The Office of the Data Protection Commissioner (ODPC) on Friday conducted a public sensitisation forum under the County Awareness Outreach Programme in Uasin Gishu to educate participants on the mandate of the ODPC, the provisions of the Data Protection Act 2019, and the regulations.
The participants were drawn from various government departments and agencies, private organisations, civil society organisations, religious organisations and others.
Speaking during the forum, the Principal Advocacy Officer (PAO) at the ODPC, Abdulahi Ali, pointed out that the privacy policy framework is enshrined in the Constitution of Kenya 2010 under Article 31 (C) and (D), and that the enactment of the Data Protection Act (DPA), 2019, paved the way for the establishment of the ODPC.
“The ODPC is an independent institution of government mandated to regulate the processing of personal data, ensuring the data of the subjects is protected and protecting privacy of individuals by ensuring their privacy rights are not infringed,” he said.
He noted that the ODPC, through the DPA, is keen on ensuring the safety of individuals' personal data, such as national ID number, phone number, location and birth certificate, and sensitive data, such as health status, biometric data, ethnicity and marital status.
“The ODPC functions to protect the privacy of individuals, provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act and to educate and create awareness to the public on their rights and obligations under the Act and also promoting international cooperation in matters of data protection,” explained Ali.
He identified key driving factors for data protection and the government priority agenda, which include e-commerce, ICT and innovation, data transfer, the right to privacy and increased collection of personal information.
The principal advocacy officer reiterated the need for data controllers, who collect data from the primary source, and processors, who process the information on behalf of the controllers on a contractual basis, to adopt practices that take into account the principles, rights of data subjects and safeguards under the DPA 2019.
Uasin Gishu County Commissioner, Dr Eddyson Nyale, stressed the government’s commitment to prioritising data protection by establishing the ODPC.
He noted that the government is moving forward to use technology to promote its Bottom-Up Economic Transformation Agenda (BETA) and hence the need to ensure proper structures to protect the data of the citizens from unlawful use.
The stakeholders, including the data controllers and processors, were also sensitised on the principles and guidelines of data protection, such as lawfulness, fairness and transparency, purpose limitation, accuracy and accountability, among others.
In his presentation, Nicholas Kipkoech, a Data Protection Officer (DPO) at the ODPC, called on data processors to adhere to the lawful basis of processing personal data, such as seeking consent from the data subjects.
He indicated that data controllers and processors should comply by registering with the ODPC, ensuring their services and programmes comply with the data protection framework, developing a data protection policy, entering into contractual data sharing agreements, conducting Data Protection Impact Assessments (DPIA) and notifying the Data Commissioner within 72 hours in case of a data breach, as well as communicating the same to the data subject.
In his remarks, Jotham Makanga, also a DPO at the ODPC, said that the Data Protection Act 2019, in Section 25, widens and simplifies the rights to privacy, adding that the DPA gives effect to the right to privacy as provided in Article 31 of the Constitution of Kenya 2010.
He indicated that data subjects, according to the DPA, have a right to be informed that their data is collected, a right to access personal data, and a right to correction and deletion.
Additionally, data subjects have a right to object to the processing of their personal data and to automated decision making. They also have the right to data portability and the right to data erasure.
Failure by data controllers and processors to comply with the provisions of the Act may result in several consequences, such as legal action by data subjects and relevant regulatory authorities, reputational damage and financial penalties of up to Sh 5 million or 1 percent of the gross turnover of the previous financial year.
By Ekuwam Sylvester