Kenyans have been asked to promptly report incidences of data breach to the Office of the Data Protection Commissioner (ODPC) to facilitate legal action against entities that engage in unlawful use of personal information.
Data privacy is a fundamental right for every citizen as provided for in the Constitution and penalties for such breach are prescribed in the Data Protection Act of 2019.
According to the Head of Legal Services at the ODPC Ms. Susan Waweru, an individual, referred by law as a data subject, is required to report any breach within 72 hours of the occurrence.
‘Once such a report is received, our office embarks on investigation, followed by the necessary action and the matter is concluded within 90 days,’ she said, allaying fears of protracted court processes that are common in this country.
Ms. Waweru was speaking during an awareness outreach in Tharaka Nithi and Meru Counties where she led a team from the ODPC to engage with data controllers and processors from the two counties with the aim of enlightening them on the mandate of OCPD and Data Protection Act of 2019.
The participants included government departments, representatives of learning and health institutions, members of the Civil Society and Religious Organizations. These are institutions that collect personal data for lawful use, with some of them being custodians of sensitive personal data.
The legal officer said that some Digital Credit Providers who are known to aggressively lure Kenyans into taking loans from them were operating in breach of personal data privacy as they often acquired and used personal information such as phone numbers illegally and without the consent of data subjects.
She disclosed that in the last one year, at least three data collectors have been penalized for such conduct while enforcement notices have been issued to several operators with a warning to stop illegal dealing in personal data.
She however said that her office preferred Alternative Dispute Resolution to address complaints from the public and only pursued a court process as a last resort.
Data Controllers and Processors are required to register with the Office of the Data Protection Commissioner to be licensed to continue with their operations in adherence to the Data Protection Act of 2019. The certificate issued at a fee will be due for renewal after two years.
Apart from the mandate of enforcement and implementation of the Act and registration of data controllers and processors, the ODPC plays an oversight role in all matters related to personal data management and also creates awareness among stakeholders on their roles and rights as provided in the law.
Source: Kenya News Agency