GUIDELINES FOR DATA PROTECTION ACT COMPLIANCE
The Office of the Data Protection Commissioner has developed a raft of sector-specific guidelines to assist entities in complying with the requirements of the Data Protection Act, 2019.
The Data Protection Act, 2019 in Kenya was enacted to regulate the processing of personal data and to give effect to Article 31 (c) and (d) of the Constitution of Kenya. It aims to ensure that personal data is processed lawfully, transparently, and securely, thereby protecting individuals’ privacy rights.
The guidelines include: Guidance note on the processing of personal data for journalistic, literary and Artistic purposes. It addresses the processing of personal data for the publication of audiovisual and recorded media, with the exclusion of intellectual property rights considerations. It provides direction on handling of personal data within the context of creating, processing and publishing audiovisual content, ensuring compliance with the Data Protection Act and the Data Protection Regulations.
The Guidance Note for Processing of Children’s Data spells out considerations that must be present when processing children’s personal data, among them a distinction between consent as a lawful basis and parental or guardian consent and privacy concerns while processing children’s data.
The Guidance Note on Historical and Statistical Purposes provides an overview of the lawful basis for processing such data and guidance on further processing where data was not originally collected for historical or statistical purposes.
The Guidance Processing of Biometric Data applies to biometric processing of personal data in either the public or private sectors, that can be supplemented by additional measures for the protection of privacy and individual rights, which may impact or be impacted by the processing of personal data.
The Guidance Note for Public Sector provides the public sector with a clear understanding of their obligations under data protection law aiming to cover various aspects of data protection, including the collection, use, retention, disposal, disclosure, and registration disposal of personal data in the public sector.
The Guidance Note on Processing by MSME is a simplified approach to assist MSMEs in understanding the scope of their data processing activities, including the collection, use, retention, disclosure, and disposal of personal data.
The Guidance Note on Research Purposes applies to Research Institutions, Researchers (academic and non-academic), Research assistants and data analysts, and data controllers and processors processing personal data for research purposes in either the public or private sectors and non-governmental organizations.