
Wednesday, September 21, 2022

RE: LEGAL OPINION ON DATA PROTECTION COMPLIANCE

Introduction

Article 31 (c) and (d) of the Constitution of Kenya 2010 provides:


“Every person has the right to privacy, which includes the right not to have—
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed.”

Consequently, the Data Protection Act 2019 and the Data Protection Regulations 2021 were enacted to secure the stated rights. The Office of the Data Protection Commissioner is mandated to ensure compliance with data protection regulations.

Definitions

1. The following terminologies are provided under section 2 of the Data Protection Act.

a. Data is information which is held by a public entity, recorded as part of a relevant filing system and processed by means of equipment operating automatically in response to instructions to collect the information.

b. Personal Data is any information relating to an identifiable natural person.

c. Data Controller is a natural or legal person, public authority, agency or other body which determines the purpose and means of processing of personal data.

d. Data Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

e. Data Subject is an identifiable natural person who is the subject of personal data.

f. Processing is any operation which is performed on personal data, whether or not by automated means, such as:

i. collection, recording, organization, structuring;
ii. storage, adaptation or alteration;
iii. retrieval, consultation or use;
iv. disclosure by transmission, dissemination, or otherwise making available; or
v. alignment or combination, restriction, erasure or destruction.

g. Sensitive Personal Data means data revealing the natural person's:

i. race, ethnic social origin;
ii. health status, genetic data, biometric data;
iii. conscience, belief;
iv. property details;
v. marital status, family details including names of the person's children, parents, spouse or spouses;
vi. sex or the sexual orientation of the data subject.

What are the rights of a Data Subject?

2. A Data Subject (person who gives data to KEFRI) has the following rights:

a. To be informed of the use to which their personal data is to be put;
b. To access their personal data in the custody of KEFRI;
c. To object to the processing of all or part of their personal data;
d. To correction of false or misleading data; and
e. To deletion of false or misleading data about them.

3. KEFRI requires the consent of the Data Subject to collect data, which may be revoked at the person’s request. Thereafter, KEFRI will be required to erase or destroy the data, except in the following circumstances:

a. To comply with a legal obligation;
b. For the performance of a task carried out in the public interest or in the exercise of official authority;
c. For archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of those purposes; and
d. For the establishment, exercise or defence of a legal claim.

4. Prior to collecting Data, KEFRI is required to notify the person of:

a. Their rights;
b. The reasons for collection of the data;
c. The security measures taken to protect the data;
d. The consequences if the data subject fails to provide sufficient information;
e. A description of the security measures; and
f. Whether 3rd parties shall have access to the data.

5. The Data Subject has the absolute right to object to the processing of data if it is intended for marketing purposes.

What are KEFRI’s obligations?

6. Register as a Data Handler with the Office of the Data Protection Commissioner.

7. Rectify data upon the data subject’s request if it is untrue, inaccurate, outdated, incomplete
or misleading.

8. Establish personal data retention schedule with appropriate time limits for the periodic
review of the need for the continued storage.

9. Conduct audits of the retained data to ensure the data is up to date and still has a purpose. If the purpose of retaining the data has lapsed, it shall be erased or destroyed.

10. Develop, publish and regularly update a Data Privacy Policy reflecting its personal data handling practices.

11. Design technical and organizational measures to safeguard and implement the data
protection principles.

12. Conduct a Data Protection Impact Assessment and submit a report to the Data
Commissioner. (A sample of the DPIA form is provided in the Schedule below.)

Who is a Data Protection Officer?

13. A Data Protection Officer (DPO) is a natural or legal person appointed by KEFRI to assist with compliance with the provisions outlined under the Data Protection Act.

14. Duties of the DPO include:

a. Advise KEFRI and its employees on data processing requirements provided under the Act or any other written law;
b. Ensure on behalf of KEFRI that this Act is complied with;
c. Facilitate capacity building of staff involved in data processing operations;
d. Provide advice on data protection impact assessment; and
e. Co-operate with the Data Commissioner and any other authority on matters relating to data protection.

15. The DPO may be a staff member of KEFRI and may fulfil other tasks and duties provided
that any such tasks and duties do not result in a conflict of interest.

16. Several public bodies may appoint a single DPO, taking into account their organizational
structures.

17. KEFRI shall publish the contact details of the DPO on the website and communicate them to
the Data Commissioner who shall ensure that the same information is available on the
official website.

Conclusion

KEFRI is tasked with processing the data of various stakeholders to achieve its mandate. Various
departments within KEFRI must be involved to ensure that all data is accurately captured and
processed.

Of priority is to ensure the Institute is registered with the Office of the Data Protection Commissioner. Thereafter, the Institute should appoint a Data Protection Officer. The DPO may be a member of staff who is academically qualified and trained in matters of data protection, or a person hired for the specific duty.

I undertake to review the KEFRI Data Privacy Policy to ensure it is updated and propose any
amendments, if necessary.

Best regards,

Mitch Ojwang
Legal Officer - KEFRI

SCHEDULE

Data Protection Impact Assessment

DPIAs can be regarded as an early warning system enabling all actors to systematically address potential deficiencies in a process that leads to the violation of fundamental rights and freedoms protected under Articles 31(c) and 31(d) of the Constitution of Kenya 2010.

KEFRI is expected to conduct DPIAs when there exist ‘high risks’ to the data subjects’ rights. High risk arises during the processing of Sensitive Personal Data, which requires higher protection under the law, and where the high intensity of interference by data processing can lead to serious consequences for the data subjects and there are no effective safeguards or methods of intervention for data subjects.

DATA PROTECTION IMPACT ASSESSMENT TEMPLATE

Part 1: Description of the processing operations

Name of Data Controller/ Data Processors: ..........................................................................

Postal Address:......................................................................................................................

Email Address: ......................................................................................................................

Telephone Number:...............................................................................................................

1. Project Name

2. Assess the need for a Data Protection Impact Assessment

(Assess whether there is need for a DPIA by determining if the project involves personal data that is likely to result in high risk; specify the risk where appropriate.)

3. Project Outline:

(Explain broadly what the project aims to achieve and what type of processing it involves.)

4. Personal data

(e.g. type of personal data being processed.)

5. Describe the Information Flow.

(Describe the collection, use and deletion of personal data here, including: where you are getting the data from; how the data is being collected; where the data will be stored; how long the data will be stored; where data could be transferred to; and how many individuals are likely to be affected by the project.)

6. Describe how the data processing flow complies with the data protection principles.

Part 2: An assessment of the necessity and proportionality of the processing operations in relation to the purpose. Require the assessment and provide the parameters of the assessment.

Describe compliance and proportionality measures, in particular:

a. The lawful basis for processing.
b. Methods of obtaining consent.
c. Whether processing personal data is key to achieving your purpose.
d. Is there another way to achieve the same outcome without processing personal data?
e. Data quality and data minimization.
f. Notification of the data subjects on the processing activity.
g. Exercising of the rights of the data subjects.
h. The parties involved in the processing and their specific roles.
i. Measures to ensure compliance by the parties involved, if any.
j. Processing safeguards of the personal data.
k. Safeguards prior to and for cross-border transfers, if any.

Part 3: The measures envisaged for addressing the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act.

Risk Assessment - Identifying Privacy Risks and Evaluating Privacy Solutions

The risk assessment table has the following columns:

a. Risk Identity and Description
b. Consequence
c. Risk Owner
d. Current internal CONTROLS (provide details of how you will manage the risk)
e. Assessment of Risk: Impact (1, 2, 3, 4, 5); Likelihood (1, 2, 3, 4, 5); Score (impact + likelihood)
f. Describe what further ACTIONS you will take to reduce the Impact/Likelihood and mitigate the risk. State who is the owner for each action.

Part 4: Sign Off and Record Outcomes

The sign-off table has the columns ITEM, DESCRIPTION and NOTES/INSTRUCTIONS, with the following items:

a. Consultation with Office of the Data Protection Commissioner (where applicable)
b. This DPIA will be kept under review by
