On Tuesday 13th October 2020, the National Assembly Speaker revealed that the President had nominated Ms. Immaculate Kassait as Kenya’s much awaited Data Commissioner.
If Parliament approves her appointment, Ms. Kassait will be responsible for leading the Office to implement and enforce the Data Protection Act.The Data Protection Commissioner will be expected to:
- Establish and maintain a register of data controllers and data processors;
- Oversee on data processing and ensure it is in accordance with the Data Protection Act, 2019;
- Promote self-regulation among data controllers and data processors;
- Conduct Data Protection Impact Assessments to ascertain that personal information is processed according to the law;
- Receive and investigate any complaint on infringements of the rights under the Data Protection Act;
- To educate the general public on the provisions of the Data Protection Act;
- Carry out inspections of public and private entities so as to evaluate the processing of personal data;
- Promote international cooperation in data protection matters relating and ensure that Kenya complies with data protection obligations under international law; and
- Research on developments in data processing and ensure that they have no adverse effect on the privacy of individuals.
The law gives the Office the following powers to execute its mandate:
- To conduct investigations on their own initiative, or on the basis of a complaint
- To obtain necessary professional assistance, consultancy or advice when necessary
- To facilitate dispute resolution on disputes arising from the Data Protection Act
- To issue summons to a witness for the purposes of an investigation
- To require any person to provide it with explanations, information and assistance
- To impose administrative fines for failures to comply with the Data Protection Act
Other duties imposed by the law include:
- Joining associations and organisations in furtherance of the Act.
- To issue a data sharing code which will contain a practical guidance on the sharing of personal data according to provisions of the Data Protection Act between government departments or public sector agencies.
- To issue guidelines or codes of practice for the data controllers, data processors and data protection officers
- To offer data protection certification standards and data protection seals and marks in order to encourage compliance of processing operations with the Data Protection Act
- To require certification or adherence to code of practice by a third party
- To develop sector specific guidelines for areas such as health, financial services, education, social protection and any other areas where there is data processing.
While Ms. Kassait’s tenure as the Director Voter Education, Partnerships and Communication & Corporate Affairs at the Independent Electoral and Boundaries Commission is making some Member’s of Parliament uneasy as reported by the Daily Nation, the challenge ahead of her is bigger.
On the day her nomination was announced, the Huduma Number laws were gazetted. The Registration of Persons (National Integrated Identity Management System) Rules, 2020 and the Data Protection (Civil Registration) Regulations, 2020 are now law in compliance with the Nubian Rights Forum case judgement. With the government having announced plans to proceed with the Huduma Number project, the Data Commissioner’s role will be to ensure that the process is in compliance with the data protection Act while building public confidence in the whole system.
Other challenges the Data Commissioner is going to deal with is how to establish and maintain a register of data controllers and data processors in a way that it does not affect Kenya’s ease of doing business.
The Office has to be efficient in their complaint system. The term “you have nothing to hide” is commonly used by Kenya’s security agencies to justify unwarranted intrusion which is against the the Data Protection Act. While section 10 of the Act requires the Data Commissioner to work closely with national security agencies, maintaining a balance national security interests and ensuring that the Act is operationalized to enable businesses to lawfully use data commercially will be a challenge.
In 2019, a study by IPSOS and the Internet Society found Kenya’s concern for privacy at 44%, the lowest in the entire study. The Office has to expend effort and money in civic education and in educating the general public on the provisions of the Data Protection Act.
Since the world has become a global village due to internet connectivity, the issue of cross border transfers will be prevalent for the next few years.