New regulations to guide data protection

The cabinet secretary for ICT, Youth and innovation Mr Joe Mucheru has published new regulations that will guide data protection in a special issue of the Kenya Gazette. The CS published the data protection and regulations 2021 supplement number 236,237,238 legislative supplement no 106 legal notices 263,264 and 265.

The regulations published include the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

The publication means that Parliament has the task to assess the Regulations, and if no issues are raised for a revision, then the regulations will come into effect. This will be done by February 2022.

The Data Protection (General) Regulations, 2021 provide for rights of a data subject, limitations to commercial use of such information, the roles of data controllers and processors, the communication of data breaches and transfer of data outside Kenya, to mention a few.

Secondly, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 allow for lodging, admission and response of complaints and enforcement provisions.

Lastly, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 give details about the process of registering data controllers and data processors. Their certificates have a validity of two years from the time of registration.

The provisions of these regulations are legal notices and shall come into effect six months after the date of publication. The Data Protection Act, 2019 was signed into law more than two years ago. Before then, the bill went through deliberations in Parliament for an extended period.

It was also key because it served as unique law in East Africa, because it follows the steps of Europe’s GDRP, and was actually necessary because Kenya was and is still experiencing data protection abuses.

Data protection issues have been raised in the country, and more so in the wake of the Huduma Namba registration exercise. Concerns were also highlighted for the better part of 2020 and 2021 after it became clear that some data processors and handlers, including online loan firms, were using personal data to further their business without considering the implications of doing so, including cases of blatant abuse of such information.

To this end, it is clear why the laws exist. In wholesome, The Act provides for a framework for the right to privacy as it applies to “personal data”, practices, safeguards, rules, transparency and responsibility, safe collection, processing and storage of personal data. It regulates the processing of personal data and has since seen the establishment of the office of the Data Commissioner in November last year.

The law also provides for the rights of data subjects and states the objectives of data controllers and processors. Moreover, it protects the privacy of individuals; establishes the legal and institutional mechanism to protect personal data; provides data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.

It also contributes to cementing your rights as an individual as in the right to access personal data, right to restrict processing, right to object to processing, right of rectification, data portability request and right of erasure.

Barely a year since the establishment of the data commissioner, the office has developed its first strategic plan for the period 2022 to 2025 as a master plan to guide its activities as anchored on the constitution, the national ICT policy, the digital economy blueprint and the data protection laws.

The strategy provides the overall policy direction in program prioritization and resource allocation to promote personal data protection in the country.

In addition, the office in collaboration with the Kenya School of Government has developed a data protection curriculum for Kenya to empower data controllers and processors to comply with the laws through capacity building. 

Written by Gerard Nyele.