How education sector can navigate data law minefield


Data Commissioner, Immaculate Kassait before the National Assembly Ad Hoc Committee of inqury on the Worldcoin controversy at the County Hall, Nairobi on September 7, 2023. PHOTO | DENNIS ONSONGO | NMG

The Office of the Data Protection Commissioner has targeted various sectors among them education. Slapping of a Sh4 million penalty to an educational institution based in Uthiru, Nairobi, which the office terms as the first and highest fine to an educational institution has several implications for schools. What then does this mean for these institutions?

Some of the questions raised and the discourse by active players in the educational sector include: what informed this move? Is there a requirement for all educational institutions to comply? If yes, what are the consequences for non-compliance, and moving forward what should educational institutions do to ensure they avoid such hefty penalties?

Section 18 (1) of the Data Protection Act provides that no person shall act as a data controller or data processor unless registered with the data commissioner. A data controller, on the one hand, is a natural or legal person alone or jointly with others, who determines the purpose and means of processing personal information.

A data processor, on the other hand, is a natural or legal person who processes personal data on behalf of the data controller. This means that an educational institution may either be a data controller, processor, or both.

Further, section 18 (2) of the Act provides that the data commissioner shall prescribe thresholds required for mandatory registration of data controllers and data processors.

The third schedule of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 lists inter alia that a data controller or processor operating an educational facility (emphasis) must register with the ODPC regardless of the annual turnover/revenue and number of employees provided that they are processing personal information under the categories outlined in the third schedule.

In addition, where a Data Controller or Data processor has an annual turnover/revenue of more than Sh5 million and employs more than 10 people, the individual or entity is also required to register with the ODPC.

This, therefore, means that any educational facility operating in Kenya that is yet to be registered with the ODPC is non-compliant regardless of its annual turnover.

Before the use of children’s personal data on social media platforms particularly for commercial purposes, educational institutions have a duty to notify parents and guardians of the rights of their children as the data subjects, the fact that they intend to collect their personal information, the purpose for which the personal data is being collected, any third parties whose personal data has been or will be transferred to.

These include details of appropriate safeguards such as technical and organisational security, measures the institution has adopted to ensure confidentiality of the children’s data, whether any law necessitates the collection of such data to any law, whether such collection is voluntary or mandatory; and the consequences if any, where the data subject fails to provide all or any part of the requested information.

Moreover, in addition to the duty to notify data subjects, a data controller or processor seeking to process personal data relating to a child for whatever purpose must obtain consent from the child’s parent or guardian; and process the data in such a manner as to protect and advance the rights and best interests of the child.

Section 2 of the Act defines consent as any manifestation of express, unequivocal, free, specific, and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.

Be that as it may, educational institutions should develop consent-seeking forms to be used when obtaining the go-ahead while providing for the withdrawal of consent at any time upon request by a data subject.

The forms must also clearly provide a parent or guardian an option to check where they do not wish for their child’s images and videos to be posted on social media.

There is also the requirement for data controllers or data processors to ensure that they incorporate appropriate mechanisms for age verification and consent to process the personal data of a child.

The mechanisms to be implemented by an educational entity must consider available technology, the volume of personal data processed, the proportion of such personal data likely to be that of a child, and the possibility of harm to a child arising out of the processing of such personal data.

For this reason, it should be noted that the mere act of obtaining consent from parents before the publication of photos and videos on social media platforms does not amount to compliance with the ODPC.

To be on the safe side of the law, educational institutions must ensure that they register their entities with the ODPC either as a data controller, data processor, or both.

Those that have published photos of minors on their social media pages without seeking the consent of their minors’ guardians, may wish to consider deleting those images and videos and ensure that they obtain the consent of parents before doing so.

The writer is an advocate of the High Court of Kenya Email: [email protected]

PAYE Tax Calculator

Note: The results are not exact but very close to the actual.