The Data Protection Act (Cap 411C, formerly Number 24 of 2019) is the law that deals with the processing of personal data in Kenya. The law defines personal data as “any information relating to an identified or identifiable natural person”.
Under the Act, processing of personal data is any operation performed on personal data including:
- collection, recording, organisation or structuring of personal data;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination, or otherwise making available; or
- alignment or combination, restriction, erasure or destruction.
Anyone who performs any of the above operations is known as a data processor while anyone who determines the purpose and means of processing personal data is known as a data controller. A data controller and a data processor may be the same person or different persons depending on the circumstances.
Before a data controller or a data processor can collect personal data from a data subject, they must inform them of their rights under the Act. These rights are the right:
- to be informed of the use to which their personal data is to be put;
- to access their personal data in the custody of the data controller or data processor;
- to object to the processing of all or part of their personal data;
- to correction of false or misleading data; and
- to deletion of false or misleading data about them.
The data controller or data processor must also inform the data subject of:
- the fact that personal data is being collected;
- the purpose for which the personal data is being collected;
- the third parties to whom personal data has been or will be transferred, including details of the safeguards adopted;
- the contacts of the data controller or data processor, and whether any other entity may receive the collected personal data;
- a description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
- whether the data is being collected pursuant to any law, and whether such collection is voluntary or mandatory; and
- the consequences, if any, where the data subject fails to provide all or any part of the requested data.
A data controller or data processor must not process personal data unless and until they have received the data subject's consent to the processing for one or more specified purposes. The data subject may withdraw their consent at any time. However, withdrawal of that consent does not affect the lawfulness of any processing done prior to the withdrawal.
A data controller or data processor is required to keep personal data only for as long as is reasonably necessary to satisfy the purpose for which it is being processed, unless the law requires a longer period of retention or the data subject has authorized or consented to a longer retention period.
Is your organization compliant with the law?
You can reach out to us for assistance in complying with all the requirements of the law in all areas where you may be collecting or processing personal data.