Kenya Information and Communications Technology

New data privacy laws will have a major impact on businesses both locally and globally. Multinational companies with global presence must now adapt to a wide range of regulations, often with different requirements and restrictions. Data privacy laws are enacted in order to enable data protection authorities (DPAs) to make binding decisions and issue administrative sanctions including fines, right to object to processing based on controller’s or public interests, and obligate processors to notify DPAs and data subjects about any suspected data breaches. They also provide data subjects with stronger consent requirements including collection of biometric or genetic data classified as sensitive data. 

Passed in 2019, the Kenya Personal Data Protection Act  was designed to bring the protection of personal data from misuse in Kenya as the country continues to be highly digitized. It’s a significant step for Kenya as it facilitates lawful use of personal data, including research, thus strengthening individuals’ fundamental rights. 

The Act governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors. The appointment of Kenya’s first Data Protection Commissioner in November 2020 finally operationalized the law.

The new act has significant implications for ICT service providers as well as other sectors such as the healthcare sector. The Act defines health data as data related to the state of physical or mental health of the data subjects. A data subject is the subject of personal data. Health data can be accessed when collecting patient information, reviewing patient records or accessing the national health databases’ information. For example, the issue of what data is collected, and what’s done with it, has become much more urgent in the light of accelerated efforts to find a COVID-19 vaccine. Draft regulations have been issued by Kenya’s new Data Commissioner for COVID-19 research. These provide a critical learning point for many stakeholders on how the new law could affect research and what the data processors and controllers need to be aware of.

Data controllers are those who determine the purpose and means of personal data processing. Data processors, on the other hand, process the personal data on behalf of the data controller. For example, research scientists process data through the research lifecycle which involves collection, analysis, and publication.

The role of the Data Commissioner is to enforce the new law by registering and monitoring the appointment of Data Protection Officers, data controllers and data processors. The person is also responsible for sensitizing the public about data issues and providing a code of practice to accompany the Act.

For more information please contact:  Janet.Mwangi@trade.gov