The Data Protection Act, 2019

The Data Protection Bill of 2019 has officially been signed into law. The Data Protection Act provides the legal framework for the protection of a person’s privacy in instances where personal information has been collected, stored, used or processed by another party. This makes Kenya the second country in East Africa, after Rwanda, to have legislation dedicated to data protection, following the path taken by the EU in enacting the General Data Protection Regulation in May 2018.

The new Data Protection Act establishes the office of the Data Commissioner, who will oversee the implementation and enactment of this law, and it sets out the requirements for the protection of personal data processed by both public and private entities. The law outlines the principles that will govern data processing and sets out the rights of data subjects.

Benefits of The Data Protection Act

This law elaborates on the duties and responsibilities of data controllers and processors. The Data Protection Act will therefore regulate the processing of personal data and information. The handling of that information will be bound to principles of data protection that ape those provided by GDPR. Illegal processing of personal data will effectively be punishable.

Under this law, local organizations, and even global ones, will be guided on processing data belonging to locals. The Data Protection Act, 2019, covers people who own and control data, as well as third parties that manage, store and sort personal data. The Act provides for exemptions to the processing of data and outlines data handling offenses and attendant penalties. Organizations that own, manage or control data must register their business with the Data Protection Commissioner (DPC).

The law gives Kenyans the right to know how their information is handled and the right to ask for the deletion or editing of incorrect data. Kenyans will also have the right to acknowledge or reject the transfer of their data to another service. For instance, a public officer who shares personal data with a third party without permission risks a fine of Sh500,000 or two years in jail or both.

The data protection law also encompasses a deeply robust data privacy system for sensitive data and stiff penalties for people who go against the law. Abusers will be fined up to Sh3 million or receive a maximum two-year jail term.

Principles and Obligations of personal data protection

Duty to notify: According to this Act, data controllers and data processors have the duty to notify the data subject before collecting personal data.

Lawful processing of data

On commercial use of data: The law prohibits the use of data for commercial purposes unless there is consent from the data subject or, where possible, the data is anonymized in such a manner as to ensure that the data subject is no longer identifiable.

Limitation to the retention of personal data: The Data Protection Act stipulates the circumstances under which the data controller or data processor can retain the data collected. A data controller or data processor shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, unless the retention is required or authorized by law; reasonably necessary for a lawful purpose; authorized or consented to by the data subject; or for historical, statistical, journalistic, literature and art or research purposes.

Journalism, literature and art: The principles of processing personal data shall not apply where:

  • Processing is undertaken by a person for the publication of a literary or artistic material;
  • Data controller reasonably believes that publication would be in the public interest;
  • Data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.

Research, history and statistics: The Data Protection Act gives measures on data collected for research, history and statistics. The Act states that the processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes, and the data controller or data processor shall ensure that the further processing is carried out solely for such purposes and that the data will not be published in an identifiable form.

Complaints to the Data Commissioner

A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act, either orally or in writing.

A person who commits an offence under this Act for which no specific penalty is provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.