Kenya’s Financial Institutions Under Scrutiny: Data Protection Measures Come Under the Spotlight
Introduction
Kenya’s financial sector has experienced significant growth in recent years, with the incorporation of various financial institutions such as SACCOs, micro-finance institutions, fintechs, mobile money, and non-bank financial institutions. However, this growth has also raised concerns over the protection of client data, particularly in the fintech space, where mobile loan providers have been accused of requesting ever more access to clients’ private data.
The Need for Data Protection
The country’s Data Protection Act of 2019 and subsequent regulations have set out a comprehensive framework for the capture, use, and management of client data. Financial institutions must adhere to basic principles of data privacy covering the collection, storage, and use of personal data. According to the law, all personal data in Kenya must be collected directly from and with the consent of the data subject, and released to a third party only with their consent.
Key Principles
- Collection: Personal data can only be collected directly from the data subject.
- Storage: Personal data must be stored securely and confidentially.
- Use: Personal data can only be used for specified purposes and with the consent of the data subject.
- Accuracy: Financial institutions must take reasonable steps to ensure that personal data is accurate, up to date, and complete.
Rights of Individuals
Individuals have a right to:
- Access their personal information
- Correct inaccurate data
- Object to the collection or processing of their data
Compliance Requirements
Financial institutions are required to adopt the measures necessary to ensure the protection and security of personal data, including:
- Identifying foreseeable internal and external risks
- Establishing safeguards against identified risks
- Implementing necessary controls and procedures for the handling of personal data
- Providing training to staff on data protection principles and practices
Kenya National Commission on Human Rights Emphasis
The Kenya National Commission on Human Rights has emphasized the importance of data protection in the financial sector, urging institutions to:
- Notify the commission and individuals of any security compromises
- Take steps to restore the integrity of their information systems where personal data has been compromised
Section 35 of the Data Protection Act
Financial institutions must implement safeguards and appeals mechanisms for all automated processing of personal data that produces a decision with no human intervention.
Conclusion
Kenya’s financial institutions are under pressure to implement robust data protection measures to ensure the safety and security of client data. Compliance with the Data Protection Act requires financial institutions to undertake regular audits, data mapping, and impact assessments, appoint a data protection officer, train staff, and register as data controllers and processors. It is essential for financial institutions to prioritize data protection to maintain public trust and confidence in their operations.