The Data Protection Bill, 2018 was gazetted in June 2018 (shortly after the European Union’s General Data Protection Regulation (GDPR) became enforceable). The introduction of the bill was timely in taking into account the global trend to overhaul data protection laws and safeguard the right to privacy of information. At the time of writing, the bill is currently at its second reading at the Senate and is yet to be passed into law. There was an earlier version of a draft data protection law introduced in 2013 that has since been replaced by the bill.
The purpose of the bill is to protect personal data collected, used, or stored by both public and private entities. The bill seeks to operationalize Article 31 of the Constitution of Kenya 2010, which provides that every person has the right to privacy, including the right not to have information relating to his or her family or private affairs unnecessarily required or revealed (Article 31(c)); and the right not to have the privacy of his or her communications infringed (Article 31(d)). It is important to note that apart from the guarantee of a right to privacy under the Constitution, there is currently no overarching law that regulates data privacy. There are, however, separate pieces of legislation that deal with data privacy, including the Kenya Information and Communications Act (Chapter 411A, Laws of Kenya).
If passed into law, the bill would create significant obligations and responsibilities for “agencies” (persons who collect or process personal data) and “data controllers” (persons who, either alone or together with other persons, control the content and use of personal information). The bill would also create far-reaching rights for “data subjects” (persons from whom personal data is obtained). This will clearly have an impact on the employer and employee relationship considering the agencies and data controllers (employers) and the data subjects (employees) covered under the bill. In this regard, employers will need to ensure that they have established the necessary processes to comply with their obligations under the bill. In particular, employers that outsource their human resources and administrative functions to third parties may want to consider the provisions on consent, prior notification, and data transfer.
The bill bears some similarities to the United Kingdom’s Data Protection Act, 2018, which incorporates and supplements the provisions of the GDPR.
The bill provides that an agency, where it requires personal data from a person, shall collect such data from a data subject for a purpose that is specific, explicitly defined, and lawful (clause 7). Personal data includes information relating to the race, gender, sex, pregnancy, marital status, ethnic or social origin, education, medical, criminal or employment history, identity number, fingerprints or blood type, and contact details.
The bill also provides for nine sets of principles that are to govern its interpretation and application. In summary, the principles provide that:
- consent from a data subject is required when information is being collected directly from the subject or before information held by a third party is released to another person;
- a data subject shall be informed of the purpose of the information being collected and its intended recipients at the time of collection;
- reasonable steps are to be taken to ensure that the information processed is accurate and up to date;
- appropriate technical and organizational measures are to be taken to safeguard against the risk of loss or unauthorized access to personal information;
- data subjects shall have a right to access their personal information and a right to demand correction if such information is inaccurate.
Other key provisions of the bill include:
- Section 24, which sets out specific rules that apply to the processing of special personal information defined as information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or biometric information, or any information relating to the alleged commission of an offense or any proceedings relating to an alleged offense (section 2). In such cases, consent is required prior to the processing of such data.
- Section 32, which grants the Kenya National Commission on Human Rights the responsibility to oversee implementation and enforcement, including the right to investigate complaints relating to infringement of the rights of a data subject.
With respect to the transfer of personal data out of Kenya, section 31 of the bill prohibits such transfer unless: the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data; the data subject consents to the transfer; the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and the transfer is for the benefit of the data subject. This means that employers intending to transfer data for storage or processing abroad will first have to ensure that the transferee company has in place measures that will ensure the data transferred is adequately protected. This will be particularly challenging for transferees located in countries that do not have stringent data protection laws.
If the bill is passed into law, we would anticipate regulations to set out in detail how agencies and data controllers are to ensure compliance with their obligations, particularly with respect to the duty to obtain consent. There is no definition of consent in the bill and it is questionable whether it will suffice for an employee to give constructive consent or consent that is specific, informed, and unambiguous as required under the GDPR. We would also expect some level of detail with respect to the measures that must be taken by agencies and data controllers to guard against the risk of loss or unauthorized access to personal data. For example, the kind of policies and procedures that are to be adopted by an employer, the level of training and oversight required of parties that have access to personal data, and the technology (encryption, anti-virus or data backups) that must be adopted to ensure that data is secure.
It is worth noting that the Commission will be tasked with ensuring that agencies (including employers) have put in place adequate safeguards to protect personal data. Pursuant to section 38, employers that collect or process personal data in a manner contrary to the provisions of the bill commit an offense and are liable, on conviction, to a fine not exceeding Kenya Shillings 500,000 or to a term of imprisonment not exceeding five years or both.
Written by Sonal Sejpal and Tabitha Joy Raore of Anjarwalla & Khanna and Roger James of Ogletree Deakins
© 2019 Anjarwalla & Khanna and Ogletree, Deakins, Nash, Smoak and Stewart, P.C.