Churches, landlords, learning institutions, and security companies who use closed Circuit Television Cameras (CCTV) will now be required by law to protect personal data captured in the devices or risk attracting a fine of up to KSh5 million or a term of imprisonment of up to 10 years, or both.
This is in line with the newly drafted data protection regulations by Kenya’s Data Commissioner Immaculate Kassait that mimics EU’s data protection laws which seek to impose penalties on institutions that mishandle personal data.
The laws come into play amid an increase in the adoption of CCTV cameras in households and businesses in a bid to boost security.
Further, the regulations require political campaigners, banks, gaming, and betting companies, credit reference bureaus (CRBs), and taxi-hailing apps to obtain mandatory data controllers’ or processors’ certification before accessing personal information.
Data processors or controllers will be required to pay a certification fee of KSh250,000. Businesses will also be charged registration and annual renewal fees of between KSh1,000 and KSh20,000 depending on the number of employees, turnover, and the risk of exposure of personal information.
The Data Protection Act also requires all processors to handle personal information lawfully, fairly, and in a transparent manner. The data handlers will be required to inform their clients of the use of their data and correct or delete any false representations about them.
Health status, marital status, sexual orientation, ethnicity, biometric data, names of children, and other sensitive information are also guaranteed special safeguards in the Act.
The transfer of personal data out of Kenya is prohibited unless the data processors obtain express permission and prove that the information will be protected against misuse.