Data Privacy and Protection has been an ongoing global conversation and Kenya has actively engaged in this new frontier in East Africa together with Uganda, Rwanda and Tanzania. Data privacy laws and new regulators are now in place in this part of the African continent which is a welcome development and also a demonstration of support to the worldwide effort to uphold the right to privacy of individuals with the aim of giving individuals control over their personal data.
In Kenya, the Office of the Data Protection Commissioner (ODPC) has been knee-deep in various activities including the registration of various entities as data controllers and processors, issuing audit notices in line with its statutory power to carry out audits which ensures compliance with the law, and even recently, issuing a penalty notice of Sh5 million to a known smartphone maker as a result of neglect and/or default to comply with an enforcement notice issued against it.
During the commemoration of International Data Privacy Day, the ODPC celebrated the strides made in Kenya from a data privacy and protection perspective. A key highlight was that all entities handling the personal data of individuals located in Kenya need to register with the ODPC subject to the thresholds provided under the law and this includes churches.
Data is one of the most valuable assets a church can have. The Data Protection Act of 2019 and the set of regulations issued in 2022 make up the legal framework for data privacy and protection in Kenya. These laws provide, among other things, principles to guide the processing of personal data, rights of data subjects, consent and other lawful bases for the processing of personal data, data sharing with third parties and transfer of personal data outside Kenya.
Churches have traditionally collected and used personal data from their members to fulfil their core functions including member registration which enhances the growth of the church, prayer requests and testimonies from church members, counselling of individuals and married couples, mission work and other common church activities. They process (collect, use, store and dispose of) colossal amounts of personal data including names, identification card numbers, emails, phone numbers, bank account information, health data and family details, among others. In this regard, they have a great responsibility to take care of personal data belonging to their members and other third parties.
Thus, churches need to rethink and reset their data-handling practices and overall strategies. They need to accelerate efficiencies through standardisation and automation and reconfigure operating models since data privacy has now become a foundational element of trust. By carefully managing members’ personal data, churches will not only be exercising good practices, but they will also be protecting themselves from a wide spectrum of consequences including financial and criminal sanctions, reputational damage for noncompliance, and operational restrictions.
Churches need to review the personal data that they keep, how it is used and stored, access controls relating to such information, the process for obtaining consent, especially where sensitive personal data is collected and the retention period for such personal data. Once this is determined, churches would need to communicate with their members about the information they collect, store, and how they may use it. This can be done through written policies, notices on websites as well as capacity building efforts to sensitise church members on the privacy frameworks their churches are putting in place.
For most organisations, appointing an individual who is responsible for data privacy and protection matters is becoming a key indicator of good corporate strategy and governance. Churches now need to consider whether the designation of such a role is necessary considering the complexity of data privacy and protection issues that could affect the church.
It is possible for churches to improve their data privacy and protection compliance to highly efficient operational levels by taking advantage of technology solutions and outsourcing privacy operations that are routine, high-volume, and repeatable.
The writer is a Manager, Legal Business Solutions at PwC Kenya