Financial Crime World

Data Protection Alert: Licensed Providers Must Take Precautions to Safeguard Personal Data

In Kenya, licensed telecommunications providers have been warned to take immediate action to protect personal data from unauthorized access, disclosure, and use. This alert highlights the importance of compliance with the Kenya Information and Communications Act (KICA) and its related regulations.

Obligations under KICA

According to KICA, licensed providers are obligated to:

  • Obtain and retain accurate billing information
  • Ensure secure storage of customer data
  • Adhere to prescribed retention periods
  • Keep customer information up-to-date and confidential
  • Disclose customer data only when required by law or with the customer’s consent
  • Inform customers of the processing of their information and intended purposes

Additional Obligations

Other legislation, such as:

  • The National Payment System Act
  • Prudential Guidelines
  • Health Act
  • HIV and AIDS Prevention and Control Act

also imposes specific obligations on service providers to ensure the security and confidentiality of customer transactions and health-related data.

Data Processors’ Responsibilities

Data processors must:

  • Register with the Commissioner
  • Designate a Data Protection Officer (DPO)
  • Process data in accordance with the Act
  • Take measures to indemnify data subjects against unlawful use of their data

Registration Requirements

The Registration of Data Controllers and Data Processors Regulations outline the procedure for applying for registration, which includes:

  • Submitting Form DPR1 and accompanying documents
  • Paying registration fees based on the size of the controller/processor, number of employees, and annual turnover/revenue

Consequences of Non-Compliance

Failure to comply with these regulations may result in serious consequences, including fines and reputational damage.

Action Required by Licensed Providers

To ensure compliance, licensed providers must:

  1. Review policies and procedures: Ensure they meet the requirements of KICA and related regulations.
  2. Conduct a thorough risk assessment: Identify potential vulnerabilities in their systems and processes.
  3. Implement robust security measures: Protect customer data using encryption, access controls, and regular backups.
  4. Designate a DPO: Oversee data protection efforts and ensure compliance with regulatory requirements.
  5. Register with the Commissioner: As required by the Registration of Data Controllers and Data Processors Regulations.

Seek Professional Advice

Licensed providers are advised to seek professional advice if necessary to ensure compliance with these regulations. The stakes are high, and non-compliance can have serious consequences for both individuals and organizations.