Kenya’s Data Protection Act 2019

November 2019

View the original document

Kenya’s Data Protection Act 2019 was enacted to safeguard the privacy of individuals in an increasingly data-driven world. Rooted in the right to privacy as guaranteed under Article 31(c) and (d) of the Constitution of Kenya, the Act establishes comprehensive regulations for the processing of personal data. It aims to balance the need for economic and technological development with the fundamental rights of individuals to control their personal information.

Purpose of the act

The Act is designed to:

  1. Protect the privacy of individuals: It ensures that personal data is collected, processed, and stored in ways that respect individual rights and freedoms.
  2. Regulate data processing activities: Setting legal standards governs how organisations and individuals handle personal data.
  3. Establish institutional mechanisms: It creates the Office of the Data Protection Commissioner, which is tasked with enforcing the Act and overseeing compliance.
  4. Empower data subjects: Individuals are granted rights, such as access to their data, correction of inaccuracies, and protection from misuse.
  5. Provide remedies for non-compliance: The Act sets out penalties and enforcement measures for breaches of data protection laws.

Scope of the act

The Act applies to:

  1. Data controllers and processors operating within Kenya: This includes any individual or entity that determines the purpose or processes personal data within Kenya.
  2. Data controllers and processors outside Kenya: If they handle the personal data of individuals located in Kenya, even if not physically present, they must comply with the Act.
  3. All forms of data processing: It covers automated and non-automated processing where data forms part of a structured filing system.

Key elements of the act

The Act introduces principles and obligations for data handlers, including lawfulness, transparency, data minimisation, and accountability. It also addresses specific issues such as:

  • Sensitive personal data: Special rules for data like health records, genetic information, and biometric data.
  • Children’s data: Enhanced protections for the personal data of minors.
  • Cross-border transfers: Restrictions and safeguards for sharing data outside Kenya.
  • Exemptions: Provisions for personal, journalistic, or research use under specific conditions.