Kenya - Data Protection Overview
1. Governing Texts
The Constitution of Kenya ('the Constitution') guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 ('the Act') was enacted and came into effect on 25 November 2019.Progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner ('the Commissioner') and setting up of the Office of the Data Protection Commissioner ('ODPC').
On 15 January 2021, the ICT Cabinet Secretary appointed the Taskforce for the Development of the Data Protection General Regulations ('Taskforce'), with a term of six months, whose mandate includes development of the data protection regulations, auditing of the Act, identification of gaps or inconsistencies in the Act, and proposing any new policy or legal and institutional framework that may be needed to implement the Act, as well as other tasks related to the full implementation of the Act.
The Taskforce together with the ODPC developed and published for public participation the Data Protection (General) Regulations, 2021 ('General Regulations'); the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 ('Complaints Handling and Enforcement Procedures Regulations'); and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021('Data Controllers and Data Processors Regulations') (all available here). These Regulations were published in the National Gazette on 14 January 2022 and were approved by the National Assembly on 14 March 2022. The General Regulations and 'Complaints Handling and Enforcement Procedures Regulations' came into effect immediately upon approval whilst the Registration of Data Controllers and Data Processors Regulations came into effect on 14 July 2022
1.1. Key acts, regulations, directives, bills
The Act came into effect in November 2015 and the Regulations under the Act came into effect in 2022.
The Kenya Information and Communications Act, 1998 ('the Kenya Information and Communications Act') came into effect in February 1999. The Kenya Information and Communications Act is the overarching law for the information and communications technology industry in Kenya. It outlines the requirements and compliance standards by which licensed information and communication service providers who are data collectors and controllers must abide. The provisions of the Kenya Information and Communications Act are enforced through its regulations, including, the Kenya Information and Communications (Consumer Protection) Regulations of 2010 ('the Kenya Information and Communications Regulations') and the Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 ('the SIM Cards Regulations').
The processing of medical data (which is personal data) is regulated under:
- the Public Health Act 2012 ('Public Health Act');
- the Health Act, 2017 ('Health Act'); and
- the HIV and AIDS Prevention and Control Act, 2006 ('HIV and AIDS Prevention and Control Act').
In the financial sector, processing of financial data is regulated under the National Payment System Act, 2011 ('the National Payment System Act') and the National Payment System Regulations, 2014 ('the National Payment System Regulations') under the National Payment System Act. The National Payment System Act governs payment systems and payment system providers. A 'payment system' is defined as a system or arrangement that enables payments to be effected between a payer and a beneficiary, or facilitates the circulation of money, and includes any instruments and procedures that relate to the system. Financial institutions are subject to the Data Protection Act.
The Consumer Protection Act, 2012 provides for the protection of consumers of all services. The provisions of the Act are cross-cutting in all sectors.
The Office of the Data Protection Commissioner is expected to be issuing data protection guidelines from time to time, on various issues.
Through the ICT Advisory Committee on COVID-19, the ODPC developed the Guidance Note on Access to Personal Data During COVID-19 Pandemic ('COVID-19 Guidelines'). The COVID-19 Guidelines were put out for public and stakeholder consultation on 12 January 2021, and closed on 9 February 2021.
The ODPC has so far published the Guidance Note on the following:
- Guidance Note on Consent;
- Guidance Note on Data Impact Assessment ('DPIA');
- Guidance Notes for Electoral Purposes, which is particularly useful as this is an election year in Kenya and whose purpose is to guide processing of personal data for election purposes including voter registration, maintaining register of members for political parties, rights of a data subject; and
- Guidance Note on registration of Data Controllers and Data Processors.
The ODPC has also developed a Complaints Management Manual to provide guidance on filing of complaints with the ODPC and the procedure for complaints handling the ODPC is implementing; and the ODPC Service Charter.
The Central Bank of Kenya's ('CBK') Central Bank of Kenya: Prudential Guidelines for Institutions Licensed under the Banking Act ('the Prudential Guidelines') apply to banking institutions. The Prudential Guidelines provide basic standards that financial institutions must implement to safeguard customer data under the Consumer Protection Guidelines. There are also Guidelines on Cybersecurity for the Banking Sector that require banks to put in please measures to protect customer data.
The CBK's Guideline on Cybersecurity for Payment Service Providers ('Cybersecurity Guideline') requires a risk assessment to address customer privacy for Payment Services providers.
The Health Information System Policy ('the Health Policy') guides the collection and processing of medical data of patients. The Health Policy promotes the use of technology in healthcare but requires medical institutions and personnel to uphold the utmost confidentiality of patient data. It requires that all patient data be de-identified before processing.
On 7 August 2020, the Ministry of Information, Communications and Technology published in the Kenya Gazette the National ICT Policy Guidelines 2020. The policy is intended to provide a proactive ICT framework that is in tandem with current technological realities and dynamics and guide the orderly development of the ICT sector and recognises the individual's indefeasible right to privacy and ownership of all data about them and commits to upholding the constitutional right to privacy, and to determine how and whether data is used, distributed, analysed, enhanced, or converted to other forms.
1.3. Case law
In light of the fact that the Act only came into effect in late 2019, there have been no cases based on it. There have been cases premised on the provisions of the Constitution on the right to privacy under Article 31, and some are pending before the courts.
The ODPC in February 2022 in marking the Data Protection Day indicated that it has so far received more than 400 complaints and successfully resolved about half of them, unfortunately, such decisions are not published publicly as of yet. However between December 2022 and January 2023, the ODPC issued two decisions; one where it issued its first penalty notice for using a data subjects photograph in its social media platforms without the data subject's consent; and the second where it dismissed a complaint of breach of privacy filed by a law firm against its former employee on grounds that most the documents the complainant claimed had been shared and contained information about data subjects were not availed to the ODPC for inspection and the other documents and information cited were already in the public domain.
2. Scope of Application
2.1. Personal scope
The Act applies to all processing of personal data by any data controller or data processor established or resident in Kenya and who processes personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya.
The Kenya Information and Communications Act applies to telecommunication service providers that have been granted an operation licence from the Communications Authority ('CA'). Licensed providers include mobile network operators, content service providers, applications service providers, submarine cable landing rights-holders, and international gateway systems service providers.
The National Payment System Act and the National Payment System Regulations apply to payment systems and payment service providers (which include mobile service providers through their mobile money services). Payment service providers are regulated and licensed by the CBK under the National Payment System Act.
The Public Health Act, the Health Act, and the HIV and AIDS Prevention and Control Act apply to medical institutions, their staff, and third parties contracted by medical institutions.
The Prudential Guidelines and guidelines apply to financial institutions licensed and regulated by the CBK.
2.2. Territorial scope
Please refer to section on personal scope above.
2.3. Material scope
The regulated actions cover:
- data collection;
- type of data to be collected;
- security of collected data;
- disclosure of data;
- retention of data;
- accuracy of the data;
- deletion of data; and
- updating of data.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Office of the Data Protection Commissioner is established under Part II of the Act. The Commissioner was appointed in November 2020 and the office of the ODPC is currently up and running with continuous efforts towards full implementation of the Act.
The provisions of the various sectoral laws are enforced by the respective sectoral regulatory bodies that are also now increasingly requiring compliance with the Act of their licensees as far as internal processes are concerned
The CA, established under Kenya Information and Communications Act, is the oversight body in the technology and telecommunications sector.
The CBK regulates all financial service providers as well as payment systems providers.
Health institutions are under the regulation of the Director of Medical Services at the Ministry of Health.
The Director of Medical Services regulates medical institutions and personnel, and oversees compliance with the laws, regulations, and policies in the health sector.
3.2. Main powers, duties and responsibilities
The Commissioner's powers, duties, and responsibilities include;
- enforcement of the provisions of the Act;
- the maintenance of the register of data controllers and data processors;
- oversight and assessment on data processing to ensure it is in accordance with the Act either on its own motion or on request by a data subject or on request of a private or public body;
- the promotion of self-regulation among data controllers and processors;
- investigation of complaints by any person on infringement of rights under the Act;
- to raise public awareness of the provisions of the Act;
- to set the requirements for the appointment of data protection officers ('DPO');
- to act as a bridge for, and promote, international cooperation in matters relating to data protection, and to ensure Kenya complies with its international obligations in relation to data protection; and
- to undertake research on developments in data processing of personal data to mitigate any risks of such developments on the rights of data subjects.
The CA is responsible for:
- enforcement of the provisions of the Kenya Information and Communications Act;
- licensing of telecommunication service providers;
- monitoring and evaluation of compliance by licensees; and
- development and enforcement of sector guidelines.
The CBK is responsible for enforcement of all regulation in the financial sector, licensing of financial institutions and payments system providers and development and enforcement of sector guidelines.
4. Key Definitions
Data controller: This means a natural or legal person, public authority, agency, or other body which alone, or jointly with others, determines the purpose and means of processing of personal data.
Data processor: This means a natural or legal person, public authority, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller.
Personal data: Under the Act, this means any information relating to an identified or identifiable natural person. Under the Kenya Information and Communications Act, 'personal information' includes a person's full name, identity card number, date of birth, gender, physical and postal address.
Sensitive data: Under the Act, this means sensitive personal data means data revealing a person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of a person's children, parents, spouse or spouses, sex, or sexual orientation.
Health data: This means data related to the state of physical or mental health of the data subject, and includes records regarding the past, present, or future state of the health, data collected in the course of registration for, or provision of, health services, or data which associates the data subject to the provision of specific health services.
Biometric data: This means any personal data resulting from specific technical processing based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition.
Pseudonymisation: This is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's race, sex, pregnancy, marital status, health status, ethnic social origin, colour, age, disability, religion, conscience, belief, culture, dress, language, birth, personal preferences, interests, behaviour, location, or movements.
5. Legal Bases
Under Section 30(1)(a) of the Act, consent of the data subject to the processing for one or more specified purposes is one of the legal bases for processing of personal data.
5.2. Contract with the data subject
Under Section 30(1)(b) of the Act, performance of a contract to which the data subject is party to is a legal basis for processing of personal data. In addition, the performance of a contract is deemed a legal basis where processing is necessary to take steps, at the request of the data subject, before entering a contract.
5.3. Legal obligations
Under Section 30(1)(b) of the Act, compliance with a legal obligation to which the controller is subject is a legal basis for processing of personal data. The Act does not specify instances.
5.4. Interests of the data subject
The protection of vital interests of the data subject or another natural person is a lawful basis for processing of personal data under the Act. It is also a basis for processing of sensitive personal data where the data subject or another person is physically or legally incapable of giving consent. What constitutes 'vital interest' is however not defined but may be inferred to include the data subject's rights and freedoms.
5.5. Public interest
Public interest is a legal basis for the processing of personal data. In addition, the exercise of official authority vested in the controller for the public interest is a legal basis for the processing of personal data.
5.6. Legitimate interests of the data controller
Legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed are a legal basis for the processing of personal data. The exception here is if the processing is unwarranted in any case with regard to any harm or prejudice to the rights and freedoms or legitimate interest of the data subject.
5.7. Legal bases in other instances
The Act provides two additional legal basis for processing of personal data which are:
- for purposes of historical, statistical, journalistic, literature and art, or scientific research; or
- for the performance of any task carried out by a public authority.
Section 25 of the Act sets out the principles of data protection that data controllers and processors shall abide by. These are;
- Lawfulness, fairness, and transparency. Data should be processed lawfully, fairly, and in a transparent manner. In addition, where a valid explanation is provided whenever information relating to family or private affairs is required.
- Purpose limitation. Data is collected for an explicit, specified, and legitimate purpose and not further processed in a manner incompatible with those purposes.
- Minimisation. Data is collected for adequate and relevant purposes and is limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Data collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified promptly.
- Storage limitation. Data should be kept in a form that identifies the data subject for no longer than is necessary for the purposes which it was collected.
- Data should not be transferred cross-border. Data collected is not to be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
- Data should be processed in accordance with the right to privacy of the data subject.
7. Controller and Processor Obligations
Data controller rights and responsibilities include:
- the duty to notify as detailed in section on consent above;
- the obligation to apply for registration or renewal or certificate/licence;
- the obligation to designate a DPO as directed by the Commissioner;
- the obligation to process data in accordance with the provisions of the Act;
- the obligation to conduct impact assessments where a processing operation is likely to result in high risk to the rights and freedoms of a data subject;
- to bear the burden of proof for establishing data subject consent to the processing of personal data for a specified purpose;
- to incorporate an appropriate mechanism for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
- the obligation to retain data only for as long as is necessary to satisfy the purpose/s of collection, as provided by law, for any lawful purpose, with the consent of the data subject, or for historical, statistical, journalistic, literature, art, or research purposes;
- the obligation to implement appropriate technical and organisational measures to safeguard data and comply with the provisions of the Act;
- to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to data subjects;
- to put in place protective measures for the processing of sensitive personal data; and
- to ensure sufficient protective measures and provide sufficient proof to the Commissioner of the appropriate safeguards with regard to the transfer of personal data outside Kenya.
All licensed providers under the Kenya Information and Communications Act have obligations, stated in the Kenya Information and Communications Regulations, Consumer Protection Regulations, the SIM-Card Registration Regulations, and the licensing terms and conditions to:
- obtain and retain information required for the registration of subscribers and SIM cards;
- generate and retain accurate billing information;
- ensure the information obtained and generated is stored in a manner that is secure and confidential;
- adhere to the prescribed retention periods stipulated by the CA for registration details, call data records, and financial information;
- keep customer information accurate, up to date, confidential, and secure;
- disclose customer data only when required by customer consent, by law through a court order or Act of Parliament, when disclosed to law enforcement agencies, or to the CA for reporting purposes;
- inform the customer of the processing of information and intended/ potential purpose/s of processing and no objection to this is made by the customer; and
- establish a mechanism by which a customer may opt-out, opt-in, or withdraw consent to the processing of their data.
Under the National Payment System Act, the National Payment System Regulations, and the Prudential Guidelines, service providers must ensure the security and confidentiality of their customer's information and transactions. The Health Act and the HIV and AIDS Prevention and Control Act require that customer data be anonymised before processing to protect the patient/data subject privacy.
In many circumstances, data controllers will also be data processors, and data processor obligations would similarly apply. In addition, data processors have the following obligations:
- to apply for registration and application for renewal of the certificate as required;
- to designate a DPO as directed by the Commissioner;
- to process data in accordance with the provisions of the Act;
- to conduct impact assessments where a processing operation is likely to result in high levels of risk to the rights and freedoms of a data subject;
- to incorporate appropriate mechanisms for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
- the duty to notify, which is similar to that of data controllers;
- to incorporate appropriate mechanisms for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
- to retain data only for as long as is necessary to satisfy the purpose of collection, as provided by law, for any lawful purpose, with the consent of the data subject or for historical, statistical, journalistic, literature, art, or research purposes;
- to implement appropriate technical and organisational measures to safeguard data and comply with the provisions of the Act;
- to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to a data subject;
- to put in place protective measures for processing of sensitive personal data; and
- to ensure sufficient protective measures and provide sufficient proof to the ODPC of the appropriate safeguards with regard to transfer of personal data outside Kenya.
7.1. Data processing notification
Under the Act, data controllers and data processors are required to be registered with the Commissioner. The Commissioner has the mandate to prescribe the threshold for registration based on various factors, including (Article 18 of the Act):
- the nature of industry of the data controller or data processor;
- the volumes of data processed;
- whether sensitive personal data is being processed; and
- any other factor the Commissioner may consider relevant.
The Commissioner is tasked with maintaining a register of data controllers and data processors, and with issuing data controllers and processors with certificates of registration. The Commissioner will issue a certificate of registration where a data controller or data processor meets the requirements for registration (Article 19(4) of the Act). Furthermore, the certificate will be valid for a period determined at the time of the application, after taking into account the need for the certificate, and the holder may apply for a renewal of the certificate after its expiry (Article 20 of the Act). Moreover, a data controller or data processor must notify the Commissioner of a change in the notification, which the Commissioner will amend in the Register (Article 19(5) and (6) of the Act).
If a data controller or data processor meets the prescribed threshold, notification must include the following (Article 19(2) of the Act):
- a description of the personal data to be processed by the data controller or data processor;
- a description of the purpose for which the personal data is to be processed;
- the category of data subjects, to which the personal data relates;
- contact details of the data controller or data processor;
- a general description of the risks, safeguards, security measures, and mechanisms to ensure the protection of personal data;
- any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
- any other details as may be prescribed by the Commissioner.
In relation to the healthcare sector, the Health Act and the HIV and AIDS Prevention and Control Act do not require notification or registration before processing data for health research or policy purposes.
the General Regulations outline the procedure for an application for registration of a data controller or data processor as follows (Article 5 of the Regulations):
- the application shall be made through 'Form DPR1' set out in the First Schedule of the Regulations; and
- the application shall be accompanied by:
- the registration fees specified in the Second Schedule of the Regulations;
- a copy of the establishment documents;
- particulars of the data controllers or data processors including name and contact details;
- a description of the purpose for which personal data is processed; and
- a description of categories of personal data being processed.
The Second Schedule of the Regulations provides the amount attached to registration and renewal fees. The total amount of such fees depends on the size of the controller/processor concerned, the number of employees and their annual turnover/revenue, and are as follows:
- for 'Micro and Small Data Controllers/Processors', i.e. a data controller/processor with between 1 and 50 employees and an annual turnover/revenue of a maximum of KES 5 million (approx. € 35,984), a registration fee of KES 4,000 (approx. €29) and a renewal fee (every 2 years) of KES 2,000 (approx. €14);
- for 'Medium Data Controllers/Processors', i.e. a data controller/processor with between 51 and 99 employees and an annual turnover/revenue of between KES 5,000,001 (approx. €35,980) and a maximum of KES 50 million (approx. €359,800), a registration fee of KES 16,000 (approx. €115) and a renewal fee (every 2 years) of KES 9,000 (approx. €65);
- for 'Large Data Controllers/Processors', i.e. a data controller/processor with more than 99 employees and an annual turnover/revenue of more than 50 million (approx. €359,800), a registration fee of KES 40,000 (approx. €288) and a renewal fee (every 2 years) of KES 25,000 (approx. €180);
- for 'Public Entities', i.e. a data controller/processor offering government functions (regardless of number of employees or revenue/turnover), a registration fee of KES 4,000 (approx. €29) and a renewal fee (every 2 years) of KES 2,000 (approx. €14); and
- for 'Charities and Religious entities', i.e. a data controller/processor offering charity or religious functions (regardless or revenue/turnover), a registration fee of KES 4,000 (approx. €29) and a renewal fee (every 2 years) of KES 2,000 (approx. €14).
Upon receipt of the application for registration, the Commissioner shall:
- undertake a verification process of the details provided in the application (Article 7 of the Regulations);
- if satisfied the applicant fulfils the requirements for registration, the Commissioner shall within 14 days (Articles 8 and 9 of the Regulations):
- issue the applicant with a certificate of registration, which will be valid for two years; and
- enter the particulars of the successful applicant in the register; and
- if the Commissioner declines the application for registration, it shall within 21 days from the date of the decision (Article 10(1) of the Regulations):
- notify, in writing, the applicant of the refusal; and
- provide reasons for such refusal.
Notably, the Commissioner may refuse to grant an application for registration or renewal where (Article 10(2) of the Regulations):
- the particulars provided for inclusion in an entry in the register are insufficient;
- appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller or a data processor; or
- the data controller or data processor is in violation of any provisions of the Act and the Regulations.
A data controller or data processor whose application for registration or renewal has been declined may make a fresh application upon complying with the requirements specified in the refusal notice (Article 10(3) of the Regulations). Additionally, a data controller or a data processor shall, within 14 days of the occurrence of any changes in their particulars, notify the Commissioner in writing (Article 15(1) of the Regulations). After expiry of the certificate of registration (which is valid for two years as per Article 7 of the Regulations), a registered data controller or data processor must apply for a renewal of registration, the procedure for which is outlined in Article 11(2) of the Regulations (Article 11(1) of the Regulations).
Finally, Article 11(4) specified that where renewal is for a distinct purpose or categories of data other than that for which the data controller or data processor had been registered for, the Commissioner shall undertake a verification process pursuant to Article 7.
Under the Regulations, data controllers or data processors whose annual turnover is below KES 5 million (approx. €35,971) and employs less than ten people is exempt from the mandatory registration requirement unless it processes personal data for any of the purposes in the Third Schedule of the Regulations (Article 13(2) of the Regulations).
However, Article 13(4) of the Regulations provides the above mentioned exemption does not apply to a data controller or processor that carry out any of the following activities:
- processing of genetic data;
- transport services including taxi hailing apps;
- canvassing political support among the electorate;
- crime prevention and prosecution of offenders including operating security CCTV systems;
- operating an educational institution;
- health administration and provision of patient care;
- hospitality industry firms excluding tour guides;
- property management and selling real-estate;
- provision of financial services;
- telecommunications network service providers; and
- businesses wholly or mainly in direct marketing.
Please note the Commissioner has specified that data controllers and data processors can register through its website here.
7.2. Data transfers
The Act provides for conditions that must be met for the transfer of data outside Kenya, and these are where the data controller or data processor has:
- the consent of the data subject where there is processing of sensitive personal data and confirmation of appropriate safeguards;
- given proof to the Commissioner on appropriate safeguards with respect to the security and protection of the personal data involved including execution of cross border transfer agreements;
- given proof to the Commissioner with respect to appropriate safeguards including jurisdictions with commensurate data protection laws.
- Transfer to jurisdictions with reciprocal data protection agreement with Kenya
Under the General Regulations it is further specified that cross border transfer of data must be based on;
- Appropriate data protection safeguards – where a legal instrument with sufficient safeguards is executed and is binding on the recipient and assessment by the data controller of all circumstances surrounding the transfer of that type of personal data to another country or organisation and determining appropriate safeguards are in place. Determination of appropriate safeguards is based on; the ratification of the African Union Convention on Cyber Security and Personal Data Protection; a reciprocal data protection agreement with Kenya, a contractual binding corporate rules among a group of companies or enterprises.
- An adequacy decision made by the ODPC – the ODPC would make a determination on adequacy based on confirmation that the recipient country or organisation has in place adequate level of protection and may publish a list of approved countries and organisations.
- Transfer as a necessity is based on there being a specific and necessary reason for transfer as well as confirmation that no fundamental right or freedom of the data subject overrides the public interest necessitating the transfer.
- Consent of the data subject which must be explicit and informed.
Moreover, data transfers may be permissible where necessary:
- for the performance or implementation of pre-contractual measures of a contract between the data subject and data controller or data processor;
- for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person;
- for any matter of public interest;
- for the establishment, exercise, or defence of a legal claim;
- to protect the vital interests of a data subject or other persons where the data subject is legally incapable of giving consent; or
- for compelling legitimate interests pursued by the data controller or data processor that are not overridden by the rights of the data subject.
Section 50 of the Act further provides that the Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data centre located in Kenya on the basis of strategic interests of the State or for the protection of revenue. The requirements on data localisation are detailed in the General Regulations. Data localisation refers to the requirement for data to be processed through a server and data centre located in Kenya, and requiring at least one serving copy of the personal data to be stored in a data centre located in Kenya. The requirement for data localisation is imposed on processing in the following fields; national civil registration systems, population register and identity management, facilitation of primary and secondary education, management of licensed electronic payment systems, revenue administration, processing of health data and critical infrastructure.
Under the Health Information System Policy, there is a requirement that health data should not be stored outside Kenyan territory. As a matter of law, the Health Information System Policy, while not binding, is persuasive, and in the absence of statute provisions courts are likely to be guided by policy considerations in so far as they are interpreted in line with the Constitution and legal precedent.
7.3. Data processing records
Section 23 of the Act creates the duty of the Commissioner to conduct periodical audits on processes and systems of data controller or processor uses. This may require controllers and processors to maintain their processing records for purposes of providing sufficient information for such audits.
While there is no express requirement for data controllers or processors to maintain processing records, the other obligations in the Act will likely give rise to the maintenance of data processing records to ensure compliance.
7.4. Data protection impact assessment
Section 31 of the Act requires that where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a Data Protection Impact Assessment ('DPIA').
The Act does not set out the types of processing subject to DPIA but generally provides that the DPIA would apply to any processing that by its nature, scope, context, or purposes would result in high risk to the rights and freedoms of the data subject. The General Regulations identify that a DPIA is required in high-risk activities including;
- automated decision making with legal or other significant effect;
- processing of biometric or genetic data;
- processing prevents the data subject from exercising a right;
- systemic monitoring of a publicly accessible area;
- use of personal data on a large scale for purposes other than the original reason for collection;
- where there is a change in any aspect of processing that may result in higher risk to data subjects;
- processing of sensitive data, data relating to children and vulnerable groups; and
- financial and reputational benefits, demonstrating accountability and building trust and engagement with data subjects.
The DPIA must include (Section 31(2) of the Act):
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks and the safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
A DPIA is not required where (Part 9(D) of the DPIA Guidelines):
- the processing is not likely to result in a high risk to the rights and freedoms of data subjects;
- the nature, scope, context, purpose, and risk of the processing are similar to the processing for which a DPIA has already been carried out, and in such cases, the results for a similar processing can be used; and
- the processing falls under Section 51(2) of the Act where:
- the processing relates to purely household activities;
- the processing is necessary for national security or public interest; and
- the disclosure of personal data is required by or under any written law or by the order of the court.
The data controller or data processor must consult the Commissioner prior to the processing if a DPIA prepared under Article 31 of the Act indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject (Section 31(3) of the Act). DPIA reports must be submitted 60 days prior to the processing of data to the Commissioner (Section 31(5) of the Act and Regulation 51(1) of the General Regulations).
Moreover, when making the consultation, the data controller or data processor is required to provide:
- the DPIA prepared under Section 31(1) of the Act; and
- the respective responsibilities of the data controller or the data processors involved in the processing.
In reviewing the DPIA report, the Commissioner may make any recommendations to be incorporated prior to commencing the processing operations (Regulation 52(2) of the General Regulations). If the data controller or the data processor does not receive any communication within 60 days of submitting the DPIA report, they may commence processing operations and the assessment report shall be taken to have been approved (regulation 52(3) of the General Regulations). Moreover, a data controller or data processor may publish on its website the DPIA Report (Regulation 52(4) of the General Regulations).
Finally, the General Regulations stipulate that where a DPIA is required, a data controller or data processor may conduct the assessment through a template set out in the Third Schedule of the General Regulations (Regulation 50(1) of the Proposed Regulations). Moreover, a DPIA should be started as early as practicable in the design of the processing operation contemplated even if some of the processing operations are still unknown. In addition, the data controller or processor is required to fill out a template before commencing any processing activities (Part 9(E) of the DPIA Guidelines).
7.5. Data protection officer appointment
The Act requires data controllers and data subjects to appoint DPOs. The requirement is however not couched in mandatory terms, and DPO appointments are dependent on the conditions and activities of the data controller or processor.
For the appointment of a DPO, the Act requires a data controller or data processor to designate a DPO on terms and conditions it may determine where:
- processing is carried out by a public or private body, except for courts acting in their judicial capacity;
- the core activities of the data controller or data processor if by virtue of their nature, scope, or purposes require regular and systematic monitoring of data subjects; or
- the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.
The data controller or processor does not need to carve out a specialised DPO position. The DPO may be a staff member and may fulfil other tasks and responsibilities, provided this does not result in conflicts of interest. In addition, a group of entities may appoint a single DPO, provided such position-holder is accessible by/available to each entity. However, is not specified where the DPO must be located. A person may be designated or appointed as a DPO if that person has relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection (Article 24(5) of the Act).
The contact details of the DPO must be communicated to the Commissioner as well as published on the official website of the data controller or data processor. A data controller or data processor must publish the contact details of the DPO on the website and communicate them to the Commissioner, who must ensure that the same information is available on their official website (Article 24(6) of the Act).
A DPO must (Article 24(7) of the Act):
- advise the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
- ensure, on behalf of the data controller or data processor, that the Act is complied with;
- facilitate capacity building of staff involved in data processing operations;
- provide advice on Data Protection Impact Assessments ('DPIAs'); and
- cooperate with the Commissioner and any other authority on matters relating to data protection.
A DPO may be a staff member of the data controller or data processor, and may fulfil other tasks and duties provided that any such tasks and duties do not result in a conflict of interest (Article 24(2) of the Act). In addition to the functions set out under Section 24(7) of the Act, the Regulations provide that the responsibilities of the DPO shall include monitoring and evaluating the efficiency of the data systems in the organisation, and keeping written records of the processing activities of the civil registration entity (Section 20(1) of the Regulations)
Further details in relation to the record keeping responsibility in Section 20(1)(b) of the Regulations can be found in Section 20(2) of the same.
7.6. Data breach notification
Where there is a real risk of harm to the data subject in case of a breach involving their personal data, there is an obligation to notify:
- the Commissioner within 72 hours; and
- the data subject within a reasonable time.
Under the General Regulations, a breach notification to the ODPC should include date and circumstances of the breach, account of steps taken and assessment of the breach, information on how the breach occurred, number of data subjects affected, classes of affected personal data, potential harm to the affected data subjects and information on actions taken by the data controller or processor to eliminate or manage the breach and any potential harm.
The Second Schedule of the General Regulations sets out circumstances that amount to a notifiable breach and these include among others;
- financial information such as salaries, fees, commissions, bonus, gratuity or other remuneration, arising out of a contact of services, income from the sale payable to a data; subject credit card information; bank account numbers;
- identifying information regarding a child as the data who is in conflict with the law subject;
- private key of a data subject used to create an electronic record, verify integrity of an electronic record, authentication of an e-signature;
- credit information of a data subject;
- withdrawal or deposit of money by a data subject;
- medical information such as sexually transmitted infections , mental disorder, substance abuse and addiction, and HIV status;
- medical treatment involving donation or receipt of human egg or sperm, contraceptives operation or abortion.;
- suicide attempt of an individual; and
- domestic abuse, child abuse or sexual abuse involving or allegedly involving the data subject.
Service providers under the Kenya Information Communications Act have an obligation, under the Kenya Information Communications Regulations, to notify the customer/data subject if there is a risk of breach of security to its network. If the risk is outside the scope of measures that can be undertaken by the provider, the provider must inform the data subject of the possible remedies (including an indication of the likely costs involved). The notification must be by a message delivered to the data subject.
7.7. Data retention
The Act provides for retention of data under various circumstances which are (Section 39 of the Act):
- as long as is reasonably necessary to satisfy the purpose for which the data is collected and processed;
- as required or authorised by law including sectoral laws;
- as consented to by the data subject; or
- for historical, statistical, journalistic, literature, art, or research purposes.
Under the Article 19 of the General Regulations, a data controller or data processor is required to establish a data retention schedule with appropriate time limits for periodic review of the need for continued storage. They also required to delete, anonymise or pseudonymise data once the purpose for collection lapses.
Under the Kenya Information and Communications Act, data retention must ensure confidentiality, accuracy, and security. Call data records must be retained for a minimum of three years. There is no specified time limit for the retention of subscriber information. Under the National Payment System Act, financial information must be retained for a minimum of seven years.
7.8. Children's data
The Act prohibits the processing of data relating to a child unless consent is given by the child's parent or guardian and the processing is in a manner that protects and advances the rights and best interests of the child (Section 33 of the Act). A child by Kenyan law is anyone below the age of 18 years as defined in the Children Act No. 8 of 2001 and as such the age of consent is 18 years. Under Article 49 of the General Regulations, where children's data is to be processed, a DPIA is required. Breach of an adoption order or related information is also a notifiable breach.
7.9. Special categories of personal data
Processing of sensitive data is restricted, and sensitive data includes the data defined under the key definitions above. In addition, under Section 47 of the Act, the Commissioner has the power to determine further categories of personal data that may be classified as sensitive data, as well any special grounds that such data may be processed considering:
- the risk of significant harm that may be caused to the data subject as a result of processing;
- the expectation of confidentiality that may be attached to such category of data;
- whether a significant and discernible class of data subjects may suffer harm from such processing; and
- the adequacy of protection afforded by ordinary provisions applicable to personal data.
It is worth noting that court records are public records and many of the court cases are reported online. As such, data related to a person's court case, including criminal convictions, would not be protected under the Act. Only information regarding children is concealed in the publication of court records.
7.10. Controller and processor contracts
As part of the organisational measures a data controller or processor is required to implement for the protection of personal data, the Act requires that where a data controller is using the services of a data processor, the parties must have a written contract that specifies that the data processor may only act on instructions received from the data controller. In addition, the contract must specify that the data processor shall be bound by the obligations of the data controller.
Under the Article 48 of the General Regulations, a data controller or data processor transferring data cross border is required to enter into a written agreement with the recipient of the personal data providing for unlimited access by the transferor to the recipient to ascertain the existence of adequate protection measures and countries to which the data may be transferred to under the agreement.
8. Data Subject Rights
8.1. Right to be informed
The Act simply provides that a data subject has the right to be informed of the use to which their personal data is to be subject.
Data controllers must notify data subjects of (Article 19(2) of the Act):
- their rights under the Act;
- what data is being collected;
- whether the collection is voluntary or mandatory;
- the consequences of failure to provide all or any part of the requested data;
- the fact that their data is being collected and processed;
- the uses to which their data will be put;
- of any third parties with whom the data will be shared with;
- the safeguards adopted in case of third party sharing;
- the contact information about the processor or controller; of the technical and organisational measures taken by the controller or processor to protect the data collected, whether the collection is pursuant to any law, voluntary or mandatory; and
- of the consequences if any of refusal to provide some or all of the data.
In the event of a breach where there is a real risk of harm to data subjects, data controllers must notify data subjects of the breach (after notification to the Commissioner) in writing within a reasonably practical period.
Where an automated processing decision produces legal effects or significantly affects a data subject, the data processor must notify the data subject in writing that a decision has been taken based solely on automated processing.
Telecommunication service providers licensed under the Kenya Information and Communications Act must notify customers that their data is being processed, and further disclose the purpose for the collection.
8.2. Right to access
The data subject has the right to access their data that is in the custody of the data controller or data processor, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
8.3. Right to rectification
The Act provides for the data subject's right to the correction of false or misleading data, to deletion of false or misleading data, and to updating their data, similar to the GDPR.
The data controller or processor has an obligation to provide means for the data subject to make requests for rectification.
8.4. Right to erasure
Just like in the GDPR, the right to erasure is not absolute and applies under specific circumstances which under the Act are: where the data is inaccurate, outdated, incomplete, or misleading; where the data controller or processor is no longer authorised to retain the data; or the data is irrelevant, excessive, or has been obtained unlawfully.
8.5. Right to object/opt-out
Similar to the provisions of the GDPR, a data subject has the right to object to the processing of all or part of their personal data. However, the legitimate interest for the processing which overrides the data subject's rights may be applicable in limiting this right.
8.6. Right to data portability
Similar to the GDPR, a data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible.
The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task, the exercise of official authority, or portability may adversely affect the rights and freedoms of others.
8.7. Right not to be subject to automated decision-making
A data subject has the right to not be subject to automated decision-making including profiling, which may produce legal effects on or may significantly affect the data subject. Where a data controller or processor takes a decision purely based on automated processing and such decision may significantly affect or produce legal effects on the data subject, the data controller or processor has no obligation to notify the data subject in writing of such decision taken based on automated processing.
The data subject has the right to request the data processor to reconsider the decision or take a new decision that is not based solely on automated processing. As a result, the data controller or processor has an obligation to consider the request, comply with it, and notify the data subject of the steps taken to comply with the request and the outcome of compliance. There is no set standard for the process of the request by a data subject but this is expected to be outlined in detail in the regulations that will supplement the Act.
Unlike the GDPR, the Act does not require a data controller or processor to provide the data subject with prior information about processing with regard to automated decision-making and does not implicitly require processors to ensure the systems are working as intended through regular checks, even though this is expected from the obligations of the data controller and processor.
8.8. Other rights
The Act provides for various offences and sanctions. Additional sanctions are enforced by various sectoral regulators which may include fines and the revocation or suspension of licences. Sectoral laws also provide for specific sanctions for breaches. The sanctions are:
- Where the Commissioner is satisfied that a person has failed or is failing to comply with any provision of the Act, the Commissioner may serve an enforcement notice and a penalty notice requiring the person to pay a penalty of an amount specified in the notice. The maximum penalty that may be imposed in penalty notice is up to KES 5 million (approx. €35,971) or up to 1% of the annual turnover of the preceding financial year, whichever is lower;
- failure to comply with an enforcement notice is an offence and upon conviction, a person is liable to a fine not exceeding KES 5 million (approx. €35,971) or imprisonment for a term not exceeding two years, or both;
- obstruction of a Commissioner in exercising its functions is an offence that attracts a fine not exceeding KES 5 million (approx. €35,971) (or imprisonment for a term not exceeding two years, or both;
- in relation to the failure to register with the Commissioner as a data controller or data processor, unlawful disclosure, processing of personal data without lawful purpose, the sale of personal data and publication of false or misleading information to the Commissioner, penalties are not specified and for this reason the general penalty of a fine not exceeding KES 3 million (approx. €21,575) or imprisonment for a term not exceeding ten years, or both is applicable; and
- a data subject is entitled to compensation for damage from the data controller or data processor for any violation of their rights.
Kenya Information Communications Act
- A licensee who violates the requirements of any of the regulations issued under the Kenya Information Communications Act (including regulations on privacy) commits an offence and is upon conviction liable to a fine not exceeding KES 300,000 (approx. €2,157), imprisonment for a term not exceeding three years, or both;
- under the Sim Card Regulations, any telecommunications operator who commits an offence with regard to SIM Card registration will be liable on conviction to a fine not exceeding KES 5 million (approx. €35,958); or
- a person who commits an offence for which no specific penalty has been provided for in the Kenya Information Communications Act and regulations issued it, will on conviction, be liable to fine not exceeding KES 300,000 (approx. €2,157) or imprisonment for a term not exceeding six months, or to both.
- The HIV and Aids Prevention and Control Act provides that it is an offence to breach the provisions relating to confidentiality (with the penalty not prescribed). Under the HIV and AIDS Prevention and Control Act, a person convicted of an offence for which no other penalty is provided will be liable for imprisonment for a term not exceeding two years or to a fine not exceeding KES 100,000 (approx. €718), or both.
- The National Payment System Act, a payments provider may have its licence suspended or revoked if it is unable to protect the confidentiality of data or information it collects and keeps. Unauthorised disclosure of confidential customer information is subject to a fine of up to KES 1 million (approx. €7,187). Use of confidential information for personal gain is subject to a fine of up to KES 500,000 (approx. €3,593), imprisonment for up to one year, or both.
9.1 Enforcement decisions
There have been no enforcement decisions made under the Act yet.