Schools, churches put on data protection watchlist over privacy

Data Commissioner Immaculate Kassait. FILE PHOTO | NMG

Learning institutions, churches, landlords and security firms operating closed-circuit television cameras (CCTV) have been included on the list of those required to offer special safeguards when handling personal data.

The new regulations are likely to shake up data management in premises and homes where CCTV cameras have been installed. Demand for CCTV cameras has surged as public and private institutions as well as home owners move to boost security.

The regulations, which mirror those of the EU’s General Data Protection Regulation, now mean CCTV operators risk reprimand for misuse of personal data.

The law mandates the Data Commissioner to investigate any breaches, with offences under the Act attracting a fine of up to Sh5 million or a term of imprisonment of up to 10 years, or both.

The new regulations published by Data Commissioner Immaculate Kassait also say that political campaigners, gaming and betting firms, banks, credit reference bureaus, technology firms and transport service providers, including taxi hailing apps, will have to obtain mandatory certification as data controllers or processors.

The regulations, which are part of the Data Protection Act that was signed by President Uhuru Kenyatta in November 2019, set out restrictions on how personally identifiable data obtained by firms and government entities can be handled, stored and shared.

Data processors or controllers will pay a certification fee of Sh250,000. Businesses will also be charged registration and annual renewal fees of between Sh1,000 and Sh20,000 depending on the number of employees, turnover and the risk of exposure of personal information.

“Every data controller or a data processor whose annual turnover is below five million shillings or whose annual revenue is below five million shillings; and who employs less than ten people, is exempt from the mandatory registration under these regulations,” the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 says.

The Data Protection Act requires data controllers and processors both in Kenya and abroad to ensure that all personal data is processed lawfully, fairly and in a transparent manner. They are also required to inform clients on the use of the personal data and correct or delete any false representations about them.

The law also guarantees special safeguards for sensitive data such as one’s marital status, sexual orientation, health status, ethnicity, names of children and biometric data.

Further, the law restricts transfer of personal data to parties outside Kenya. Data controllers and processors are required to obtain permission from the Data Commissioner before transferring personal data outside the country and provide proof of sufficient safeguards against misuse of the information.

Kenya has mainly pushed for data protection laws to enhance security surveillance and bolster investment in its information and communication technology sector.

The country has over the years attracted foreign firms with innovations such as Safaricom’s M-Pesa mobile money services, but the lack of safeguards in handling personal data has held it back from its full potential.

The State has in recent times also stepped up moves to access personal communication in a bid to curb security breaches.

Parliament amended the Official Secrets Act of 1968, making it compulsory for anyone who owns a mobile phone or communication gadget to provide information on persons and data that the State is pursuing for national security breaches.

Those who breach a State order to share the information risk a Sh1 million fine under the changes, which also cover gadgets belonging to Kenyans that have been used in foreign countries to send information to the country through channels such as SMS, email and WhatsApp.

In 2017, the Communications Authority of Kenya (CA), the industry regulator, sought to have Safaricom, Airtel and Telkom Kenya instal a Data Management System (DMS), arguing it would help in detecting fake mobile devices.

The three telecoms firms opposed the plan, saying it was spyware whose purpose was to eavesdrop on people’s calls, read messages and also track their financial transactions.

The CA in a letter dated January 31, 2017 defended the directive, saying the purpose of DMS was to access information.