Data protection and the law
By Hellen Lubanga
To understand why paper shredding and data destruction matter in your company, you first need to know which laws govern that data and why its proper disposal must be taken seriously.
On 25 November 2019, Kenya’s Data Protection Act was passed by the National Assembly and enacted as the main legislation governing how data is sourced, stored, and distributed in the country.
The Act consolidates statutes that outline the treatment of people’s data while setting clear requirements on how organizations are expected to treat their users’ data. This was done with the aim of giving the population more control over their personal information, thus boosting and complementing their right to privacy as set out in Article 31 of the Constitution.
The main objectives and purposes of the Act include:
- Regulating the processing of personal data;
- Ensuring that the processing of a data subject’s personal data is guided by set principles (set out in section 25 of the Act);
- Protecting the privacy of individuals;
- Establishing the legal and institutional mechanism to protect personal data; and
- Providing data subjects with rights and remedies to protect their personal data from being processed unlawfully.
The Data Protection Act covers a substantial range of information. In this article, however, we consider the provisions that affect how organizations collect, store, and dispose of consumer data.
When referring to organizations or individuals, the Data Protection Act uses the terms “data controllers” and “data processors.”
The data controller
The data controller determines the purpose for which and the means by which personal data is processed. So, if your company is the one deciding “why” and “how” the data is to be processed, then it is the data controller. Employees processing personal data within your company do so to fulfil your tasks as the data controller.
The data processor
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
The duties of the processor towards the controller must be specified in a contract. For example, the contract must indicate what happens to the personal data once the contract is terminated. Examples of data processors include outsourced services that handle company data, such as IT providers, cloud storage services, and outsourced accountants that handle payroll and payments.
The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written permission from the data controller.
It is important to note that there are situations where an entity can be a data controller, a data processor, or both.
Your company is considered a joint controller when, together with one or more other organizations, you jointly determine “why” and “how” personal data should be processed. For example, suppose you own a property that you rent out for events but have no restaurant, so you partner with a catering service as a value-added option; clients can then rent the space with or without catering. If both companies are also involved in setting up the booking website, the two companies are joint controllers, because they not only agree to offer “combined services” but also design and use a common platform.
Data retention and disposal according to the Data Protection Act
Data processors and controllers are required to retain personal data for a lawful purpose and only for as long as may reasonably be necessary for that purpose.
Under the regulations, data controllers and processors are required to establish a data retention schedule with appropriate time limits for review of the need for continued storage. Periodic audits of the data retained are also required.
Once the purpose for which the personal data was collected has lapsed, data controllers and data processors are required to erase, delete, or destroy the data, or to anonymise or pseudonymise it.
Consequences for failing to properly store or dispose of client data
The Data Protection Act (DPA) creates a number of specific offences, which include:
- Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
- Unlawful disclosure of personal data that the data processor processed without the prior authorization of the data controller;
- Obtaining access to personal data without the prior authorization of the data controller or processor holding the data;
- Disclosure of personal data to a third party without prior authorization by the data controller or processor holding the data;
- Sale of personal data obtained unlawfully (advertising the sale of such data constitutes an offer to sell under this offence);
- Failure to register with the Office of the Data Commissioner as a data processor or controller;
- Provision of false or misleading information during the application process for registration as a data processor or controller; and
- Obstruction of the Office of the Data Commissioner during an investigation.
On conviction, an offence under the DPA carries a general penalty of a fine not exceeding Kenya Shillings 3 million or an imprisonment term not exceeding ten years, or both. In addition, obstruction of the Data Commissioner during an investigation is an offence liable to a fine not exceeding KES 5 million or imprisonment for a term not exceeding two years, or both. If data is leaked and it is proven that the exposure resulted from company negligence, you risk being held accountable and convicted.
This is why paper shredding and hard drive destruction are of the utmost importance. Do not take the risk. Reach out to us today and let us help you take the steps needed to ensure your company stays safe from data leaks.