On 12th January 2021, the Data Protection Commissioner’s office in Kenya invited public comments on its Draft Guideline on Access to Personal Data During COVID-19 Pandemic.
The Draft Guideline aims to tackle the effects of Covid-19 pandemic on individuals; enhance the quality of lives and ensure continuity of jobs, business and learning; ensure the provision of universal and affordable health care, amongst others, there has been the need for innovative interventions whether ICT based or otherwise. In furtherance of these aspirations, access to personal data (health data and geo-location data) may be required from private or government entities.
The Guideline aims to give effect to the right to privacy of individuals related to the protection of personal information and ensure compliance with the Data Protection Act of 2019.
- Principles of Data Protection
The Guideline emphasises data protections’ fundamental principles such as accountability, security, purpose limitation, accuracy, adequacy, confidentiality, data minimisation, and storage limitation.
It also requires that personal data kept for a more extended period should be kept in an anonymised format such that the data subject cannot be re-identified. Also, any person who has access to personal data must protect them and adequately demonstrate that it does and comply with the Data Protection Act of 2019 and may be called by the Data Protection Commissioner to do so. It further expects that access to personal data is only limited to those who need it to address or respond to the covid-19 pandemic.
The Guideline provides that personal data shall be collected directly from individuals subject to their express consent using a data request form annexed to the Guideline.
Where personal data is to be sold to third parties or transferred outside of Kenya, the data subject’s express consent must be sought.
- Data Sharing Contracts
Where personal data is shared between parties, there has to be a signed agreement covering non-disclosure, confidentiality, data destruction techniques, safeguard, data protection impact and so on. It must be approved by the Office of the Data Protection Commissioner. This also applies to data requests.
- Privacy Notice
Every application that requests personal data must publish a privacy notice on what information is being collected and with whom the information may be shared.
- International Transfer
Where personal data is to be transferred outside of Kenya, there has to be sufficient proof that appropriate safeguards concerning the security and protection of the personal data.
- Request for Personal Data
For personal data requests from public entities, the requests shall be channelled appropriately. For instance, health data shall be requested from the Ministry of Health while telecommunications data from the Communications Authority of Kenya.
A copy of the data request form is available here.
Albeit late, Kenya joins host of other African countries like Cape Verde, South Africa, Mauritius, Senegal, Burkina Faso, Mali, Morocco, and Tunisia that issued Guidance on Covid-19 and data protection.
A copy of the Draft Guideline is available here.
By Tojola Yusuf and Ridwan Oloyede