In our third article in our Data Protection law series, we discuss the principles of data protection and how organisations can implement them.
Principles & Rights based legislation
Those who are by now familiar with Kenya’s Data Protection Act of 2019 will appreciate that this law, like the EU’s GDPR. is inward looking; it requires organisations to assess their internal systems and procedures for purposes of complying with it. It is by and large rights and principles-based. Like our Constitution.
Chapter 4 of Kenya’s Constitution set outs the ‘Bill of rights’. Among these Constitution-enshrined rights are the right to life, right to privacy, right to fair labour practices etc. The Constitution essentially set outs these rights, and opens up the State and all persons to court proceedings and sanction for failure, denial, violation, infringement or threat to these rights.
In like manner, the Data Protection Act set outs rights and principles that all data processors and controllers must adhere to.
Data Protection Principles & Rights
The principles and rights of data protection and a data subject are set out in section 25 and 26 of the Act. These are as follows:
(a) processed in accordance with the right to privacy of the data subject;
(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;
(c) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
(d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
(e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
(f) accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
(g) kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
(h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
A data subject has the following rights:
(a) to be informed of the use to which their personal data is to be put;
(b) to access their personal data in custody of data controller or data processor;
(c) to object to the processing of all or part of their personal data;
(d) to correction of false or misleading data; and
(e) to deletion of false or misleading data about them.
Where a person is of the view that a particular data controller or processor has not processed their data in a manner that is consistent with these principles and rights, such person can complain to the Data Commissioner (under section 57 of the Act) who, if convinced of non-compliance with any provision of this Act, (the Data Commissioner) may serve an enforcement notice on that person requiring that person to take such steps and within such period as may be specified in the notice. A person who fails to comply with an enforcement notice is subject to a fine of up to five million shillings or to imprisonment for a term not exceeding two years, or to both.
This principles and rights-based legislation makes it necessary for organizations to be introspective about their systems and procedures, because how one organization complies with the deletion (or other) right is different from another.
Examples of Organisational & Technical Measures
Article 31 of the Constitution of Kenya provides that every Kenyan has a right to privacy, which right includes a right not to have:
- Their person, home or property searched;
- Their possessions seized;
- information relating to their family or private affairs unnecessarily required or revealed
- The privacy of their communications infringed
For many third party controllers and processors, compliance with the ‘Privacy principle’ can involve the following:
- As an organization, not requiring information regarding family unless in the context of ‘next of kin’ and in the context where this is necessary. For example a hospital or in context of air transport, the service provider may require next of kin details in order to be in a position to notify a third party in the event of an emergency when the person (data subject) is unable to communicate.
- As an employer, in employee induction forms, notifying and stating that an office computer is the company’s property, and requiring a sign-off by employees that they understand this and its consequence, eg that the company has a right to access the computer and its contents, which conduct shall not be construed as being the employee’s property.
- As an employer, not accessing, reading and or using material or information it comes across in an employee’s signed-in Yahoo account.
- In requesting information about an employee’s family, providing the nexus between the request and a particular legitimate purpose (to evidence the necessity aspect), eg when requesting information on a person’s children, to request this in the context of dependents’ for purposes of employment benefits, eg where an employee pays school fees for children, or for pension beneficiaries.
Companies are required to inculcate the Privacy principle in their systems and procedures across all functions. Breaches of this principle would be the following:
- An ‘employee joining’ form which requires, without any explanation, a listing of spouse and children.
- A company’s website using/employing cookies on site visitors without advising those that are essential (to access) and those that a visitor can opt out of (not necessary, like for marketing).
- A visitor form (or book) which requires all visitors to provide (without rationale for each information) their name, ID and phone number.
- An employer accessing an employee’s yahoo mail from the employee’s office computer merely because the employee is logged into their yahoo account/has saved their yahoo account password.
- An organization requiring a person’s national ID card or passport to be left with the watchman/security in order to access a building or office.
Recall that compliance is organization-dependent, so a company that is able to prove that the measures it has adopted, both technical and organization, are so as to enable the particular organization comply with the principles and rights, is not likely to fall foul of the legislative requirement.
We shall next provide examples of compliance (and non-compliance) with the fairness principle.
Photo by Jason Dent on Unsplash