Scope of the Kenya Data Protection Act

In the course of doing business, it is common to interact with personal data relating to clients, suppliers, contractors and employees. You must handle this information in accordance with privacy laws and regulations to avoid litigation, regulatory fines and sanctions or disrepute to the business. With the enactment of the Data Protection Act (the ‘Act’) and supporting regulations, many businesses are now revisiting their relationship with personal data. In this article, we consider the scope of application of the Act and how and when the exemptions apply.

Scope of application of the Data Protection Act

Two critical factors come into play when considering the scope of application of the Act. The first is the nature of the processing activities. The Act covers personal data processing entered into a record by automated or non-automated means. Personal data processed by non-automated means falls within scope if it forms the whole or part of a filing system. For instance, HR information collected in paper format for filing falls within the scope of non-automated processing. The second is the location of the data subject. As long as the processing relates to an individual located in Kenya, it falls within scope. Therefore, companies established and ordinarily resident in Kenya, and processing data relating to persons in Kenya, must comply. Similarly, companies that do not have a legal or physical presence in Kenya but process data relating to persons in Kenya (e.g. Amazon) must also comply.

Scope Exemptions

As a general rule, all data controllers and data processors must comply with certain basic principles of the Act such as the lawful processing of data, ensuring data quality, minimisation of data collection and adopting security safeguards to protect personal data. However, as we shall see below, some data processing operations may be exempt from the Act or certain provisions of the Act.

a. Scope Exemption for purely personal or household purposes

Information collected for individual or domestic use does not fall within the scope of the Act. An example is collecting personal data through WhatsApp groups to organise informal events such as birthdays, graduations, etc.

b. Exemptions based on national security reasons

National security organs, i.e. the Kenya Defence Forces, the National Intelligence Service and the National Police Service, are exempt from the provisions of the Act. That notwithstanding, any data controller or data processor who processes personal data for national security reasons can apply to the Cabinet Secretary (CS) in the Ministry of Information and Communications for exemption. In doing so, the applicant must set out the grounds upon which the application is based. A certificate of exemption is issued by the CS if he/she is satisfied that the grounds of the application are sufficient. The CS may revoke the certificate at any time if the grounds no longer apply.

c. Public interest exemptions

Public interest exemptions apply in two situations: permitted general situations and permitted health situations.

i) Permitted general situations

A permitted general situation enables data controllers and data processors to collect, use or disclose an individual’s personal data when:

  • lessening or preventing a serious threat to the life, health or safety of any individual, or the general public;
  • taking appropriate action in relation to suspected unlawful activity or serious misconduct;
  • locating a person reported as missing;
  • asserting a legal claim;
  • conducting an alternative dispute resolution process; or
  • performing diplomatic or consular duties.

ii) Permitted health situations

Permitted health situations enable controllers and processors to collect, use or disclose personal data for the following reasons:

  • provision of a health service;
  • health research;
  • use or disclosure of genetic information only when necessary and obtained in course of providing a health service;
  • disclosure of health information for a secondary purpose to a responsible person for the patient. For example, disclosure to an individual’s next of kin in order to facilitate appropriate care and treatment.

However, to rely on the permitted health situations outlined above, one has to demonstrate that:

  • they provide a health service to the individual;
  • the recipient of the personal information is actually responsible for the individual;
  • the individual is either physically or legally incapable of giving or communicating consent to the disclosure;
  • the disclosure is necessary to provide appropriate care or treatment of the individual, or is made for compassionate reasons;
  • the disclosure is not contrary to any wish expressed by the individual before they were unable to give or communicate consent; and
  • the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual or for compassionate reasons.

It is important to note that all the above conditions must exist for the exemptions based on permitted health situations to apply.

d. Exemption by court order or written law

The provisions of the Act do not apply when the disclosure of personal information is necessary to comply with any law or court order. For instance, the recent Companies (Beneficial Ownership Information) Regulations, 2020 require companies to keep a register of their key shareholders and periodically submit the register to the Registrar of Companies. Personal shareholder information kept and exchanged in compliance with this law is exempt from the Data Protection Act.

e. Exemption for journalism, literature and art

The principles of personal data protection may not apply where processing relates to the publication of literary or artistic material. This exemption applies where the data controller reasonably believes that publication would be in the public interest and that compliance would otherwise be incompatible with the special purposes of the work. Thus, where a literary or artistic piece heavily relies on the processing of personal information to be impactful to the general public, the principles of personal data protection do not apply. A controller who believes that publication would be in the public interest has to demonstrate that the processing complies with a self-regulatory or issued code of ethics that is in practice and relevant to the publication.

f. Exemption for historical, research and statistical purposes

The Act allows for further processing and use of personal data for reasons beyond the original purpose of the data provided that:

  • the further processing relates and is restricted to historical, statistical and research purposes;
  • the further processing is compatible with the original purpose of collection of the information;
  • the information is not published in an identifiable form; and
  • the data controller or processor takes appropriate measures to safeguard against the records being used for any purposes other than research and statistics.

g. Scope exemption by the Data Commissioner

The Data Commissioner has power to prescribe any other instances where data processing may be exempt from the provisions of the Act. As of the date of publication of this article, no such directives have been issued.

h. Exemption by Data-Sharing Code

The Data Commissioner may also issue a data-sharing code which will provide practical guidance on sharing personal information in a way that abides by the Act and promotes good practice in the sharing of personal data. The code will also address data sharing between government departments or public sector agencies. This data-sharing code has not yet been issued.
