The Office of the Data Protection Commissioner (ODPC) has embarked on a mission to sensitize the public on the issues of data protection.
Speaking during a workshop that brought together representatives from various government departments, the media, health and education institutions among others, Data Protection Officer Mr Godfrey Maruta said that they aimed to equip the public with enough knowledge on the mandate and core responsibilities of the ODPC office in terms of data protection.
ODPC is a government institution mandated with the regulation of the processing of personal data to provide for the rights of data subjects and obligations of data controllers and processors for connected purposes. The office was established by the Data Protection Act of 2019.
The Act regulates the collection, processing and storage of personal data by both government and private organizations and also establishes an ecosystem of rights and obligations that operationalizes the right to privacy enshrined in the Kenyan Constitution.
Maruta noted that the ODPC office had embarked on the campaign to sensitize the public on matters of data protection compliance requirements, data registration, and the rights of citizens in collecting, accessing and retrieving their personal data.
The official emphasized that citizens had the right to be informed, the right to access their personal data, the right to correction and the right to deletion in order to protect their privacy.
ODPC has partnered with the Kenya School of Government (KSG) to train organizations on data protection in order to create awareness and improve their skills.
So far, 36 African countries, Kenya included, have Data Protection Acts or regulations in place, while sixteen countries have signed the African Union Convention on Cyber Security and Personal Data Protection.
He observed that illegal access to pools of personal data gleaned by individuals, companies and even government agencies was often used for blackmail, identity theft, intimidation, targeted advertising and extortion.
Maruta warned firms that getting their processes flagged by ODPC resulted not only in enforcement notices and administrative fines but also in a steep public relations cost due to the ensuing bad publicity.
The Data Protection (General) Regulations 2021 and the Complaints Handling Regulations took effect from March 14, 2022 while the registration of data controllers and processors took effect on July 14, 2022.
The Data Protection (General) Regulations 2021 provide for the rights of a data subject and limitations on the commercial use of such information. They also explain the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.
In the event of commercialization of data, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence. He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the Data Protection Act.
Sharing or offering for sale personal information could land those responsible for their safe storage jail terms of up to six months or fines of up to Sh5 million.
Maruta indicated that insurance and health care providers also face stringent fines in case they breach the privacy of patients by sharing such data with third parties.
ODPC Deputy Data Commissioner - Corporate Services Mr Festus Musyoki observed that owing to the rising amount of data created and processed by organizations, there is a great possibility of violation of data security and privacy, thus the rising need for data protection.
“In this digital age, organizations have come up with different technological solutions, including digital services, online advertising, e-communication and virtual sharing of information. There is thus a paradigm shift towards the digital space, with many organizations processing more and more data in order to drive strategic growth and improve their bottom line,” Musyoki added.
He noted that virtually all private firms, government agencies and departments in county governments collect data from either customers, employees, suppliers or service providers.
“Data collected by organizations ranges from IP addresses, search histories, location, credit card numbers, purchase histories, among others. Inevitably, every organization is likely to touch on private data of thousands or millions of individuals at some point,” explained Musyoki.
The Deputy Data Commissioner underscored the importance of organizations complying with the provisions of the Data Protection Act at the initial stages of a product life cycle, especially when collecting and storing such data, including when onboarding new employees.
He cautioned that collecting data without the right privacy protections in place would have adverse and long-term effects on organizations, and that the penalties for breach are high enough to make organizations pay attention to data privacy.
Musyoki said employees were the predominant custodians of data in an organization and were at the highest risk of breach of privacy, hence the need to create awareness among them on the legal requirements relating to data privacy.
“This should entail making employees understand their roles in upholding high standards of data privacy during the collection, processing and storage of data, considering the significant impacts any form of data breaches will have on the business, especially the financial and reputational risks associated with breach,” the official added.
He pointed out that in the long-term, data privacy would be a great brand differentiator, as it would build customer loyalty while lack of it would impede organizational growth.
He said the image and reputation of a company with strong privacy mechanisms would create trust, which is the basis for establishing a loyal customer base.
A Nakuru lawyer, Steve Biko Osur, called upon Kenyans to exercise respect for other people’s privacy while using social media platforms.
He noted that there was need to encourage responsible and ethical use of artificial intelligence even as Kenyans exercise their freedom of expression.
Osur further noted that many organizations were breaching the privacy of their users’ personal data and urged the Data Commission to tighten the noose on misuse of such information.
Participants singled out institutions such as banks, health facilities, betting firms, digital lenders and online retail shops for violation of provisions of the Data Protection Act, adding that there is need to step up the war on online and private data breaches even as the digital economy booms, exposing vast quantities of sensitive user data to misuse.
A Senior Lecturer in Information Technology at Kabarak University, Dr Moses Thiga, expressed concern that the Data Protection Act could curtail research in view of the stiff penalties spelt out in the event of a breach.
“Researchers need to know the new law’s implication for research that uses personal data. They also need to know who data processors and data controllers are for research and academic institutions. For example, data processors can include those who offer transcription services and DNA sequencing or translation services for data analysis companies. Research institutions and universities would be the data controllers through their designated authority,” stated Dr Thiga.
He added, “There are also some unanswered questions. For example, exemptions for research data seem to only apply to the processing. Does this restrict the transfer of personal data meant for research? What does this mean for publishing research data, where the journals are based outside the country? What does this mean for research collaboration?”
By Jane Ngugi