Module 1 - Legal Aspects of Data Protection (1)
Mercy Mutemi
Summary
b. Article 19 (3)
- Human rights are inherent, they are not given.
- Human rights are only subject to the limitations in the
Constitution.
Constitutional foundations of data protection
c. Article 20 (1) & (2)
- Applies to all: Jemimah Wambui Ikere v Standard Group Limited & another [2013] eKLR
on vertical and horizontal application.
- What is protected is the right to enjoy the rights to the
greatest extent.
d. Article 21 (1)
- The State has a duty to observe, protect, promote and fulfil
human rights and fundamental freedoms.
e. Article 24
- How human rights are to be limited:
- The principle of legality
- Reasonable and justifiable in an open and democratic
society based on human dignity, equality and freedom
- Necessity principle
- Proportionality principle and whether there are less
restrictive measures
- Protection of the rights and freedoms of others.
f. Article 24 (2)
- What should a law limiting a right or fundamental freedom
look like:
- Specific expression of intention to limit the right and
the nature and extent of the limitation
- Clarity and specificity on the right and extent of
limitation
» Should not limit the right so far as to derogate
from its core or essential content.
Definitions
Data
Section 2 Data Protection Act:
• Information processed by means of equipment operating
automatically in response to instructions given for that
purpose
• Recorded information which is held by a public entity
• Information recorded as part of a relevant filing system
• Information that forms part of an accessible record
• Information recorded with intention that it should be
processed by means of equipment operating automatically in
response to instructions given for that purpose
Personal Data
Information relating to an identified or identifiable natural
person. Examples:
• Full name
• ID/Passport number
• Phone number (personal)
• Phone number (business)
• Bank account number
• Email address (personal)
• Email address (business)
• Social media handle
• House address
• Company registration number
• Biometric data
• Mother’s maiden name
• KRA (tax) PIN number
• Photo of face
• Property title number
• IP address
• Date of birth
• Place of birth
• Employment information
• Medical information
• Hospital booking number
• Blood type
• Location data
Data Processing
Territorial jurisdiction
● Data controllers and processors established or ordinarily
resident in Kenya AND process personal data while in Kenya
● Data controllers and processors not established or ordinarily
resident in Kenya but processing personal data of data
subjects located in Kenya.
Lesson 4
Data Processing
Legal basis of data processing (Section 30)
• Consent (Sections 2, 32)
– Express, unequivocal, free, specific and informed
– (Example: was provision of a service conditional on
consent?)
– Clear affirmative action signifying agreement to the
processing of personal data relating to the data subject
– Burden of proof is on the controller or processor
– Can be withdrawn at any time but won’t affect the
lawfulness of prior processing done before consent was
withdrawn
• Necessary for the performance of a contract to which the data
subject is a party
• Compliance with legal obligations
• Protecting the vital interests of the data subjects or another
natural person
• Performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller
• Exercise, by any person in the public interest, of any other
functions of a public nature
• For the legitimate interests pursued by the data controller or
data processor by a third party to whom the data is disclosed.
– Except if the processing is unwarranted in any particular
case having regard to the harm and prejudice to the rights
and freedoms or legitimate interests of the data subject.
• Historical, statistical, journalistic, literature and art or
scientific research
• Further processing where done in accordance with the
purpose of collection
* Processing without a legal basis is an offence.
Restrictions
Data revealing:
• Race
• Health status
• Ethnic social origin
• Conscience
• Belief
• Genetic data
• Biometric data
• Property details
• Marital status
Sensitive Personal Data
• Family details including names of the person’s children,
parents, spouse or spouses
• Sex or sexual orientation of the data subject
• Health Data
To only be processed:
- By or under the responsibility of a health care provider
- By a person subject to the obligation of professional secrecy
under any law.