PRELIMINARY
Section 1. Short title
This Act may be cited as the Data Protection Act.
Showcasing 50 of 74 sections
Section 2. Interpretation
is processed by means of equipment operating automatically in response to instructions given for that purpose;

Section 3. Object and purpose of this Act
to regulate the processing of personal data;

Section 4. Application
entered in a record, by or for a data controller or processor, by making use of automated or non-automated means: Provided that when the recorded personal data is processed by non-automated means, it forms a whole or part of a filing system;

Section 5. Establishment of the Office
(1)(a) suing and being sued;
(1)(b) taking, purchasing or otherwise acquiring, holding, charging or disposing of movable and immovable property;
(1)(c) entering into contracts; and
(1)(d) doing such other legal acts necessary for the proper performance of the functions of the Office.
(2) The Office is designated as a State Office in accordance with Article 260(q) of the Constitution.
(3) The Office shall comprise the Data Commissioner as its head and accounting officer, and other staff appointed by the Data Commissioner.
(4) The Office shall ensure reasonable access to its services in all parts of the Republic.
(5) The Data Commissioner shall, in consultation with the Cabinet Secretary, establish such directorates as may be necessary for the better carrying out of the functions of the Office.
Section 6. Appointment of the Data Commissioner
(1) The Public Service Commission shall, whenever a vacancy arises in the position of the Data Commissioner, initiate the recruitment process.
(2) The Public Service Commission shall, within seven days of being notified of a vacancy under subsection (1), invite applications from persons who qualify for nomination and appointment for the position of the Data Commissioner.
(3)(a) consider the applications received to determine their compliance with this Act;
(3)(b) shortlist qualified applicants;
(3)(c) publish and publicise the names of the applicants and the shortlisted applicants;
(3)(d) conduct interviews of the shortlisted persons in an open and transparent process;
(3)(e) nominate three qualified applicants in the order of merit for the position of Data Commissioner; and
(3)(f) submit the names of the persons nominated under paragraph (e) to the President.
(4) The President shall nominate and, with approval of the National Assembly, appoint the Data Commissioner.

Section 7. Qualifications of Data Commissioner
(1)(a)(i) data science;
(1)(a)(ii) law;
(1)(a)(iii) information technology; or
(1)(a)(iv) any other related field;
(1)(b) has knowledge and relevant experience of not less than ten years;
(1)(c) meets the requirements of Chapter Six of the Constitution; and
(1)(d) holds a Master's degree.
(2) The Data Commissioner shall be appointed for a single term of six years and shall not be eligible for re-appointment.

Section 8. Functions of the Office
(1)(a) oversee the implementation of and be responsible for the enforcement of this Act;
(1)(b) establish and maintain a register of data controllers and data processors;
(1)(c) exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with this Act;
(1)(d) promote self-regulation among data controllers and data processors;
(1)(e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body, for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
(1)(f) receive and investigate any complaint by any person on infringements of the rights under this Act;
(1)(g) take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;
(1)(h) carry out inspections of public and private entities with a view to evaluating the processing of personal data;
(1)(i) promote international cooperati...
Section 9. Powers of the Office
(1)(a) conduct investigations on own initiative, or on the basis of a complaint made by a data subject or a third party;
(1)(b) obtain professional assistance, consultancy or advice from such persons or organisations, whether within or outside the public service, as considered appropriate;
(1)(c) facilitate conciliation, mediation and negotiation on disputes arising from this Act;
(1)(d) issue summons to a witness for the purposes of investigation;
(1)(e) require any person that is subject to this Act to provide explanations, information and assistance in person and in writing;
(1)(f) impose administrative fines for failures to comply with this Act;
(1)(g) undertake any activity necessary for the fulfilment of any of the functions of the Office; and
(1)(h) exercise any powers prescribed by any other legislation.
(2) The Data Commissioner may enter into association with other bodies or organisations within and outside Kenya as appropriate in furtherance of the object of this Act.

Section 10. Delegation by the Data Commissioner
The Data Commissioner may, subject to such conditions as the Data Commissioner may impose, delegate any power conferred under this Act or any other written law to a regulator established through an Act of Parliament.

Section 11. Vacancy in the Office of the Data Commissioner
dies;

Section 12. Removal of the Data Commissioner
(1) A person desiring the removal of the Data Commissioner on any ground specified under section 11(d) may present a complaint to the Public Service Commission setting out the alleged facts constituting that ground.
(2)(a) investigate the matter expeditiously;
(2)(b) report on the facts; and
(2)(c) make a recommendation to the Cabinet Secretary.
(3)(a) informed, in writing, of the reasons for the intended removal; and
(3)(b) offered an opportunity to put in a defence against any such allegations.
Section 13. Staff of the Office
The Data Commissioner shall, in consultation with the Public Service Commission, appoint such number of staff as may be necessary for the proper and efficient discharge of the functions under this Act or any other relevant law.

Section 14. Remuneration of the Data Commissioner and staff
The Data Commissioner and staff of the Office shall be paid such remuneration or allowances as the Salaries and Remuneration Commission may advise.

Section 15. Oath of office
The Data Commissioner shall take the oath set out in the First Schedule on appointment.

Section 16. Confidentiality agreement
The Data Commissioner, or any staff of the Office, shall not, unless with lawful authority, disclose any information obtained for the purposes of this Act.

Section 17. Protection from personal liability
The Data Commissioner or any staff of the Office shall not be held liable for having performed any of their functions in good faith and in accordance with this Act.
Section 18. Registration of data controllers and data processors
(1) Subject to subsection (2), no person shall act as a data controller or data processor unless registered with the Data Commissioner.
(2)(a) the nature of industry;
(2)(b) the volumes of data processed;
(2)(c) whether sensitive personal data is being processed; and
(2)(d) any other criteria the Data Commissioner may specify.

Section 19. Application for registration
(1) A data controller or data processor required to register under section 18 shall apply to the Data Commissioner.
(2)(a) a description of the personal data to be processed by the data controller or data processor;
(2)(b) a description of the purpose for which the personal data is to be processed;
(2)(c) the category of data subjects to which the personal data relates;
(2)(d) contact details of the data controller or data processor;
(2)(e) a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
(2)(f) any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
(2)(g) any other details as may be prescribed by the Data Commissioner.
(3) A data controller or data processor who knowingly supplies any false or misleading detail under subsection (1) commits an offence.
(4) The Data Commissioner shall issue a certificate of registration where a data controller or data processor meets the requirements for registration.
Section 1...

Section 20. Duration of the registration certificate
A registration certificate issued under section 19 shall be valid for a period determined at the time of the application, after taking into account the need for the certificate, and the holder may apply for a renewal of the certificate after expiry of the certificate.

Section 21. Register of data controllers and data processors
(1) The Data Commissioner shall keep and maintain a register of the registered data controllers and data processors.
(2) The Data Commissioner may, at the request of a data controller or data processor, remove any entry in the register which has ceased to be applicable.
(3) The register shall be a public document and available for inspection by any person.
(4) A person may request the Data Commissioner for a certified copy of any entry in the register.
Section 22. Cancellation or variation of the certificate
any information given by the applicant is false or misleading; or

Section 23. Compliance and audit
The Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with this Act.

Section 24. Designation of the Data Protection Officer
(1)(a) the processing is carried out by a public body or private body, except for courts acting in their judicial capacity;
(1)(b) the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
(1)(c) the core activities of the data controller or the data processor consist of processing of sensitive categories of personal data.
(2) A data protection officer may be a staff member of the data controller or data processor and may fulfil other tasks and duties, provided that any such tasks and duties do not result in a conflict of interest.
(3) A group of entities may appoint a single data protection officer, provided that such officer is accessible by each entity.
(4) Where a data controller or a data processor is a public body, a single data protection officer may be designated for several such public bodies, taking into account their organisational structures.
(5) A person may be designated or appointed as...

Section 25. Principles of data protection
processed in accordance with the right to privacy of the data subject;
Section 26. Rights of a data subject
to be informed of the use to which their personal data is to be put;

Section 27. Exercise of rights of data subjects
where the data subject is a minor, by a person who has parental authority or by a guardian;

Section 28. Collection of personal data
(1) A data controller or data processor shall collect personal data directly from the data subject.
(2)(a) the data is contained in a public record;
(2)(b) the data subject has deliberately made the data public;
(2)(c) the data subject has consented to the collection from another source;
(2)(d) the data subject has an incapacity, and the guardian appointed has consented to the collection from another source;
(2)(e) the collection from another source would not prejudice the interests of the data subject;
(2)(f)(i) for the prevention, detection, investigation, prosecution and punishment of crime;
(2)(f)(ii) for the enforcement of a law which imposes a pecuniary penalty; or
(2)(f)(iii) for the protection of the interests of the data subject or another person.
(3) A data controller or data processor shall collect, store or use personal data for a purpose which is lawful, specific and explicitly defined.

Section 29. Duty to notify
the rights of the data subject specified under section 26;
Section 30. Lawful processing of personal data
(1)(a) the data subject consents to the processing for one or more specified purposes; or
(1)(b)(i) for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
(1)(b)(ii) for compliance with any legal obligation to which the controller is subject;
(1)(b)(iii) in order to protect the vital interests of the data subject or another natural person;
(1)(b)(iv) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(1)(b)(v) the performance of any task carried out by a public authority;
(1)(b)(vi) for the exercise, by any person in the public interest, of any other functions of a public nature;
(1)(b)(vii) for the legitimate interests pursued by the data controller or data processor by a third party to who...

Section 31. Data protection impact assessment
(1) Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.
(2)(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
(2)(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(2)(c) an assessment of the risks to the rights and freedoms of data subjects;
(2)(d) the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
(3) The data controller or data processor shall consult the Data Commissioner prior to the processing if a data pr...

Section 32. Conditions of consent
(1) A data controller or data processor shall bear the burden of proof for establishing a data subject's consent to the processing of their personal data for a specified purpose.
(2) Unless otherwise provided under this Act, a data subject shall have the right to withdraw consent at any time.
(3) The withdrawal of consent under subsection (2) shall not affect the lawfulness of processing based on prior consent before its withdrawal.
(4) In determining whether consent was freely given, account shall be taken of whether, among others, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Section 33. Processing of personal data relating to a child
(1)(a) consent is given by the child's parent or guardian; and
(1)(b) the processing is in such a manner that protects and advances the rights and best interests of the child.
(2) A data controller or data processor shall incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child.
(3)(a) available technology;
(3)(b) volume of personal data processed;
(3)(c) proportion of such personal data likely to be that of a child;
(3)(d) possibility of harm to a child arising out of processing of personal data; and
(3)(e) such other factors as may be specified by the Data Commissioner.
(4) A data controller or data processor that exclusively provides counselling or child protection services to a child may not be required to obtain parental consent as set out under subsection (1).
Section 34. Restrictions on processing
(1)(a) accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the data;
(1)(b) personal data is no longer required for the purpose of the processing, unless the data controller or data processor requires the personal data for the establishment, exercise or defence of a legal claim;
(1)(c) processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
(1)(d) the data subject has objected to the processing, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.
(2)(a) the personal data shall, unless the data is being stored, only be processed with the data subject's consent or for the establishment, exercise or defence of a legal claim, the protection of the rights of another person or for reasons of public interest; and
(2)(b) the data controller shall inform the data subject before withdrawing the restriction on processing of the personal data.
(3...

Section 35. Automated individual decision making
(1) Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject.
(2)(a) necessary for entering into, or performing, a contract between the data subject and a data controller;
(2)(b) authorised by a law to which the data controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or
(2)(c) based on the data subject's consent.
(3)(a) the data controller or data processor must, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing; and
(3)(b)(i) reconsider the decision; or
(3)(b)(ii) take a new decision that is not based solely on automated processing.
(4)(a) consider the request, including any information provided by the data subject that is relevant to it;
(4)(b) comply with the request; and
(4)...

Section 36. Objecting to processing
A data subject has a right to object to the processing of their personal data, unless the data controller or data processor demonstrates compelling legitimate interest for the processing which overrides the data subject's interests, or for the establishment, exercise or defence of a legal claim.

Section 37. Commercial use of data
(1)(a) has sought and obtained express consent from a data subject; or
(1)(b) is authorised to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.
(2) A data controller or data processor that uses personal data for commercial purposes shall, where possible, anonymise the data in such a manner as to ensure that the data subject is no longer identifiable.
(3) The Cabinet Secretary, in consultation with the Data Commissioner, may prescribe practice guidelines for commercial use of personal data in accordance with this Act.
Section 38. Right to data portability
(1) A data subject has the right to receive personal data concerning them in a structured, commonly used and machine-readable format.
(2) A data subject has the right to transmit the data obtained under subsection (1) to another data controller or data processor without any hindrance.
(3) Where technically possible, the data subject shall have the right to have the personal data transmitted directly from one data controller or processor to another.
(4) Where a data controller or data processor declines to comply with a request under subsection (3), the Data Commissioner may make a determination on the technical capacity of the data controller or data processor.
(5)(a) processing may be necessary for the performance of a task carried out in the public interest or in the exercise of an official authority; or
(5)(b) it may adversely affect the rights and freedoms of others.
(6) A data controller or data processor shall comply with data portability requests, at reasonable cost and within a period of thirty days.
(7) Where the portability request is complex or numerous, t...

Section 39. Limitation to retention of personal data
(1)(a) required or authorised by law;
(1)(b) reasonably necessary for a lawful purpose;
(1)(c) authorised or consented by the data subject; or
(1)(d) for historical, statistical, journalistic literature and art or research purposes.
(2) A data controller or data processor shall delete, erase, anonymise or pseudonymise personal data not necessary to be retained under subsection (1), in a manner as may be specified, at the expiry of the retention period.

Section 40. Right of rectification and erasure
(1)(a) to rectify without undue delay personal data in its possession or under its control that is inaccurate, out-dated, incomplete or misleading; or
(1)(b) to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorised to retain, or that is irrelevant, excessive or obtained unlawfully.
(2)(a) the rectification of such personal data in their possession or under their control that is inaccurate, out-dated, incomplete or misleading; or
(2)(b) the erasure or destruction of such personal data that the data controller is no longer authorised to retain, or that is irrelevant, excessive or obtained unlawfully.
(3) Where a data controller or data processor is required to rectify or erase personal data under subsection (1), but the personal data is required for the purposes of evidence, the data controller or data processor shall, instead of erasing or rectifying, restrict its processing and inform the data subject within a reasonable time.

Section 41. Data protection by design or by default
(1)(a) to implement the data protection principles in an effective manner; and
(1)(b) to integrate necessary safeguards for that purpose into the processing.
(2) The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing.
(3)(a) the amount of personal data collected;
(3)(b) the extent of its processing;
(3)(c) the period of its storage;
(3)(d) its accessibility; and
(3)(e) the cost of processing data and the technologies and tools used.
(4)(a) to identify reasonably foreseeable internal and external risks to personal data under the person's possession or control;
(4)(b) to establish and maintain appropriate safeguards against the identified risks;
(4)(c) to the pseudonymisation and encryption of personal data;
(4)(d) to the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(4)(e) to verify that the safeguards are effectively implemented...
Section 42. Particulars of determining organisational measures
(1)(a) the state of technological development available;
(1)(b) the cost of implementing any of the security measures;
(1)(c) the special risks that exist in the processing of the data; and
(1)(d) the nature of the data being processed.
(2)(a) the data controller shall opt for a data processor who provides sufficient guarantees in respect of organisational measures for the purpose of complying with section 41(1); and
(2)(b) the data controller and the data processor shall enter into a written contract which shall provide that the data processor shall act only on instructions received from the data controller and shall be bound by the obligations of the data controller.
(3) Where a data processor processes personal data other than as instructed by the data controller, the data processor shall be deemed to be a data controller in respect of that processing.
(4) A data controller or data processor shall take all reasonable steps to ensure that any person employed by or acting under the authority of the data controller or data processor complies w...

Section 43. Notification and communication of breach
(1)(a) notify the Data Commissioner without delay, within seventy-two hours of becoming aware of such breach; and
(1)(b) subject to subsection (3), communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
(2) Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.
(3) Where a data processor becomes aware of a personal data breach, the data processor shall notify the data controller without delay and, where reasonably practicable, within forty-eight hours of becoming aware of such breach.
(4) The data controller may delay or restrict communication referred to under subsection (1)(b) as necessary and proportionate for purposes of prevention, detection or investigation of an offence by the concerned relevant body.
(5)(a) description of the nature of the data breach;
(5)(b) description of the measures that the data controller or data processor intends to take or has taken to address the d...
Section 44. Processing of sensitive personal data
No category of sensitive personal data shall be processed unless section 25 applies to that processing.

Section 45. Permitted grounds for processing sensitive personal data
the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes; and

Section 46. Personal data relating to health
(1)(a) by or under the responsibility of a health care provider; or
(1)(b) by a person subject to the obligation of professional secrecy under any law.
(2)(a) is necessary for reasons of public interest in the area of public health; or
(2)(b) is carried out by another person who in the circumstances owes a duty of confidentiality under any law.

Section 67. Funds of the Office
monies allocated by the National Assembly for purposes of the Office;

Section 68. Annual estimates
(1) At least three months before the commencement of each financial year, the Data Commissioner shall cause to be prepared estimates of the revenue and expenditure of the Office for that year.
(2)(a) the payment of salaries, allowances and other charges in respect of the staff of the Office;
(2)(b) the payment of pensions, gratuities and other charges in respect of retirement benefits which are payable out of the finances of the Office;
(2)(c) the acquisition, maintenance, repair and replacement of the equipment and other movable property of the Office;
(2)(d) funding of training, research and development of activities of the Office;
(2)(e) the creation of such reserve funds to meet future or contingent liabilities or in respect of such other matters as the Data Commissioner may deem fit; and
(2)(f) any other expenditure for the purposes of this Act.
(3) The annual estimates shall be submitted to the Cabinet Secretary for tabling in the National Assembly.

Section 69. Accounts and Audit
The annual accounts of the Office shall be prepared, audited and reported in accordance with the provisions of Articles 226 and 229 of the Constitution, the Public Finance Management Act (Cap. 412A), or any other law relating to audit of public entities.

Section 70. Annual reports
(1) The Data Commissioner shall, within three months after the end of each financial year, prepare and submit to the Cabinet Secretary a report of the operations of the Office for the immediately preceding year.
(2) The Cabinet Secretary shall submit the annual report before the National Assembly within three months of receipt of the report under subsection (1).
(3)(a) the financial statements and description of activities of the Office;
(3)(b) such other statistical information as the Data Commissioner may consider appropriate relating to the Data Commissioner's functions;
(3)(c) the impact of the exercise of any of the Data Commissioner's mandate or function;
(3)(d) any impediments to the achievement of the object and purpose of this Act or any written law; and
(3)(e) any other information relating to its functions that the Data Commissioner may consider necessary.