The Data Protection Act No. 24 of 2019 came into effect on 25th November 2019 and substantially mirrors the European Union’s General Data Protection Regulations (GDPR).
It is a comprehensive statute that governs the collection, processing, and storage of personal data both by the government and private sectors.
Following the heavy public uproar and criticism of the ‘Huduma Namba’ digital identification programme, the High Court in Nubian Rights Forum and Others V The Hon. Attorney General and Others determined and noted that the country lacked specific and inclusive data protection legislation.
This necessitated the need for the implementation of the Data Protection Act which has been hailed in the continent, as a key milestone in the protection of consumer privacy and data rights.
Further, the Act mirrors the provisions of Europe's GDPR and underscores its conformity and compliance with international data protection standards and safeguards.
The major challenges that have been experienced by organisations in protecting consumer data privacy and preferences, not just in Kenya but also globally, include the exponential growth of data, the costs of maintaining data privacy, and the colossal amounts of open vulnerabilities.
With data growing at a high rate, it is prudent that organisations step up their safeguards on their clients’ personal and sensitive information.
A data breach in an organization could lead to huge revenue losses, regulatory fines, loss of public trust, and an adverse brand reputation.
Most sectors including the health sector have digitised their services. Medical services such as treatment, diagnosis, and monitoring of patients are now administered and stored on digital platforms.
However, these platforms, and consequently, the data stored therein, are always at risk of a data breach. According to 2021 research by HIPAA Journal, the healthcare industry has suffered the highest number of data breaches in comparison to other industries, over recent years.
Further, researchers argue that the reason for the higher data breach reported in the healthcare industry was a result of the strict laws in various countries that demand the reporting of any breach occasioned on unsecured protected health information, and the monetary gains that are yielded from patients’ data.
They observe that such data is priced higher compared to other data. The information obtained from medical identity theft is crucial as it entails insurance details, pharmacy prescriptions, health history, health billings, and other medical account information.
When such information gets into the wrong hands, it could be used for extortion and harassment. Further, it could be used to illegally obtain financial benefits such as loans, and insurance, all under the patient’s name.
The impact that healthcare service providers face in the event of a data breach is usually huge. From reputational damage to incurring extra costs on impending lawsuits, penalties, and settlements.
Eventually, patients tend to leave and seek medical care from competitors who guarantee better security of their data.
In the medical sector in Kenya, the Data Protection Act complements the Public Health Act, of 2012 in controlling how health and medical service providers manage patients’ data. Medical records and information related to patients need to be always kept under strict confidence.
One of the principles of the Data Protection Act is that only sufficient data that is relevant to the purpose should be collected.
Further, that data needs to be collected only where the individual is provided with valid explanations and consents to the collection of their data.
When the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, came into effect on 14th July 2022, it gave effect to Section 18 of the Data Protection Act, which requires entities that collect and process data to register with the Office of the Data Protection Commissioner.
Whilst there are exemptions from the legislation based on annual turnover that is below KES 5,000,000, and those with less than 10 employees, the same exemption does not extend to entities providing health administration and patient care.
Dr Isaac Rutenberg in his expert commentary column at worldprivacyforum.org recommends that to avoid the ramifications that result from a data breach, medical service providers need to solidify their data protection mechanisms by adopting the latest tools and techniques such as end-to-end data encryption, keeping updated anti-virus and anti-malware solutions, doing consistent 3rd party security risk assessments, utilizing multi-factor authentication, and ensuring that the employees are taken through a vigorous cybersecurity training.
Manyala is a Senior Technology Risk Consultant with KPMG Advisory Services. The views are his own.