Demystifying data protection and privacy in Kenya


Data protection and privacy will continue to dominate the news as concern for data breaches continues to grow.

The Office of the Data Protection Commissioner recently issued penalty notices to a digital credit provider, an educational institution and an entertainment facility for breach of the provisions of the Data Protection Act, 2019.

In the wake of these notices, entertainment joints took to their social media accounts to issue notices to the public, stating that entry into their establishments equals waiving of rights to privacy and consenting to the use of their photographed images online.

Notably, the right to privacy was enshrined in the Constitution of Kenya 2010 long before the enactment of the Data Protection Act.

The latter now provides elaborate mechanisms to operationalise this constitutional right. Indeed, the Data Protection Act accords data subjects several important rights pertaining to the collection, storage and processing of their data.

To begin with, data subjects are entitled to provide informed consent with regard to the manner in which their personal information is to be used.

Giving informed consent means that at the point of collecting such data, data controllers and processors are mandated to inform the data subjects of how they will utilise the collected data.

Additionally, data subjects should be informed that they reserve the right to access their data, object to its processing, have false or misleading information about them corrected, and have the collected data deleted.

Emphatically, the Act accords a data subject the right to withdraw their consent at any time. It is worth mentioning that such withdrawal will not affect the use of data prior to it.

Speaking of consent, the Data Protection Commissioner has clarified that valid consent is that which is captured in writing. Therefore, the above-mentioned social media notices by entertainment joints may face legal hurdles.

That said, in case a person is aggrieved by a decision under the Data Protection Act, he or she can lodge a complaint with the commissioner who is required to investigate the complaint within 90 days.

Complaints can be made either orally or in writing. The decision of the commissioner is, however, not final. The Act provides that a party aggrieved with such a decision can seek recourse in the High Court.

Indeed, in this digital era, data protection plays a pivotal role in the realisation of our fundamental constitutional right to privacy.

It is thus critical for data controllers and processors to remain vigilant as they interact with personal information to avoid data breaches.

At the same time, the need for data subjects to take control of their privacy by reading terms and conditions, as a first step, cannot be emphasised enough!

The writer is an Associate at Ernst & Young LLP (EY).
