In last week’s post, which can be accessed here, we introduced the concept of data protection. We outlined why data is so important to big companies and why the United States and China are fighting over the same. Given the centrality of the consumer in this debate, today, we will look at the Act from a consumer’s perspective and highlight some of the key features that a consumer should be aware of, and what they mean to them.

Definition of personal data and sensitive personal data

The Act defines personal data as data relating to an identifiable natural person. Ideally, this is data that one can use to identify you, such as your name and location. Further, the Act defines sensitive personal information as data revealing the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation.

Significance: By identifying and defining what constitutes these kinds of data; this allows the law to accord protection based on the category, the data lies as we shall see below. Additionally, as Kenyans, we do provide government agencies and private institutions with much information. For example, when signing up for NHIF, one does offer health data. Do you know what that means, and how should NHIF handle your data? Equally, if a private building requires you to fill in your details when logging in, how should it treat that data?

Moreover, the above distinction acquaints us with the different categories of data protectable by law.

Principles for the collection and processing of personal data

The Act highlights some principles that persons should abide by when collecting personal data. They include:

1. Lawful processing- Persons collecting personal data should collect and process data only as provided for in the law.
2. Prior informed consent– Before collecting personal data, persons should inform the data subjects in a language that they understand of the reasons for collection and should obtain explicit permission from them.
3. The specificity of purpose– In processing personal data, persons should only use that data for the purposes they stated earlier. For example, if I collect your data to facilitate payment only, I should not send you marketing communication.
4. Data should be accurate, specific, and updated.
5. Reasonable retention period. Data should not be kept longer than necessary.
6. Data should not be transferred outside Kenya unless there is adequate data protection safeguards or consent from the data subject.

Significance: The above principles highlight some of the critical rights that consumers should be aware of. In reality, we must use personal data to access essential services. You may not get Netflix without your email; you cannot open your bank account without your ID. Thus, these companies collect a lot of personal and sensitive data from you. Upon signing up, there are instances where you pay using MPESA, and the next day, you get short messages from your supermarket promoting some products. Ideally, this practice is illegal as you only consented to the use of your data (mobile number) to facilitate access to the payment. Similarly, some of you might have signed up for a particular product, say a betting company, then later, you start receiving ads from another related enterprise.

The Act will require companies to obtain your consent before taking, using, or transferring your data to someone else with the Act. Similarly, companies will not send you marketing information without your permission.

Processing of the sensitive personal data

The Act provides for unique principles to govern the collection and processing of sensitive personal data. The Act requires the collection to conform with the principles above. Also, it requires either a health care provider; or a person subject to the obligation of professional secrecy under any law to process such data. However, the Act allows for the collection of personal data without data subjects consent to protect the data subject’s interest and to facilitate the performance of a task in the public interest. More so, the Act allows for personal data collected from another source where the collection would not affect the interests of the data subject.

Significance:  with the current pandemic, governments and private institutions will collect health data from citizens to fight the epidemic. Both governments and private institutions can rely on public interest exemptions to collect personal data. Notwithstanding that, both parties should ensure that they obtain the consent of the data subject, employ appropriate safeguards, and only allow individuals bound by legal secrecy to collect such data. (In a later post, I shall look at COVID-19 contract-tracing apps from a Data Protection Act perspective.)

Enforcement Provisions

The Act allows one who is “aggrieved by a decision of any person under this Act,” to file a complaint with the Data Commissioner. Thus, a consumer can lodge a complaint against a person who violates the Act. Upon submitting a claim, the Commissioner will investigate the allegation, and if a person is guilty, it shall serve them with the enforcement or a penalty notice. An enforcement notice shall seek the person to remedy the claim. On the other hand, a penalty notice requires the person to pay the fine specified in the notice. The Act entitles a consumer to seek damages from the data controller or data processor. Moreover, the Act provides for criminal sanctions and fines for persons that violate the Act.

Significance: Although we are yet to see any company fined for violating the Act, it presents an avenue for consumers to get redress. Equally, companies will be more vigorous in their data collection policies as they would be keen to avoid harsh penalties. (In our next post, Stephanie shall discuss this in detail)

For the consumer, the Act unveils a new era in which they will feel safe on how companies handle their data. Moreover, the Act provides certainty in the digital environment as companies will have a guide on how to process personal data.

Where do we find the devil? In the details

Consumers should also read the terms and conditions before transacting in the digital space. I know some of those contracts may be long and tedious, but the devil lies in the details. It is crucial to find out how a particular website/company will handle your data. Despite the existence of reprieve under the Data Protection Act, the cost of data breaches is very high. A company might compensate you for the loss of your data, but at what cost?

*Cover Image Credits: Kevin Ku from Pexels

Coming up next week…

1. A special mid-week edition is looking at Contract Tracing Apps from a Data Protection Act Perspective.
2. Given the nature of data protection and implications for failing to comply with the Act, Stephanie will handle this amorphous topic by highlighting salient provisions of the Act that companies should be aware of.