Public and private entities seeking to collect personal data from Kenyans on Covid-19 pandemic will have to seek individual consent from the subjects.
This is according to a new policy from the office of the Data Protection Commissioner. It seeks to protect the personal data of Kenyans during ongoing efforts to fight the pandemic.
“There are a number of government initiatives that promote innovative responses to mitigate the effects of Covid-19,” states the draft Data Request Review Framework.
“For some of these aspirations to materialise, access and processing of personal data of individuals are necessary to appropriately respond to the pandemic,” explains the draft policy.
- 1 Signal back up after outage
- 2 WhatsApp users to lose access to accounts unless they agree to share data with Facebook
- 3 Senate calls for policies to safeguard Kenyans' data on TikTok
- 4 How secure is your data, really?
The State now wants services such as contact tracing apps that require health and geo-location data to beguiled by the Data Protection Act 2019. However, the data collection for purpose of Covid-19 responses will be limited to what is necessary and should be destroyed once its purpose has been exhausted.
“Responsible parties must collect personal information of an individual for a specific purpose, which in this context is to detect, contain and prevent the spread of Covid-19,” stated the policy. The guidelines come two months after the Data Protection Commissioner Immaculate Kassait was sworn into office, and will serve as the litmus test for the regulator. The rules come on the back of increased studies by researchers seeking to document the impact of Covid-19.
The ICT Authority is yet to reveal whether Kenya will be rolling out a State-backed contact tracing app.
In June 2020, the National Transport and Safety Authority invited bids to develop a contact tracing app, alongside a cashless payment solution but the plan has since been shelved.
Company officials directly involved with accessing and processing users’ personal data will also be required to demonstrate how they will safeguard it.
Personal data-sharing agreements between third parties will also be approved by the Data Commissioner.