The Centre for Intellectual Property and Information Technology Law (CIPIT), Strathmore University has published a study of the Publicly Available Data Policies of Commercial Banks operating in Kenya in Relation to a Set Data Protection Standard.
The report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). The standard comprises three broad indicators:
- data collection,
- data sharing, and
- the rights of data subjects.
Data Collection
To ensure that data collection adheres to data protection requirements the following requirements must be met:
- A data subject needs to be informed of the type of data being collected;
- A data subject needs to be informed of the purpose of processing;
- A description must be provided for technical and organizational security measures taken to ensure the integrity and confidentiality of the data (Principle of integrity and confidentiality);
- The data retention period/criteria to be used to determine the period must be mentioned;
- The data subject must be given a means of providing valid consent for the specified purposes of data collection;
- The measures to be taken in the event of a data breach, i.e. data breach notification provisions in the event of a security incident; and
- The contact details and identity of the data controller/processor must be provided.
Rights of Data Subjects
Data protection is ensured when the following rights are granted:
- The right to access information about themselves, i.e. which type of data is held about them, details of the data controller, details of any recipients, data retention period etc;
- The right to rectification, which entitles data subjects to have inaccurate data about them corrected or incomplete data completed;
- The right to erasure, which entitles data subjects to have their personal data erased;
- The right to restrict processing or object to processing of all or part of their personal data, which entitles data subjects to limit how an organisation uses their data;
- The right to data portability, which entitles data subjects to transfer their personal data from one controller to another in a structured, commonly used, and machine-readable format;
- The right to lodge a complaint with a supervisory authority; and
- The right to know of the existence of automated decision-making and to object to the outcome of such decision-making, i.e. to be told the logic involved, the significance and envisaged consequences of such processing, and the recourse available.
Data Sharing
Provisions that adequately communicate a controller’s data sharing practices must state:
- Which third-party actor holds/receives the personal data;
- The types/categories of personal data being processed;
- The purposes of processing; and
- The appropriate safeguards to be maintained by a third party.
Test to determine the adequacy of consent
CIPIT developed a threefold test to determine the adequacy of consent in the study.
First, the test evaluates whether customers/visitors to the site are informed of each instance of use (or intended use) of their data, and whether they are given the opportunity to opt-in/out.
Second, the test evaluates whether the choice to opt-in/out was through a mechanism such as a checkbox that would actively prompt them to indicate their consent.
Third, the test evaluates whether the customer/visitor to the site has the option of revoking consent at a later date, and the means provided for revocation of consent.
Policies evaluated on indicators pertaining to Data Collection
The study found that the studied banks were generally likely to have incomplete/unclear provisions in their policies. The most frequent provision in the banks’ data policies was the purpose of processing data. The least frequent provision was that of data breach notification.
Policies evaluated on indicators pertaining to the Rights of Data Subjects
A large number of the banks studied took one of two approaches: clear and unambiguous provisions for the rights of data subjects, or a complete lack of such provisions. The most frequently recited right was the right to rectification, while the right to object to the outcome of automated decision-making was the least frequent.
Policies evaluated on indicators pertaining to Data Sharing
Provisions relating to the purpose of data processing by third parties were the most prominent. Provisions relating to the type or category of data received by third parties were the least frequent.
The study shows areas that have the greatest need for improvement for the overall banking sector. For example, the lowest average scores were obtained in the following sub-indicators:
- Data Breach Notification provisions;
- Right to Object to the outcome of automated decision-making;
- Right to Data Portability;
- Types/categories of personal data being processed by third parties; and
- Description of the technical/other measures taken to ensure the integrity and confidentiality of data.
Effect of the Study on data protection in Kenya
While the study looks at the privacy policies of commercial banks in Kenya, it refrains from making reference to specific banks and anonymises bank identity in the tabulations. However, a list of the studied banks is contained in the appendix to the report. Nothing stops the Data Protection Commissioner from using the report to initiate audits of banks to check for non-compliance with data protection law. The Data Protection Act, 2019 states that the Office of the Data Protection Commissioner (ODPC) can exercise oversight, carry out inspections and even conduct assessments of data processing operations to verify whether the processing of data is done in accordance with the Act.
Therefore, banks should prioritise data protection, since a penalty notice from the ODPC has the potential to destroy their reputation and credibility in the market.
To be fair, most banks already have good data protection systems due to the sensitive nature of banking. However, data protection law prescribes certain specific compliance requirements that banks should not ignore.
Oxygene MCL’s Data Protection Compliance team has vast experience in assisting financial institutions with data protection compliance and is ready to serve. For assistance with privacy and data protection compliance issues, you can contact Francis Monyango through his email address: firstname.lastname@example.org.