Data Protection Impact Assessments
The scramble for access to personal, health and general data in relation to Covid-19 is increasing by the day. Every other person or institution wants a piece of Covid-19 data. Many wish to process this data for a public purpose, namely the management of Covid-19 and the devising of strategies to ‘flatten the curve’; others may wish to process the data for commercial or nefarious purposes. There have been claims and fears that even those who say they are processing personal data and health data for a public health purpose may be using the data to undertake mass surveillance that is unrelated to ‘flattening the curve’.
Where a processing operation is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Act provides that a data controller or data processor must carry out a data protection impact assessment before the processing begins. Section 31(4) of the Data Protection Act defines “data protection impact assessment” as an assessment of the impact of the envisaged processing operations on the protection of personal data.
Section 31(3) provides that the data controller or data processor shall consult the Data Commissioner prior to the processing if a data protection impact assessment prepared under the section indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject. Section 31(5) of the Act requires that the data impact assessment report be submitted sixty days prior to the processing of data.
In the prevailing circumstances, Kenya does not have a Data Commissioner. Further, it is not practicable to have data impact assessment reports done sixty days prior to the processing of data. Data to ‘flatten the curve’ must be processed in real time and as a matter of urgency. Hopefully, once the Data Commissioner is in place, they shall set out guidelines for carrying out an impact assessment as provided for under Section 31(6) of the Data Protection Act. The guidelines should be clear on the processing of data in times of emergency. I find the sixty-day requirement under Section 31(5) problematic, since no clear statutory discretion has been afforded to the Data Commissioner to vary the number of days.
Notwithstanding the above, data controllers who wish to process data in these Covid-19 times must undertake data impact assessments. I have argued before that the absence of a Data Commissioner does not preclude the courts from enforcing the constitutional right to privacy. A data subject may file a petition arguing that a data controller or data processor is processing or has processed data in violation of provisions of the Data Protection Act, in effect infringing on the data subject’s right to privacy.
Notwithstanding the absence of a Data Commissioner, it is important that data controllers undertake comprehensive data protection impact assessments. Section 31(2) sets out the contents of a data protection impact assessment; it provides that the assessment shall include –
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects; and
the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.