Data Processing Principles:
All data processors/controllers are required to follow the data protection principles, which are:
- Data processing in accordance with the right to privacy of the data subject;
- Fair and transparent processing of a data subject's personal data;
- Collection of personal data for specified and legitimate purposes and not further processing beyond those purposes;
- Purpose limitation for data collected;
- Collection of personal data relating to family or private affairs only where a valid explanation is provided;
- Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
- Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
Duty to Notify:
Before collecting any personal data, data processors/controllers are required to notify a data subject of:
- Their rights as data subjects under the DPA;
- The fact that their data is being collected and the purpose for the collection;
- Any third parties that have or will have access to their data, including details of safeguards adopted;
- The contacts of the data controller/processor and any other entity receiving the collected personal data;
- The technical and organisational security measures taken to ensure the integrity and confidentiality of the data;
- Whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory; and
- The consequences, if any, if they fail to provide all or any part of the requested data.
Lawful Processing:
Personal data may only be processed on one of the lawful bases provided under Section 30 of the DPA, namely:
- Consent: the individual has given clear consent for a data processor or controller to process their personal data for a specific purpose;
- Contract: the processing is necessary for the performance of a contract between a data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
- Legal obligation: the processing is necessary for a data processor or controller to comply with the law (not including contractual obligations);
- Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person;
- Public task: the processing is necessary for a data processor or controller to perform a task in the public interest or the exercise of official authority vested in the controller;
- Legitimate interests: the processing is necessary for a data processor or controller's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject's data which overrides those legitimate interests; and
- Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required in such pursuits.
Data Retention Obligations
Data processors and data controllers are required to retain personal data for a lawful purpose and only for as long as may reasonably be necessary for the purpose.
Under the Regulations, the data controllers and processors are required to establish a data retention schedule with appropriate time limits for review of the need for continued storage. Periodic audits of the data retained are also required.
Upon lapse of the purpose for which the personal data was collected, data controllers and data processors are required to erase, delete, anonymise or pseudonymise the personal data retained.
Obligation to Process Personal Data Anonymously or Pseudonymously
A data subject may request that their data be processed anonymously or pseudonymously.
Upon such a request, the data processor or data controller may accede to the request if the reason provided is that the data subject wishes:
- not to be identified;
- to avoid subsequent contact such as direct marketing from an entity or third parties;
- to enhance their privacy regarding their whereabouts;
- to access services such as counselling or health services without it becoming known to others;
- to express views in a public arena without being personally identified; or
- to minimise the risk of identity fraud.
Data Sharing Obligations
A data controller or data processor may share or exchange personal data collected if requested in writing by another data controller, data processor, third party or a data subject.
The written request for data sharing must specify the purpose for which the personal data is required, the duration it will be retained, and proof of safeguards in place to secure the personal data.
Under the Regulations, upon such a request, the providing data controller or data processor is required to enter into a data-sharing agreement with the requesting party.
Automated Individual Decision Making in Data Processing
While permitted under the DPA and the Regulations, a data controller or data processor utilising automated individual decision making in their data processing is required to:
- inform the data subject when engaging in processing based on automated individual decision making;
- provide meaningful information about the logic involved in such processing;
- ensure:
  - specific transparency and fairness requirements are in place;
  - rights for a data subject to oppose profiling, and specifically profiling for marketing, are present; and
  - where the processing is likely to result in a high risk to the rights and freedoms of the data subject, a data protection impact assessment is carried out;
- explain the significance and envisaged consequences of the processing;
- ensure the prevention of errors;
- use appropriate mathematical or statistical procedures;
- put appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors;
- process personal data in a way that eliminates discriminatory effects and bias; and
- ensure that a data subject can obtain human intervention and express their point of view.
Data Protection Policy
Data processors and data controllers in Kenya are required to develop, publish and regularly update a policy reflecting their personal data handling practices.
Contracts of Data Controllers and Data Processors
Data processors and data controllers may only engage through a written contract. The written contract must provide specified particulars under the Regulations.
Data processors are not permitted to engage the services of a third party without the prior authorisation of the data controller. Once authorisation is given, the data processor shall enter into a contract with the third party.
Personal Data required to be specifically processed in Kenya
Data controllers and data processors processing personal data based on the grounds of strategic interests of the state are required to process such personal data through a server and data centre located in Kenya or store at least one serving copy of the concerned personal data in a data centre located in Kenya.
Elements in Implementing Data Protection by Design or Default
Data controllers and data processors are required under the Regulations to establish data protection mechanisms aligned with the DPA and the Regulations and design technical and organisational measures to safeguard and implement the data protection principles. These principles are spelt out in the Regulations, where the elements of the principles and the obligations of data controllers and data processors are listed as follows:
Lawfulness:
To implement this principle, the following elements are necessary:
- appropriate legal basis or legitimate interests clearly connected to the specific purpose of the processing;
- processing that is necessary for the purpose;
- the data subject is granted the highest degree of autonomy possible with respect to control over their personal data;
- a data subject knowing what they consented to and easy means to withdraw consent; and
- restricting processing where the legal basis or legitimate interests ceases to apply.
Transparency:
To implement this principle, the following elements are necessary:
- the use of clear, simple and plain language to communicate with a data subject for them to make decisions on the processing of their personal data;
- easy access to information about the processing of the data subject's personal data;
- access for the data subject to the information on the processing at the relevant time and in the appropriate form;
- the use of machine-readable language to facilitate and automate readability and clarity;
- providing a fair understanding of the expectation with regards to the processing, particularly for children or other vulnerable groups; and
- providing details of the use and disclosure of the personal data of a data subject.
Purpose Limitation:
To implement this principle, the following elements are necessary:
- specifying the purpose for each processing;
- determining the legitimate purposes for the processing of personal data before designing organisational measures and safeguards;
- the purpose for the processing being the determinant for personal data collected;
- ensuring a new purpose is compatible with the original purpose for which the data was collected;
- regularly reviewing whether the processing is necessary for the purposes for which the data was collected and testing the design against purpose limitation; and
- the use of technical measures, including hashing and cryptography, to limit the possibility of repurposing personal data.
Integrity, Confidentiality and Availability:
To implement this principle, the following elements are necessary:
- having an operative means of managing policies and procedures for information security;
- assessing the risks to the security of personal data and countering identified risks;
- processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
- ensuring only authorised personnel have access to the data necessary for their processing tasks;
- securing transfers against unauthorised access and changes;
- securing data storage from unauthorised access and alterations;
- keeping back-ups and logs to the extent necessary for information security;
- using audit trails and event monitoring as a routine security control;
- protecting sensitive personal data with adequate measures and, where possible, keeping it separate from the rest of the personal data;
- having in place routines and procedures to detect, handle, report, and learn from data breaches; and
- regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.
Data Minimisation:
To implement this principle, the following elements are necessary:
- avoiding the processing of personal data altogether when data processing is not necessary for the relevant purpose;
- limiting the amount of personal data collected to only what is necessary;
- maintaining an ability to demonstrate the relevance of the data to the processing in question;
- pseudonymising personal data as soon as it is no longer necessary to hold directly identifiable personal data, with the pseudonymised data and the identification keys stored separately;
- anonymising or deleting personal data where it is no longer necessary for the purpose;
- making data flow efficient to avoid the creation of more copies or entry points for data collection than is necessary; and
- the application of available and suitable technologies for data avoidance and minimisation.
Accuracy:
To implement this principle, the following elements are necessary:
- ensuring data sources are reliable in terms of data accuracy;
- having personal data particulars being accurate as necessary for the specified purposes;
- verification of the correctness of personal data with the data subject before and at different stages of the processing depending on the nature of the personal data, in relation to how often it may change;
- erasing or rectifying inaccurate data without delay;
- mitigating the effect of an accumulated error in the processing chain;
- giving data subjects an overview and easy access to personal data in order to control accuracy and rectify as needed;
- having personal data accurate at all stages of the processing and carrying out tests for accuracy at critical steps;
- updating personal data as necessary for the purpose; and
- the use of technological and organisational design features to decrease inaccuracy.
Storage Limitation:
To implement this principle, the following elements are necessary:
- having clear internal procedures for deletion;
- determining which personal data, and what length of storage, is necessary for the purpose;
- formulating internal retention statements and implementing them;
- ensuring that it is not possible to re-identify anonymised data or recover deleted data and testing whether this is possible;
- the ability to justify why the period of storage is necessary for the purpose, and disclosing the rationale behind the retention period; and
- determining which personal data and length of storage is necessary for back-ups and logs.
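As an added example that is not part of the DPA summary above, the following Python shows one way of implementing the pseudonymisation element of Data Minimisation (pseudonymised data held apart from the identification key) together with the retention schedule and periodic audit described under Data Retention Obligations and Storage Limitation. The purposes, retention periods, grace period, record layout and key store are constructed assumptions for illustration, not anything the DPA or the Regulations prescribe.

```python
"""Added example: keyed pseudonymisation plus a retention schedule.
All purposes, periods and names below are constructed assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed retention schedule: purpose -> days for which directly
# identifiable data may be kept after collection (assumed values).
RETENTION_DAYS = {
    "order_fulfilment": 90,
    "customer_support": 365,
}


@dataclass
class KeyStore:
    """Identification key, kept in a separate store from the records
    (assumed design: the records never carry the key)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Record:
    """A constructed record: the direct identifier is cleared once
    the record has been pseudonymised."""
    email: Optional[str]
    pseudonym: Optional[str]
    purpose: str
    collected_on: date


def pseudonymise(identifier: str, keystore: KeyStore) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    The key lives in the KeyStore, so linking a token back to a person
    requires access to that separate store. A plain unkeyed hash would
    not give this separation, because the same identifier always maps
    to the same public value. Normalising the input keeps one person
    to one token regardless of capitalisation or stray whitespace."""
    canon = identifier.strip().lower().encode("utf-8")
    return hmac.new(keystore.key, canon, hashlib.sha256).hexdigest()


def apply_retention(records: List[Record], keystore: KeyStore, today: date,
                    grace_days: int = 30) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Enforce the schedule: pseudonymise a record once its retention
    period has lapsed, and delete it once a constructed grace period
    beyond that has also passed. Returns the surviving records and a
    log of actions taken, suitable for the periodic audit trail."""
    kept: List[Record] = []
    actions: List[Tuple[str, str]] = []
    for rec in records:
        limit = RETENTION_DAYS[rec.purpose]
        age = (today - rec.collected_on).days
        if age > limit + grace_days:
            actions.append(("delete", rec.pseudonym or rec.email or ""))
            continue  # record is dropped, not appended to kept
        if age > limit and rec.email is not None:
            rec.pseudonym = pseudonymise(rec.email, keystore)
            rec.email = None  # direct identifier no longer held
            actions.append(("pseudonymise", rec.pseudonym))
        kept.append(rec)
    return kept, actions


def audit(records: List[Record], today: date) -> List[Record]:
    """Periodic audit: records still holding a direct identifier past
    the retention limit for their purpose."""
    return [
        rec for rec in records
        if rec.email is not None
        and (today - rec.collected_on).days > RETENTION_DAYS[rec.purpose]
    ]


if __name__ == "__main__":
    store = KeyStore()
    sample = [  # constructed sample data
        Record("a@example.test", None, "order_fulfilment", date(2024, 1, 1)),
        Record("b@example.test", None, "customer_support", date(2024, 1, 1)),
        Record("c@example.test", None, "order_fulfilment", date(2023, 1, 1)),
    ]
    run_date = date(2024, 4, 1)
    print("overdue before run:", len(audit(sample, run_date)))
    remaining, log = apply_retention(sample, store, run_date)
    print("actions:", log)
    print("overdue after run:", len(audit(remaining, run_date)))
```

The split into a record store and a KeyStore is the point of the example: the audit and deletion logic never needs the key, while re-identification for a lawful purpose does, so access to the two can be controlled and logged separately.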
Fairness:
To implement this principle, the following elements are necessary:
- granting the data subjects the highest degree of autonomy with respect to control over their personal data;
- enabling a data subject to communicate and exercise their rights;
- elimination of any discrimination against a data subject;
- guarding against the exploitation of the needs or vulnerabilities of a data subject; and
- incorporating human intervention to minimise biases that automated decision-making processes may create.