The Office of the Data Protection Commissioner (ODPC) has unveiled a training programme for Egerton University employees aimed at equipping them with essential knowledge and skills in data protection. The initiative promotes accountability, transparency, and secure data management in institutions of higher learning.
Principal of Egerton University Nakuru Town Campus, Professor George Ogendi, described data protection as a critical global issue. He said the training was designed to align the institution’s senior staff with international standards and safeguard the rights of Kenyans.
Speaking at the inauguration of the four-day programme held at the Njoro main campus, Professor Ogendi, representing Vice Chancellor Professor Isaac Kibwage, emphasised that a proactive approach to data protection supported by clear policies and proper governance structures is vital for safeguarding both staff and student data.
He warned of the dangers posed by illegal access to personal data pools by individuals, companies, and government agencies, which are often exploited for blackmail, identity theft, intimidation, targeted advertising, and extortion.
“Data is a critical asset in the modern academic environment. This training also serves as a safeguard against loss of intellectual property and patents related to innovation,” he noted.
While citing the Data Protection Act of 2019, which provides guidelines for institutions like Egerton University, Professor Ogendi highlighted that the university has developed a draft policy on Data Protection and Security to help operationalise the Act.
He stressed that the growing reliance on digital platforms demands a collective effort to understand best practices for data handling, storage, and sharing. He underscored the importance of data protection in maintaining the university’s accountability, integrity, and reputation.
“These efforts aim to enhance institutional accountability, support regulatory compliance, and foster trust in the university’s management of sensitive information both locally and internationally,” Professor Ogendi explained.
He observed that the increasing volume of data processed by organisations raises the risk of violations of data security and privacy, hence the urgent need for data protection measures.
Professor Ogendi added that organisations have embraced various technological solutions, including digital services, online advertising, electronic communication, and virtual information sharing, reflecting a paradigm shift towards the digital space.
“Employees are the primary custodians of data within organisations and are thus at the highest risk of privacy breaches. It is crucial to create awareness among them about legal requirements related to data privacy,” he said.
The principal highlighted that employees must understand their roles in upholding high data privacy standards during the collection, processing, and storage of data, given the significant financial and reputational risks any data breach can cause.
He noted that almost all private firms, government agencies, and county government departments collect data from customers, employees, suppliers, or service providers, underscoring the importance of comprehensive data protection training.
The training initiative comes as the ODPC announced nationwide inspections across sectors to enforce compliance with data protection laws.
Training Coordinator Mr Godfrey Murata explained that the programme covers key topics including data privacy laws, cybersecurity protocols, recognising cyber threats, and implementing effective data management strategies.
Mr Murata emphasised that the initiative aims to sensitise university staff on compliance requirements, data registration, and citizens’ rights relating to the collection, access, and retrieval of personal data.
He highlighted the fundamental rights of data subjects, including the right to be informed, the right to access their data, the right to correction, and the right to deletion, all crucial for protecting privacy.
On June 3, Data Commissioner Ms Immaculate Kassait announced the nationwide inspections to assess how organisations manage personal data and to provide guidance on legal obligations.
ODPC is a government institution mandated to regulate the processing of personal data, ensuring the rights of data subjects and defining the obligations of data controllers and processors. It was established under the Data Protection Act of 2019.
The Act regulates the collection, processing, and storage of personal data by both government and private organisations. It also creates an ecosystem of rights and obligations operationalising the constitutional right to privacy.
Mr Murata noted that data breaches can cause severe financial losses, legal penalties, and reputational damage to organisations. By prioritising data protection, institutions ensure continuity, stability, and build customer loyalty.
He further said the training equips employees with knowledge about the ODPC’s mandate and core responsibilities regarding data protection.
“This initiative enhances the capacity of senior university staff to handle personal data responsibly and in compliance with the Data Protection Act. Human Resource teams are also urged to align their practices with public values and commit to professionalism in service delivery,” he added.
Currently, 36 African countries, including Kenya, have Data Protection Acts or regulations, while 16 have signed the African Union Convention on Cyber Security and Personal Data Protection.
Mr Murata warned organisations that violations flagged by ODPC could result in enforcement notices, administrative fines, and substantial public relations costs due to negative publicity.
The Data Protection (General) Regulations 2021 and Complaints Handling Regulations took effect on March 14, 2022, while registration of data controllers and processors commenced on July 14, 2022.
These regulations provide for data subject rights and limitations on commercial use of information. They define the roles of data controllers and processors, procedures for reporting data breaches, and rules governing the transfer of data outside Kenya.
Commercialisation of personal data without the data subject’s consent is an offence punishable by fines up to Sh20,000 or imprisonment for up to six months, or both, under the Data Protection Act.
Sharing or selling personal information improperly can attract jail terms of up to six months or fines of up to Sh5 million.
“Data collected by organisations includes IP addresses, search histories, locations, credit card numbers, and purchase histories. Virtually every organisation processes private data of thousands or millions of individuals at some point,” Mr Murata explained.
He stressed the importance of compliance with the Data Protection Act at the initial stages of a product’s life cycle, especially during data collection and employee onboarding.
Failing to implement appropriate privacy protections can have long-term adverse effects on organisations, with high penalties underscoring the need to prioritize data privacy.
Mr Murata noted that data privacy will become a key brand differentiator, building customer loyalty, while its absence could impede organisational growth.
He said organisations with strong privacy mechanisms foster trust, which is the foundation for establishing a loyal customer base.
By Esther Mwangi
