Personal data protection has become a key concern for Kenyans and, at the centre of it all, the Office of Data Protection Commissioner (ODPC) has had to face players in sectors such as digital lenders, clubs and even schools, stamping its authority hard in an environment where businesses use personal information and get away with it.
In this interview, Data Commissioner Immaculate Kassait talks about interventions aimed at injecting sanity in internet, how her office deals with challenges of regulating more than a million enterprises holding Kenyans’ personal data and why, in the new era of Artificial Intelligence (AI).
We started 2023 on a high note by launching the registration portal in January. This automated processes and replaced manual registration for data processors and data controllers, which has eased the process for them to get registration certificates. We now have slightly more than 2,800 registered data controllers and data processors.
We have also started moving into the regions outside Nairobi because we consider that regional presence is an important part of making sure that our services are available where they are needed. This year we’ve been able to move to Mombasa, Kisumu, Nakuru and launched operations in three huduma centres (Garissa, Eldoret and Nyeri).
Our outlook for the coming year is to move to another six huduma centres, notably at Konza, which being our Silicon Savannah, it is important for us to have a presence there.
Kenya was also elected first Vice Chairperson to the network for Africa Data Protection Authority, a network that brings together African countries in 2023.
Kenya also hosted the first regional meeting on data protection in 2023, where conversations around harmonisation of data protection and making data protection an agenda in the region were had.
How many investigations did you conduct in 2023?
During the year, we did preliminary inspections (audits) on 38 digital lenders as a result of complaints we received. We had received more than 700 complaints concerning unethical practices by digital lenders and when you see a consistent complaint in a certain sector, you have to ask yourself, ‘What is the issue?’
We found out that some were unaware of what was required of them with regards to their users’ data protection. They had not factored it in their operations, in design and principle. The audits were part of their compliance requirements and we had conversations with the 38 to make them appreciate the importance of protecting users’ personal data.
Complaints against digital lenders were the most of any sector in our database, which speaks to action on their part.
We got 65 determinations, 36 enforcements and four penalties issued during the year, and five issues were referred to the Alternative Dispute Resolution (ADR) to encourage out-of-court settlements.
You penalised some schools and clubs for publishing pupils and clients’ photos on the internet a few months ago. Has this improved state of things?
The reason we took this action was the upsurge of complaints relating to photography where some Kenyans felt that their privacy had been intruded.
Following the actions we took, some of the players have been responsive. They have come back and demonstrated that they have brought down photos they had posted. We fined others who haven’t acted because you cannot use people’s personal information for commercial purposes.
If you intend to take photos, put a privacy notice out there and indicate that as people walk into your premises their information will be recorded and it will be used for a specific purpose. The minute it moves from that for marketing on social media sites, it becomes commercial. Let us respect people’s privacy.
What are the challenges your office faces in enforcing the law to ensure people’s personal data are protected?
Many people still do not appreciate the importance of protecting people’s privacy and the kind of harm one could be exposed to just by revealing their personal data. We also are working in an environment where we have so many businesses and institutions to regulate, despite our limited capacity.
To succeed, we have had to seek partnerships from development partners to conduct enhanced public education for data processors and data controllers.
Which are the sectors of concern for the ODPC with regards to personal data protection? Why?
Sectors from which we see a lot of concerns include the digital credit providers due to the high number of complaints we saw last year; the health sector because of the amount of people’s personal data it collects and keeps and also the education sector which keeps students’ personal information from pre-primary to university level.
How does the office ensure effective regulation with a limited budget and constrained staff levels?
We adopted a strategy to promote self-regulation by institutions and sectors by working with other regulators and umbrella bodies that represent sectors.
We’ve seen tremendous response from different government agencies who want to be trained and build their capacities. Lastly, we got approval from the Treasury to accredit trainers and auditors from whom private companies can pick.
What will be the ODPC’s key focus in 2024?
We are following the debate around Artificial Intelligence (AI) keenly and our focus is on data protection. We will also be hosting the Network for Africa Data Protection Authority in May, which is an opportunity for Africa to experience what Kenya has to offer.
