The Data Protection Act, 2019 (“the Act”) provides for various safeguards in relation to the protection of personal data of data subjects. To achieve this, it places certain obligations on data controllers and data processors. The Act defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. Simply stated, a data processor acts on and within the scope of instructions from the data controller.
From the outset, it is imperative for all entities and individuals involved in the processing of personal data to, based on their specific roles, establish whether they are data processors or controllers. This determination will aid in understanding and appreciating their specific data protection compliance mandates.
Principles of Data Processing in the Act as a Guide for Compliance for Data Controllers and Data Processors
- Accuracy
This refers to the verification of the correctness of personal data with the data subject before and at different stages of the processing, depending on the nature of the personal data and on how often it may change. It further entails giving data subjects an overview of, and easy access to, their personal data so that they can check and verify its accuracy.
- Data minimization
This entails limiting the processing of personal data to what is necessary for the specific purpose, or avoiding the processing of personal data altogether where this is possible. A data controller or processor must be able to demonstrate the relevance of the data to the processing in question. In addition, pseudonymising personal data is a key requirement as soon as the data is no longer necessary in identifiable form for the purpose.
- Integrity, confidentiality and availability
The principle entails having in place an operative means of managing policies and procedures for information security. This encompasses assessing the risks to the security of personal data and putting in place technical and organisational measures to counter those risks.
- Purpose limitation
The purpose limitation principle entails specifying the legitimate purpose for the processing of personal data before designing organizational measures and safeguards with respect to the processing. The purpose of collecting personal data should be the main determinant for personal data collection. Data controllers and processors should regularly review their processing activities to determine whether the processing is necessary for the purposes for which the data was collected and test the design against purpose limitation.
- Storage limitation
The storage limitation principle requires data controllers and processors to determine the length of storage required for each type of personal data collected. In this regard, data processors and controllers are under an obligation to establish data retention policies and procedures, including procedures for archiving and deleting personal data.
- Transparency
The transparency principle mandates data controllers and processors to use clear, simple and plain language when communicating with the data subject, so as to enable the data subject to make informed decisions on the processing of their personal data. Additionally, the information on the processing of personal data should be made readily available to data subjects.
- Lawfulness
The appropriate legal basis or legitimate interest should be clearly connected to the specific purposes of processing. The data subject should know what they have consented to and should be given a simple method of withdrawing their consent.
Applicability of the Principles of Data Processing
It is imperative that data processors and controllers ensure strict compliance with the data protection principles in their day-to-day personal data processing activities. The data protection principles should be the bedrock upon which all decisions relating to personal data processing, including the implementation of technical and organisational safeguards, are anchored.
Other Obligations of Data Processors and Controllers
The Act requires data processors and controllers to be registered with the Office of the Data Protection Commissioner (ODPC). An application for registration should include a description of the personal data to be processed, the purpose for which it is being processed, and a general description of the risks, safeguards and security measures that have been put in place to ensure the protection of personal data. It is worth noting that entities with a turnover/revenue of below Kshs. Five Million (5,000,000/=) or with fewer than 10 employees are exempted from mandatory registration. The exemption from mandatory registration based on the turnover limit and number of employees will not apply to entities operating in the following industries: financial sector, health, gambling, hospitality industry, telecommunication sector or service providers, educational and political institutions, property management, and entities dealing with genetic data.
The Act also requires data processors and controllers to inform data subjects, prior to the collection of personal data, of, among other things: their rights; the fact that their personal data is being collected; the purpose of the collection; the safeguards to be adopted; data sharing arrangements; and the consequences, if any, where the data subject fails to provide all or any part of the requested data.
Additionally, the Act mandates data processors and controllers to carry out a data protection impact assessment where a processing activity, by virtue of its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of a data subject.
Further, a personal data breach should be reported by a data controller to the ODPC within 72 hours of occurrence.
Consequences of Failure to Comply with Data Protection Obligations
The enforcement mechanisms available upon breach of obligations by data processors and controllers are set out under Part VIII of the Act and include the issuance of enforcement notices, penalty notices, administrative fines and compensation of data subjects. The ODPC is required to first issue an enforcement notice to a data controller or processor who is in breach of the Act, requiring remedial action. Failure of a data processor or controller to comply with the ODPC enforcement notice will result in a penalty of an amount not exceeding Kes. 5 million or 1% of the data processor’s or controller’s annual turnover of the preceding financial year, or imprisonment for a term not exceeding two years, or both.
Article by Mary Ndung’u, Pauline Njau and Emily Ogonyo
Published on 5th February, 2024