Kenya Data Protection Act came to effect in November 8th 2019. It was borrowed majorly from the European Union General Data Protection Regulation (GDPR).

Data Protection is the Fair and Proper use of information about people. It is a fundamental right to privacy.

Protection of personal data is important to build trust and legal compliance. Unauthorized loss and access can result in a serious breach of individual rights and heavy penalties under the data protection regulations.

What is Data? As per the Data Protection Act, it is information which;

  • Is processed by means of equipment in response to instructions.
  • Is recorded with intention it should be processed.
  • Is recorded as part of a relevant filing system.
  • Forms part of an accessible or
  • Is recorded information which is held by the public.

Data Protection covers all aspects of data management throughout the data life cycle. This includes; collection, processing, storing, dissemination, erasure and deletion.

Principles;

  • Integrity and confidentiality: Data must be processed in accordance with the right to privacy /secrecy of the data subject. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
  • Lawfulness, fairness and transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to any data subject. An entity is responsible for informing the data subject that they intend to collect data, how the data will be used or whether the data will be disclosed to third parties.
  • Accuracy: Data must be accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
  • Data Minimization: Entities that collect data must make sure that information collected is not excessive given the purpose of collection. Therefore, information should be adequate and relevant. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data need to be used.
  • Purpose Limitation: Data should be collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Storage Limitation: Data must be kept in a form which identifies the data subjects for no longer than is necessary for which it was collected.
  • Accountability: All data controllers or data processors shall be responsible for personal data protection, and be able to demonstrate compliance to the data protection principles and the Data Protection Commissioner.
  • Data Transfer: Data should not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Breaches of data protection can cause significant damage to those individuals whose personal data has been compromised. For this reason, data controllers & processors are required by law to act when a personal data breach has occurred and process, collect, store & disseminate data as per the principles.

– By Beth Njau