Kenya has promulgated a Data Protection Act
The Data Protection Bill that has been a subject of discussion for years, was passed into law on 8 November 2019 when the president assented to it. The Data protection Bill 2019, follows the path taken by the European Union in enacting the General Data Protection Regulation (GDPR) in May 2018 and makes Kenya the third country in East Africa to have legislation dedicated to data protection.
This law was expedited following concerns raised over the Huduma Namba registration exercise, with those
opposed to the process raising concern about the safety of citizen’s personal data collected by the
Government.
Purpose of the Act
The Act seeks to:
- give effect to Article 31(c) and (d) of the Constitution that contain the right to privacy;
- establishment of the Office of the Data Commissioner;
- regulate the processing of personal data,
- provide for the rights of data ‘subjects’; and
- obligations of data ‘controllers’ (Person who determines the purpose and means of processing of personal data) and ‘processors’ (Person who processes personal data on behalf of the data controller).
Data Protection Principles
The Act requires Data Controllers and Processors to process data lawfully; minimise collection of data; restricts further processing of data; requires data controllers and processors to ensure data quality; and that they establish and maintain security safeguards to protect personal data.
Registration of Data Controllers and Processors
The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner. Therefore, once the office of the Data Commissioner is established, organisations meeting the definition of a controller or processor will need to register as such, and renew their registration every 3 years.
Transfer of Personal Data Outside Kenya
- Every data controller or data processor is required to ensure the storage, on a server or data centre located in Kenya, of at least one serving copy of personal data to which the Act applies.
- Cross-border processing of sensitive personal data is prohibited and only allowed when certain conditions are met or under certain circumstances specified in the Act (Part IV – 48 – 50)
- A data controller or data processor may transfer personal data to another country where—
- i. the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data;
- the data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer such as the absence of appropriate security safeguards;
- the transfer is necessary for performance of a contract.
Exemptions
The processing of personal data is exempt from the provisions of the Data protection Act if—
- exemption is necessary for national security or public order;
- disclosure is required by or under any a written law or by an order of the court e.g. Anti Money Laundering (AML) Laws;
- the prevention or detection of crime e.g. AML/CFT laws;
- the apprehension or prosecution of an offender; or
- the assessment or collection of a tax or duty or an imposition of a similar nature