Highlights from Sector-Specific Guidance Notes on Processing Personal Data by the ODPC

In January 2024, the Office of the Data Protection Commissioner (ODPC) published sector-specific guidance notes for the education, health, communications, and digital credit providers sectors.¹ The guidance notes were given as a mandate of the ODPC as prescribed under section 74(1)(d) of The Data Protection Act (DPA), which calls on the Data Commissioner to “develop sector-specific guidelines in consultation with relevant stakeholders in areas such as health, financial services, education, social Protection and any other area as the Data Commissioner may determine.”

The Guidance notes highlight privacy concerns that may arise within the respective sectors, recommend applying the provisions of the DPA in their day-to-day data processing, and provide examples of how the privacy issues may be mitigated or resolved. The highlights below canvass the privacy issues in each sector and outline the recommendations.

Digital Credit Providers

The Guidance Note for Digital Credit Providers highlights legislative frameworks for Digital Lenders. Key frameworks identified are the Prevention of Money Laundering and Combating the Financing of Terrorism Act (POCAMLA), the Data Protection Act, and the Central Bank of Kenya Regulations. The Guidance Note for digital lenders raises several data privacy concerns in the digital credit industry, including:²

• Collection, storage, and analysis of a wide range of customer data: Technological advancements have enabled financial services providers to collect, store, combine, and analyse a broader range of customer data, including location, behaviours, and preferences. While this can benefit consumers, it poses new risks specific to digital credit providers that may require a focused policy response.³

• Consumer consent and understanding of terms: Consumers may skip over product terms and conditions due to length, complexity, or time constraints, leading them to consent to terms they may have yet to agree to if the terms were clearer. Privacy policies published by digital credit providers may only sometimes meet compliance requirements outlined in the Data Protection Act, especially when data is shared with third parties.⁴

• Violation of the right to privacy: The Kenyan Constitution guarantees citizens the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed. Digital credit providers may violate this provision if they publish information about a data subject without a lawful basis.⁵

The Guidance Note for Digital Credit providers offers several recommendations to ensure compliance with data protection regulations and promote responsible practices in the industry. Some of the key recommendations deriving from the compliance checklist given include:⁶

• The Right to Privacy: Respecting the right to privacy acknowledges that individuals have a fundamental human right to control their personal information and how it is used. This principle requires digital credit providers to handle personal data carefully, ensuring that it is processed lawfully, fairly, and transparently. Identifying appropriate legal bases for data processing under the Data Protection Act is crucial to ensure that personal data is processed under the law. By establishing a legal basis for processing, such as consent, contract performance, legitimate interests, or legal obligations, digital credit providers can demonstrate compliance with data protection regulations and respect individuals’ privacy rights⁷

• Data Protection by Design and Default Implementing appropriate technical and organisational measures to ensure data protection by design and by default is a critical aspect of data privacy and security practices for digital credit providers. This approach integrates privacy and data protection considerations into the design and operation of systems, processes, and services from the outset. Key components of this include data minimisation, security measures, both institutional and technical, and transparency in data collection and use practices.⁸

• Compliance with Data Protection Laws: All personal data processing must adhere to relevant regulations and align with the original data collection purposes. Accuracy and transparency are needed to guide up-to-date information submission to the Office of the Data Protection Commissioner. Providing complete and accurate information during registration is essential for entities in the healthcare sector subject to mandatory registration.

• Transparency in business operations: Digital credit providers should communicate with data subjects transparently and understand how their personal data is being processed. This includes informing individuals about the purposes for which their data is being collected, the types of data being collected, how it will be used, and any third parties with whom the data may be shared.⁹

Health Sector

The healthcare industry in Kenya extensively utilises personal data for various purposes, including collecting, storing, and analysing significant amounts of data during registration, diagnosis, storage, analysis, and transfer. As a result, leveraging digital solutions and technologies constantly transforms how healthcare data is transferred, stored, and accessed, influencing healthcare data management. The Guidance Note on the Processing of Health Data guides healthcare institutions and stakeholders in Kenya regarding their obligations when processing personal data, ensuring that personal data related to healthcare services is processed fairly, legally, and transparently, in compliance with data protection laws and regulations. Data privacy issues raised in the Guidance Note relate to ¹⁰

• Lack of Privacy Notices: The absence of privacy notices on healthcare providers’ websites or their unavailability to the public creates a lack of transparency, creating uncertainty among data subjects about how their personal information is processed.¹¹

• Surveillance Technology: The adoption of surveillance technology as a safety measure raises concerns about the extent of monitoring and potential misuse of collected data. The widespread use and deployment of surveillance technology in healthcare, which includes CCTV and AI tools for monitoring patients’ online conduct, has raised concerns regarding privacy infringement. Continuous monitoring may infringe on individuals’ privacy, creating uncertainty about the scale of surveillance operations and data acquisition and amplifying concerns about privacy violations.¹²

• Inconsistent Laws and Policies: Existing laws and policies in the health sector may need to align with the Data Protection Act, leading to compliance gaps and potential data protection issues. Inconsistencies between regulations can create confusion and hinder adequate personal data protection. This lack of alignment poses privacy risks, exposing individuals to unauthorised access and misuse of sensitive information.¹³

• Vendor Practices: Untrustworthy vendors in the healthcare sector may misuse personal health data by collecting and reusing it without stakeholders’ consent, potentially compromising privacy. This lack of transparency raises concerns about data handling practices, leading to uncertainties and risks of unauthorised access to sensitive information.¹⁴

• Data Security Risks: The adoption of healthcare technologies, particularly cloud-based solutions, introduces significant data security risks in the healthcare sector. Non-efficient encryption algorithms used in these solutions can create vulnerabilities that malicious actors may exploit to gain unauthorised access to sensitive health data. Additionally, hosting health data online through cloud systems exposes it to inherent vulnerabilities that cyber attackers can target.

• Profiling and Predictive Analysis: Practices such as profiling and predictive analysis can adversely impact individuals and their privacy rights. Therefore, there is a need for careful consideration and the implementation of robust data protection measures when engaging in profiling and predictive analysis using health data. This caution is essential to mitigate the risks associated with the potential misuse of health data.¹⁵

In line with this, the Center for Intellectual Property and Information Technology (CIPIT) had previously published a report and policy brief on developing sector-specific guidelines for the health sector recommendations reflected in the Guidance Note. The following key recommendations are summarily noted in the Guidance Note to address privacy concerns and further apply the Data Protection Act.¹⁶

• Lawful, Fair, and Transparent Processing: Healthcare institutions must process personal data legally, fairly, and transparently. This includes obtaining explicit, specific, and easily revocable consent from data subjects for processing their health-related data.¹⁷

• Legitimate Processing Criteria: Data controllers or processors must meet specific criteria for processing health-related data, such as medical diagnosis and treatment, public health considerations, legal obligations, contractual purposes, or data subjects manifestly making the data public.¹⁸

• Confidentiality Obligations: Health-related data should only be processed by healthcare providers or individuals obligated to maintain professional secrecy under the law. Data processing must be necessary for public interest in public health or carried out by individuals subject to confidentiality duties.¹⁹

• Establishing Safeguards: Healthcare institutions must develop appropriate safeguards to ensure data security and respect for individual rights when processing health data. This includes implementing security measures, data retention policies, and procedures for data sharing or transfers.²⁰

• Privacy Notices: Healthcare institutions are required to issue privacy notices to inform data subjects about the processing of their data. These notices should include details on data categories, processing purposes, data collection methods, data security measures, rights regarding personal data, and contact information for the Data Protection Officer where applicable.²¹

• Transparency in Data Collection: When collecting personal data from patients, healthcare providers must identify the lawful purpose for processing the data, such as performing a contract or obtaining explicit consent. Additionally, healthcare providers must notify patients of their rights and provide information about the data collection process. Transparency in data collection promotes fair and lawful processing practices.²²

Education Sector

The education sector in Kenya plays a significant role in collecting, storing, and analysing vast amounts of personal data concerning students, teachers, and various stakeholders. This sector encompasses sub-sectors like Early Learning, Basic Education, Vocational Training, University Education, and more, overseen by entities such as the Ministry of Education and the Teachers Service Commission.²³ With over 16 million children and youth served by approximately 90,000 schools and hundreds of thousands of teachers, the sector’s expansion to accommodate more students underscores the extensive personal data processing involved.²⁴

Notably, the National Education Management Information System (NEMIS) stands out as one of Kenya’s largest databases of personal data. The actors in processing learner data range from direct relationships like teachers to entities like the Ministry of Education and Semi-Autonomous Government Agencies (SAGAs) handling data for analytics, examinations, and performance evaluations.²⁵ With this, The Guidance Note for the Education Sector identifies several privacy concerns, which include:²⁶

• Unauthorised Access to Student Records: Allowing parents unauthorised access to university students’ records can lead to privacy breaches, especially for adult students.²⁷

• Use of Personal Data without Consent: Posting or using photos or videos in school materials or websites without valid consent raises privacy concerns.²⁸

• Data Accuracy and Retention: The collection and retention of excessive data or data for more extended periods than necessary can pose privacy risks.²⁹

• CCTV Surveillance: Using CCTV cameras in boarding schools raises privacy concerns due to the intrusive nature of surveillance.³⁰

• Data Breaches and Cybersecurity: Adopting digital technologies in education introduces vulnerabilities to cyber-attacks, data breaches, and privacy violations.³¹

• Vendor Data Usage: Concerns arise from how vendors may collect and use personal data, potentially without the knowledge of educational institutions or data subjects.³²

• Cloud-Based Solutions Risks: Risks associated with cloud-based solutions include minimal control over data and potential security vulnerabilities.³³

• Surveillance Technology: While surveillance technology is often seen as a safety measure, its pervasive use can lead to privacy infringements.

• Disproportionate Data Disclosures: Disclosing sensitive data, such as health information or academic records, to larger groups without proper consent raises privacy concerns.³⁴

• Publication of Personal Information: Publishing personal information, such as exam results or photos, without consent violates individuals’ privacy rights.³⁵

Critical recommendations provided in the Guidance Notes in identifying and mitigating risk factors include:

• Identifying Lawful Basis and Purpose: Educational institutions should identify a lawful basis and purpose for processing personal data, especially sensitive data, ensuring compliance with data protection laws. Public institutions like schools and universities have the authority to process personal data while performing tasks in the public interest or exercising official authority. These tasks encompass education provision, administration, research, and related activities.³⁶

• Obtaining Explicit Consent: Institutions must obtain explicit consent from data subjects before processing sensitive personal data, ensuring clarity and specificity in the consent process. Schools are responsible for informing parents and guardians about data collection initiatives, providing details about the purpose of the data collection, and determining the protective measures in place.³⁷

• Transparency and Information Provision: Educational institutions should provide clear and easily understandable information to individuals about data processing activities, including the types of data collected, purposes of processing, and rights of data subjects. This is especially highlighted in the processing of sensitive personal data. Institutions must follow legal guidelines when handling sensitive personal data to enhance the protection of individuals’ privacy rights. This data may encompass health details, race, ethnicity, religion, biometric data, and sexual orientation. The Data Protection Act 2019 restricts the processing of sensitive personal data, except in defined situations as per the law.³⁸

• Data Accuracy and Retention: Procedures should be implemented to ensure the accuracy of personal data by regularly reviewing and updating information. Institutions should have internal controls that allow data subjects to verify and update their data. Data should only be retained for as much time as necessary for the specified purposes, and institutions should have retention policies in place that align with relevant laws and educational policies to determine appropriate storage periods.³⁹

• Data Security Measures: To enhance data security, institutions should implement robust measures such as encryption and restricted access to safeguard personal data from unauthorised access and breaches. Encryption ensures that data is encoded and can only be decoded by authorised parties, while restricted access controls limit who can view or manipulate the data. These measures help prevent unauthorised access and protect sensitive information from potential breaches.⁴⁰

• Limiting Data Collection: In accordance with the purpose limitation principle,⁴¹ institutions should collect and store only essential personal data required for specific purposes. This practice helps prevent excessive data collection and ensures that data processing is limited to what is necessary for the intended use. By adhering to this principle, institutions can minimise the risk of unauthorised access or misuse of personal information.⁴²

• Vendor Management: When engaging third-party vendors for data processing activities, educational institutions should exercise caution and ensure that these vendors adhere to data protection standards. Verifying that vendors have robust data security measures is essential to prevent data security compromise. Institutions should also establish clear contractual agreements with vendors outlining their responsibilities and obligations regarding data protection and security. Monitoring and oversight of vendor activities are also recommended to maintain data security standards.⁴³

• Compliance Audits: Compliance audits are essential for educational institutions in the education sector to receive tailored guidance and recommendations for ensuring compliance with data protection laws. These audits help institutions meet legal requirements and demonstrate adherence to data protection principles. Regular audits and risk assessments are emphasised to maintain compliance. It is recommended that institutions appoint a data protection officer to oversee compliance efforts and conduct these audits effectively.⁴⁴

• Privacy Notices: Schools are mandated to craft a personalised privacy notice detailing the specific data processing activities pertinent to that institution. These notices should outline the rights of data subjects and how they can be exercised. Educational institutions are advised to offer comprehensive guidance in their privacy notices regarding various data protection principles, such as the lawful basis for processing personal data, fair processing, data retention, security protocols, automated decision-making, profiling, and biometric data usage. The Guidance Note further recommends incorporating checklists to assist school administrations in understanding the requirements and ensuring compliance with pertinent legal obligations concerning privacy notices.⁴⁵

Communications Sector

In Kenya, the communications sector includes service providers offering telecommunication, broadcasting, postal, and courier services, overseen by the sector regulator. The Data Protection Act and the Data Protection (General) Regulations 2021 detail the regulator’s and service providers’ responsibilities and obligations for data subjects. The Guidance Note for the Communication Sector addresses a) implementing data protection principles in telecommunications, b) legal grounds for processing personal data, c) the sector regulator and service providers responsible for being data controllers or processors, and d) data subjects’ rights.⁴⁶ In so doing, privacy concerns in the sector were identified as follows:

• Data collection and tracking: Communication service providers must obtain explicit and informed consent from data subjects before collecting and tracking their data. This consent should be freely given and specific, detailing the collected data types, usage, access, and retention period. Additionally, processing data related to children requires parental consent to safeguard their rights and interests.⁴⁷

• Encryption and decryption: Communication service providers must carefully balance the use of encryption to safeguard sensitive data during transmission with the challenges it may pose for law enforcement agencies in accessing information. When deploying encryption technologies, it is essential to consider privacy concerns and security requirements. Service providers should assess the potential privacy risks associated with decryption technologies and backdoors before implementation to protect user data and privacy rights effectively.⁴⁸

• Surveillance: Entities conducting surveillance activities must prioritise legal compliance by adhering to relevant laws and regulations governing monitoring individuals’ internet activity, phone calls, and text messages. To prevent privacy violations, entities must obtain necessary warrants or permissions before engaging in surveillance. Transparency and accountability are fundamental principles that should guide surveillance practices, with entities being transparent about their monitoring activities and accountable for the data collected.⁴⁹

• Cybersecurity breaches: robust cybersecurity measures are necessary for communications companies to safeguard users’ data against potential breaches. Companies are urged to protect sensitive information from unauthorised access or theft by implementing advanced security technologies and protocols. Regular security assessments and audits are recommended to identify vulnerabilities and weaknesses in the system, allowing companies to address security risks and enhance their cybersecurity posture proactively. A comprehensive incident response plan is crucial for effectively managing cybersecurity breaches, outlining clear procedures for detecting, responding to, and recovering from security incidents to minimise user impact and mitigate potential data breaches.⁵⁰

• Misuse of personal data: Communication companies may share or sell personal data to advertisers and third parties without user consent, resulting in unwanted marketing messages and spam.⁵¹

Recommendations provided include ⁵²

• Consent: The recommendation under consent emphasises the importance of data controllers clearly defining the personal data needed before processing, offering individuals detailed information for informed decisions, and limiting data processing to what is essential for the intended purpose. It advises obtaining explicit consent through voluntary actions to ensure individuals comprehend and approve the processing.⁵³

• Data Privacy: The Guidance Note recommends service providers implement access control policies to restrict access to personal data to unauthorised personnel, including user permissions and authentication mechanisms. Additionally, data encryption is advised to protect data confidentiality and integrity during storage and transmission. Maintaining audit trails of system changes and data access activities is also emphasised to track data access modifications and enhance accountability in data handling processes.⁵⁴

• Compliance with legal obligations: data controllers should regularly review and update their privacy policies to align with data processing practices and law changes. These policies should be written in plain language, avoiding technical terms and may include visual aids for better understanding by data subjects. Additionally, data controllers are permitted to process personal data if necessary to meet legal obligations, emphasising the importance of ensuring that data processing activities comply with specific legal requirements and are essential for fulfilling legal obligations.⁵⁵

• Legitimate Interest Pursued by Data Controller or Data Processor: The Guidance Note allows data controllers or processors to process personal data based on their legitimate interests, as long as these interests do not override the fundamental rights and freedoms of the data subjects. This means that legitimate interests should justify data processing activities but not infringe upon the rights and freedoms of the individuals whose data is being processed.⁵⁶

Conclusion

Summarily, the ODPC Guidance Notes on processing personal data offer insights on privacy issues and recommendations in mitigating potential harms and risks for various sectors, including digital credit providers, education institutions, telecommunication companies, and health, to enhance data protection practices and ensure compliance with relevant legislation such as the Data Protection Act. The Guidance Notes emphasise the need to adhere to the data protection principles provided in the DPA, protect individual data privacy rights, establish clear guidelines for data processing activities, and ensure adherence to legal requirements and data protection principles across different sectors.

Image is by Getty Images Signature