Section 1
PRELIMINARY - 1. Citation.
Section 1. Citation. These Regulations may be cited as the Data Protection (Civil Registration) Regulations.
Section 2
Section 2. Interpretation. Section the National Registration Bureau;
Section 3
Section 3. Scope of the Regulations. Section registration of births;
Section 4
Section 4. Lawful processing of personal data. Section the Registration of Persons Act (Cap 107);
Section 5
Section 5. Privacy in processing personal data. Section access to the data in its system is only by authorized officers;
Section 6
Section 6. Consent. Section 6(1) A civil registration entity shall seek consent from a data subject for processing of personal data at the time the personal data is collected. Section 6(2)(a) the type of personal data to be processed; Section 6(2)(b) the magnitude of personal data to be processed; Section 6(2)(c) the reasons for the processing the required personal data; and Section 6(2)(d) whether the personal data processed shall be shared with third parties. Section 6(3)(a) the data subject is informed in a language they understand; Section 6(3)(b) the data subject voluntarily gives consent; Section 6(3)(c) consent is specific; and Section 6(3)(d) the data subject has capacity to understand and communicate their consent. Section 6(4) A civil registration entity shall obtain the consent in physical or electronic form.
Section 7
Section 7. Manner of giving consent. Section 7(1) Consent shall be given either orally or in writing and may include a handwritten signature, an oral statement, or use of an electronic medium to signify agreement. Section 7(2) A civil registration entity shall not presume that a data subject has given consent on the basis that the data subject did not object to a proposal to handle personal data in a particular manner. Section 7(3) Consent shall not be implied, where the intention of the data subject is ambiguous or there is reasonable doubt as to the intention of the data subject. Section 7(4) Subject to section 32(2) and (3) of the Act, the data subject shall be informed of the implications of providing, withholding or withdrawing consent by the civil registration entity.
Section 8
Section 8. Collection of personal data. Section 8(1)(a) collect personal data which it is permitted to collect by the data subject; Section 8(1)(b) undertake steps to ensure the quality of personal data; and Section 8(1)(c) undertake processes to secure personal data. Section 8(2) Where a civil registration entity intends to use personal data for a new purpose, it shall ensure that the new purpose is compatible with the initial purpose. Section 8(3) Where the new purpose is not compatible with the initial purpose, the civil registration entity shall seek fresh consent from the data subject. Section 8(4) Subject to section 32(2) and (3) of the Act, the data subject shall be informed of the implications of providing, withholding or withdrawing consent for the new purpose by the civil registration entity.
Section 9
Section 9. Limitation in processing of personal data. Section 9(1) A data subject may request a civil registration entity to restrict the processing of their personal data, pursuant to section 34 of the Act. Section 9(2) A request envisaged under paragraph (1) shall be in Form 1 set out in the First Schedule. Section 9(3)(a) consider the restriction request; Section 9(3)(b) respond in writing to the data subject within fourteen days from the date of receiving the restriction request; Section 9(3)(c) indicate on its system that the processing of personal data has been restricted; and Section 9(3)(d) notify any relevant third party where personal data subject to such restriction may have been shared. Section 9(4) Where a civil registration entity declines to comply with a request for restriction in processing, it shall within seven days notify the data subject of such decline giving reasons for the decision. Section 9(5) Where the application for restriction in limitation of processing of the data is declined, the data subject may appeal to the Data Commissioner.
Section 10
Section 10. Access to personal data. Section 10(1) A data subject shall make a request to access their personal data in Form 2 set out in the First Schedule. Section 10(2)(a) on request, provide access to a data subject to their personal data in its possession; and Section 10(2)(b) put in place electronic or manual mechanisms to enable data subjects to access their personal data.
Section 11
Section 11. Rectification of personal data. Section 11(1) Pursuant to section 40 of the Act, a data subject may request a civil registration entity to rectify their personal data, which is inaccurate, outdated, incomplete or misleading. Section 11(2) A request for rectification envisaged under paragraph (1) shall be made in Form 1 set out in the First Schedule. Section 11(3) An application for rectification of personal data shall be supported by the necessary documents, relevant to the rectification being sought. Section 11(4)(a) the data subject making the request; Section 11(4)(b) the personal data requested; Section 11(4)(c) the rectification requested by the data subject; Section 11(4)(d) the information useful to warrant the rectification; and Section 11(4)(e) the justification for rectification of the personal data. Section 11(5) A civil registration entity shall within thirty days rectify an entry of personal data in the database where the civil registration entity is satisfied that a rectification is necessary. Section 11(6) A civil registration entity shall in writing notify the data subject of its objection to rectify the personal data where such data is required as envis...
Section 12
Section 12. Objection to processing of personal data. A data subject who objects to the processing of personal data pursuant to section 26(c) of the Act, shall apply to the civil registration entity in Form 1 set out in the First Schedule.
Section 13
Section 13. Data portability request. A civil registration entity shall, upon request in writing by the data subject, provide the data subject with their personal data in a structured, commonly used and machine readable format within thirty days from the date of receipt of the request and upon payment of the required fees.
Section 14
Section 14. Exercise of data subject rights by others. Section 14(1) Subject to section 27 of the Act, where a person duly authorized by the data subject seeks to exercise the rights of a data subject on their behalf, the person exercising that right shall take into consideration the best interests of the data subject. Section 14(2) Where there is doubt as to the existence of a relationship between the duly authorized person and the data subject, the civil registration entity shall halt the request of exercising a right on behalf of the data subject until evidence to the contrary is adduced. Section 14(3)(a) a birth certificate; Section 14(3)(b) an adoption certificate; Section 14(3)(c) a court Order; or Section 14(3)(d) any other relevant document.
Section 15
Section 15. Processing of Personal data relating to a child. Section 15(1)(a) consent is given by the child’s parent or guardian; Section 15(1)(b) processing is done lawfully and safeguards the best interest of the child; Section 15(1)(c) where required, that the child is present; Section 15(1)(d) unauthorized access to personal data relating to a child is prohibited; Section 15(1)(e) it has design systems and processes that safeguard the best interest of the child; and Section 15(1)(f) the risks and consequences of the processing are identified, and appropriate safeguards are put in place.
Section 16
Section 16. Duty to notify. Section 16(1) The information given by the civil registration entity pursuant to section 29 of the Act shall be simple, clear and in an understandable language. Section 16(2) In giving the information envisaged under paragraph (1), a civil registration entity may use physical or electronic formats, verbal means or any other technology.
Section 17
Section 17. Retention of personal data. Section 17(1) A civil registration entity shall retain processed personal data in perpetuity and in accordance with the enabling written laws. Section 17(2) Where a civil registration entity processes personal data for a specific reason and does not require retention of the personal data in perpetuity, personal data shall be deleted, anonymised or pseudonymised. Section 17(3) A civil registration entity shall formulate administrative mechanisms that describe the categories of personal data that shall be deleted, erased, anonymised or pseudonymised.
Section 18
Section 18. Notification of breach of personal data. Section 18(1) Pursuant to section 43 of the Act, a civil registration entity shall in writing notify the Data Commissioner and communicate to the data subject of breach to personal data. Section 18(2) Where a data subject suspects that their personal data has been breached, the data subject may, within fourteen days from the date of such suspicion, notify the respective civil registration entity and the Data Commissioner of such personal data breach in writing. Section 18(3) The provisions of regulation 23 shall apply to this regulation with necessary modifications.
Section 19
Section 19. Data protection impact assessment. Section 19(1) Where a data protection impact assessment may be required in accordance with section 31 of the Act, a civil registration entity shall conduct the data protection impact assessment guided by Form 1 set out in the Second Schedule. Section 19(2) The data impact assessment report prepared pursuant to paragraph (1) shall, with the approval of the Data Commissioner, be published in the manner determined by the Data Commissioner.
Section 20
Section 20. Responsibilities of Data Protection Officer. Section 20(1)(a) monitor and evaluate the efficiency of the data systems in the organization; and Section 20(1)(b) keep written records of the processing activities of the civil registration entity. Section 20(2)(a) the name and contact details of the civil registration entity; Section 20(2)(b) the purpose for processing the data; Section 20(2)(c) a description of the categories of the data subjects and of the categories of the personal data; Section 20(2)(d) the categories of recipients to whom personal data have or shall be disclosed to, including to those outside Kenya; Section 20(2)(e) any transfers of personal data outside Kenya including the identification of the third party or an organization outside Kenya to which the data is to be transferred; Section 20(2)(f) a description of the technical and security measures that have been utilized to alleviate data-related risks; Section 20(2)(g) number of staff trained on the data protection; and Section 20(2)(h) data protection impact assessment undertaken, if any.
Section 21
Section 21. Sharing of personal information with public agencies. Section 21(1) Subject to section 25 of the Act, a civil registration entity may make personal data collected by it, available to a public agency, upon request. Section 21(2)(a) made by an authorized officer of the requesting public agency; Section 21(2)(b)(i) the purpose for which personal data is required; Section 21(2)(b)(ii) the duration for which personal data shall be kept; and Section 21(2)(b)(iii) proof of the safeguards put in place to secure personal data from unlawful disclosure. Section 21(3)(a) be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is requested; and Section 21(3)(b) not be processed in a manner that is incompatible with the purpose for which it was requested.
Section 22
Section 22. Automated individual decision making. Section 22(1)(a) inform the data subject when engaging in the automated processing; Section 22(1)(b) provide meaningful information about the logic involved; Section 22(1)(c) explain the significance and envisaged consequences of the processing; Section 22(1)(d) ensure the prevention of errors, bias and discrimination; Section 22(1)(e) use appropriate mathematical or statistical procedures; Section 22(1)(f) put appropriate technical and organizational measures in place, so that it can correct inaccuracies and minimize the risk of errors; Section 22(1)(g) secure personal data in a way that is proportionate to the risk to the interests and rights of the data subject, and that prevents discriminatory effects; and Section 22(1)(h)(i) obtain human intervention; and Section 22(1)(h)(ii) express their point of view.
Section 23
Section 23. Internal complaints handling procedure. Section 23(1) Where a data subject is aggrieved by the processing of their personal data, the data subject may lodge a complaint with the civil registration entity. Section 23(2) A complaint made under paragraph (1) may be made orally or in writing. Section 23(3) A civil registration entity shall reduce an oral complaint into writing and shall be executed by the complainant. Section 23(4)(a) the full name of the data subject lodging the complaint; Section 23(4)(b) contact details of the data subject; Section 23(4)(c) details of the complaint; Section 23(4)(d) period over which the suspected wrongdoing occurred; or Section 23(4)(e) documentary evidence in support of the complaint where available. Section 23(5) The civil registration entity shall investigate the complaint and notify the data subject of the investigation outcome in writing within seven days from the date of completion of the investigation and any action taken where the complaint has been upheld. Section 23(6) The civil registration entity shall inform the data subject of the right to appeal to the Data Commissioner, where the data subject is dissatisfied with the dec...
Section 24
Section 24. Data protection by design or default. Section 24(1) A civil registration entity shall embed data privacy features directly into the design of the database to ensure protection of personal data. Section 24(2)(a) data protection principles; Section 24(2)(b) enforceability mechanisms of the data subject’s rights; Section 24(2)(c) risk management mechanisms for data protection and for information security; Section 24(2)(d) cyber security measures; Section 24(2)(e) access security; Section 24(2)(f) physical security; and Section 24(2)(g) de-identification measures. Section 24(3)(a) protect personal data it holds from misuse, interference and loss, and unauthorized access, modification or disclosure; and Section 24(3)(b) protect personal data at all stages of the personal data lifecycle.
Section 25
Section 25. Security safeguards of personal data. Section technical safeguards for encryption of personal data at rest or in transit;
Section 26
Section 26. Database security. A civil registration entity shall implement restriction of unauthorized access, configuration to prevent distributed denial of service attack or user overload and continuous database backup to enhance database security.
Section 27
Section 27. Monitoring by the Data Commissioner. The Data Commissioner may on a periodic basis conduct monitoring and evaluation of security safeguards employed by a civil registration entity.
Section 28
Section 28. Data security procedure. Section 28(1) A civil registration entity shall formulate a written data security procedure for its entity. Section 28(2)(a) instructions concerning physical protection of the database sites and their surroundings; Section 28(2)(b) access authorizations to the database and database systems; Section 28(2)(c) description of the means intended to protect the database systems and the manner of their operation for this purpose; Section 28(2)(d) instructions to authorized officer of the database and database systems regarding the protection of data stored in the database; Section 28(2)(e) the risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities; Section 28(2)(f) the manner of dealing with information security incidents, according to the severity of the incident; Section 28(2)(g) instructions concerning the management and usage of portable devices; Section 28(2)(h) instructions with respect to conducting periodical audits to ensure that appropriate security measures, in accordance with the Procedure and these Regulations exist; and Section 28(2)(i) instructions regarding backup of person...
Section 29
Section 29. Database systems and a risk assessment. Section 29(1)(a) infrastructure and hardware systems, types of communication and data security components; Section 29(1)(b) the software systems used to operate, administer and maintain the database, to support, monitor and secure its activity; Section 29(1)(c) software and interfaces used for communication to and from the database systems; Section 29(1)(d) a diagram of the network in which the database is operating, including a description of the connections between the different system components and the physical location of components; and Section 29(1)(e) the dates in which the document and the inventory were last updated. Section 29(2) The up-to-date database structure document and inventory shall be secured in such a manner that only authorized users who require them for the performance of their role shall be provided access. Section 29(3) The civil registration entity shall be responsible to conduct a data security risk assessment. Section 29(4)(a) the findings of the risk assessment provided; and Section 29(4)(b) the need to update the database definitions document or the data security procedure as a result, and act to ame...
Section 30
Section 30. Physical protection and secure surroundings. Section 30(1) A civil registration entity shall ensure that the database and database systems are maintained in a secure place, preventing unauthorized access, and which is suitable to the nature of the database activity and the sensitivity of information therein. Section 30(2) A civil registration entity shall take measures to monitor and document the entry to and exit from sites in which the database or database systems are located, including the setting and removing of equipment in and from the database systems.
Section 31
Section 31. Data security in manpower management. Section 31(1) A civil registration entity shall not grant access to information stored in the database and shall not change the scope of authorization granted, unless the civil registration entity has undertaken reasonable measures, to screen and place authorized officers, to ensure that the unauthorized user is not granted access to the personal data stored in the database. Section 31(2) The measures specified under paragraph (1) shall be taken in accordance with the sensitivity of the information in the database and the scope of access permissions attached to the role proposed to the relevant person. Section 31(3) Prior to authorized officers gaining access to the database or before a change in the scope of their authorizations, the civil registration entity shall train authorized officer on the obligations embodied in the Act and these Regulations.
Section 32
Section 32. Access permission management. Section 32(1) A civil registration entity shall determine access permission of authorized users to the database and database systems in accordance with the authorized officer’s responsibilities. Section 32(2) Access permission shall be granted to the extent required for performing the role. Section 32(3) A civil registration entity shall keep an up-to-date record of authorized user’s roles, user permission granted to these roles and the authorized users performing such roles. Section 32(4) Immediately following the termination of an authorized user’s role, a civil registration entity shall revoke the permission of an authorized user who has ceased working in their role, and change the passwords to the database and database systems to which the authorized user could have known.
Section 33
Section 33. Monitoring and documenting access. Section 33(1)(a) user identity; Section 33(1)(b) date and time of access attempt; Section 33(1)(c) system component to which access was attempted; and Section 33(1)(d) access type, its scope, and whether access was granted or denied. Section 33(2)(a) not enable disabling or modifying its operation; and Section 33(2)(b) in the event of disabling or modifying, send alerts to the authorized officer or any other relevant person.
Section 34
Section 34. Documentation of security incidents. Section 34(1) A civil registration entity shall document cases in which a data security incident was discovered, raising concern regarding a breach of personal data integrity, unauthorized use thereof or deviation from authorization. Section 34(2) The documentation specified under paragraph (1) shall, as far as is practicable, be stored in electronic form. Section 34(3)(a) revoking authorizations and other necessary immediate measures; and Section 34(3)(b) reporting security incidents, to the Data Commissioner and the actions taken in response to the security incidents.
Section 35
Section 35. Network security. Section 35(1) A civil registration entity shall not connect the database systems to the internet or to another public network without installing the appropriate safeguards against unauthorized access or against software that may damage or disrupt computers or computer material. Section 35(2) The transfer of personal data from the database through a public network or the internet shall be conducted by commonly used encryption methods.
Section 36
Section 36. Periodical audits. Section 36(1) The civil registration entity shall conduct, at least once in twenty-four months, an internal or external audit by an auditor adequately trained in the field of data security who is not the civil registration entity’s data protection officer, in order to ensure it complies with the provisions of the Act and these Regulations. Section 36(2) The auditor shall report on the adherence of the security measures to the data security procedure and to these Regulations, identify shortcomings and recommend the necessary measures to correct the situation. Section 36(3) A civil registration entity shall review the audit reports specified under sub-regulation (2) and assess the need to update the database definitions document or the data security procedure, accordingly. Section 36(4) A civil registration entity that controls several databases may comply with the duty prescribed in this regulation by performing a single audit for all the databases it controls.
Section 37
Section 37. Data backup and restoration. Section 37(1) The civil registration entity shall retain the backup copy of the data and of the security procedures in a manner that ensures the integrity of the personal data and the ability to restore the information in case of loss or destruction. Section 37(2)(a) procedures for routine periodical backup in accordance with these Regulations; and Section 37(2)(b) procedures to ensure restoration of the data. Section 37(3) In documenting security incidents pursuant to regulation 34, data restoring processes shall also be documented, including the identity of the person who performed the data restoration and the details of the personal data restored.
Section 38
Section 38. Transfer of personal data outside Kenya. Section 38(1) A civil registration entity shall not transfer personal data collected for civil registration purposes out of Kenya, except with the written approval of the Data Commissioner. Section 38(2) A person who contravenes Paragraph (1) shall, on conviction, be liable to a penalty specified under section 73 of the Act.
Section 39
Section 39. Reports to the Data Commissioner. A civil registration entity shall, on annual basis, submit a compliance report to the Data Commissioner.
Section 40
Section 40. Outsourcing. Section 40(1)(a) assess, prior to entering an agreement with the external service provider, the data security risks involved in the engagement; Section 40(1)(b)(i) the data the external service provider may process and the permitted purposes of its use as required by the agreement between the parties; Section 40(1)(b)(ii) the database systems that the external service provider may access; Section 40(1)(b)(iii) the type of processing or activities the external service provider may perform; Section 40(1)(b)(iv) the agreement duration, the manner of returning the data to the civil registration entity at the end of the agreement, its destruction at the disposal of the external service provider and of reporting accordingly to the civil registration entity; Section 40(1)(b)(v) the manner data security obligations which apply to the processor of the database according to these Regulations are implemented, and additional data security instructions set by the civil registration entity, if any; Section 40(1)(b)(vi...