- Of the 352 complaints her office received, 291 were against political parties.
- Commissioner says the Act presents a need to change the ways in which technologies are designed and managed.
Political parties are the most notorious for breaching Kenyans’ private data, the Office of the Data Protection Commissioner has revealed.
Data Commissioner Immaculate Kassait, in a report to Parliament to mark her one year in office, says that of the 352 complaints her office received, 291 were against political parties.
Another 33 complaints were filed against money lending platforms, while 28 were due to other forms of personal data processing.
“The number of complaints and data breaches is expected to increase drastically as more Kenyans become aware of their rights and available mechanisms in place to safeguard their personal information,” Kassait said.
She said her office registered the complainants with the Office of Register of Political Parties for inclusion of an ‘opt out mechanism’ by political parties when processing personal data.
“Out of the received complaints, 291 have been investigated and resolved. However, 61 complaints remain active and investigations are ongoing.”
In the report, Kassait said organisations that breach the Data Protection Act would be charged hefty penalties of up to two per cent of their annual turnover.
“Many organisations will require a data protection officer to ensure compliance with the law. A renewed emphasis on organisational accountability will demand proactive robust privacy governance,” the commissioner said.
Kassait added that the developments would require organisations to review how they write privacy policies to make the requirements easy to understand and to ensure compliance.
She further told MPs that the requirement of the Act presents the need to change the ways in which technologies are designed and managed.
“Documented data protection impact assessments will be required to deploy major new systems and technologies that are likely to result in high risk to the rights and freedoms of data subjects,” the report reads.
Entities, the commissioner adds, would be required to report to regulators any data breaches within 72 hours in line with new data security approaches and incident response procedures.
“The concept of data privacy now becomes enshrined in law, with the Privacy Impact Assessment expected to become common across organisations over the next few years,” she said.
The commissioner added that organisations will be expected to “look more into data masking, pseudonymisation, and encryption.”
Kassait has called on the National Assembly, through the Delegated Legislation Committee, to prioritise the approval of the Data Protection Regulations, 2021.
Part of the regulations requires that all organisations, including the IEBC, host their data servers locally as a measure to contain difficulties in accessing such information.
IEBC would thus be required to host its election data and transmission servers in the country ahead of the 2022 general election.
Citing high expectations from Kenyans, Kassait wants MPs to help push the government to fast-track full operationalisation of her office in terms of recruitment of staff, ICT and finalisation of data laws.
The commissioner reported plans to move the Office of the Data Protection Commissioner from the Communications Authority headquarters to Britam Towers.
(Edited by Bilha Makokha)