Security vs Data Protection: Balancing the Duty of Care to Ensure Security and the Right to Privacy Through the Lens of the Data Protection Act 2019

The right to privacy in Kenya is provided for in Article 31 of the Constitution of Kenya, 2010. It grants individuals the right to be free from searches of their person, home, or property, the seizure of their possessions, the unnecessary requirement of information related to their family or private affairs, and the infringement of privacy in their communications. This fundamental human right enables private citizens to establish boundaries and protect themselves from unwarranted interference and intrusion. The right to privacy is crucial for maintaining autonomy and upholding human dignity, and it serves as the foundation for many other human rights.

Following the Westgate terrorist attack and subsequent terrorist incidents by the Al-Shabaab extremist group, security measures in Kenya have significantly intensified, with a focus on proactive surveillance. This phenomenon is often observed at the entrances of government buildings, schools, hotels, shopping malls, and other public establishments, where visitors undergo security checks and have their person and property examined for potential security risks. When visitors come to commercial buildings, they are frequently required to participate in a visitor registration process, during which their names, mobile numbers, ID numbers, and reasons for visiting are recorded. This process aims to ensure security, safety, and record-keeping. It enables building management or security personnel to track individuals entering the premises and maintain a record of their presence for reference or emergency situations.

This practice, however, presents challenges in our increasingly data-driven world. Regulatory measures are being implemented to protect the rights of data subjects. In 2019, the Kenyan Data Protection Act (DPA) came into force, providing protection for personal data. It establishes measures and regulations for the safeguarding and responsible handling of personal data that building owners and security personnel must adhere to.

The data collected, such as names, ID numbers, and phone numbers, fall under the category of personal data. Section 2 of the DPA describes personal data as any information relating to an identified or identifiable natural person. By collecting this data from visitors, who are considered data subjects, the owners of these premises become data controllers and bear the responsibility of ensuring that best practices are followed in processing this information. Processing, as defined by the DPA, has a wide scope of application and encompasses actions such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction of personal data.

The DPA necessitates the development of a framework by data controllers and processors to protect data and information collected from individuals. Section 30 of the DPA stipulates that a data controller or processor cannot process data unless the data subject consents to such processing for one or more specified purposes. Exceptions to the requirement for specific, free, express, and informed consent are provided in Section 30, and they include: compliance with a legal obligation, protection of the data subject’s vital interests, and performance of a task carried out in the public interest. These provisions grant data processors legitimate reasons to collect and process the data to ensure the rights of data subjects are not violated.

Building owners can incorporate privacy-by-design strategies to comply with the law. These are strategies that involve integrating privacy considerations and safeguards into the design and development of systems, processes, and technologies from the onset, ensuring that privacy protections are inherent and proactive rather than being added as an afterthought. They include:

  1. Clearly defining the specific purpose for collecting personal information at building entrances, ensuring it aligns with legitimate and necessary objectives.
  2. Obtaining explicit consent from individuals before collecting their personal information, by clearly communicating the purpose, duration, and any third parties involved in data processing.
  3. Collecting only the minimum necessary personal information required for the intended purpose, avoiding excessive or irrelevant data.
  4. Implementing appropriate measures to securely store and protect collected personal data, utilizing secure storage systems and encryption methods.
  5. Defining and adhering to specific retention periods for the collected data, thus ensuring personal information is not kept longer than necessary.
  6. Restricting access to the collected personal data to authorized personnel who require it for the specified purpose, preventing unauthorized access or use.
  7. Establishing data protection agreements with third parties, such as security companies, when sharing personal data, and conducting due diligence to ensure compliance with data protection regulations.
  8. Informing individuals about their rights regarding their personal data, such as the right to access, rectify, restrict processing, and erase their information, and establishing procedures to address their requests promptly and effectively.
  9. Developing a data breach response plan specific to building owners, outlining steps to be taken in the event of a data breach, including timely notification to authorities and affected individuals.
  10. Regularly reviewing and updating data protection practices to ensure ongoing compliance with applicable data protection regulations and staying informed about legal changes that may impact building owners’ responsibilities.

The enforcement of the DPA falls on the Office of the Data Protection Commissioner (ODPC) which is established under Section 5 of the Act. The ODPC is tasked with conducting various functions in relation to data protection in Kenya. These functions include: overseeing the enforcement of data protection laws, maintaining a register of data controllers and processors, conducting oversight on data processing operations, promoting self-regulation, investigating complaints, raising public awareness, conducting inspections, facilitating international cooperation, undertaking research, and performing other functions necessary for the promotion of data protection objectives.

The ODPC is therefore responsible for regulating the processing of personal data and ensuring that the interests of both building owners and data subjects are taken care of. It can therefore consider the following recommendations to streamline the activities of the building owners and ensure the rights of data subjects are protected:

  1. Conducting Awareness Campaigns: Educating stakeholders about data protection rights and obligations through workshops, seminars, and informational materials.
  2. Providing Guidance on Lawful Processing: Offering building owners guidance on legal bases for processing personal data and obtaining valid consent.
  3. Establishing a Complaints Mechanism: Creating a dedicated channel for data subjects to report concerns and resolve disputes.
  4. Conducting Audits and Inspections: Assessing building owners’ compliance with data protection regulations through regular inspections.
  5. Collaborating with relevant stakeholders: Partnering with associations representing building owners to promote compliance and develop industry-specific guidelines.
  6. Offering Technical Assistance: Providing guidance on effective data protection measures, including data storage, security protocols, and privacy-enhancing technologies.
  7. Enforcing Penalties for Non-Compliance: The ODPC can impose penalties and sanctions on non-compliant building owners to incentivize adherence to data protection regulations.
  8. Fostering Data Protection Culture: Promoting a culture of privacy by design and privacy considerations in building owners’ operations through training programs and collaborations.

The DPA has created a framework that protects the interests of data subjects. However, the Act also presents a challenge for businesses, which must ensure that the way they process and store data is in line with the law. It has created heavy punishments for non-compliance with strict fines of Ksh.5 million or up to 1% of the annual turnover of the preceding financial year. These penalties provide data processors and controllers with a strong incentive to prioritize compliance with the DPA. By adhering to the regulations, privacy-by-design principles, and industry best practices, businesses can safeguard data subjects’ rights, maintain trust in their operations, and save themselves from monetary fines and regulatory headaches.

DATE: JUNE 2, 2023 BY: ANNE GATHIRWA

For more insights pertaining to this matter, you can reach the writer at annegathirwalaw@gmail.com. You can also contact us at MMS Advocates, Lower Duplex Apartments, LOWER HILL ROAD, or email us at info@mmsadvocates.co.ke