
Kenya - Data Protection Overview

March 2021

INTRODUCTION

The Constitution of Kenya ('the Constitution') guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 ('the Act') was enacted and came into effect on 25 November 2019. The Act has not yet been implemented; progress towards implementation began in November 2020 with the appointment of the Data Protection Commissioner ('the Commissioner'). As of the date of publication, the Office of the Data Protection Commissioner is in the process of setting up operations. A key action the Office of the Data Protection Commissioner has taken, through the ICT Advisory Committee on COVID-19, has been the development of the Guidance Note on Access to Personal Data During COVID-19 Pandemic ('COVID-19 Guidelines'). The COVID-19 Guidelines were published for public and stakeholder participation on 12 January 2021, and the consultation closed on 9 February 2021. Upon implementation, the COVID-19 Guidelines are expected to provide policy guidance on processing personal data in order to support responses to, and research on, the COVID-19 pandemic.

On 15 January 2021, the ICT Cabinet Secretary appointed the Taskforce for the Development of the Data Protection General Regulations, with a term of six months, whose mandate includes development of the data protection regulations, auditing of the Act, identification of gaps or inconsistencies in the Act, and proposing any new policy or legal and institutional framework that may be needed to implement the Act, as well as other tasks related to the full implementation of the Act.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

The Kenya Information and Communications Act, 1998 ('the Kenya Information and Communications Act') came into effect in February 1999. The Kenya Information and Communications Act is the overarching law for the information and communications technology industry in Kenya. It outlines the requirements and compliance standards by which licensed information and communication service providers who are data collectors and controllers must abide. The provisions of the Kenya Information and Communications Act are enforced through its regulations, namely, the Kenya Information and Communications (Consumer Protection) Regulations of 2010 ('the Kenya Information and Communications Regulations') and the Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 ('the SIM Cards Regulations').

The processing of medical data (which is personal data) is regulated under the Public Health Act, the Health Act, and the HIV and AIDS Prevention and Control Act (see section 2.1 below).

In the financial sector, processing of financial data is regulated under the National Payment System Act, 2011 ('the National Payment System Act') and the National Payment System Regulations, 2014 ('the National Payment System Regulations') made under it. The National Payment System Act governs payment systems and payment system providers. A 'payment system' is defined as a system or arrangement that enables payments to be effected between a payer and a beneficiary, or facilitates the circulation of money, and includes any instruments and procedures that relate to the system.

The Consumer Protection Act, 2012 provides for the protection of consumers of all services. Its provisions are cross-cutting across all sectors.

1.2. Guidelines

The Office of the Data Protection Commissioner is expected to issue data protection guidelines.

The Central Bank of Kenya's ('CBK') Prudential Guidelines for Institutions Licensed under the Banking Act ('the Prudential Guidelines') apply to financial institutions. The Prudential Guidelines provide basic standards that financial institutions must implement to safeguard customer data under the Competition Authority of Kenya's Consumer Protection Guidelines. The guidelines are binding on all financial institutions.

The CBK's Guideline on Cybersecurity for Payment Service Providers ('Cybersecurity Guideline') requires a risk assessment to address customer privacy.

The Health Information System Policy ('the Health Policy') guides the collection and processing of medical data of patients. The Health Policy promotes the use of technology in healthcare but requires medical institutions and personnel to uphold the utmost confidentiality of patient data. It requires that all patient data be de-identified before processing.

On 7 August 2020, the Ministry of Information, Communications and Technology published in the Kenya Gazette the National ICT Policy Guidelines 2020. The policy is intended to provide a proactive ICT framework that is in tandem with current technological realities and dynamics, and to guide the orderly development of the ICT sector. It recognises the individual's indefeasible right to privacy and ownership of all data about them, and commits to upholding the constitutional right to privacy and the individual's right to determine how and whether their data is used, distributed, analysed, enhanced, or converted to other forms.

1.3. Case law

Because the Act only came into effect in late 2019, there have been no cases based on it. There have been cases premised on the provisions of the Constitution on the right to privacy under Article 31, and some are pending before the courts.

2. SCOPE OF APPLICATION

2.1. Personal scope

The Act applies to all processing of personal data by any data controller or data processor established or resident in Kenya and who processes personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya.

The Kenya Information and Communications Act applies to telecommunication service providers that have been granted an operation licence from the Communications Authority ('CA'). Licensed providers include mobile network operators, content service providers, applications service providers, submarine cable landing rights-holders, and international gateway systems service providers.

The National Payment System Act and the National Payment System Regulations apply to payment systems and payment service providers (which include mobile service providers through their mobile money services). Payment service providers are regulated and licensed by the CBK under the National Payment System Act.

The Public Health Act, the Health Act, and the HIV and AIDS Prevention and Control Act apply to medical institutions, their staff, and third parties contracted by medical institutions.

The Prudential Guidelines and the Cybersecurity Guideline apply to financial institutions licensed and regulated by the CBK.

2.2. Territorial scope

Please refer to Section 2.1 above.

2.3. Material scope

The regulated actions cover:

  • data collection;
  • type of data to be collected;
  • security of collected data;
  • disclosure of data;
  • retention of data;
  • accuracy of the data;
  • deletion of data; and
  • updating of data.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The Office of the Data Protection Commissioner is established under Part II of the Act. The Commissioner was appointed in November 2020. As of the time of publication, the Commissioner is in the process of setting up operations to fully establish the office and implement its mandate under the Act. For this reason, the actual implementation of the Act has not commenced.

The provisions of the various sectoral laws are enforced by the respective sectoral regulatory bodies, which are also now increasingly requiring their licensees to comply with the Act as far as internal processes are concerned.

The CA, established under the Kenya Information and Communications Act, is the oversight body in the technology and telecommunications sector.

The CBK regulates all financial service providers as well as payment systems providers.

Health institutions are under the regulation of the Director of Medical Services at the Ministry of Health.

The Director of Medical Services regulates medical institutions and personnel, and oversees compliance with the laws, regulations, and policies in the health sector.

3.2. Main powers, duties and responsibilities

The Commissioner's powers, duties, and responsibilities include:

  • enforcement of the provisions of the Act;
  • the maintenance of the register of data controllers and data processors;
  • oversight and assessment on data processing to ensure it is in accordance with the Act either on its own motion or on request by a data subject or on request of a private or public body;
  • the promotion of self-regulation among data controllers and processors;
  • investigation of complaints by any person on infringement of rights under the Act;
  • to raise public awareness of the provisions of the Act;
  • to set the requirements for the appointment of data protection officers ('DPO');
  • to act as a bridge for, and promote, international cooperation in matters relating to data protection, and to ensure Kenya complies with its international obligations in relation to data protection; and
  • to undertake research on developments in data processing of personal data to mitigate any risks of such developments on the rights of data subjects.

The CA is responsible for:

  • enforcement of the provisions of the Kenya Information and Communications Act;
  • licensing of telecommunication service providers;
  • monitoring and evaluation of compliance by licensees; and
  • development and enforcement of sector guidelines.

4. KEY DEFINITIONS

Data controller: This means a natural or legal person, public authority, agency, or other body which alone, or jointly with others, determines the purpose and means of processing of personal data.

Data processor: This means a natural or legal person, public authority, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller.

Personal data: Under the Act, this means any information relating to an identified or identifiable natural person. Under the Kenya Information and Communications Act, 'personal information' includes a person's full name, identity card number, date of birth, gender, physical and postal address.

Sensitive data: Under the Act, sensitive personal data means data revealing a person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of a person's children, parents, spouse or spouses, sex, or sexual orientation.

Health data: This means data related to the state of physical or mental health of the data subject, and includes records regarding the past, present, or future state of the health, data collected in the course of registration for, or provision of, health services, or data which associates the data subject to the provision of specific health services.

Biometric data: This means any personal data resulting from specific technical processing based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition.

Pseudonymisation: This is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's race, sex, pregnancy, marital status, health status, ethnic social origin, colour, age, disability, religion, conscience, belief, culture, dress, language, birth, personal preferences, interests, behaviour, location, or movements.

5. LEGAL BASES

5.1. Consent

Under Section 30(1)(a) of the Act, consent of the data subject to the processing for one or more specified purposes is one of the legal bases for processing of personal data.

5.2. Contract with the data subject

Under Section 30(1)(b) of the Act, performance of a contract to which the data subject is a party is a legal basis for processing of personal data. In addition, the performance of a contract is deemed a legal basis where processing is necessary to take steps, at the request of the data subject, before entering into a contract.

5.3. Legal obligations

Under Section 30(1)(b) of the Act, compliance with a legal obligation to which the controller is subject is a legal basis for processing of personal data. The Act does not specify particular instances.

5.4. Interests of the data subject

The protection of vital interests of the data subject or another natural person is a lawful basis for processing of personal data under the Act. It is also a basis for processing of sensitive personal data where the data subject or another person is physically or legally incapable of giving consent. What constitutes 'vital interest' is however not defined but may be inferred to include the data subject's rights and freedoms.

5.5. Public interest

Public interest is a legal basis for the processing of personal data. In addition, the exercise of official authority vested in the controller for the public interest is a legal basis for the processing of personal data.

5.6. Legitimate interests of the data controller

Legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed, are a legal basis for the processing of personal data. The exception is where the processing is unwarranted in any particular case with regard to any harm or prejudice to the rights and freedoms or legitimate interests of the data subject.

5.7. Legal bases in other instances

The Act provides two additional legal bases for processing of personal data, which are:

  • for purposes of historical, statistical, journalistic, literature and art, or scientific research; or
  • for the performance of any task carried out by a public authority.

6. PRINCIPLES

Section 25 of the Act sets out the principles of data protection that data controllers and processors shall abide by. These are:

  • Lawfulness, fairness, and transparency. Data should be processed lawfully, fairly, and in a transparent manner. In addition, a valid explanation must be provided whenever information relating to family or private affairs is required.
  • Purpose limitation. Data is collected for an explicit, specified, and legitimate purpose and not further processed in a manner incompatible with those purposes.
  • Minimisation. Data is collected for adequate and relevant purposes and is limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy. Data collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified promptly.
  • Storage limitation. Data should be kept in a form that identifies the data subject for no longer than is necessary for the purposes for which it was collected.
  • Data should not be transferred cross-border. Data collected is not to be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
  • Data should be processed in accordance with the right to privacy of the data subject.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

Data controller rights and responsibilities include:

  • the duty to notify, as detailed in section 7.1. below;
  • the obligation to apply for registration or renewal of a certificate/licence;
  • the obligation to designate a DPO as directed by the Commissioner;
  • the obligation to process data in accordance with the provisions of the Act;
  • the obligation to conduct impact assessments where a processing operation is likely to result in high risk to the rights and freedoms of a data subject;
  • to bear the burden of proof for establishing data subject consent to the processing of personal data for a specified purpose;
  • to incorporate an appropriate mechanism for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the obligation to retain data only for as long as is necessary to satisfy the purpose/s of collection, as provided by law, for any lawful purpose, with the consent of the data subject, or for historical, statistical, journalistic, literature, art, or research purposes;
  • the obligation to implement appropriate technical and organisational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to data subjects;
  • to put in place protective measures for the processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the Commissioner of the appropriate safeguards with regard to the transfer of personal data outside Kenya.

All licensed providers under the Kenya Information and Communications Act have obligations, stated in the Kenya Information and Communications Regulations, the SIM Cards Regulations, and the licensing terms and conditions, to:

  • obtain and retain information required for the registration of subscribers and SIM cards;
  • generate and retain accurate billing information;
  • ensure the information obtained and generated is stored in a manner that is secure and confidential;
  • adhere to the prescribed retention periods stipulated by the CA for registration details, call data records, and financial information;
  • keep customer information accurate, up to date, confidential, and secure;
  • disclose customer data only when required by customer consent, by law through a court order or Act of Parliament, when disclosed to law enforcement agencies, or to the CA for reporting purposes;
  • inform the customer of the processing of information and the intended or potential purpose(s) of processing, provided no objection to this is made by the customer; and
  • establish a mechanism by which a customer may opt-out, opt-in, or withdraw consent to the processing of their data.

Under the National Payment System Act, the National Payment System Regulations, and the Prudential Guidelines, service providers must ensure the security and confidentiality of their customers' information and transactions. The Health Act and the HIV and AIDS Prevention and Control Act require that patient data be anonymised before processing to protect the privacy of the patient/data subject.

Data processor

In many circumstances, data controllers will also be data processors, and data processor obligations would similarly apply. In addition, data processors have the following obligations:

  • to apply for registration and for renewal of the certificate as required;
  • to designate a DPO as directed by the Commissioner;
  • to process data in accordance with the provisions of the Act;
  • to conduct impact assessments where a processing operation is likely to result in high levels of risk to the rights and freedoms of a data subject;
  • to incorporate appropriate mechanisms for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the duty to notify, which is similar to that of data controllers;
  • to retain data only for as long as is necessary to satisfy the purpose of collection, as provided by law, for any lawful purpose, with the consent of the data subject or for historical, statistical, journalistic, literature, art, or research purposes;
  • to implement appropriate technical and organisational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to a data subject;
  • to put in place protective measures for processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the Commissioner of the appropriate safeguards with regard to transfer of personal data outside Kenya.

7.1. Data processing notification

Under the Act, data controllers and data processors are required to be registered with the Commissioner. The Commissioner has the mandate to prescribe the threshold for registration based on various factors, including:

  • the nature of industry of the data controller or data processor;
  • the volumes of data processed;
  • whether sensitive personal data is being processed; and
  • any other factor the Commissioner may consider relevant.

The Commissioner is tasked with maintaining a register of data controllers and data processors, and with issuing data controllers and processors with certificates of registration.

Data controllers must notify data subjects of:

  • their rights under the Act;
  • what data is being collected;
  • whether the collection is voluntary or mandatory;
  • the consequences of failure to provide all or any part of the requested data;
  • the fact that their data is being collected and processed; and
  • the uses to which their data will be put.

Data subjects also have the right to be informed of the third parties to whom their personal data will be transferred, including details of safeguards adopted and whether the data may be shared with any other entity.

Data controllers and data processors must notify data subjects of their contact details and provide a description of the technical and organisational security measures taken to ensure the integrity and confidentiality of the data.

In the event of a breach where there is a real risk of harm to data subjects, data controllers must notify data subjects of the breach (after notification to the Commissioner) in writing within a reasonably practical period.

Where an automated processing decision produces legal effects or significantly affects a data subject, the data processor must notify the data subject in writing that a decision has been taken based solely on automated processing.

Telecommunication service providers licensed under the Kenya Information and Communications Act must notify customers that their data is being processed, and further disclose the purpose for the collection.

For financial services, notification to the customer is required where there is a substantial change in the services, rates, and so on. However, the regulations do not specifically require notification in terms of data processing.

In relation to the healthcare sector, the Health Act and the HIV and AIDS Prevention and Control Act do not require notification or registration before processing data for health research or policy purposes.

7.2. Data transfers

The Act provides for conditions that must be met for the transfer of data outside Kenya, and these are where the data controller or data processor has:

  • the consent of the data subject where there is processing of sensitive personal data and confirmation of appropriate safeguards;
  • given proof to the Commissioner on appropriate safeguards with respect to the security and protection of the personal data involved; and
  • given proof to the Commissioner with respect to appropriate safeguards including jurisdictions with commensurate data protection laws.

Moreover, data transfers may be permissible where necessary:

  • for the performance or implementation of pre-contractual measures of a contract between the data subject and data controller or data processor;
  • for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person;
  • for any matter of public interest;
  • for the establishment, exercise, or defence of a legal claim;
  • to protect the vital interests of a data subject or other persons where the data subject is legally incapable of giving consent; or
  • for compelling legitimate interests pursued by the data controller or data processor that are not overridden by the rights of the data subject.

Section 50 of the Act further provides that the Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data centre located in Kenya on the basis of strategic interests of the State or for the protection of revenue.

Under the Health Information System Policy, there is a requirement that health data should not be stored outside Kenyan territory. As a matter of law, the Health Information System Policy, while not binding, is persuasive, and in the absence of statute provisions courts are likely to be guided by policy considerations in so far as they are interpreted in line with the Constitution and legal precedent.

7.3. Data processing records

Section 23 of the Act creates the duty of the Commissioner to conduct periodic audits of the processes and systems that a data controller or processor uses. This may require controllers and processors to maintain their processing records for the purpose of providing sufficient information for such audits.

While there is no express requirement for data controllers or processors to maintain processing records, the other obligations in the Act will likely give rise to the maintenance of data processing records to ensure compliance.

7.4. Data protection impact assessment

Section 31 of the Act requires that where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a Data Protection Impact Assessment ('DPIA').

The Act does not set out the types of processing subject to DPIA but generally provides that the DPIA would apply to any processing that by its nature, scope, context, or purposes would result in high risk to the rights and freedoms of the data subject.

7.5. Data protection officer appointment

The Act requires data controllers and data processors to appoint DPOs. The requirement is however not couched in mandatory terms, and DPO appointments are dependent on the conditions and activities of the data controller or processor.

For the appointment of a DPO, the Act requires a data controller or data processor to designate a DPO on terms and conditions it may determine where:

  • processing is carried out by a public or private body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or data processor, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects; or
  • the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.

The data controller or processor does not need to carve out a specialised DPO position. The DPO may be a staff member and may fulfil other tasks and responsibilities, provided this does not result in conflicts of interest. In addition, a group of entities may appoint a single DPO, provided such position-holder is accessible to and available for each entity.

The contact details of the DPO must be communicated to the Commissioner as well as published on the official website of the data controller or data processor.

7.6. Data breach notification

Where there is a real risk of harm to the data subject in case of a breach involving their personal data, there is an obligation to notify:

  • the Commissioner within 72 hours; and
  • the data subject within a reasonable time.

Service providers under the Kenya Information and Communications Act have an obligation, under the Kenya Information and Communications Regulations, to notify the customer/data subject if there is a risk of a breach of security of the provider's network. If the risk is outside the scope of measures that can be undertaken by the provider, the provider must inform the data subject of the possible remedies (including an indication of the likely costs involved). The notification must be by a message delivered to the data subject.

7.7. Data retention

The Act provides for retention of data under various circumstances which are (Section 39 of the Act):

  • as long as is reasonably necessary to satisfy the purpose for which the data is collected and processed;
  • as required or authorised by law including sectoral laws;
  • as consented to by the data subject; or
  • for historical, statistical, journalistic, literature, art, or research purposes.

Under the Kenya Information and Communications Act, data retention must ensure confidentiality, accuracy, and security. Call data records must be retained for a minimum of three years. There is no specified time limit for the retention of subscriber information. Under the National Payment System Act, financial information must be retained for a minimum of seven years.

7.8. Children's data

The Act prohibits the processing of data relating to a child unless consent is given by the child's parent or guardian and the processing is in a manner that protects and advances the rights and best interests of the child (Section 33 of the Act). A child by Kenyan law is anyone below the age of 18 years as defined in the Children Act No. 8 of 2001 and as such the age of consent is 18 years.

7.9. Special categories of personal data

Processing of sensitive data is restricted, and sensitive data includes the data defined under the key definitions above. In addition, under Section 47 of the Act, the Commissioner has the power to determine further categories of personal data that may be classified as sensitive data, as well as any special grounds on which such data may be processed, considering:

  • the risk of significant harm that may be caused to the data subject as a result of processing;
  • the expectation of confidentiality that may be attached to such category of data;
  • whether a significant and discernible class of data subjects may suffer harm from such processing; and
  • the adequacy of protection afforded by ordinary provisions applicable to personal data.

It is worth noting that court records are public records and many of the court cases are reported online. As such, data related to a person's court case, including criminal convictions, would not be protected under the Act. Only information regarding children is concealed in the publication of court records.

7.10. Controller and processor contracts

As part of the organisational measures a data controller or processor is required to implement for the protection of personal data, the Act requires that where a data controller is using the services of a data processor, the parties must have a written contract that specifies that the data processor may only act on instructions received from the data controller. In addition, the contract must specify that the data processor shall be bound by the obligations of the data controller.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

The Act simply provides that a data subject has the right to be informed of the use to which their personal data is to be put. The data controller or processor has the obligation to notify the data subject of:

  • their rights;
  • the fact that personal data is being collected;
  • the purpose of the collection;
  • any third parties with whom the data will be shared;
  • the safeguards adopted in case of third-party sharing;
  • the contact information of the processor or controller;
  • the technical and organisational measures taken by the controller or processor to protect the data collected;
  • whether the collection is pursuant to any law, voluntary, or mandatory; and
  • the consequences, if any, of refusal to provide some or all of the data.

8.2. Right to access

The data subject has the right to access their data that is in the custody of the data controller or data processor, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

8.3. Right to rectification

The Act provides for the data subject's right to the correction of false or misleading data, to deletion of false or misleading data, and to updating their data, similar to the GDPR.

The data controller or processor has an obligation to provide means for the data subject to make requests for rectification.

8.4. Right to erasure

As under the GDPR, the right to erasure is not absolute and applies only in specific circumstances, which under the Act are: where the data is inaccurate, outdated, incomplete, or misleading; where the data controller or processor is no longer authorised to retain the data; or where the data is irrelevant, excessive, or has been obtained unlawfully.

8.5. Right to object/opt-out

Similar to the provisions of the GDPR, a data subject has the right to object to the processing of all or part of their personal data. However, this right may be limited where the data controller or processor has a legitimate interest in the processing that overrides the data subject's rights.

8.6. Right to data portability

Similar to the GDPR, a data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit that data to another data controller or processor, or to request its transfer to another data controller or processor where technically possible.

The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task, the exercise of official authority, or portability may adversely affect the rights and freedoms of others.

8.7. Right not to be subject to automated decision-making

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning, or similarly significantly affects, the data subject. Where a data controller or processor takes such a decision based solely on automated processing, it must notify the data subject in writing that the decision was taken on that basis.

The data subject may then request the data controller or processor to reconsider the decision, or to take a new decision that is not based solely on automated processing. The data controller or processor must consider the request, comply with it, and notify the data subject in writing of the steps taken to comply with the request and of the outcome. The Act does not prescribe a procedure for making such a request; this is expected to be set out in detail in the regulations that will supplement the Act.

Unlike the GDPR, the Act does not require a data controller or processor to give the data subject prior information about automated decision-making, and it does not explicitly require controllers or processors to verify through regular checks that such systems are working as intended, although this follows from their general obligations under the Act.

8.8. Other rights

Not applicable.

9. PENALTIES

The Act provides for various offences and sanctions. Additional sanctions are enforced by various sectoral regulators which may include fines and the revocation or suspension of licences. Sectoral laws also provide for specific sanctions for breaches. The sanctions are:

The Act

  • where the Commissioner is satisfied that a person has failed or is failing to comply with any provision of the Act, the Commissioner may serve an enforcement notice and a penalty notice requiring the person to pay a penalty of an amount specified in the notice. The maximum penalty that may be imposed in a penalty notice is KES 5 million (approx. €38,420) or 1% of the annual turnover of the preceding financial year, whichever is lower;
  • failure to comply with an enforcement notice is an offence and upon conviction, a person is liable to a fine not exceeding KES 5 million (approx. €38,420) or imprisonment for a term not exceeding two years, or both;
  • obstructing the Commissioner in the exercise of the Commissioner's functions is an offence that attracts a fine not exceeding KES 5 million (approx. €38,420), imprisonment for a term not exceeding two years, or both;
  • in relation to the failure to register with the Commissioner as a data controller or data processor, unlawful disclosure, processing of personal data without lawful purpose, the sale of personal data and publication of false or misleading information to the Commissioner, penalties are not specified and for this reason the general penalty of a fine not exceeding KES 3 million (approx. €23,052) or imprisonment for a term not exceeding ten years, or both is applicable; and
  • a data subject is entitled to compensation for damage from the data controller or data processor for any violation of their rights.

Kenya Information Communications Act

  • a licensee who violates the requirements of any of the regulations issued under the Kenya Information Communications Act (including regulations on privacy) commits an offence and is, upon conviction, liable to a fine not exceeding KES 300,000 (approx. €2,305), imprisonment for a term not exceeding three years, or both;
  • under the SIM Card Regulations, any telecommunications operator who commits an offence with regard to SIM card registration will be liable on conviction to a fine not exceeding KES 5 million (approx. €38,420); and
  • a person who commits an offence for which no specific penalty is provided in the Kenya Information Communications Act or the regulations issued under it will, on conviction, be liable to a fine not exceeding KES 300,000 (approx. €2,305), imprisonment for a term not exceeding six months, or both.

Healthcare sector

  • the HIV and AIDS Prevention and Control Act provides that it is an offence to breach its provisions relating to confidentiality, without prescribing a specific penalty. Under that Act, a person convicted of an offence for which no other penalty is provided is liable to imprisonment for a term not exceeding two years, a fine not exceeding KES 100,000 (approx. €768), or both.

Financial sector

  • under the National Payment System Act, a payment service provider may have its licence suspended or revoked if it is unable to protect the confidentiality of the data or information it collects and keeps. Unauthorised disclosure of confidential customer information is subject to a fine of up to KES 1 million (approx. €7,680). Use of confidential information for personal gain is subject to a fine of up to KES 500,000 (approx. €3,840), imprisonment for up to one year, or both.

9.1. Enforcement decisions

There have been no enforcement decisions made under the Act yet.