BY SHADRACK SHARU
Does your business collect customers’ names, phone numbers, identity numbers or biometrics? If yes, you will soon be considered a data processor according to Section 2 of the Data Protection Bill.
The Privacy and Data Protection Taskforce Draft Policy and Bill is the latest data protection draft law. Earlier on, the Senate Information, Communication and Technology Committee had published a Data Protection Bill.
The business model of the digital age involves a lot of personal data collection and the right to privacy has become a critical issue in commerce. Kenyan entities with foreign clientele have been forced to comply with emerging international standards on data protection to keep business flowing. Local businesses will soon be forced to join the bandwagon as the government attempts to comply with good practice in privacy and data protection.
The right to be forgotten
If the Bill is passed, it will give effect to Article 31(c) and (d) of the Constitution to regulate the processing of personal data. It will also establish the Office of the Data Protection Commissioner, which will maintain a register of all data controllers and processors. Commercial entities will not be allowed to process their customers’ data unless they are registered. Other than maintaining the Register and handling complaints, the Data Protection Commissioner will also be conducting privacy compliance audits periodically.
Whoever processes personal data will be expected to be fair and transparent. Collection and use of a customer’s personal information will have to be for specified and legitimate purposes only. The information will also have to be relevant and limited to what is necessary for the business. If it is to be shared with third parties, the customer’s freely given consent will be required.
Information on how the business processes its data and the requirement of customer consent will soon be an integral part of data management. Businesses will have to notify customers of the purpose of the information, whether it is needed for fulfillment of a legal obligation and the consequences of not giving the information. The customer will also have the right to withdraw consent at any time.
The rights in the Data Protection Bill limit a business’ ability to make decisions on personal information based on results of automated processing. Businesses will need consent to use customer information for direct marketing. Customers will have a right to data portability, under which they will be able to request a copy of their personal information from entities. They will also have a right to rectification and erasure of erroneous personal information.
Commercial entities will have a duty to take measures to avoid data breaches. Among others, Data Controllers or Data Processors under the Bill will be required to take reasonable measures to— (a) identify reasonably foreseeable internal and external risks to personal data under the person’s possession or control; (b) establish and maintain appropriate safeguards against the identified risks; (c) the pseudonymisation and encryption of personal data; (d) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (e) verify that the safeguards are effectively implemented; and (f) ensure that the safeguards are continually updated in response to new risks or deficiencies.
In determining the appropriate security measure to employ, entities will be required to take into account costs, the technology available as well as the nature of the data involved. They are required to employ every reasonable effort. In the event of a breach, they will have to inform the Data Protection Commissioner. However, a business will not be obliged to notify its customers of the data breach.
During the Universal Peer Review in 2015, Kenya committed to having a data protection law by 2019. However, if the Bill were to be assented to today without a transition period and further clarity on the exemptions provided in the Act, businesses would face great difficulties in complying with the law. This is borrowed from the General Data Protection Regulations and the California Consumer Privacy Act, each allowing for transition periods to facilitate compliance.
The principles of processing personal data will not apply when publication is for journalistic or artistic purposes. Even so, the data controller must be convinced that publication would be in the public interest, is ethical and that, in all the circumstances, compliance with the provision is incompatible with the special purposes.
Controversially, the Bill also exempts processing of personal data if: (a) exemption is necessary for national security or public order; (b) disclosure is required by or under any written law or by an order of the court; (c) the prevention or detection of crime; (d) the apprehension or prosecution of an offender; or (e) the assessment or collection of a tax or duty or an imposition of a similar nature. The Cabinet Secretary also has power to prescribe other instances where compliance with certain provisions of this Act may be exempted. In the absence of specificity, the fear is that the new law will be misapplied to the extent of threatening the fundamental rights and freedoms it was meant to protect.