Public bodies are expected to comply with the provisions of the Data Protection Act, 2019. The Act defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. It also defines a data processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
The Act requires data controllers and data processors to register with the Office of the Data Commissioner. The draft Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 state that the only public bodies exempted from registration are State Corporations and County Corporations. All other public bodies at national or county government level which operate within a state department or county department, are wholly funded from the Exchequer and provide a public service will be required to register and pay fees.
The processing of personal data by a national security organ mentioned in the Constitution, in furtherance of its mandate, constitutes processing for national security purposes and is exempt from the provisions of the Data Protection Act. It is important to note that Kenya does not have a law enforcement privacy law equivalent to the EU's Law Enforcement Directive, which deals with the processing of personal data by data controllers for 'law enforcement purposes' and which falls outside the scope of the GDPR.
Since government bodies share personal data, the Act states that the Data Commissioner may issue a data sharing code containing practical guidance on the sharing of personal data in accordance with the requirements of the data protection legislation. The data sharing code shall specify the lawful exchange of personal data between government departments or public sector agencies. This provision indicates that the Data Commissioner will be guiding government bodies on how they are to handle personal information.
Enforcement by the Data Commissioner
The Data Commissioner has quasi-judicial powers and may serve an enforcement notice and a penalty notice on a public body that is not complying with data protection law.
In Europe, the United Kingdom's ICO has fined Hampshire County Council, while the Portuguese regulator (CNPD) has previously fined RTP, the public television company. The Bulgarian National Revenue Agency (NRA) was fined 5,100,000 BGN (approximately KES 336.1 million) by the Bulgarian Commission for Personal Data Protection (CPDP) in August 2019. In its decision, the CPDP found that the NRA's failure to implement the necessary technical and organisational measures had resulted in unauthorised access to, disclosure of and distribution of the personal data of more than 6 million natural persons. The compromised personal data included names, addresses and contact information, as well as data from individuals' annual tax returns, information relating to their personal income tax position, insurance declarations and health insurance premiums, and data on tax payments they had completed and on VAT refunds claimed and received. In addition to imposing a fine, the CPDP announced that it had ordered the NRA to undertake a number of actions designed to improve its data security practices. So there is precedent for fining public sector bodies, even though the GDPR gives member states discretion on whether to levy fines on public authorities and bodies and there is a general reluctance to fine such organisations.
In Kenya, the question remains: will the Office of the Data Protection Commissioner clamp down on public bodies that breach data protection law, or will they merely receive a slap on the wrist?
But prevention is better than cure. It would be better for the Office of the Data Protection Commissioner to stop privacy breaches from happening in the first place, through awareness-raising within public bodies and through programmes that enable those organisations to comply with the provisions of the Act.