The Centre for Intellectual Property and Information Technology Law (CIPIT), Strathmore University has published a study of the Publicly Available Data Policies of Commercial Banks operating in Kenya in Relation to a Set Data Protection Standard.

The report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). The standard comprises three broad indicators: 

1. data collection, 
2. data sharing, and 
3. the rights of data subjects. 

• Data Collection

To ensure that data collection adheres to data protection requirements the following requirements must be met: 

1. A data subject needs to be informed of the type of data being collected;
2. A data subject needs to be informed of the purpose of processing;
3. A   description   must   be   provided   for   technical   and   organizational   security   measures   taken   to   ensure the integrity and confidentiality of the data (Principle of integrity and confidentiality);
4. The  data  retention  period/criteria  to  be  used  to  determine the period must be mentioned;
5. The   data   subject   must   be   given   a   means   of   providing  valid  consent  for  the  specified  purposes  of data collection;
6. The measure to be taken in the event of data breach i.e. data breach notification provisions in the event of a security mishap;and 
7. The   contact   details   and   identity   of   the   data   controller/ processor must be provided.

• Rights of Data Subjects

Data protection is ensured when the following rights are granted:

1. The right to access information about themselves, i.e. which type of data is held about them, details of the data controller, details of any recipients, data retention period etc;
2. The right to rectification, which entitles data subjects to have inaccurate data about them corrected or incomplete data completed;
3. The right to erasure, which entitles data subjects to have their personal data erased;
4. The right to restrict processing or object to processing of all or part of their personal data, which entitles data subjects to limit how an organisation uses their data;
5. The right to data portability, which entitles data subjects to transfer their personal data from one controller to another in a structured, commonly used, and machine-readable format;
6. The right to lodge a complaint with a supervisory authority; and
7. The right to know the existence of automated decision-making and object the outcome of such decision making, i.e. the logic involved, the significance, envisaged consequences of such processing and recourse.3

• Data Sharing

Provisions that adequately communicate a controller’s data sharing practices must state:

1. Which third-party actor holds/receives the personal data;
2. The types/ categories of personal data being processed;
3. The purposes of processing; and
4. The appropriate safeguards to be maintained by a third party.

Test to determine the adequacy of consent.

CIPIT developed a threefold test to determine the adequacy of consent in the study.

First, the test evaluates whether customers/visitors to the site are informed of each instance of use (or intended use) of their data, and whether they are given the opportunity to opt-in/out. 

Second, the test evaluates whether the choice to opt-in/out was through a mechanism such as a checkbox that would actively prompt them to indicate their consent. 

Third, the test evaluates whether the customer/visitor to the site has the option of revoking consent at a later date, and the means provided for revocation of consent.

Findings

• Policies evaluated on indicators pertaining to Data Collection

The study found that the studied banks were generally likely to have incomplete /unclear provisions in their policies. The most frequent provision in the banks’ data policies was the  purpose  of  processing  data. The least frequent provision was that of data breach notification.

• Policies evaluated on indicators pertaining to the Rights of Data Subjects

A large number of the banks studied took one of two approaches: clear and unambiguous provisions for the rights of data subjects, or a complete lack of such provisions.The most frequently recited right was the right to rectification while the right to object to the outcome of automated decision-making was the least frequent. 

• Policies evaluated on indicators pertaining to Data Sharing

Provisions  relating  to  the  purpose  of  data  processing  by  third parties were the most prominent. Provisions relating to the type or category of data received by  third  parties  were  technically  the  least  frequent.

The study shows areas that have the greatest need for improvement for the overall banking sector. For example, the lowest average scores were obtained in the following sub-indicators:

1. Data Breach Notification provisions;
2. Right to Object to the outcome of automated decision-making;
3. Right to Data Portability;
4. Types/ categories of personal data being processed by third parties; and
5. Description of the technical/ other measures taken to ensure the integrity and confidentiality of data.

Effect of the Study on data protection in Kenya

While the study looks at the Privacy Policies of commercial banks in Kenya, the study refrains from making reference to specific banks, and anonymises bank identity in the tabulations. However, a list of the studied banks is contained in the appendix to the report. Nothing stops the Data Protection Commissioner from using the report to initiate audits on banks to check default of data protection law. The Data Protection Act, 2019 states that the Office of the Data Protection Commissioner can exercise oversight,  carry out inspections and even conduct assessments on data processing operations to verify whether the processing of data is done in accordance with the Act.

Therefore banks should prioritise data protection since a penalty notice from the ODPC has the potential of destroying their reputation and credibility in the market.

To be fair, most banks already have good data protection systems due to the sensitive nature of banking. However, data protection law prescribes certain specific compliance requirements that banks should not ignore.

Oxygene MCL’s Data Protection Compliance team has vast experience in assisting financial institutions in data protection compliance and are ready to serve. For assistance in privacy and data protection compliance issues, you can contact Francis Monyango through his email address: francis.monyango@oxygene.co.ke.