Data Protection Requirements for the Public Sector


Many public sector organisations collect a large amount of data and information. The Government of Kenya has amassed a vast and valuable collection of the nation’s data. Public education, public health, law enforcement, transport, infrastructure, utility services, social services and the military all hold huge amounts of data about Kenya’s economy and population.

The public sector has a legal and moral responsibility to ensure that such information is kept safe. Government must set the tone in putting in place practical and effective policies and procedures to secure the nation’s data.

Helping to set that tone, there are currently two pieces of data protection legislation applicable in Kenya. One is the Kenya Data Protection Act, 2019 (“DPA”). The other is the EU General Data Protection Regulation (“GDPR”), which is applicable by virtue of its extra-territorial application. Both pieces of legislation are centred on the same principles, but the EU legislation has more stringent compliance obligations and more punitive sanctions for non-compliance.

All organisations operating in Kenya, whether public or private, are subject to the DPA. On the other hand, a Kenyan entity shall only be subject to the GDPR if it is engaged in the “offering of goods or services” (regardless of whether a payment is required) to data subjects within the EU.

In Kenya, organisations will be under increased scrutiny once the office of the Data Commissioner (which is the privacy regulatory authority) is set up in accordance with the DPA. A person who fails to comply with an enforcement notice issued by the Data Commissioner will have committed a crime and is liable on conviction to a fine or to imprisonment for a term not exceeding two years, or both.

There are also a range of other sanctions under the DPA that can be applied for breach of the law, including orders by the courts for compensation and administrative fines of up to KES 5 million imposed by the Data Commissioner. It is therefore critical for public sector organisations to understand the requirements under the data protection laws and then to implement a plan to ensure data protection.

Minimisation, visibility and control

Since government and other public sector organisations collect vast amounts of data, some of which may be obsolete and outdated, it is important to minimise or limit the amount of data that they collect. The principle of data minimisation also stipulates that organisations should not hold more data than they need. This requirement therefore demands careful planning to determine data needs before collection. Effective data minimisation also requires robust systems that can cope with large volumes of data, as well as inbuilt mechanisms for sifting and filtering relevant data from irrelevant data.

Another relevant principle involves the visibility and control of personal data. Personal data is any data that identifies a natural person (such a person is referred to as a “data subject” under the data protection legislation). It includes their name, date of birth, address, dependents, race, ethnicity, gender, religious beliefs, photographs and even fingerprints. Such personal information is considered private and is also generally protected under the constitutional right to privacy.

Upon request, a person or data subject has the right to access their personal data in the custody of an entity or data controller, and the right to be informed about how their personal data will be used. The data subject may object to the processing of their personal data and may even request that false or misleading data be corrected or deleted. Therefore, public sector organisations must be prepared administratively to provide timely access to personal data whenever a data subject requests it. Powerful data processing systems and sufficient staff will be key in coping with such requests, which are expected to rise as people become more aware and informed.

Entities are required to inform data subjects of the fact that their personal data is being collected and the purpose for collection. Other disclosures include the data subject’s rights under the DPA, details of third parties who may have access to their data, security measures taken to ensure the integrity of their data and contacts of the entity collecting the data. These requirements call for the careful crafting of forms and contracts to reflect adequate disclosures. Organisations should revisit and revise their documentation to ensure compliance with the law in this regard.

The law also requires organisations to have a lawful basis for processing personal data. Generally speaking, an organisation must either prove that it has the consent of the data subject to process their personal data or the processing is necessary for one or more other grounds prescribed in the DPA.

Public sector entities, in particular, can justify processing personal data (in the absence of data subject consent) where they can prove that such processing is necessary for the performance of any task carried out in the public interest, by a public authority, or in the exercise of official authority.

That said, when it comes to consent, public sector entities must be careful to ensure that any consent extended is fully understood and explicitly given. The entity collecting or processing the data shall bear the burden of proof for establishing a person’s consent for processing their personal data for a specified purpose and therefore jargon should be minimised. Finally, silence or non-response by a data subject does not amount to valid consent under the DPA.

Risks to data security

Evolving cybersecurity threats create the potential for theft and misuse of personal data. By legal obligation, data must be kept safe from security threats both during processing and storage. For the public sector, this means that organisations must put in place appropriate security measures to prevent unauthorised access to data, whether internal or external. Such measures range from simple risk policies such as password etiquette to more complex information technology systems that are professionally implemented.

An organisation trying to set up a data protection framework should develop a data privacy and protection policy as a matter of importance. The policy should be informed by the organisation’s specific field of operation and its data processing needs. An effective data protection framework must also include creating and maintaining awareness of data protection and privacy within the organisation such as through regular training, soft messaging and e-learning programmes.

In our experience, many entities in the public and private sectors have already embarked upon a re-examination of their approaches to data protection. They have started to overhaul their policies and legal documentation, operational systems, administrative resource allocation as well as technology and data processing systems. This is the recommended approach to address the stringent obligations set out by the law.

PwC is uniquely positioned to assist organisations to develop their data protection programmes. We offer:

  • A multidisciplinary team of experts comprised of legal professionals, technology consultants and risk assurance professionals;
  • Access to global data protection and privacy expertise, thought leadership and experience drawn from the PwC network; and
  • A tailored approach to designing and implementing data protection programmes based on the particular circumstances of the organisation.

Caroline Kipkulei

Senior Associate, Regulatory Compliance & Advisory
T: +254 20 285 5834
