Have you heard about Kenya’s data protection act?

Antony M. Gitau
May 18, 2022


If the answer is no, don’t worry. I will offer a clear and concise explanation of just what you need to know as the owner of your data. We will go through what the act is about, why you should care about it, who the data subject, controller, processor and commissioner are, and finally zero in on the data subject (you).

ODPC logo and the Coat of Arms of Kenya.

What is a data protection act?

A data protection act is a legal document containing laws that regulate the processing of personal data by organizations, governments and businesses.

A month before the end of 2019, the Kenyan parliament enacted the data protection act, which established the office of the data commissioner, whose main roles are to regulate the processing of personal data and to provide for the rights of data subjects and the obligations of data controllers and processors.

Why should I care about the act?

The advertising business is a billion-dollar industry. It is expected to grow to over half a trillion by 2026, according to Yahoo. Advertising is driven by the processing of personal data. Why? Because businesses want to spend money asking the most likely people to buy their goods/services, not the entire population. For example, a diaper company would not want to ask a 15-year-old who mostly spends their time playing video games to buy diapers. Perhaps a video game company would benefit from promoting its service to that population instead.

As the century gains more technical expertise, more data will become available for processing and hence vulnerable to exploitation. Understanding the laws governing the processing of your data that is accessible to others will be essential. If you have a business, knowing the obligations you have regarding your customers’ personal data will inform you on how much of that data you need, whether you need new skills to meet your business bottom line, and how to remain on the right side of the law as you outdo the competition.

Who are these people? Data subject, data controller, data processor, and data commissioner.

They are the main players in the personal data processing story.
Data subject: The identifiable owner of personal data.
Data controller: Any individual/organization that determines the purpose and means of processing personal data.
Data processor: Any individual/organization that processes personal data on behalf of a data controller.
Data commissioner: The bearer of the office responsible for ensuring that the data protection act is adhered to.

What should I know as a data subject?

A data subject is literally anyone who has data about themselves out there, for example in offices, on digital platforms, in healthcare institutions, etc. That is just about everyone.

Have you ever been to a hospital and filled in multiple forms? Have you gone through stringent security at any entrance and been made to fill in a visitors’ book, or leave your ID at the gate? Have you signed up on a platform online? If you answered yes to any of these questions, then you need to be concerned about the status of your personal data. Questions like who else can access your data, and whether you have to provide that much data about yourself, would get you started.

If your answer was no to all the questions, which I highly doubt is the case, does no still hold as the answer for any of your family members? Close friends? I don’t think so. That’s why you also need to pay attention.

Personal data is increasingly becoming accessible to other people. For me, I sought to answer two questions while reading this act.
1. What are my rights as a data subject?
2. When my rights are violated, what can I do about it?

1. What are my rights?

I was impressed to know that the main objective of the act is to regulate the processing of personal data. Let’s first get clear on who owns the data. Data belongs to the person generating it, not to the company processing it or the government setting up the regulations. This reminds me to treat my data as I would any of my property.

Personally, I rarely read the terms and conditions. I rationalize this behavior with thoughts along the lines of “someone else would have raised an alarm if there was a problem or violation”. I am not surprised you’re nodding in agreement. However, my advice to you and me is to make it a habit to read those terms before hitting “ok” or “submit”, or signing above the dotted line. If you are like most of us, you might find that this habit is not easy to form.

This is where I’ve got your back. There are three fundamental questions you could ask to get reasonably confident about how your data is being processed:
1. Why is this data about me being collected and does it have to be this much?
2. Can I access it while it is in the custody of the data collector, and who else can?
3. Do I have a say about what happens with my data? For example, can I update it, delete it, or revoke consent?

You need to be convinced by whoever is asking for your data that you are providing just enough data for a reason you understand and care about. That's the underlying principle of the first question. The act demands that only specific data necessary for the purpose is collected for processing by default.

If you can access the data after providing it, then you still have control over your data. Your concern should be who else can access your data. You need to be convinced that there is confidentiality and privacy for your data. The more sensitive the data you are providing, such as health-related or finance-related data, the higher your guard should be.

You need to know that you can undo consent. You can literally opt out, going from allowing people to access your data to keeping it all to yourself. You need to know that you can update, correct and erase your data accordingly. You need to know that, basically, you retain control over your data. The act demands that you can request rectification of your data from whoever is collecting and processing it, and this should be done without delay.

In conclusion, your rights as a data subject sum up to: being informed about the use of your personal data; accessing your personal data in the custody of a data controller or data processor; objecting to the processing of all or part of your personal data; correcting false or misleading data; and deleting false or misleading data.

2. What can I do when my rights are violated?

Well, it’s unfortunate that sometimes it gets here. But first, make sure you have objective claim(s) about the violation. Once this is checked, this act is here for you. The Office of the Data Protection Commissioner (ODPC) should hear your complaint in either written or oral form (you will be recorded). After that, an investigation is carried out within 90 days, and the necessary actions need to take place for you to get justice. Where the Data Commissioner is satisfied that a person has failed, or is failing, to comply with any provision of this Act, the Data Commissioner may serve an enforcement notice on that person requiring them to take the necessary steps within a period specified in the notice.

Conclusion

Huh, we have made it this far, thumbs up! We now know that we have an Act meant to regulate the processing of our data. We also know what questions we can quickly ask to get some idea about the privacy level of our data. We know how to go about lodging a complaint and what follows after the complaint.

We have not exhausted the questions about the privacy of our data. We are curious to find out, say, what measures are in place in case of an attack on your data (someone trying to get your data illegally). Also, does my data live in Kenya? Or is it sitting somewhere on US servers? If you have a business, your questions could be along the lines of how to go about registration as a data controller or processor. Yes, you need to register if you are collecting and/or processing any personal data.

Let’s meet in the upcoming blogs as we answer these questions. Lastly, you can find the official copy of the data protection act on the Office of the Data Protection Commissioner’s (ODPC) website.
