
Kenya: Overview of ODPC Guidance Notes for Health, Education, Digital Credit, and Communication sectors

3 July 2024 | 8 minute read | Data Protection

Overview

  • Processing of personal data in the education, health, financial and communication sectors has long been predisposed to dangers and risks associated with unauthorised use and breaches. These sectors process high volumes of personal and sensitive personal data by virtue of the nature of their operations.

The roll-out of sectoral Guidance Notes by the Office of the Data Protection Commissioner (ODPC) is meant to assist data controllers and data processors in better understanding their obligations under the Data Protection Act, 2019 (the ‘Act’).

General overview of the Guidance Notes

The Guidance Notes for the four sectors cover some of the biggest industries in the market in terms of the volume and sensitivity of the personal data processed. By way of example, the guidance note for the education sector indicates that the education system provides services to over 16 million children and youth, involving nearly 500,000 teachers across approximately 90,000 schools. For the education sector alone, these numbers illustrate the variety of processing purposes and categories of personal data that educational institutions use and require in their day-to-day operations.

Each guidance note is intended to give educational institutions, healthcare institutions, communication sector players and Digital Credit Providers (“DCPs”) a better understanding of their obligations under the data protection laws, and the notes are to be used as interpretation tools to help ensure compliance.

We set out below a summary of each of the Guidance Notes:

1. Guidance note for the communication sector

The communication sector includes telecommunication, broadcasting, postal and courier service providers. All entities and persons in this sector are required to fully implement a privacy framework while processing personal data to ensure compliance with the Act and the Regulations. The guidance note clarifies how data protection principles in the telecommunication sector can be applied, the lawful basis for processing personal data, the obligations of the sector regulator and service providers, as well as the rights of data subjects who subscribe to the services of entities operating in the sector.

Privacy concerns in the communication sector

The ODPC highlights the key privacy issues that have been experienced in the sector as a result of the continued digitisation of systems. These concerns include:

  1. Collection and tracking of high volumes of personal data such as phone calls, call logs, text messages and internet browsing activity. This activity is used to build detailed profiles of individuals which can be shared with third parties for other purposes;
  2. Encryption and decryption: Decryption technologies and backdoors to access encrypted data are controversial, as they may compromise the privacy of users;
  3. Surveillance: Entities may use communications technology to monitor individuals, including their internet activity, phone calls and text messages. The ODPC has observed that such monitoring may occur with or without a lawful warrant, and that it is often difficult to know when it takes place;
  4. Cybersecurity breaches: Vulnerability to cybersecurity breaches exposes users’ personal data and increases the security risks faced by data subjects;
  5. Misuse of personal data: Communications companies may share or sell personal data to advertisers and other third parties without user consent, leading to unwanted marketing messages and other forms of spam.

The guidance note sets out considerations that must be factored in when processing subscribers’ personal data, network traffic data, location or geographical data and financial data, as well as considerations for mobile operators’ privacy policies.

2. Guidance note for digital credit providers (DCPs)

DCPs are persons or business entities that provide loan services through the internet, mobile services, computer devices, applications or other digital systems as may be prescribed by the sector’s regulator, the Central Bank of Kenya (‘CBK’). DCPs are advised to carry out comprehensive privacy impact assessments and to consider the impact on other human rights such as equality, non-discrimination and economic, social and cultural rights. The guidance note for DCPs expressly emphasises that data subjects, not the products, should be the centre of focus when processing personal data. With data subjects at the centre, DCPs minimise their exposure to the risks associated with breaches, unauthorised use and non-compliance.

Privacy concerns in the DCP sector

The guidance note for DCPs highlights the key privacy issues that have been experienced in the sector. These concerns arise from the way DCPs operate on digital systems and platforms. Some of the concerns highlighted by the ODPC include:

  1. Routine sharing of customer data with third-party marketing companies without consent or any lawful basis;
  2. Use of unclear and ambiguous terms and conditions. Many of the terms and conditions are non-compliant with data protection law;
  3. Overcollection of personal data such as photos and videos, texts and call logs and phone information, which is then used for purposes other than those for which it was collected.

As the players in the DCP sector continue to expand their consumer portfolios, the guidance note clarifies the need to develop a robust privacy framework that protects both the businesses and data subjects. Sector-specific compliance tools and procedures may include processing personal data on a lawful basis and in line with the principles of data protection, developing clear terms and conditions (which can be covered through the relevant privacy-related documents), data minimisation and developing organisational safeguards that ensure compliance with data protection laws.

3. Guidance note for the education sector

The guidance note on the education sector highlights the significance of learning institutions in their role as data controllers, given the large volumes of personal and sensitive data that they process. Notably, educational institutions handle a great deal of personal data relating to children, a vulnerable group of data subjects. The guidance note indicates that the sector provides services to over 16 million children and youth. Despite this, many players in the sector have not met the requirements of the data protection laws, such as conducting data protection impact assessments when processing sensitive data relating to children, putting organisational frameworks in place and issuing the relevant privacy notices and policies. The ODPC highlights in the guidance note its concern that non-compliant entities face an increased likelihood of data breaches and unauthorised use of personal data.

Privacy concerns in the education sector

The sector faces the risk of data breaches and non-compliance due to a lack of organisational measures and safeguards for data protection. These risks could be associated with physical processing (filings and physical records) or electronic processing (development of Edtech and digitised education systems) of personal data.

Some of the key privacy concerns that have been noted within the sector include:

  1. Frequent cyberattacks on institutional systems which put the privacy of collected and stored personal data at risk;
  2. Data breaches such as unauthorised access to personal data resulting from a lack of adequate data security measures and standards;
  3. Phishing and ransomware attacks by unauthorised persons;
  4. Unlawful use of personal data by vendors where personal data is used for purposes other than the initial stated purpose, such as for advertising;
  5. Failure to follow the highest data protection standards set under the law, for example by not implementing adequate data security measures; this is also a major concern for the ODPC.

The guidance note is intended to cover the various aspects of data protection applicable to all educational institutions operating in Kenya, including kindergartens, primary and secondary schools, and higher education institutions. Importantly, the note also extends to remote e-learning solutions and services, so that institutions select distance learning tools and resources on the basis of the safeguards and compliance assurances they offer.

4. Guidance note for the health sector

The health sector is also one of the largest processors of personal data in Kenya, as the various stakeholders collect, store and analyse vast amounts of personal and sensitive data during registration, diagnosis, storage, analysis and transfer. Additionally, the digitisation of the health sector has exposed it to a high risk of attack and to breaches involving personal data.

The guidance note on the health sector provides that e-health and m-health are revolutionising how health data is transferred, stored and accessed. Health Management Information Systems (HMIS), e-Health, m-Health, medical imaging devices (X-rays, CT scans, MRI scans and ultrasounds), wearable devices (such as fitness trackers, blood pressure monitors and heart rate monitors), e-Prescription and robotic surgery are all platforms through which personal data is processed in the health sector.

Privacy concerns in the health sector

Some of the privacy concerns that have been noted by the ODPC include:

  1. Misuse of personal and health data, which has raised concerns about patients’ privacy and dignity;
  2. Lack of transparency around data processing, which has led to misconceptions and misinformation;
  3. The risk of bias and discrimination in the processing of health data;
  4. Cyberattacks as a result of the increased adoption of technology within the sector;
  5. Automated processing of personal data, with its implications for data subject rights and the prevention of discrimination.

The guidance note on the health sector states that while the sector’s rules address confidentiality in several respects, such provisions need to be reviewed because some are inconsistent with the DPA (the Act) and the Regulations. Players within the sector need to appreciate that the DPA and the resultant Regulations provide the main data protection framework, and that personal data processing across all industries should reflect the requirements of this law. The guidance note helpfully provides a checklist that healthcare service providers can use as a guide to ensure compliance.