Citizens of Kenya are requested to immediately report any instances of data breaches to the Office of the Data Protection Commissioner (ODPC). This will facilitate legal action against organizations that engage in the unlawful use of personal information.
The right to data privacy is considered a fundamental right for every individual, as outlined in the Constitution. The Data Protection Act of 2019 prescribes penalties for such breaches.
During an awareness outreach in Tharaka Nithi and Meru Counties, Ms. Susan Waweru, the Head of Legal Services at the ODPC, emphasized the importance of reporting any breach within 72 hours of its occurrence. She reassured the public that upon receiving a report, the office initiates an investigation, takes necessary action, and concludes the matter within 90 days. This alleviates concerns about lengthy court processes that are often experienced in the country.
The outreach program involved engaging with data controllers and processors from various institutions, including government departments, educational and healthcare institutions, as well as civil society and religious organizations. These entities handle personal data for legitimate purposes, with some of them being custodians of sensitive personal information.
Ms. Waweru highlighted that certain Digital Credit Providers, known for aggressively persuading Kenyans to take out loans, were operating in violation of personal data privacy. These providers often illegally obtain and use personal information, such as phone numbers, without the consent of the data subjects.
She disclosed that in the past year, at least three data collectors have faced penalties for such misconduct, and enforcement notices have been issued to multiple operators, warning them to cease illegal activities involving personal data.
However, Ms. Waweru emphasized that the Office of the Data Protection Commissioner prefers Alternative Dispute Resolution to address public complaints, only resorting to court processes as a last option.
Data controllers and processors are required to register with the Office of the Data Protection Commissioner and obtain a license in accordance with the Data Protection Act of 2019. The initial certificate is issued for a fee and must be renewed every two years.
In addition to enforcing and implementing the Act, as well as registering data controllers and processors, the ODPC assumes an oversight role in all matters related to personal data management. The office also raises awareness among stakeholders regarding their roles and rights as outlined in the law.