Immaculate Kassait was sworn in on 16th November 2020 as Kenya’s first Data Commissioner (note that she is not the ‘Data Protection Commissioner’, which is the office, comprising the Data Commissioner and other staff appointed by the Data Commissioner). While we all wait to see her first course of action (Huduma Rules? Regulations on de-minimis registration of processors and controllers? Audits of our telcos’ processing of data? ), this article discusses one of the most frequently asked about issue: whether each instance of processing personal data (and thought) requires consent.
Kenya’s Data Protection Act, like the EU’s GDPR, requires a data subject (you and me) to consent to processing of their personal data, with the processor or controller having specified the purpose of collection.
Recalling that ‘processing’ of personal data includes collection, storing, retrieving, transmitting, accessing and disclosing, among others, companies will have to re-look at the way in which they, to start with, collect/obtain personal data they interact with and hold. The law stipulates that the collection of data be directly from the data subject, with some exceptions (we will look at the exceptions in a future article) including from public sources (like social media posts) and where a data subject consents to collection from another source (like when you agree to logging into an app through/via another apps log ins).
However, obtaining (and giving) consent to collection is not the only way for processing personal data to be considered lawful under the law.
Exceptions to the general ‘consent rule’ include:
(i)for performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract: In a typical credit agreement, the lender may require the potential borrower to consent to the lender seeking and obtaining information from credit reference bureaus and mobile money service providers, as part of due diligence. In obtaining such credit information in order to determine whether or not to enter into a lending agreement with a potential borrower, the bank need not request consent from the potential borrower (data subject) to collect from each and every CRB etc.
(ii)for compliance with any legal obligation to which the controller is subject: If a data controller, such as a government registry, is required or mandated to collect, store etc personal data, it does not need an individual’s consent to do so. Note that this does not preclude a controller from complying with the other requirements on treating/handling such personal data, for example, informing the data subject the use to which the data will be put, notification to the Data Commissioner in the event of breach etc)
(iii)in order to protect the vital interests of the data subject or another natural person: Perhaps among the clearest example of what can be ‘vital interest’ of a data subject would be COVID-19 related processing of personal data. Collection, storage etc of personal data of a COVID-19 patient, and his close contacts, could be seen to be vital such that the patient’s consent to collect and store his details is not nececssary
(iv)for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, (v)the performance of any task carried out by a public authority;(vi)for the exercise, by any person in the public interest, of any other functions of a public nature: A controller using this ‘exception’ to consent is likely to be a government or public body only. An example of such an instance would be collection and storage of personal data for purposes of a national census or election (read here our article whether census markers/identifiers need to include a person’s name).
Does a deceased person have the rights of a data subject outlined in the Data Protection Act, like a deletion right, right to correction of inaccurate data, right to stop/prevent processing? Read here our aged article about how the internet has made us immortal, without a choice.