What the Kenya Data Protection Act means for Research
The Personal Data Protection Act regulates research data containing personal data.
As the COVID-19 pandemic rages on, and researchers race against time to find a cure, research and research data have been a critical component of the solutions. We have seen an increase in data sharing, with researchers making use of public data to understand the disease and propose interventions. However, a lot of personal data is collected, sometimes from patients who are unable to consent to the use of their data for research. In Africa, a majority of countries are yet to operationalize a personal data protection law. In a continent of 55 states, only 31 countries have some legislation that relates to personal data, and only 12 of those have enforced comprehensive laws. It is in times such as these that we expect personal data protection authorities to guide the handling of personal data that arises during COVID-19 testing and surveillance, with emphasis on the protection of the data subjects.
While the law is in place in some countries, implementation and enforcement are still a challenge, and take time. Tunisia, for example, has had a data protection law since 2004, but its authority did not perform its duties until 2015: it is one thing to have a law, and another to enforce it. Going further back, in 2001 Cape Verde passed a data protection act that mirrored the EU's laws at the time. By January 2020, 37 countries worldwide had heavy regulation and enforcement in place: 11 with robust laws; 38 with moderate laws, with 7 African countries in this category; and 26 with limited laws, including Kenya. In Africa, Mauritius leads, with robust regulations that meet international standards.
In Africa, the EU's GDPR is driving the development of personal data protection laws, with most of them mirroring the EU law. The GDPR applies to any person or company that works with EU data or EU companies, and therefore directly affects other countries too. Other countries have therefore joined the race to adopt a personal data protection Act that complies with the GDPR, in order to safeguard trade and relationships with EU partners.
The Kenyan government, in response, recently introduced the Kenya Data Protection Act 2019, which commenced on 25 November 2019. The law governs the usage, processing, and archiving of personal data. This Act of the Kenyan parliament elaborates on Article 31(c) and (d) of the Kenyan constitution, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the rights of data subjects and specifies the obligations of data controllers and processors. The Act is anchored in Article 31 of the constitution.
Article 31 of the constitution falls under the Bill of Rights: every person has the right to privacy, which includes the right not to have (a) their person, home or property searched, (b) their possessions seized, (c) information relating to their family or private affairs unnecessarily required or revealed, or (d) the privacy of their communications infringed.
The Act aims to regulate the processing of personal data, ensure that principles set by the law guide the processing of personal information of a data subject, and protect the privacy of individuals. It also establishes the legal and institutional mechanism to protect personal data and provide citizens with rights and remedies to protect their data from types of processing not allowed under the Data Protection Act 2019.
The Act has consequences for research throughout its lifecycle: planning, creating, processing, analyzing, preserving, sharing, and reusing. For a clear understanding of the Act and its implications for research, we define some terms as applied to research data.
Sensitive personal data is data that reveals information about a natural person. This includes race, health status, ethnicity, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of the person's children, parents, spouse or spouses), and the sex or sexual orientation of the data subject. Nearly all of the sensitive data mentioned is used in social, economic, and clinical research.
Biometric data means personal data resulting from specific technical processing based on physical, physiological, or behavioural characterization, including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning, and voice recognition. Genetic data also include paternity and maternity testing details.
Health data means data related to the state of physical or mental health of the data subject. It includes records regarding the past, present or future state of health, data collected in the course of registration for, or provision of, health services, and data which associates the data subject with the provision of specific health services. In research, health data may come from reviewing patient records or from the national health databases.
Processing means any operation or sets of actions performed on personal data or sets of personal data whether or not by use of computers, such as:
- collecting, recording, organizing, structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination, or otherwise making available; or
- alignment or combination, restriction, erasure, or destruction.
In essence, what scientists do is process data, which may include personal data: from data collection to analysis to publication.
Anonymization means the removal of personal identifiers from personal data so that the data subject is no longer identifiable. Genetic data and biometric data (including DNA) are considered sensitive and identifying information. Studies that involve an individual's sequence data would, therefore, fall under regulation by this law, subject to the exemptions on personal data for research. However, the Act doesn't seem to have envisioned the difficulty of anonymizing genetic information. We expect that a follow-up regulation, developed in consultation with the health ministry, would fill this research gap.
Consent means any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by an explicit affirmative action, signifying agreement to the processing of personal data relating to the data subject.
Consent affects research collecting social data and clinical trials. Even before the Act, researchers obtained permission before collecting private data and secured ethical approval for the study. In January 2020, the Pharmacy and Poisons Board (PPB), which regulates clinical trials, updated its guidelines on clinical trials. The directives bear some semblance to the personal data protection Act, especially on data protection, transfer, archiving, and consent.
The guidelines require a clinical research organization to secure the data used and to archive it safely. They also restrict the transmission of data out of Kenya to other countries and specify a minimum of ten years for archiving data. This resonates with the data protection law, which states: "Every data controller or data processor shall ensure that personal data is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes." Data collected as part of research should be archivable and reusable, as a way to promote research and to save money provided by international funding agencies. As seen, the law makes reuse of research data for a different objective impossible.
Roles and Responsibilities
The Data Commissioner, Data Protection Officers, data controllers, and data processors are all involved in implementing the Data Protection Act. Data controllers and processors are required to register with the Data Commissioner before they are allowed to collect and process personal data. A data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data. In contrast, a data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
The Office of the Data Protection Commissioner was declared vacant in March, and applications closed in April 2020. However, by August 2020 the commissioner was yet to be hired, the courts having halted the process. Therefore, although the Act commenced in November 2019 and is already in effect, it cannot yet be enforced.
As the offices and the accompanying regulations are set up, researchers need to be aware of the implications of the new law for research that uses personal data. What we need to understand is who the data processors and data controllers are for research and academic institutions. For example, data processors can include those who offer transcription services, DNA sequencing/translation services, data analysis companies, LIMS companies, etc. On the other hand, research institutions and universities, through their designated authority, would be the data controllers.
We applaud the Act for anticipating the great cost of hiring a Data Protection Officer (DPO) and making a provision that allows a DPO to be shared across many institutions. This is especially pertinent for universities, which may find the cost prohibitive. The clause allows research institutions to come together as a consortium to hire one DPO.
The Act regulates research dealing with personal and health data. It stipulates that specific consent has to be sought, specifying the purpose of data collection during data planning and creation. It is challenging to clearly outline the scope of the use of personal data for research. Therefore, the need for specific consent may impede research and data reuse. Why? "A data controller or data processor shall not process personal data, unless (a) the data subject consents to the processing for one or more specified purposes; or (b) the processing is necessary for historical, statistical, journalistic, literature and art or scientific research."
The Act states that "Personal data relating to the health of a data subject may only be processed (a) by or under the responsibility of a health care provider, or (b) by a person subject to the obligation of professional secrecy under any law". Processing of personal health data is only allowed if the processing (a) is necessary for reasons of public interest in the area of public health, or (b) is carried out by another person who in the circumstances owes a duty of confidentiality under any law. Who is the person who owes confidentiality under the law? Does this mean that other researchers cannot process such data?
The Act has made some provisions to exempt data meant for research, if "the results of the research or resulting statistics are not made available in a form which identifies the data subject or any of them." For example, scientists can retain personal data processed for research purposes for much longer; this frees research data from the restrictions the Act enforces on personal data.
Also, the Act stipulates that personal data shall not be transferred outside Kenya “unless there is proof of adequate data protection safeguards or consent from the data subject.” It further states that “the processing of sensitive personal data out of Kenya shall only be effected upon obtaining the consent of a data subject and on obtaining confirmation of appropriate safeguards.”
Kenya has made significant headway in protecting personal data from misuse, and this Act is a welcome development; we applaud Kenya for taking the lead. The Act is GDPR compliant, which enables data controllers to collaborate and work with EU companies as data processors or collaborators. Nevertheless, the Act is not implementation ready. There are cost implications and human capacity needs to iron out before the Act can be fully implemented. The hiring of a Data Commissioner will set the ball rolling, and we hope a sufficient grace period is given to the affected stakeholders to enable them to prepare.
Given the global research village and the need to promote collaboration within Africa, this Act may, in the short term, impede research. However, we believe that other countries, in compliance with the African Union Convention on Cyber Security and Personal Data Protection recommendations, will set out to develop similar Acts.
Despite the progress the country has made, some questions remain. The exemptions in place for research data seem to apply only to processing, which raises questions. Does this restrict the transfer of personal data meant for research? What does this mean for publishing research data where the journals are based outside the country? What does this mean for research collaboration? The restriction is a concern, since many countries in Africa are yet to adopt a similar Act, and the interpretation can be subjective.
Although the Act was not formulated to regulate research, some sections do affect research. The data protection regulations that will follow should have the scientist's interests at heart and the desire to promote research. Researchers should be given time to align their work with the new law.
Please share your thoughts in the comments section below.
Acknowledgements
- Sarah Nyanchera for help with the draft and research
- Christian Mumo for the map