The Data Protection Act has been promulgated partly because of the amount of data that commercial businesses hold about customers from both direct and indirect sources. The Act requires businesses to collect data directly from the customers unless specifically exempted.
Exemptions envisioned under the Act include:
- that the collection of data from another source is necessary for the prevention, detection, investigation, prosecution and punishment of crime;
- for the enforcement of a law which imposes a pecuniary penalty; or
- for the protection of the interests of the owner of the data or another human being.
This is relevant considering business obligations under the Proceeds of Crime and Money Laundering Act. Whatever the circumstances under which data is collected, businesses are required to ensure that they collect, store or use personal data for purposes which are lawful, specific and explicitly defined.
The Act defines processing as any operation or sets of operations that a business performs on (customer/employees/third parties) personal data such as: collecting, recording, organising, structuring, storing, adapting, altering, using or disclosing by transmitting, disseminating, restricting, erasing or destroying data.
Notably, both customers and employees have a right to object to the processing of their personal data, by business unless the business can demonstrate compelling legitimate interest which overrides the interests of the customer/employee in question. The Act does not allow objections where the processing of data is for the establishment, exercise or defence of a legal claim.
This section requires businesses to create a process through which customers and employees can notify the business in a timely manner of any objections to processing of their personal data.
Cross border data transfer happens when a business transfers personal data of a kenyan customer or employee outside of Kenya. The Act allows cross-border transfer where there is proof of adequate data protection safeguards or consent from the concerned customer/employee. The transfer can also be authorised where necessary for reasons such as performance of a contract.
The rules are different for sensitive personal data. Any data revealing the a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation should only be processed out of Kenya after obtaining the consent of a data subject and upon obtaining confirmation of appropriate safeguards.