By Diana Meso

On Thursday, December 2, the Division of Legal Services partnered once again with Gikera & Vadgama Advocates (GVA) to hold the second edition of the Data Protection & Privacy (Risk Imperatives) webinar, with an aim of digging deeper into the obligations the university has, as an institution of higher learning, when it comes to handling personal data.

Moderating the event, Ms. Helen Ambasa, Director of Legal Services, welcomed the participants and facilitators to look inward or navel gaze as it were, into what kind of data the university deals with on a daily basis, as well as how to ensure that the data is collected, used and stored in a lawful way. She commended the university for developing and implementing a data protection and privacy policy long before the enactment of the Data Protection Act, 2019.

Mr. Emmanuel Ouma, Advocate of the High Court of Kenya and presently an associate in the Dispute Resolution Department GVA, started by explaining the kind of data collected and processed from when a student begins the admission process and the best practices aligning to the Data Protection Act.

“Name, year of birth, gender and parents/guardian information are some of the data collected from students who are joining the university through the admissions office and then shared with the registrar,” he said.

Mr. Ouma mentioned that at the very basis of collecting this data, the university has to consider the issue of consent, transparency, limitation of retention, integrity and lawfulness. He further went on to ask the following questions that the university might want to consider regarding the same:-

• Does the person (student) providing this information have the capacity (age) to give consent in the first place? Do they understand and agree to the repercussions of sharing the data?
• Is there a clear indication to give consent on the admission form?
• Why is the university collecting this data and for how long will they retain it?
• Has the university put measures in place to ensure that the data collected remains with the intended person and not shared with a third party who has absolutely nothing to do with the data?
• Have the parents/guardians given consent for their information to be shared?

Elaborating on some the legal terms frequently used when it comes to data protection, Mr. Felix Mung’ara, Associate GVA, defined Personal Data, Data Controller, Data Processor and Data Subject. Personal Data is any data that can be used to identify a natural person, a Data Controller is person or a legal entity that collects and determines how data will be used, for example, USIU-Africa, a Data Processor person or a legal entity who is under instructions from the Data Controller on how to handle the data, for example, the Finance or Human Resource departments and a Data subject is the person providing information. He also articulated the distinctions made in the Data Protection Act on personal data and sensitive personal data.

Furthering the discussions Ms. Kananu Mutea, Partner & Head of Dispute Resolution, GVA, pointed out that a university is like a city; it has different components that are data oriented and share data consistently. She said that data can be collected in form of certificates, photographs, CCTV footage, biometric and serve various purposes including finding out the suitability of a person for a certain role, pension processing, performance review, training and development among other things.

Additionally, Ms. Mutea said that the data collected can be shared with different entities like the Ministry of Education, Donors, Insurance providers, unions and security agents. However, she cautioned data controllers and processors on sharing data with integrity and for the rightful reason.

Reacting to participants questions and comments, the following points were highlighted;

• Data controllers and processors can be called upon to share data with security agents, however they should be cautious and assess the lawfulness of the request as well as minimize the data to only what has been requested. Court orders can play a big role when it comes to this, but a verification of the court order is crucial to ensure its authenticity.
• Data protection policies should include the threshold of information to be shared.
• Employers should be alert their employees before sharing data to a third party, and the employees have to first give consent. Additionally, employers have the right to verify information given by employees especially during recruitment process but only limited to the purpose point.
• On International data sharing including in cases of Student & Staff Exchange Programs, the Data Protection Act requires that an entity provide proof that appropriate safeguards have been put in place with respect to the security and protection of the personal data.
• On cloud data storage, it is important for an entity to understand the terms and conditions of their service provider and share the same with their employees. In case of any data breach, the entity should let the vendor, the office of the Data Protection Commissioner and the data subject know.
• Additionally, it is recommended that before engaging a vendor on cloud data storage, a data mapping should be done to identify the pros and cons and put effective measures in place.
• The Data Protection Act is premised on various principles including Transparency, Lawfulness, Integrity and Limitation of retention.
• Data subjects have the right to inquire how, when and where the information they are giving will be used.
• When students collect data for their research projects, who bears the security of the information collected and to what limitation? Should the data be anonymized? Universities should develop data policies to govern research.

In concluding, participants were informed that the Data Protection Act, 2019 provides for sanctions in the event of unlawful disclosure of personal data: said sanctions include a fine not exceeding three million shillings or imprisonment for a term not exceeding ten years or to both a fine and imprisonment.