The Office of the Data Protection Commissioner (ODPC) yesterday commemorated its fifth anniversary, marking a significant milestone in Kenya’s journey towards ensuring data privacy and security.
Since its inception in 2019, the ODPC has been at the forefront of safeguarding personal data and promoting responsible data handling practices.
Gracing the event were Data protection Commissioner, Immaculate Kassait; Executive Director Amnesty International Kenya, Irungu Houghton and Data Governance and Privacy Society of Kenya, Dr Mugambi Laibuta among others.
“As the Data Protection Act (2019) turns 5, we celebrate the progress made and the shared commitment to ensuring the safety and security of personal data,” said Immaculate Kassait, Data Protection Commissioner.
Speaking at the celebratory event at Villa Rosa Kempinski hotel, Nairobi, the data commissioner expressed her gratitude saying, “Thank you to everyone who contributed to this milestone, and here’s to continued growth and collaboration in the years to come.”
Key Achievements and Milestones:
- Registered Data Handlers: Over 7,223 data handlers, including those in finance, healthcare, education, NGOs, and telecommunications, have been registered with the ODPC.
- Guidance Notes: The ODPC has published eight guidance notes to provide sector-specific data protection standards and practices, covering areas such as data protection impact assessments, electoral purposes, finance, health, education, and technology.
- Complaint Resolution: The ODPC has processed numerous complaints, resulting in 155 determinations, 75 enforcement notices, and 11 penalty notices.
- Regional Offices: The ODPC has established five regional offices in Nyeri, Mombasa, Kisumu, Nakuru, and Eldoret to enhance accessibility and compliance across the country.
- International Recognition: Data Commissioner Immaculate Kassait has been appointed as the first Vice Chair to the board of the Network of African Data Protection Authorities (NADPA-RAPDP).
Deputy Data Commissioner at the Office of the Data Protection Commissioner, said Rose Mosero HSC, FIP said, “The Data Protection Act plays a crucial role in promoting business continuity and compliance. While there were initial challenges, we are actively working to standardize audit practices across sectors to ensure consistent and high-quality reporting.”
“The ODPC remains committed to fortifying the regulatory framework, closing critical gaps, and ensuring Kenya’s leadership in data governance within the evolving digital landscape,” added Dalton Mbondo, Head of Corporate Communications at the ODPC. “We will continue to adapt to the challenges posed by emerging technologies like AI, IoT, and Web3.”
The ODPC expresses gratitude to its partners, including Amnesty International, for their support in advancing data protection in Kenya.
The organization is dedicated to fostering a culture of data privacy and security, and it encourages individuals and organizations to embrace responsible data handling practices.
The ICT Authority extended its heartfelt congratulations to the Office of the Data Protection Commissioner (ODPC) on five years of championing data protection and privacy in Kenya.
The authority noted, “We reaffirm our dedication to supporting the ODPC in fostering trust, promoting compliance, and ensuring robust data protection for all Kenyans. Their unwavering commitment to safeguarding personal information has set a benchmark for a safer and more secure online ecosystem.”
Here are some of the key highlights of Kenya’s Data Protection Act 2019:
Kenya’s Data Protection Act of 2019 was established to uphold the privacy rights outlined in the Kenyan Constitution.
It accomplishes this by creating the Office of the Data Protection Commissioner (ODPC) to regulate how personal data is processed.
This includes protecting the rights of individuals whose data is collected (data subjects) and setting clear obligations for organizations that handle that data (data controllers and processors).
These obligations for data controllers and processors are significant. They must get explicit consent before processing any personal data and implement strong security measures to keep that data safe.
They also need to comply with data subject rights, which include the ability to access, correct, erase, or restrict how their data is used. Additionally, they must notify the ODPC of any data breaches.
Data subjects themselves have a number of rights under the Act. They can control access to their data, ensure its accuracy, and even request its deletion in certain situations.
They also have the right to receive their data in a transferable format and to object to how it’s being used.
The ODPC plays a crucial role in enforcing the Act. They investigate complaints, conduct audits, and can issue penalties for violations.
They are also responsible for overseeing data transfers outside of Kenya, ensuring they comply with specific safeguards.
The Act applies broadly, covering both public and private organizations that handle the personal data of Kenyan residents.
This data encompasses a wide range, including sensitive information like health records and biometric data. As a result, the Act has had a major impact on businesses operating in Kenya, requiring them to implement robust data protection practices.
By understanding these key provisions, organizations can ensure they are compliant with the law and safeguard the privacy of individuals.