The National Industrial Training Authority (NITA) has rolled out a training programme for Nakuru County Government employees on data protection ahead of the nationwide data protection laws’ compliance inspections.
The initiative, which is a partnership between NITA and the devolved unit’s Public Service Management department, comes at a time when the Office of the Data Protection Commissioner (ODPC) has announced that it will begin nationwide inspections on various sectors to enforce compliance with data protection laws.
NITA Training Coordinator Dr Joash Omosa explained that the initiative was aimed at sensitising county staff on matters of data protection compliance requirements, data registration, and the rights of citizens in collecting, accessing and retrieving their personal data.
The official emphasised that citizens had the right to be informed, the right to access their personal data, the right to correction and the right to deletion in order to protect their privacy.
Data Protection Commissioner Ms Immaculate Kassait, in a recent statement, said the nationwide inspections were aimed at assessing how organisations manage personal data and how they provide guidance on legal obligations.
The Office of the Data Protection Commissioner (ODPC) is a government institution mandated with the regulation of the processing of personal data to provide for the rights of data subjects and obligations of data controllers and processors for connected purposes. The office was established by the Data Protection Act of 2019.
The Act regulates the collection, processing and storage of personal data by both government and private organisations and also establishes an ecosystem of rights and obligations that operationalises the right to privacy as enshrined in the Kenyan Constitution.
The NITA Training Coordinator warned that data breaches could cause severe financial losses, legal penalties, and reputational damage to organisations.
He said by prioritising data protection, institutions ensure continuity and stability in addition to building customer loyalty.
Dr Omosa, who is also a member of the Institute for Human Resource Management (IHRM), further explained that the trainings would ensure that employees are equipped with enough knowledge on the mandate and core responsibilities of the ODPC office in terms of data storage and protection.
The initiative, the official added, would enhance the capacity of public servants in handling personal data responsibly and in compliance with the Data Protection Act.
“This training also ensures that Human Resource team align their practices with public values and commit to professionalism in service delivery,” he added.
Dr Omosa regretted that illegal access to pools of personal data gleaned by individuals, companies and even government agencies was often used for blackmail, identity theft, intimidation, targeted advertising and extortion.
He, however, warned firms that getting their processes flagged by ODPC not only resulted in enforcement notices and administrative fines but also a steep public relations cost due to the ensuing bad publicity.
Dr Omosa observed that owing to the rising amount of data created and processed by organisations, there was a great possibility of violation of data security and privacy, thus the rising need for data protection.
He noted that virtually all private firms and government agencies and departments operating in the County collect data from either customers, employees, suppliers or service providers, data which he said ranges from IP addresses, search histories, locations, credit card numbers and purchase histories, among others.
The coordinator underscored the importance of organisations complying with the provisions of the Data Protection Act at the initial stages of a product life cycle, especially when collecting and storing such data, including when onboarding new employees.
He cautioned that collecting data without the right privacy protections in place would have adverse and long-term effects on organisations, adding that the penalties for breaches were high enough to make organisations pay attention to data privacy.
Dr Omosa said employees were the predominant custodians of data in an organisation and were at the highest risk of breach of privacy, hence the need to create awareness among them on the legal requirements relating to data privacy.
He advised that in the long term, data privacy would be a great brand differentiator, as it would build customer loyalty, while a lack of it would impede organisational growth, adding that the image and reputation of a company with strong privacy mechanisms would create trust, which is the basis for establishing a loyal customer base.
The Data Protection (General) Regulations 2021 and the Complaints Handling Regulations took effect from March 14, 2022, while the registration of data controllers and processors took effect on July 14, 2022.
The Data Protection (General) Regulations 2021 provide for rights of a data subject and limitations to commercial use of such information. It also explains the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.
In the event of commercialisation of data, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.
He or she is liable, on conviction, to a fine not exceeding Sh20,000, to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the Data Protection Act.
Sharing or offering for sale personal information could land those responsible for its safe storage jail terms of up to six months or fines of up to Sh5 million.
So far, 36 African countries, Kenya included, have Data Protection Acts or regulations in place, while sixteen countries have signed the African Union Convention on Cyber Security and Personal Data Protection.
By Esther Mwangi and Mary Ochieng
