescribed by any other legislation.
The ODPC has broad powers of oversight relating to the provisions of the DPA and is empowered to investigate and impose administrative fines for contravention of the provisions of the DPA. It is also responsible for the registration of data controllers and data processors.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
The DPA allows the ODPC to issue guidelines or codes of practice for data controllers, data processors and data protection officers. In addition, the ODPC may develop sector-specific guidelines in consultation with relevant stakeholders in different industries such as health, financial services, education, social protection and any other area that it determines. However, the data protection regulatory framework is still in its infancy and we are yet to see such sector-specific guidelines being issued. Since the DPA borrows heavily from the EU General Data Protection Regulation, industry standards and best practices adopted by EU member states will be of persuasive value in Kenya.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The Data Protection Act (DPA) applies to all data controllers and processors, regardless of the legal form taken by the entity (natural or legal person, public authority, agency or other body) that processes the personal data of data subjects located in Kenya, whether or not the data controller or processor is located in or ordinarily resident in Kenya. However, the protection under the DPA extends only to ‘personal data', which is defined in the act as data relating only to identified or identifiable natural persons.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Section 51 of the DPA provides for the following exemptions:
- processing in the course of a purely personal or household activity;
- processing that is necessary for national security or the public interest; and
- disclosure under any written law or by an order of the court.
The principles of processing personal data do not apply where:
- the processing is undertaken for the publication of literary or artistic material and the data controller reasonably believes that publication will be in the public interest and in accordance with any self-regulatory or issued code of ethics; or
- the processing is done for historical, statistical or research purposes (provided that the data is not published in an identifiable form).
The Data Protection (General) Regulations, 2021 go on to create two new exemptions on the ground of public interest:
- in a permitted general situation – that is, where the data is processed to:
  - lessen or prevent a serious threat to a data subject;
  - take action in relation to unlawful activity;
  - locate a missing person;
  - assert a legal or equitable claim;
  - conduct an alternative dispute resolution process; or
  - perform diplomatic or consular duties; or
- in a permitted health situation – that is, where the data is processed to provide a health service and for health research within defined parameters.
Despite these exemptions, a data controller or data processor will not be exempt from the requirement to comply with data protection principles relating to:
- lawful processing;
- minimisation of collection;
- data quality; and
- the adoption of safeguards.
2.3 Does the data privacy regime have extra-territorial application?
Yes. Section 4(b) of the DPA sets out the territorial scope of the act. The DPA applies to the processing of personal data by data controllers and data processors that are not established or ordinarily resident in Kenya, but that process the personal data of data subjects located in Kenya.
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
- collection, recording, organisation or structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination or otherwise making available; or
- alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
(d) Data subject
An identified or identifiable natural person who is the subject of personal data.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Data revealing a natural person's:
- race;
- health status;
- ethnic social origin;
- conscience;
- beliefs;
- genetic data;
- biometric data;
- property details;
- marital status;
- family details, including the names of his or her children, parents, spouse or spouses;
- sex; or
- sexual orientation.
(g) Consent
Any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
- Biometric data: Personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning and voice recognition.
- Third party: A natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or person that, under the direct authority of the data controller or data processor, is authorised to process personal data.
- Health data: Data relating to the physical or mental health of the data subject, including:
  - records regarding the past, present or future state of the data subject's health;
  - data collected in the course of registration for, or provision of, health services; and
  - data which associates the data subject with the provision of specific health services.
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Data controllers and processors must be registered with the Office of the Data Protection Commissioner (ODPC) if they meet the threshold for mandatory registration. As such, a data controller or processor must be registered if any of the following conditions is met:
- It has an annual turnover of more than KES 5 million;
- It has more than 10 employees; or
- It processes personal data for any of the purposes specified in the Third Schedule of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. These are:
  - canvassing political support;
  - crime prevention and prosecution of offenders (including operation of closed-circuit television systems);
  - gambling;
  - operating an educational institution;
  - health administration;
  - hospitality (excluding tour guides);
  - property management;
  - provision of financial services;
  - provision of telecommunications networks or services;
  - direct marketing;
  - provision of transport services; or
  - processing of genetic data.
4.2 What is the process for registration?
Data controllers and data processors that meet the registration threshold must apply online for registration with the ODPC using a standard form, accompanied by the registration fees. The registration fees are based on the scale of the applicant's operations (which is determined by the number of employees and the annual revenue of the applicant). The current categories are as follows.
| Category | Size definition | Registration and (renewal) fees |
| --- | --- | --- |
| Micro and small data controllers/processors | 1–50 employees and below KES 5 million of annual revenue | KES 4,000 (KES 2,000) |
| Medium data controllers/processors | 51–99 employees and between KES 5 million and KES 50 million of annual revenue | KES 16,000 (KES 9,000) |
| Large data controllers/processors | 99 employees and a turnover of above KES 50 million | KES 40,000 (KES 25,000) |
| Public entities | No limit on employees or annual revenue | KES 4,000 (KES 2,000) |
| Charities and religious entities | | |
The ODPC will verify the details provided in the application and, if satisfied that the applicant fulfils the requirements for registration, will issue a certificate, which will remain valid for a period of 24 months from the date of issuance.
4.3 Is registered information publicly accessible?
The ODPC must maintain a register of data controllers and processors. There are no provisions for public access to the register of controllers and processors.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Section 30 of the Data Protection Act (DPA) sets out the lawful bases for processing personal data, as follows:
- The data subject has consented to the processing;
- The processing is necessary to perform a contract (or pre-contractual obligations) to which the data subject is a party;
- The processing is necessary to comply with a legal obligation to which the controller is subject;
- The processing is necessary to protect the vital interests of the data subject or another natural person;
- The processing is necessary to perform a task carried out in the public interest or in the exercise of the controller's official authority;
- The processing is necessary to perform any task carried out by a public authority;
- The processing is necessary for the exercise by any person, in the public interest, of any functions of a public nature;
- The processing is necessary for legitimate interests pursued by the data controller, data processor or third party to which the data is disclosed, unless the processing is warranted or is prejudicial to the rights, freedoms or legitimate interests of the data subject; or
- The processing is necessary for the purposes of historical, statistical, journalistic, literature and art or scientific research.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The DPA sets out the basic principles for the processing of personal data, as follows:
- Lawfulness, fairness, and transparency: Personal data must be processed fairly and in a transparent manner, and may only be processed in line with a specific lawful basis.
- Purpose limitation: Personal data must be collected for explicit, specified and legitimate purposes, and must not be used for purposes other than those specified at collection.
- Data minimisation: Collected data must be adequate, relevant and limited to what is necessary in relation to the purposes for processing.
- Accuracy: Personal data must be accurate and be kept updated, with steps being taken to ensure that inaccurate data is erased or rectified.
- Storage minimisation: Data must not be kept in a form that identifies the data subject for longer than is necessary for the purposes of collection.
- Integrity and confidentiality: Data must not be transferred unless there is proof of adequate data protection safeguards and the data controller/processor must ensure the security of the data in transit and in storage.
These principles remain consistent regardless of the type of data and do not depend on whether the processing is outsourced. Data controllers must ensure that all data processors abide by the same principles.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Under the Data Protection (General) Regulations, 2021, a data controller or data processor that processes personal data for the purpose of the ‘strategic interest' of the state must either:
- process such personal data through a server and data centre located in Kenya; or
- store at least one serving copy of the personal data in a data centre located in Kenya.
‘Strategic interest' has been defined to include:
- processing personal data for the purpose of administering a civil registration or legal identity management system;
- facilitating the conduct of elections in the country;
- overseeing any system for administering public finances by any state organ;
- running any system designated as a protected computer system in terms of the Computer Misuse and Cybercrime Act, 2018; and
- offering any form of early childhood education and basic education or the provision of primary or secondary healthcare for a data subject in the country.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
The Data Protection Act (DPA) imposes no restrictions on the transfer of data to third parties. However, the data controller is ultimately responsible for the personal data collected that is transferred to third parties. Thus, contracts between data controllers and third parties accessing data should, at a minimum, set out:
- the reasons for the transfer;
- the types of personal data and the categories of data subjects;
- the obligations and rights of the data controller;
- appropriate technical and organisational measures to keep the data secure;
- a provision stipulating that all personal data must be permanently deleted or returned on termination or lapse of the agreement;
- auditing and inspection provisions by the data controller;
- the mode of actioning data subject requests; and
- the mode of reporting data breaches.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Part VI of the DPA, read together with Part VII of the Data Protection (General) Regulations, 2021, provides that data can be transferred outside of Kenya only if the following requirements are met:
- The data controller or data processor has given proof to the Office of the Data Protection Commissioner (ODPC) on adequate safeguards with respect to the security and protection of the personal data, including proving that the jurisdictions have commensurate data protection laws;
- The ODPC has issued an adequacy decision on the receiving jurisdiction;
- The transfer is necessary for:
  - the performance of a contract between the data subject and the data controller or data processor, or the implementation of pre-contractual measures;
  - any matter of public interest;
  - the establishment, exercise or defence of a legal claim;
  - the protection of the vital interests of the data subject or other persons, where the data subject is incapable of giving consent; or
  - compelling legitimate interests pursued by the data controller or data processor, provided that they are not overridden by the rights of the data subject; or
- the consent of the data subject has been obtained.
Adequate safeguards are deemed to be present where:
- there is a legal instrument containing appropriate safeguards for the protection of personal data binding the intended recipient that is essentially equivalent to the protection under the DPA; or
- the data controller has assessed all circumstances of the transfer and concluded that appropriate safeguards exist.
A country is automatically taken to have adequate safeguards if it has:
- ratified the African Union Convention on Cyber Security and Personal Data Protection;
- a reciprocal data protection agreement with Kenya; or
- contractual binding corporate rules among a concerned group of undertakings or enterprises.
A list of countries that meet the adequacy requirements has not yet been published by the ODPC.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Data transfers should be well documented, setting out the obligations and responsibilities of each party with respect to the transferred data.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Under the Data Protection Act, data subjects have the right to:
- be informed of how their personal data will be used;
- access their personal data in the custody of a data controller/processor;
- object to the processing of all or part of their personal data;
- request the correction or deletion of false or misleading data about them;
- receive their personal data in a structured, commonly used and machine-readable format;
- request the data controller/processor to transmit their personal data to another data controller or processor without hindrance;
- request the deletion of irrelevant or excessive personal data or data which the controller/processor is no longer authorised to retain, or which has been obtained unlawfully; and
- not be subject to a decision based solely on automated decision making.
These rights are not absolute and may be limited where a data controller or processor demonstrates a compelling legitimate interest which overrides the data subject's interests. In such cases, the data controller or processor must inform the data subject of its inability to fulfil the request. Notably, the right to erasure does not apply if the processing is necessary:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- to perform a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest;
- for scientific research, historical research or statistical purposes; or
- for the establishment, exercise or defence of a legal claim.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
The Data Protection (General) Regulations, 2021 provide data subject rights request forms through which a data subject may make a request to a data controller/processor. However, these are generic forms and the data controller/processor is not restricted from providing alternative mechanisms through which the data subject may make the relevant requests. The regulations also provide for specific timelines within which a data subject request must be acted upon.
If a data subject feels aggrieved by the actions of a data controller/processor, a complaint may be lodged under the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. The complaint must be made to the Office of the Data Protection Commissioner (ODPC) in a prescribed form. The ODPC has also launched an online complaint tool on its portal.
7.3 What remedies are available to data subjects in case of breach of their rights?
Regulation 14(3) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 sets out the remedies to which a complainant is entitled if, upon investigation by the ODPC, the complaint is determined in his or her favour. These include:
- the issuance of an enforcement notice to the respondent;
- the issuance of a penalty notice imposing an administrative fine;
- a recommendation for prosecution; or
- an order for compensation to the data subject by the respondent.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
A data controller/processor is not mandated to appoint a data protection officer (DPO) unless:
- its core activities consist of processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects; or
- its core activities comprise the processing of sensitive categories of personal data.
The Office of the Data Protection Commissioner (ODPC) is empowered to issue guidelines and codes of practice for data protection officers. However, these have not yet been issued. There are no fines or penalties set out for failure to appoint a DPO.
8.2 What qualifications or other criteria must the data protection officer meet?
There are no mandatory qualifications for a DPO under Kenyan law. The Data Protection Act (DPA) provides that a person may be appointed a DPO if he or she possesses the relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection. The ODPC is empowered to issue guidelines or codes of practice for DPOs. These have not yet been issued.
8.3 What are the key responsibilities of the data protection officer?
A DPO's main responsibilities are to:
- advise the data controller or data processor and its employees on data processing requirements under the law;
- ensure, on behalf of the data controller/processor, that the DPA is complied with;
- facilitate capacity building of staff involved in data processing operations;
- advise on data protection impact assessments; and
- cooperate with the ODPC and any other relevant authorities on matters relating to data protection.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
There are no restrictions on outsourcing the DPO function. Companies can structure this arrangement as they see fit, as long as the DPO:
- is qualified;
- is accessible to the entity, data subjects and the ODPC; and
- is free of other tasks and duties that may result in a conflict of interest.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Under the DPA, a data controller or data processor must develop, publish and regularly update a policy reflecting its personal data handling practices. This policy should cover issues such as:
- the nature of the personal data collected and held;
- how data subjects may exercise their rights in respect to that personal data;
- complaints handling mechanisms;
- the lawful purpose of the data processing;
- obligations where personal data is to be transferred;
- the retention period; and
- the collection of personal data from children and the applicable criteria.
The DPA contains no provisions that require data controllers or processors to keep a record of processing activities. However, it empowers the ODPC to conduct periodic audits over the processes and systems of data controllers and processors. Thus, we recommend that data controllers/processors maintain a record of processing activities.
In addition, the DPA requires data controllers to maintain records in relation to personal data breaches. These records must include the facts relating to the breach, its effects and any remedial action taken subsequent to the breach.
Data controllers and processors must also establish and maintain a data retention schedule which takes into account the purpose for which the data was collected and determines the need for continued retention of the data.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
- A data controller/processor is expected to conduct a data protection impact assessment where the processing is likely to result in an elevated risk to the rights and freedoms of the data subjects. If it is determined that the processing will result in increased risk, the data controller/processor must consult the ODPC 60 days prior to the processing.
- Under the DPA, data cannot be used for direct marketing purposes unless:
  - the consent of the data subject has been sought; or
  - the data controller is authorised to do so under any written law and the data subject has been informed of such use when collecting the data.
- A data controller or data processor that uses personal data for direct marketing purposes without the consent of the data subject commits an offence and is liable on conviction to a fine of up to KES 20,000, imprisonment for up to six months or both. Sensitive personal data cannot be used for direct marketing purposes.
- The DPA confers upon data subjects a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning, or which significantly affects, the data subject. The data controller or processor must notify the data subject in writing if a decision has been made based solely on automated processing; and the data subject has a right, upon notification, to request the controller or processor to reconsider the decision or to make a new decision that is not solely based upon automated processing.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Data controllers and processors are expected to implement appropriate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing activities.
In considering the nature of the safeguards to be put in place, data controllers and processors must take into account:
- the amount of personal data collected;
- the extent of the processing;
- the period of storage;
- the accessibility of the data;
- the cost of implementing the safeguards; and
- the technology available at the time.
Data controllers and processors must ensure that any person employed by them or acting under their authority complies with the relevant security measures put in place by them.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
The Data Protection Act requires a data controller to notify the Office of the Data Protection Commissioner (ODPC) without delay, and within 72 hours, of becoming aware of a breach. A data processor must notify the controller without delay, and within 48 hours, of becoming aware of a breach. The ODPC has created an online breach notification platform on its website. The following information must be uploaded to the platform when reporting a breach:
- the date on which and the circumstances in which the data controller or processor first became aware of the breach;
- a chronological account of the steps taken by the data controller or processor after it became aware of the breach;
- the data controller or processor's assessment of whether the breach is notifiable to the data subjects;
- details of how the breach occurred;
- the number of data subjects affected by the breach;
- the personal data or classes of personal data affected by the breach;
- information on any action by the data controller or processor to eliminate or mitigate any harm as a result of the breach or remedy any failure that caused the breach; and
- the contact information of an authorised representative of the data controller or processor.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Where there is a real risk of harm to the data subjects as a result of the breach, the breach should be communicated in writing to the data subjects within a reasonably practical period, unless their identity cannot be established. Notification of a breach to the data subject is not mandatory where the data controller has implemented appropriate security safeguards such as encryption of the data. The breach notifications must have sufficient information to allow the data subject to take protective measures against the consequences of the data breach, including:
- a description of the nature of the breach;
- the name and contact details of the data protection officer;
- where applicable, the identity of the unauthorised person who may have accessed the personal data;
- recommendations on measures to be taken by the data subject to mitigate the adverse effects of the breach; and
- a description of the measures that the controller or processor has taken or intends to take to address the breach.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
It is advisable for a data controller/processor to develop an incident response policy and create a data breach playbook to inform its response to a data breach. This should be disseminated to staff, vendors, third parties and data processors.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
No special requirements or restrictions apply to employee information. The general principles of data protection will apply. However, a data breach revealing the remuneration paid or payable to a data subject will amount to a notifiable breach and, as such, the data controller will be obliged to notify the person to whom the data relates.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Under the Data Protection Act (DPA), there is no specific prohibition on the monitoring of data subjects. However, surveillance is grounds for mandatory registration as a data controller/processor. Furthermore, under the Guideline issued by the Office of the Data Protection Commissioner on the Conduct of Data Protection Impact Assessments, a data protection impact assessment should be carried out by any employer seeking to deploy a surveillance/monitoring system.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
The DPA does not distinguish between the personal data of employees and that of any other data subject. As such, the treatment of the personal data of employees will depend on the nature of the data collected and the lawful basis relied on for processing.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
No specific requirements or restrictions apply to the use of cookies under Kenyan law.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
The Data Protection Act contains no provisions relating to cloud service providers (CSPs). The Office of the Data Protection Commissioner has not released any guidance notes or codes of conduct for CSPs. We recommend that the responsibilities of the CSP with respect to privacy measures be defined, documented and assigned in the cloud services agreement. Controllers should only use as processors those CSPs that provide sufficient guarantees to implement appropriate technical and organisational measures.
The Data Protection Regulations set out the basic safeguards that should be in place for all contracts between controllers and processors, such as provisions on the following:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects;
- the obligations and rights of the controller and processor;
- the use of sub-processors;
- breach response timelines;
- data subject request controls; and
- deletion timelines.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
A data controller or data processor can use personal data (other than sensitive personal data) for direct marketing where:
- the personal data has been collected from the data subject;
- the data subject has been informed that direct marketing is one of the purposes of the collection;
- the data subject has consented to the use or disclosure of his or her personal data for direct marketing;
- the data controller has provided a simple opt-out mechanism for the data subject to stop receiving direct marketing communications; and
- the data subject has not made an opt-out request.
A data controller or processor may not transmit direct marketing communication where:
- the identity of the person on whose behalf the communication has been sent is concealed or disguised;
- a valid address to which an opt-out request can be sent has not been provided; or
- automated calling systems are used with no human intervention.
The Data Protection (General) Regulations, 2021 identify businesses that are wholly or mainly in direct marketing as one of the categories of businesses that meet the threshold for mandatory registration.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 promote alternative dispute resolution (ADR) through negotiation, mediation or conciliation. Where a dispute is determined through ADR, the parties must sign a binding agreement in a prescribed form, which will be deemed to be a determination of the Office of the Data Protection Commissioner (ODPC).
Where ADR mechanisms fail to determine the dispute, the ODPC will proceed to issue a determination on the complaint. A determination of the ODPC will be enforced as an order of the court and will be binding on all parties.
An enforcement notice issued by the ODPC may be appealed to the High Court within 30 days of service of the enforcement notice.
12.2 What issues do such disputes typically involve? How are they typically resolved?
The Kenyan Data Protection framework is still in its infancy and we are yet to encounter any disputes.
12.3 Have there been any recent cases of note?
In January 2019 (prior to the enactment of the Data Protection Act (DPA)), the Kenyan government commenced a nationwide exercise to collect the personal and biometric data of Kenyan citizens and residents, in order to create a biometric database known as the National Integrated Management System (NIIMS). Citizens and residents were then to receive a unique identification number in order to access a number of government services (a ‘Huduma card’). Several legal challenges were filed and in January 2020, the High Court ordered the government to delay the data collection exercise until the country had enacted an appropriate and comprehensive regulatory framework for the implementation of NIIMS that was compliant with the constitutional right to privacy.
Once the DPA was enacted in November 2019, the government proceeded with the data collection exercise, claiming that a regulatory framework was now in place.
On 14 October 2021, the High Court of Kenya declared the government's continued rollout of the Huduma card unlawful on the grounds that:
- it conflicted with the provisions of the DPA; and
- a data protection impact assessment should have been carried out prior to the collection and processing activities.
The government has challenged the High Court's decision in the Court of Appeal.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
We expect that the registration of data controllers and processors will commence in July 2022. Prior to registration, data controllers and processors will likely assess their internal data privacy controls in order to establish their compliance level and identify key actions to be taken to achieve compliance with the Data Protection Act (DPA).
The Office of the Data Protection Commissioner (ODPC) has been raising awareness among the Kenyan population of the provisions of the DPA. According to the ODPC's current Strategic Plan, this will remain a key area of focus, as it intends to equip stakeholders with adequate information on data protection in order to promote compliance.
The ODPC has also listed the establishment of policy frameworks as a key consideration in its Strategic Plan. We therefore anticipate the release of sector-specific guidelines in areas such as health, financial services and education.
With the Data Protection Regulations in effect, we also expect that the ODPC will begin to take enforcement actions this year based on random inspections and audits of personal data processing systems.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
An overall data protection strategy should be a key consideration for many Kenyan organisations. This strategy should inform the overall route taken by the organisation regarding data protection.
With a clear strategy in place, organisations should look into taking an inventory of the data they already hold with a view to determining:
- the purposes for which the data is collected;
- the relevant data retention periods;
- the access controls relating to the data; and
- review periods to ensure the accuracy of the data.
After taking an inventory of the data they hold, organisations should review how this data is processed in order to determine their data needs. Any unnecessary or excessive data should be purged, and data processes should be designed to comply with the principle of data minimisation.
Organisations should also establish adequate data security frameworks, which include breach notification procedures. Staff should be properly trained in order to ensure compliance with the obligations, especially given the tight timeframes around breach notification.
Finally, the organisational data privacy framework should not be left to institutional memory. Key strategies, policies and playbooks should be documented in order to ensure a smooth transition in the case of employee replacement.
Privacy risks should be prioritised in the boardroom and directors should ensure that data privacy is given the attention required under the Data Protection Act and Regulations. A sound data security programme should incorporate stakeholders from across the business who bring a different perspective on these issues. The board should define metrics for measuring the effectiveness of the privacy programme and review them on a quarterly basis.
Co-Authored by Charles Owino
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.