Data Protection Requirements for the Public Sector

Introduction

Many public sector organisations collect a large amount of data and information. The Government of Kenya has amassed a vast and valuable collection of the nation’s data. Public education, public health, law enforcement, transport, infrastructure, utility services, social services and the military all hold huge amounts of data about Kenya’s economy and population.

The public sector has a legal and moral responsibility to ensure that such information is kept safe. Government must set the tone in putting in place practical and effective policies and procedures to secure the nation’s data.

Helping to set that tone, there are currently two pieces of data protection legislation applicable in Kenya. One is the Kenya Data Protection Act, 2019 (“DPA”). The other is the EU General Data Protection Regulation (“GDPR”), which is applicable by virtue of its extra-territorial application. Both pieces of legislation are centred on the same principles, but the EU legislation has more stringent compliance obligations and more punitive sanctions for non-compliance.

All organisations operating in Kenya, whether public or private, are subject to the DPA. On the other hand, a Kenyan entity shall only be subject to the GDPR if it is engaged in the “offering of goods or services” (regardless of whether a payment is required) to data subjects within the EU.

In Kenya, organisations will be under increased scrutiny once the office of the Data Commissioner (which is the privacy regulatory authority) is set up in accordance with the DPA. A person who fails to comply with an enforcement notice issued by the Data Commissioner will have committed a crime and is liable on conviction to a fine or to imprisonment for a term not exceeding two years, or both.

There are also a range of other sanctions under the DPA that can be applied for breach of the law, including orders by the courts for compensation and administrative fines of up to KES 5 million imposed by the Data Commissioner. It is therefore critical for public sector organisations to understand the requirements under the data protection laws and then to implement a plan to ensure data protection.

Minimisation, visibility and control Since government and other public sector organisations collect vast amounts of data, some of which may be obsolete and outdated, it is also important to minimise or limit the amount of data that they collect. The principle of data minimisation also stipulates that organisations should not hold more data than they need. This requirement therefore demands careful planning to determine data needs before collection. Effective data minimisation also requires robust systems that can cope with large volumes of data as well as inbuilt mechanisms for sifting and filtering relevant data from irrelevant data.

Another relevant principle involves the visibility and control of personal data. Personal data is any data that identifies a natural person (such a person is referred to as a “data subject” under the data protection legislation). It includes their name, date of birth, address, dependents, race, ethnicity, gender, religious beliefs, photographs and even fingerprints. Such personal information is considered private and is also generally protected under the constitutional right to privacy.

Upon request, a person or data subject has the right to access their personal data in the custody of an entity or data controller and the right to be informed about how their personal data will be used. The data subject may object to the processing of their personal data and may even request that false or misleading data be corrected or deleted. Therefore, if a data subject requests it, public sector organisations must be prepared administratively to provide timely access to it. Powerful data processing systems and sufficient staff will be key in coping with such requests, which are expected to rise as people become more aware and informed.

Entities are required to inform data subjects of the fact that their personal data is being collected and the purpose for collection. Other disclosures include the data subject’s rights under the DPA, details of third parties who may have access to their data, security measures taken to ensure the integrity of their data and contacts of the entity collecting the data. These requirements call for the careful crafting of forms and contracts to reflect adequate disclosures. Organisations should revisit and revise their documentation to ensure compliance with the law in this regard.

The law also requires organisations to have a lawful basis for processing personal data. Generally speaking, an organisation must either prove that it has the consent of the data subject to process their personal data or the processing is necessary for one or more other grounds prescribed in the DPA.

Public sector entities, in particular, can justify processing personal data (in the absence of data subject consent) where they can prove that such processing is necessary for the performance of any task carried out in the public interest, by a public authority, or in the exercise of official authority.

That said, when it comes to consent, public sector entities must be careful to ensure that any consent extended is fully understood and explicitly given. The entity collecting or processing the data shall bear the burden of proof for establishing a person’s consent for processing their personal data for a specified purpose and therefore jargon should be minimised. Finally, silence or non-response by a data subject does not amount to valid consent under the DPA.