Utility of The Data Protection Act 2019 and its Impact on the Health Sector

Mugambi Laibuta

www.laibuta.com


Privacy Harms

  • Monetary harms
  • Non-monetary harms: physical, reputational, emotional, relationship, chilling effect, discrimination, thwarted expectations, control, data quality, informed choice, vulnerability, disturbance, and autonomy harms

Article 31 – Right to Privacy (Constitution of Kenya, 2010)

Article 43 – Right to Health (Constitution of Kenya, 2010)

Laws – Health Act, Public Health Act, Medical Practitioners and Dentists Act, Medical Laboratory Technicians and Technologists Act, Nurses and Midwives Act

Professional Codes of Conduct

Regulating data protection: The Data Protection Act, 2019


Application of Data Protection Act (Jurisdiction)

Section 4: the Act applies to the processing of personal data—

(a) entered in a record, by or for a data controller or processor, by making use of automated or non-automated means:

Provided that when the recorded personal data is processed by non-automated means, it forms a whole or part of a filing system;

(b) by a data controller or data processor who—

(i) is established or ordinarily resident in Kenya and processes personal data while in Kenya; or

(ii) not established or ordinarily resident in Kenya but processing personal data of data subjects located in Kenya.

Definitions (s.2 DPA)

"data controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;

"data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

"data subject" means an identified or identifiable natural person who is the subject of personal data;


"personal data" means any information relating to an identified or identifiable natural person

"identifiable natural person" means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity

"sensitive personal data" means data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject


"processing” means any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as

(a) collection, recording, organisation, structuring;

(b) storage, adaptation or alteration;

(c) retrieval, consultation or use;

(d) disclosure by transmission, dissemination, or otherwise making available; or

(e) alignment or combination, restriction, erasure or destruction.

Section 26 DPA (Rights of a data subject) A data subject has a right—

(a) to be informed of the use to which their personal data is to be put;

(b) to access their personal data in custody of data controller or data processor; (s.38 right to data portability)

(c) to object to the processing of all or part of their personal data;

(d) to correction of false or misleading data; and

(e) to deletion of false or misleading data about them.

See Part II of the General Regulations on enabling the rights of data subjects. Pay attention to the forms that must be filled in to exercise these rights.

Data Subject Rights

  • Consent / to be informed (r.4)
  • Access (r.9)
  • Object (r.8)
  • Opt-in / opt-out
  • Rectification (r.10)
  • Erasure (r.12)
  • Restriction of processing (r.7)
  • Portability (r.11)
  • Not to be subject to solely automated decision-making (s.35)
  • Non-discrimination (Art 27 Constitution)
  • Complain (complaints regulations)
  • Representation

Data controllers and data processors

46. Personal data relating to health

(1) Personal data relating to the health of a data subject may only be processed—

(a) by or under the responsibility of a health care provider; or

(b) by a person subject to the obligation of professional secrecy under any law.

(2) The condition under subsection (1) is met if the processing—

(a) is necessary for reasons of public interest in the area of public health; or

(b) is carried out by another person who in the circumstances owes a duty of confidentiality under any law.

S.53 – Research, History and Statistics

Data protection principles (s.25 DPA)

  • Lawfulness
  • Fairness
  • Transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Security
  • Accountability

Information to the data subject (r.4 General Regulations)

  • What personal data you will be processing
  • Why you need it, and the consequences of not giving consent
  • What you will do with it, and the possible risks
  • Who you are going to share it with
  • How long you will keep the data
  • How securely you will keep the data
  • The rights of the data subject
  • Contact details in case of a breach

Privacy by design and by default (s. 41)

R.27 General Regulations

  • Design - embedding privacy into the design of IT products, systems, and business practices and integrating data protection considerations before the collection and processing of personal data.
  • Default - implement appropriate technical and organizational measures to ensure that, by default, the data subject has been provided the strictest privacy measure available. 


Privacy Programme

  • Gap assessment
  • Vulnerability assessment
  • Maturity assessment
  • Audits – regulatory compliance, control effectiveness, vulnerabilities, disaster preparedness
  • Policies – internal, external
  • Standards – practices, methods, protocols
  • Controls – ensuring desired outcomes
  • Skills and knowledge
  • Metrics
  • Assets management
  • Risk management

  • Insurance
  • Data management practices
  • Critical data
  • Critical systems
  • Business impact analysis
  • Privacy and security logs
  • Outsourced services
  • Culture – People at the centre

Office of the Data Protection Commissioner (ODPC)

Roles of the ODPC

  • Regulator
  • Auditor
  • Educator
  • Enforcer
  • Policy Advisor
  • Negotiator
  • International Ambassador
  • Consultant

Section 8 DPA – Data Commissioner

(c) exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with this Act;

(d) promote self-regulation among data controllers and data processors;

(e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;


(f) receive and investigate any complaint by any person on infringements of the rights under this Act;

(g) take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;

(h) carry out inspections of public and private entities with a view to evaluating the processing of personal data;

Section 9 DPA

(a) conduct investigations on own initiative, or on the basis of a complaint made by a data subject or a third party;

(c) facilitate conciliation, mediation and negotiation on disputes arising from this Act

(e) require any person that is subject to this Act to provide explanations, information and assistance in person and in writing;

(f) impose administrative fines for failures to comply with this Act

Section 64 DPA – Right of appeal

A person against whom any administrative action is taken by the Data Commissioner, including in enforcement and penalty notices, may appeal to the High Court.

Section 65 DPA – Compensation to a data subject

(1) A person who suffers damage by reason of a contravention of a requirement of this Act is entitled to compensation for that damage from the data controller or the data processor.

(4) In this section, "damage" includes financial loss and damage not involving financial loss, including distress.

Section 66 DPA – Preservation order

The Data Commissioner may apply to a court for a preservation order for the expeditious preservation of personal data including traffic data, where there is reasonable ground to believe that the data is vulnerable to loss or modification.

S.63 DPA – Administrative fines

In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.

S.72 DPA – Offences of unlawful disclosure of personal data

Data Controller/Processor Registration

  • Regulation 5 Registration Regulations
    • Form DPR1
    • Fees
    • Establishment documents
    • Particulars including contacts
    • Description of purpose for processing
    • Description of categories of data processed

Compulsory Registration

1. Canvassing political support among the electorate.

2. Crime prevention and prosecution of offenders (including operating security CCTV systems).

3. Gambling.

4. Operating an educational institution.

5. Health administration and provision of patient care.

6. Hospitality industry firms but excludes tour guides.

7. Property management including the selling of land.

8. Provision of financial services.

9. Telecommunications network or service providers.

10. Businesses that are wholly or mainly in direct marketing.

11. Transport services firms (including online passenger hailing applications)

12. Businesses that process genetic data.

Data Inventory

Personal data you process:

  • Where does the data come from?
  • Whose personal data is it?
  • What kind of personal data is it?
  • Is it sensitive data?
  • Why do you process this data?
  • What is the lawful ground for processing?
  • Where do we process/store this data?
  • How long do we keep this data (retention period)?
  • What security measures have we put in place to protect this data?
  • If we transfer it to a processor, is a data processor agreement in place?
  • Is there a transfer of data outside Kenya?
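The inventory questions above are easier to keep answered if each record is checked mechanically. The following is an added example, not material from the slides or from the author's practice: a small Python checker that models one inventory entry per processing activity, flags sensitive categories using the s.2 definition quoted earlier, flags health data whose s.46(1) condition (health care provider or professional secrecy) is not recorded, and reports missing answers, processors without a data processor agreement, and transfers outside Kenya. The field names, the category labels used as match keys, the wording of each finding and the sample clinic inventory are all assumptions made for the example.

```python
"""Data inventory completeness checker (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Categories named in the s.2 definition of "sensitive personal data".
# Spellings are assumptions used as match keys; an inventory must use them.
SENSITIVE_CATEGORIES: Set[str] = {
    "race", "health status", "ethnic social origin", "conscience", "belief",
    "genetic data", "biometric data", "property details", "marital status",
    "family details", "sex", "sexual orientation",
}

# Category treated as "personal data relating to health" for the s.46(1)
# check. Assumption: the slides give no list, so only "health status" is used.
HEALTH_CATEGORIES: Set[str] = {"health status"}

# Free-text answers the inventory slide says every record must give.
REQUIRED_FIELDS = (
    "source", "data_subjects", "purpose", "lawful_ground",
    "storage_location", "retention_period",
)


@dataclass
class InventoryEntry:
    """One inventory row; the field names are this example's own."""
    name: str
    source: str                  # where does the data come from?
    data_subjects: str           # whose personal data is it?
    categories: Set[str]         # what kind of personal data is it?
    purpose: str                 # why do we process it?
    lawful_ground: str           # lawful ground for processing
    storage_location: str        # where is it processed/stored?
    retention_period: str        # how long do we keep it?
    security_measures: List[str] = field(default_factory=list)
    processor: Optional[str] = None     # third-party processor, if any
    processor_agreement: bool = False   # data processor agreement in place?
    transferred_outside_kenya: bool = False
    # s.46(1): processed by or under a health care provider, or by a person
    # bound by professional secrecy under any law
    health_provider_or_secrecy: bool = False


def sensitive_categories(entry: InventoryEntry) -> Set[str]:
    """Return the s.2 sensitive categories present in an entry."""
    return entry.categories & SENSITIVE_CATEGORIES


def check_entry(entry: InventoryEntry) -> List[str]:
    """Return findings for one entry; an empty list means nothing is missing."""
    findings: List[str] = []
    for name in REQUIRED_FIELDS:
        if not getattr(entry, name).strip():
            findings.append(f"{name} missing")
    if not entry.security_measures:
        findings.append("no security measures recorded")
    sensitive = sensitive_categories(entry)
    if sensitive:
        findings.append("sensitive personal data (s.2): " + ", ".join(sorted(sensitive)))
    if entry.categories & HEALTH_CATEGORIES and not entry.health_provider_or_secrecy:
        findings.append("health data: s.46(1) condition not recorded")
    if entry.processor and not entry.processor_agreement:
        findings.append(f"processor '{entry.processor}' without a data processor agreement")
    if entry.transferred_outside_kenya:
        findings.append("transfer outside Kenya: record the basis for the transfer")
    return findings


def check_inventory(entries: List[InventoryEntry]) -> Dict[str, List[str]]:
    """Map each entry name to its findings."""
    return {e.name: check_entry(e) for e in entries}


# Constructed sample inventory for a hypothetical clinic (not real data).
SAMPLE_INVENTORY = [
    InventoryEntry(
        name="patient_records", source="registration desk", data_subjects="patients",
        categories={"name", "id number", "health status"}, purpose="patient care",
        lawful_ground="provision of patient care", storage_location="hosted EMR",
        retention_period="7 years after last visit",
        security_measures=["role-based access", "encryption at rest", "audit log"],
        processor="emr-host", processor_agreement=True, health_provider_or_secrecy=True,
    ),
    InventoryEntry(
        name="marketing_list", source="web sign-up form", data_subjects="subscribers",
        categories={"name", "email"}, purpose="newsletters", lawful_ground="",
        storage_location="CRM", retention_period="until unsubscribe",
        security_measures=["password-protected account"],
        processor="sms-vendor", processor_agreement=False,
    ),
    InventoryEntry(
        name="research_export", source="patient_records", data_subjects="patients",
        categories={"health status", "age"}, purpose="research",
        lawful_ground="research", storage_location="partner university",
        retention_period="", security_measures=["pseudonymised before export"],
        transferred_outside_kenya=True,
    ),
]

if __name__ == "__main__":
    for entry_name, found in check_inventory(SAMPLE_INVENTORY).items():
        print(entry_name, "->", found or ["ok"])
```

Run it as a script to print one line per activity; `check_inventory` returns the findings as data so the same check can gate a DPIA trigger, a registration form or a breach-response playbook from a single source of truth. The transfer finding is deliberately a prompt rather than a verdict, because the slides list the question but not the conditions under which a transfer is permitted.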

Why a data inventory is key

  • For crafting a data protection strategy
  • To determine which regulations apply
  • For classification of data, in particular sensitive data
  • Aids data minimisation
  • For data protection impact assessments
  • For registration of controllers and processors
  • For data subject access requests
  • For data breach response
  • Ensures effective use of data

Consent management

  • Consent MUST be
    • Freely given
    • Specific
    • Informed
    • Unambiguous


Vendor Risk Assessment

  • Are vendors compliant?
  • Do vendors handle personal data?
  • Do vendors handle critical aspects of the company?
  • Vendor contracts
  • Review of vendor compliance

Components of privacy policy (inhouse)

  • Data sources
  • Basis for collection, processing, storage and transfer of data
  • Professional ethical standards (lawyers, medical professionals, accountants etc)
  • Personal data
  • Collection of data
  • Processing of data
  • Data storage
  • Data accuracy
  • Data security

  • Data retention
  • Handling complaints
  • Data Protection Officers
  • Communications from organization
  • Third party access
  • Data Protection Impact Assessments
  • Non-compliance
  • Employee/agents obligations
  • Data transfers

Data Protection Officer (s.24 DPA)

Section 24 DPA: designate or appoint a DPO.

Section 24(5): A person may be designated or appointed as a data protection officer if that person has relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection.


  • Section 24(7) role of the DPO
    • Advise the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
    • Ensure, on behalf of the data controller or data processor, that the Act is complied with;
    • Facilitate capacity building of staff involved in data processing operations;
    • Provide advice on data protection impact assessments; and
    • Co-operate with the Data Commissioner and any other authority on matters relating to data protection.

Security Controls – pay attention to:

  • Nature, scope, context, and purposes of personal data processing
  • Industry best practices around security controls
  • Costs of implementation of security controls

Record Keeping

  • keep the following records
    • Trainings of employees on data protection
    • Data policies
    • Privacy notices
    • Appointment of data protection officers
    • Inventory of personal data processed
    • Inventory of reasons for processing personal data
    • Inventory of third parties with whom personal data is shared
    • Strategies on ensuring correctness of data, security of data
    • Complaints by data subjects
    • Requests for data by data subjects
    • Data breaches

Data Protection Act, 2019 Compliance Strategy

1. Data protection training for all within the organisation
2. Develop institutional data protection policies and privacy notices
3. Appoint/designate Data Protection Officers (s.24 DPA)
4. Create a data inventory + data map
5. Ensure data subject rights fulfilment (s.26 DPA)
6. Carry out data protection impact assessments where necessary (s.31 DPA)
7. Put in place incident and data breach management strategies (s.43 DPA)
8. Put in place a consent management framework (s.32 DPA)
9. Carry out vendor risk assessments
10. Have a record of personal data processing operations
11. Prepare documentation for registration with the ODPC
12. Review contracts/agreements with staff/contractors/agents/suppliers

For consultation on the compliance strategy, contact: Mugambi@laibuta.com

Thank You

Website: www.Laibuta.com

Email: Mugambi@laibuta.com

Podcast: Ole Law Podcast

0722363247