MODULE 1

Legal Aspects of Data Protection

Mercy Mutemi
 Summary

Lesson 1: Constitutional foundations of data protection

Lesson 2: Definitions
Lesson 3: Kenya Data Protection Act, 2019
Lesson 4: Data Processing
 Lesson 1

Constitutional foundations of data

protection
Constitutional foundations of data protection
Why it is important to understand the underlying Constitutional
basis:
• It helps to understand the why of data protection.
• Privacy by design can only be achieved through seeking to
achieve the underlying goal.
Constitutional foundations of data protection
a. Article 19 (2)
- The purpose of having a bill of rights is to preserve the
dignity of individuals and promote social justice.

b. Article 19 (3)
- Human rights are inherent, they are not given.
- Human rights are only subject to the limitations in the
Constitution.
Constitutional foundations of data protection
c. Article 20 (1) & (2)
- Applies to all-
Jemimah Wambui Ikere v Standard Group Limited & anot
her [2013] eKLR
on vertical and horizontal application.
- What is protected is the right to enjoy the rights to the
greatest extent.
d. Article 21 (1)
- The State has a duty to observe protect, promote and fulfil
human rights and fundamental freedoms.
Constitutional foundations of data protection
e. Article 24
- How human rights are to be limited:
- The principle of legality
- Reasonable and justifiable in an open and democratic
society based on human dignity, equality and freedom
- Necessity principle
- Proportionality principle and whether there are less
restrictive measures
- Protection of the rights and freedoms of others.
Constitutional foundations of data protection
f. Article 24 (2)
- What should a law limiting a right or fundamental freedom
look like:
- Specific expression of intention to limit the right and
the nature and extent of the limitation
- Clarity and specificity on the right and extent of
limitation
» Should not limit the right so far as to derogate
from its core or essential content.
Constitutional foundations of data protection

g. Article 28 - Human dignity

– Every person has inherent dignity and the right to have
that dignity respected (See Hingh;
Fred Khumalo & Others v Bantubonke Harrington Hol
omisa
)
h. Article 29 - Freedom and security of the person
- The right not to be subjected to psychological torture
- The right not to be treated or punished in a cruel, inhuman
or degrading manner
Constitutional foundations of data protection

i. Article 30 - Slavery, servitude and forced labour

- Data exploitation as servitude (See Romele)
j. Article 31 (c)
- The right not to have information relating to family or
private affairs unnecessarily required or revealed
- Required
- Revealed
k. Article 31 (d)
- The right not to have the privacy of communications
infringed.
Constitutional foundations of data protection

l. Article 35 - Access to information

- Right of access to information held by the State or by another
person and required for the exercise or protection of a right of
a citizen
m. Article 36 - Freedom of association
- Not to be compelled to join an association of any kind
- See
Clubhouse accessing contacts of people who have not signed
up to invite them
; being added to WhatsApp groups without consent; political
parties online register saga
Constitutional foundations of data protection

n. Article 40 - Right to property

- Is data property?
- Right to own data of ANY description
o. Article 40 (6)
- Effect of acquiring property unlawfully- lose the
protection of the right to property
p. Article 43 - Economic and social rights
- Entitlements to these rights and reliance on biometric data
regimes
Constitutional foundations of data protection

q. Article 53 - Children rights

- A child’s best interests are of paramount importance in every
matter concerning the child.
r. Article 46 - Consumer rights
- Right to information necessary for one to gain full benefits
from goods and services
- Protection of health, safety and economic interests
- Compensation for loss or injury from defects on goods or
services.
- Fair, honest and decent advertising
 Discussion Questions

1. Is data protection limited to the right to privacy or is it

broader?
2. Is data property?
3. Person or the data?
Lesson 2

Definitions
 Data
Section 2 Data Protection Act:
• Information processed by means of equipment operating
automatically in response to instructions given for that
purpose
• Recorded information which is held by a public entity
• Information recorded as part of a relevant filing system
• Information that forms part of an accessible record
• Information recorded with intention that it should be
processed by means of equipment operating automatically in
response to instructions given for that purpose
 Personal Data
Information relating to an identified or identifiable natural
person. Examples:
• Full name
• ID/Passport number
• Phone number (personal)
• Phone number (business)
• Bank account number
• Email address (personal)
• Email address (business)
• Social media handle
 Personal Data
• House address
• Company registration number
• Biometric data
• Mother’s maiden name
• KRA (tax) PIN number
• Photo of face
• Property title number
• IP address
• Date of birth
 Personal Data

• Place of birth
• Employment information
• Medical information
• Hospital booking number
• Blood type
• Location data
 Data Processing

Any operation performed on personal data whether or not by

automated means such as:
• Collection, recording, organization, structuring
• Storage, adaptation, alteration
• Retrieval, consultation or use
• Disclosure (transmission, dissemination etc.)
• Alignment, combination, restriction
• Erasure and destruction
 Other definitions
- Data subject
- The identified or identifiable person who is the subject of
personal data
- Data controller
- A person (natural or legal), public authority, agency or
other body who determines the purpose and means of
processing personal data
- Data processor
- A person (natural or legal), public authority, agency or
other body who processes personal data on behalf of the
data controller
 Discussion Questions

Discuss who, between data controller or data processor,

determines each of the following:
• Whether or not to collect data
• The lawful basis for collecting data
• What type of personal data to collect
• What IT systems or other methods to use to collect data
• How to store the personal data
• The details of the security measure to protect the personal
data
• The purpose the data are to be used for
• Which individuals to collect about
 Discussion Questions
• Whether to disclose the data and if so, to whom
• What to tell potential data subjects
• How to respond to requests made by data subjects
• How long to retain the data
• How to delete or dispose of the data
 Lesson 3

Kenya Data Protection Act, 2019

 Kenya Data Protection Act, 2019
Long title
An Act of Parliament to–
• give effect to Article 31(c) and (d) of the Constitution
• establish the Office of the Data Protection Commissioner
• make provision for the regulation of the processing of
personal data
• provide for the rights of data subjects
• provide for the obligations of data controllers and processors
• provide for connected purposes
 Kenya Data Protection Act, 2019

Object and Purpose of DPA (Section 3)

• Regulate the processing of personal data
• Ensure that the processing of personal data is guided by data
principles
• Protect the privacy of individuals
• Establish legal and institutional mechanism to protect
personal data
• Provide data subjects with rights and remedies to protect their
personal data from processing that is not accordance with the
Act
 Kenya Data Protection Act, 2019

Subject matter jurisdiction (Section 4)

(i) Personal data
● Entered in a record by/for a data controller or processor
by automated means
● Entered in a record by/for a data controller or processor
by non-automated means where it forms part of a filing
system
 Kenya Data Protection Act, 2019

Territorial jurisdiction
● Data controllers and processors established or ordinarily
resident in Kenya AND process personal data while in Kenya
● Data controllers and processors not established or ordinarily
resident in Kenya but processing personal data of data
subjects located in Kenya.
 Lesson 4

Data Processing
 Legal basis of data processing (Section 30)
• Consent (Sections 2, 32)
– Express, unequivocal, free, specific and informed
– (Example- was provision of a service conditional on
consent?)
– Clear affirmative action signifying agreement to the
processing of personal data relating to the data subject
– Burden of proof is on the controller or processor
– Can be withdrawn at any time but won’t affect the
lawfulness of prior processing done before consent was
withdrawn
 Legal basis of data processing (Section 30)
• Necessary for the performance of a contract to which the data
subject is a party
• Compliance with legal obligations
• Protecting the vital interests of the data subjects or another
natural person
• Performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller
• Exercise, by any person in the public interest, of any other
functions of a public nature
 Legal basis of data processing (Section 30)
• For the legitimate interests pursued by the data controller or
data processor by a third party to whom the data is disclosed.
– Except if the processing is unwarranted in any particular
case having regard to the harm and prejudice to the rights
and freedoms or legitimate interests of the data subject.
• Historical, statistical, journalistic, literature and art or
scientific research
• Further processing where done in accordance with the
purpose of collection
* Processing without a legal basis is an offence.
 Restrictions

Data relating to a child (Section 33)

Do NOT process unless–
(a) Consent from parent or guardian (unless it involves
provision of counselling or child protection services);
AND
(b)Processing is in a manner that protects and advances the
rights and best interests of the child.
 Restrictions

Automated individual decision making (Section 35)

Data subject has a right NOT to be subject to a decision based
solely on automated processing (such as profiling) which
produces legal effects concerning the data subject.
Exceptions include–
(a) Where the data subject has given their consent;
(b)Where it is necessary for entering into, or performing a
contract between the data subject and a data controller
 Restrictions
(c) Where it is authorized by a law to which the data
controller is subject. The said law should lay down suitable
measures to safeguard the data subject’s rights and legitimate
interests.
The data controller has a duty to notify the data subject where a
decision has been made solely based on automated means. The
data subject has a right to appeal that decision and to request that
a different decision be made without using automated means. The
data controller has to comply with the appeal.
 Restrictions

Objection (Section 36)

If the data subject has objected to the processing, the legal basis
for processing is lost UNLESS the data controller demonstrates
compelling legitimate interests for the processing which
overrides the data subject’s interests or for the defence of a legal
claim.
 Restrictions

Commercial use of data (Section 37)

Commercial use of personal data is forbidden UNLESS–
(a) Consent has been obtained from the data subject; or
(b)The use is authorized under a written law and the data
subject has been informed of such use when collecting
the data from the data subject.
When using personal data for commercial purposes personal
data should be anonymized in such a manner to ensure that the
data subject is no longer identifiable.
 Data protection principles (Section 25)

Principle 1: Right to privacy

• To be processed in accordance with the right to privacy of the
data subject
• For information relating to family or private affairs, data
should only be collected only where there is a valid
explanation
Principle 2: Lawfulness, fairness and transparency
• In relation to the data subject
 Data protection principles (Section 25)

Principle 3: Purpose limitation

• Should be collected for explicit specified and legitimate
purposes
• Should not be further processed in a manner incompatible
with the original purpose
Principle 4: Data minimization
• Only process data that is adequate, relevant and limited to
what is necessary in relation to the purpose for which it is
processed.
 Data protection principles (Section 25)

Principle 5: Accuracy (Section 25, 40)

• Accurate
• Kept up to date if necessary
• Erase or rectify any inaccurate personal data
Principle 6: Storage limitation (Section 25, 39)
• Kept in a form which identifies the data subjects for no
longer than is necessary for the purpose for which it was
collected
 Data protection principles (Section 25)

Principle 7: International Transfers

• Not to be transferred outside Kenya unless there is proof of
adequate data protection safeguards or consent from the data
subject
Principle 8: Integrity and confidentiality
• Right to be informed of the use to which their personal data is
to be put
 Rights of a data subject (Section 26)
• Right to access their personal data in custody of the data
controller or data processor
• Right to object to the processing of all or part of their
personal data
• Right to correction of false or misleading data
• Right to deletion of false or misleading data about them
(Compare this right to the right to be forgotten)
• Right to data portability (Section 38). This is the right to
receive personal information in a structured, commonly used
and machine-readable format and the right to transmit data
held by one controller to another controller.
 Sensitive Personal Data

Data revealing:
• Race
• Health status
• Ethnic social origin
• Conscience
• Belief
• Genetic data
• Biometric data
• Property details
• Marital status
 Sensitive Personal Data
• Family details including names of the person’s children,
parents, spouse or spouses
• Sex or sexual orientation of the data subject
• Health Data
To only be processed:
- By or under the responsibility of a health care provider
- By a person subject to the obligation of professional secrecy
under any law.
 Sensitive Personal Data

Permitted grounds for processing sensitive personal data

* By a foundation, association or not-for-profit body with a
political, philosophical, religious or trade union where:
- It is processed in the course of legitimate activities;
- There are appropriate safeguards;
- The processing relates solely to members of the body or
persons with regular contact with its purpose; AND
- The personal data should not be disclosed outside the
processing body without the consent of the data subject.
 Sensitive Personal Data

* Processing relates to personal data which is manifestly made

public by the data subject
* Processing is necessary for–
- Establishment, exercise or defence of a legal claim
- The purpose of carrying out the obligations and exercising
specific rights of the controller or of the data subject
- Protecting the vital interests of the data subject or another
person where the data subject is physically or legally
incapable of giving consent.
 Other laws relating to data processing
• Consumer Protection Act, 2012; and the Consumer Protection
Guidelines.
– Generally protect consumer data.
• Kenya Information and Communications Act, 1998; Kenya
Information and Communications (Consumer Protection)
Regulations, 2010.
– Outline the requirements and compliance standards for
licensed information and communication service
providers who are data collectors and controllers.
 Other laws relating to data processing
• Kenya Information and Communications Act (Registration of
SIM Cards) Regulations, 2015
– Give specific requirements to controllers and processors.
• Public Health Act, 2012; Health Act, 2017 and the HIV and
AIDS Prevention and Control Act, 2006; and Health
Information System Policy.
– Regulate health data.
 Other laws relating to data processing
• National Payment System Act; the National Payment System
Regulations, 2014; Central Bank of Kenya: Prudential
Guidelines for Institutions Licensed under the Banking Act;
Guidelines on Cybersecurity for Payment Service Providers;
Banking (Credit Reference Bureau) Regulations 2013.
- Regulate financial data.
• Elections Act, 2011; the Elections (Registration of Voters)
Regulations 2012; Political Parties Act, 2011.
- Governs elections data