Firms collecting Covid data must seek consent, says State

Silhouettes of laptop users are seen next to a screen projection of binary code are seen in this picture illustration taken March 28, 2018. [Dado Ruvic/Illustration, Reuters]

Public and private entities seeking to collect personal data from Kenyans on Covid-19 pandemic will have to seek individual consent from the subjects.

This is according to a new policy from the office of the Data Protection Commissioner. It seeks to protect the personal data of Kenyans during ongoing efforts to fight the pandemic.

“There are a number of government initiatives that promote innovative responses to mitigate the effects of Covid-19,” states the draft Data Request Review Framework.

“For some of these aspirations to materialise, access and processing of personal data of individuals are necessary to appropriately respond to the pandemic,” explains the draft policy.

The State now wants services such as contact tracing apps that require health and geo-location data to beguiled by the Data Protection Act 2019. However, the data collection for purpose of Covid-19 responses will be limited to what is necessary and should be destroyed once its purpose has been exhausted.

“Responsible parties must collect personal information of an individual for a specific purpose, which in this context is to detect, contain and prevent the spread of Covid-19,” stated the policy. The guidelines come two months after the Data Protection Commissioner Immaculate Kassait was sworn into office, and will serve as the litmus test for the regulator. The rules come on the back of increased studies by researchers seeking to document the impact of Covid-19.

Contact tracing

The ICT Authority is yet to reveal whether Kenya will be rolling out a State-backed contact tracing app.

In June 2020, the National Transport and Safety Authority invited bids to develop a contact tracing app, alongside a cashless payment solution but the plan has since been shelved.

Company officials directly involved with accessing and processing users’ personal data will also be required to demonstrate how they will safeguard it.

Personal data-sharing agreements between third parties will also be approved by the Data Commissioner.