The Draft Data Protection (General) Regulations, 2021 (“the Draft Regulations”) were recently published for public consultation by the Communications Authority of Kenya. They elaborate the rights and duties of the data subjects, data controllers and data processors, and also provide the procedures for enforcement of the said rights and duties.

Data subjects are individuals whose personal information is collected while data controllers are the individuals or entities that determine the use and mode of processing the personal information collected from data subjects. Data processors, on the other hand, are individuals or entities that process the personal information collected, on behalf of data controllers.

We highlight the salient provisions of the Draft Regulations below.

  1. Enabling the Rights of Data Subjects

The Draft Regulations require that data subjects are informed by data controllers/processors through notice of the following:

  1. nature and scope of the personal data to be processed;
  2. the reasons for the said processing;
  3. confirmation on whether the data will be shared with third parties.

Data processors and controllers are also required to ensure that:

  1. the data subject has capacity to understand and communicate their consent - consent cannot be presumed on the basis that the data subject did not object and cannot be implied where the intention of the data subject is ambiguous or doubtful;
  2. the nature of processing is explained in an understandable language to the data subject;
  3. data is voluntarily given by the data subject;
  4. data is specific to the data subject.

Further, data subjects have the right to request data portability, access to, restriction of and objection to the processing of their data, as well as deletion/rectification of their personal data held by data processors or controllers. If any request by a data subject is rejected, data processors are required to notify them promptly and give sufficient reasons for the refusal.

Data processors are also required to act in the best interests of data subjects despite receiving consent to use and process their personal data.

  2. Restrictions on the Commercial Use of Personal Data

The Draft Regulations classify the sending of electronic messages, catalogues and display of adverts on online media sites of data subjects as a form of direct marketing. They, therefore, require data subjects to be given prior notice of the intended use of their personal data for commercial purposes. On receipt of the notice, data subjects can object to the use of their personal data for marketing by third parties. Sensitive personal data and personal data belonging to minors is excluded from direct marketing by the Draft Regulations.

Additionally, data processors are required to have an opt-out system, and to make it simple, easily understandable and place it in a conspicuous place that is easily visible for use by data subjects. Direct messages should contain a single sentence notifying data subjects that they can opt out of future messages by responding to the direct messages by using one word, and the unsubscribe link in an email should be prominently located. With respect to phone calls, data subjects should be informed that they can verbally opt out of future calls.

  3. Obligations of Data Processors and Controllers

The Draft Regulations require data processors to have a personal data retention schedule that sets out the purpose for retention of data, the retention period and a provision for periodic audit(s) of personal data. Where a data subject requests that their personal data be anonymised or pseudonymised, the data processor is under obligation to consider the request.

Where the sharing of personal data by data processors or controllers is on a regular basis, they should enter into a written agreement with data subjects prior to the sharing. Further, where data processors are involved in automated data processing (i.e., processing without human involvement), data subjects should be informed of the same and of their right to object to any profiling for marketing purposes. The system used for automated processing should be sound, accurate and non-discriminative.

Additionally, the Draft Regulations provide that any server used for processing personal data for actualising public goods or services, such as education or elections, must be located in Kenya. Data processors that do not perform such activity may also be required by the Data Commissioner to move their servers to Kenya where there is a breach that violates the Data Protection Act (“Act”) or if they fail to co-operate with the Data Commissioner during an investigation.

  4. Notification of Data Breaches

The Draft Regulations set out the types of breaches that amount to notifiable breaches, including instances where a data subject’s identification details that are not publicly available are unduly revealed, and disclosure of personal credentials such as passwords used to access electronic or online systems or accounts. Such notification to the Data Commissioner should include the scope and extent of the breach and steps taken to mitigate the same.

  5. Cross-border Data Transfer

The Draft Regulations provide that transfer of data outside Kenya should only be done under written agreements with data subjects that set out the obligations therein. Moreover, data processors should ensure that the legal regimes for data protection binding the transferee are at least the same as under the Act and its attendant Regulations. For this purpose, countries that have ratified the African Union Convention on Cyber Security and Personal Data Protection, or have a reciprocal data protection agreement with Kenya or an adequate data protection law are presumed to have sufficient safeguards.

  6. Data Protection Impact Assessment

Under the Draft Regulations, when data processors engage in activities that constitute high risk in relation to personal data, they are required to undertake a detailed Data Protection Impact Assessment as set out in the guidelines. These high-risk activities include automated decision making with legal or similar significant effects, processing of biometric or genetic data, and processing of sensitive personal data or data relating to children or vulnerable groups.


From the foregoing, it is apparent that efforts have been made to substantively implement the provisions of the Data Protection Act. Public participation is ongoing and it is expected that this will result in changes being introduced in the Draft Regulations.

Article by Pauline Njau & James Karuga


This article is intended for general knowledge only. It does not create an advocate-client relationship between any reader and Mboya Wangong’u & Waiyaki Advocates. For particular expert advice on any matter dealt with above, please contact us.
