Data Commissioner Immaculate Kassait responds to questions from the public via Nation.

How safe is my data in the hands of third parties? There are times I get text messages from companies I have never had any dealings with. How do they get my number? Does it mean that I give away some of my rights by purchasing a SIM card? Robert Kiptoo, Kericho County

The enactment of the Data Protection Act and subsequent passing of the regulations have called for increased accountability by entities collecting personal data. This means that entities have to show that they have a lawful reason to collect your personal data and share it with any third parties.

The collecting entity also has the responsibility to ensure that personal data being shared is not used in a manner than is inconsistent with the purpose for which it was collected.

The Data Protection (General) Regulations, 2021 which came into effect on February 24, 2022, have called for increased accountability and control where personal data is being used or collected for commercial purposes.

This means that entities wishing to contact you for purposes of direct marketing now have an obligation to first seek your consent before sharing these marketing messages and to provide an easy opt-out mechanism in the event that you consented and have since changed your mind.

It is important that those with entities with obligations relating to protection of personal data and those with rights, being individual to whom the data belongs, are aware of the Act, and how it applies to them.

Discussions about data and data protection can sometimes be abstract. Could you help me understand the limits of your mandate in so far as data protection is concerned? Joy Waithera, Naivasha

The mandate of the office is to regulate the processing of personal data. This means that the office regulates the processing (being the collection, storage, sharing, use, dissemination, deletion, amongst other things) of information that relates to an identified or identifiable natural person.

The office also has a mandate to ensure that the processing of personal data of a data subject is guided by data protection principles which are set out in the Data Protection Act; protect the privacy of individuals; establish the legal and institutional mechanisms to protect personal data, and provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.

The concern of ordinary Kenyans anytime they hear about data protection is their mobile phones and online information security. Such data, therefore, is squarely in the jurisdiction of the mobile service providers. What is the role and responsibility of these companies in data protection? Komen Moris, Eldoret

According to the Data Protection law, personal data should be processed by both data controllers and processors lawfully, fairly, and in a transparent manner. Part of the responsibility of our office is to empower Kenyans on their personal data rights, and to regulate entities collecting personal data and ensure that such entities are putting adequate and appropriate measures to safeguard the personal data they collect from Kenyan citizens and residents.

A cybercrime law is already in place. How is your office helping in the implementation of this very important law? Komen Moris, Eldoret

The Office of the Data Protection Commissioner (ODPC) is relatively new and was established over a year ago under the Data Protection Act, 2019.

However, the office does not operate in isolation of other existing government agencies established by various statutes, including the National Cybercrimes and Computer Coordination Committee established under the Computer Misuse and Cyber Crimes Act.

The office is mandated to regulate matters relating to personal data which could have cross-sectional implication on matters relating to computer misuse and cybercrimes. The office works closely with other agencies to ensure that issues that are cross-cutting are adequately responded to and dealt with.

For issues relating to personal data, the ODPC has a mandate to deal with complaints brought to it by persons aggrieved. There are a number of other avenues available to the public to report issues relating to cybercrimes, one is through the recently gazetted National Computer and CyberCrimes Coordination Committee, which brings together a number of agencies, including the Office of the Data Protection Commissioner.

The office can also direct you to the right entity/ agency to address matters relating to online crimes.

In the ordinary cause of investigations, investigative agencies may access the data of an individual using ex-parte court orders. In this case, how does your office ensure that the data so obtained is protected? Josphat Murigi, Kabete

The Data Protection Act requires those accessing personal data, whether provided directly or indirectly from an individual, to ensure that they are protecting that personal data. However, the very nature of a judicial process is that, unless otherwise ordered by a court, all documents filed through the judicial system and used in the carrying of judicial functions are public. This is an aspect of the constitutional right to fair hearing.

Recently, Kenyans have had the bad experience of waking up and finding themselves registered in political parties they know nothing about. Are we ever going to see someone made to account for such a breach? Kioko Muli, Mtito Andei 

The ODPC has dealt with and managed a number of complaints relating to the registration of persons into a political party without consent. Those persons who have complained to the ODPC have been removed from the relevant registers.

Additionally, the office has conducted awareness campaigns to sensitise political parties on their obligations with respect to the Data Protection Act and handling of personal data.

In a bid to boost compliance, the office has also published a Guidance Note for the Processing of Personal Data for Electoral Purposes which outlines clearly how organisations dealing with personal data for electoral purposes should handle data.

The National Integrated Identity Management System via the Huduma had vouched for the sharing of information between government agencies, among them IEBC, DCI, ORPP, Immigration Department and National Civil Registration Bureau. I have observed that some of these institutions are now opposed to this plan. What can you propose as the best way forward in this matter? Dan Murugu, Nakuru City 

This matter is still subject of court proceedings. To answer generally, the Data Protection Act allows for sharing of information among different agencies.

There are obligations that are placed on all these entities wishing to share data, which include the conducting of a data protection impact assessment to ensure that individuals’ rights are being considered and protected and that any risks are identified and mitigated against.

In addition, the Act and regulations provide for the use of agreements in instances of data sharing, which also act as an additional safeguard.

As the first holder of this very sensitive office, what assurance can you give Kenyans on the confidentiality and security of their personal information held by government from abuse and misuse? Dan Murugu, Nakuru City

The office is working in collaboration with all stakeholders to achieve our mission of protecting personal data of citizens through compliance, enforcement, public awareness, and institutional capacity development.

The office is and will continue on an awareness creation campaign, in addition to conducting its other mandates, in order to promote a culture of data protection compliance.

The office has every intention to uphold the law and ensure that all organisations, whether in the public or private sector, processing sensitive personal data are doing the same.

We are in the silly season of politics and as Kenyans, our foremost fear is that we will soon start being bombarded by political messages through our phones. Could you assure us that our data will be protected from being exploited by politicians to send us unsolicited messages? Vivianne A. Mugo, Nairobi

The processing of personal data, including its collection and use, without a lawful basis is a breach of the Data Protection Act, 2019. It is, therefore, key for the integrity of elections and democracy that all organisations and institutions involved in political campaigning and elections process data in compliance with the Data Protection Act.

The legislation is applicable to all stakeholders engaged in the election process including, but not limited to, the Independent Electoral and Boundaries Commission, political parties, the Office of the Registrar of Political Parties, observers and volunteers. All organisations processing data for electoral purposes should process personal data lawfully, fairly, and only for the specified legitimate purposes.

What are you doing to let the public know about your office which is hardly two years old? Martin Owiti, Migori

As a commission, we have taken the approach of partnership and unity of purpose. We have partnered with both public, private institutions and civil societies through various forums including awareness campaigns, workshops and media engagements to ensure that Kenyans know their rights to privacy.

Most recently, we have partnered with the Kenya School of Government to build capacity of both public and private entities in an effort to ensure that personal data is protected.