
Why is Data Protection Necessary?

    Data Protection Mastery in Digitization

    Personal Data

    Personal data is the information that can be used to identify a natural person or any information that has the capability of identifying a natural person.

    Sensitive personal data is information that is highly private and requires extra protection under the law.

    Personal data protection in Kenya is governed by the Data Protection Act of 2019.

    Source: Personal Data Protection Handbook (ODPC)

    Key Takeaways

    • In Kenya, data protection is governed by the Kenya Data Protection Act (2019).
    • Protecting personal data prevents harm such as fraud and misuse of personal data.
    • Poor data protection can lead to reputational damage and loss of customer trust.
    • Minimize how much personal data you expose on a daily basis.
    • Always think before you share, review permissions and secure your digital footprint.
    Cadtech Training

    Data Protection Mastery

    Training on Data Protection Compliance.

    A practical hands-on program that helps teams achieve compliance with the Kenya Data Protection Act (2019), reduce risk, and build trust through strong data protection practices.

    Examples of Sensitive Data

    • Name
    • Phone number
    • Birth certificate
    • Location
    • Health status
    • Biometric data
    • Ethnicity
    • Marital status

    Why is personal data protection important?

    Data protection helps uphold individual rights and prevent potential harm.

    It’s an important aspect of building trust and maintaining positive relationships with individuals and other stakeholders.

    Consequences of failing to protect personal information

    • It can lead to identity theft.
    • It can lead to financial fraud and other forms of abuse.
    • It can damage an individual’s reputation and result in a loss of trust and confidence in an organization.

    Organizations have legal and ethical obligations to protect personal data.

    What should be done to protect personal data?

    1. Lawfulness, fairness and transparency: Processing of personal data must be lawful, fair and transparent.
    2. Purpose limitation: Personal data must be collected and processed only for specified, explicit and legitimate purposes.
    3. Data minimization: Personal data should be limited to what is necessary for those specified, explicit and legitimate purposes.
    4. Accuracy: Personal data should be accurate and kept up to date.
    5. Storage limitation: Personal data should not be stored longer than necessary for the specified, explicit and legitimate purposes.
    6. Accountability and transparency: Organizations should take responsibility for personal data and ensure individuals can exercise their rights. Organizations should also be transparent, providing clear information on how data is processed. Together these ensure responsible data protection and a clear understanding of how data is used.
    7. Integrity and confidentiality: Personal data should be secured and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage.

    How we expose our data

    • When making a payment – Giving out our details when making a payment can expose our data to hackers, a data breach may occur at the company we are paying, or our information may be sold for marketing purposes.
    • Accessing services from the government – Government portals that lack proper HTTPS or have expired certificates can leak form data or login details to attackers. Government legacy systems built years ago may not encrypt data in transit or at rest, or may use weak protocols that are vulnerable to attack.
    • Accessing services from private institutions, e.g. schools, hospitals, etc. – Filling out forms carelessly with sensitive information, uploading documents to unsecured websites, and oversharing during registration or enquiries, such as giving out unnecessary personal information like an ID number. Patient files or student files left open on desks, and staff lists or student lists pinned on the notice board. Copies of personal documents kept in unsecured piles of paper, which can then be used for unrelated paperwork. Discussing test results, grades or financial details in open reception areas can also expose personal information to bystanders.
    • Accessing buildings – Many buildings require you to sign in with your full name, ID number, phone number and company name, and sometimes even your car’s registration number. This is usually done in an open book that anybody can access and photograph. CCTV also records faces, number plates and entry times; if the footage is not secured well, somebody can access your movement data.
    • Signing up for online services or accounts – We fill in every field with our name, address and date of birth, even when they are optional. Some platforms require ID uploads for verification. Once uploaded, this data can never be deleted.
    • Use of social media – When using social media, linking accounts with Google or Facebook is common. Your email, profile picture, contacts, sometimes your location, and your browsing history are shared.
    • Online shopping – Many people still shop on sites without HTTPS, enabling hackers to access card details, addresses and passwords.
    • Use of digital apps – Many apps ask for access to contacts, location, photos, microphone and camera, even when not necessary for the app’s function. This gives the app, or even third parties, access to your private life.

    How your Personal data can be attacked

    Credential stuffing

    This is an attack method where stolen account credentials from a data breach are used to gain unauthorized access to accounts through large scale automated login requests. The attackers rely on the fact that many people use the same password across different accounts.

    Brute force attacks

    Attackers use trial and error to guess login info, passwords and PINs.

    Dictionary Attacks

    Similar to a brute force attack, but it tries passwords from a predefined list of common passwords instead of random guesses. The list typically includes passwords from previous breaches, which are likely to be reused.
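    As an added example (not part of the original article), the following defender-side check flags the two patterns described above in authentication logs: a source that fails against many different accounts (credential stuffing) versus one that hammers a single account (brute force or dictionary attack). The log format, thresholds and sample lines are constructed assumptions for illustration.

```python
# Added example (not from the original article): flag the login-attack
# patterns described above in constructed authentication log lines.
# Assumed log format: "<ISO timestamp> ip=<src> user=<name> result=OK|FAIL".
# Heuristic: stuffing -> many DISTINCT users fail from one IP; brute force -> ONE user fails repeatedly.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=OK
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:01:30Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:02:00Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:02:30Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:03:00Z ip=198.51.100.2 user=bob result=FAIL
2024-05-01T10:05:00Z ip=192.0.2.9 user=alice result=FAIL
2024-05-01T10:05:20Z ip=192.0.2.9 user=alice result=OK
"""

def parse(line):
    """Return (timestamp, ip, user, result) for one log line."""
    ts, rest = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]

def detect(log_text, window=timedelta(minutes=5), stuffing_users=5, brute_tries=5):
    """Map source IP -> 'credential_stuffing' | 'brute_force' when failures inside any sliding window exceed a threshold."""
    fails = defaultdict(list)                      # ip -> [(ts, user), ...]
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if result == "FAIL":                       # successful logins are not counted
            fails[ip].append((ts, user))
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        max_distinct = max_same = 0
        for i, (start, _) in enumerate(events):    # window starting at each failure
            users = [u for t, u in events[i:] if t - start <= window]
            max_distinct = max(max_distinct, len(set(users)))
            max_same = max(max_same, max(users.count(u) for u in set(users)))
        if max_distinct >= stuffing_users:         # many accounts, one source
            alerts[ip] = "credential_stuffing"
        elif max_same >= brute_tries:              # one account, many guesses
            alerts[ip] = "brute_force"
    return alerts
```

    On the sample above, `detect(SAMPLE_LOG)` reports 203.0.113.7 as credential stuffing and 198.51.100.2 as brute force, while the single failure from 192.0.2.9 stays below both thresholds.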

    Conclusion

    To protect yourself, share as little personal information as possible.

    Use secure websites and portals.

    Know the retention and disposal policy of every institution you share your data with.

    Use strong passwords and ensure you log out after every use.

    Avoid accepting cookies from the sites you are browsing.

    Politely challenge requests for unnecessary data.