The Data Protection Act in many cases provides consent as a legitimate ground for processing of personal information. Owing to the sensitive nature of personal information, the Act does not leave us guessing what consent means. All businesses should take note of the definition and ensure that consent given within the course of business qualifies as consent under the Act.
Consent is any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes, by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
The requirement for consent creates the duty to notify the data subject, in so far as is practicable, before collecting personal data. Companies are required to notify the data subjects of:
- their rights under the Act;
- the fact that personal data is being collected;
- the purpose for which the personal data is being collected;
- the third parties to whom their data has been or will be transferred, including details of safeguards adopted;
- the contacts of the data controller or data processor and whether any other entity may receive the collected personal data;
- a description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
- whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory; and
- the consequences, if any, where the data subject fails to provide all or any part of the requested data.
Businesses should review and amend contracts, terms and conditions, and privacy policies (in physical or digital form), among other things, to provide adequate notice to third parties and obtain their consent where feasible.
The data controller or data processor, in this case the business, will bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose. Failure to prove consent may result in a fine of up to 5 million Kenyan shillings or 1% of annual turnover for the preceding year per incident.