Town Hall Meeting Summary: DPGSK & ODPC
Participants:
ODPC: Commissioner Immaculate Kassait, Deputy Commissioner John Walubengo (Compliance), Assistant Commissioners Oscar (Presenter), Bridget Dong (Enforcement), Emmanuel Mayo (Complaints & Investigations), John Lokal (Registration), Rebecca Marecha (Compliance).
DPGSK: Chairperson Dr. Laibuta, Secretary Grace Bomu, Organizing Secretary Philip Kisawa, and members.
1. Introductions & Opening Remarks
Dr. Laibuta introduced the DPGSK as a society with over 750 members (200 paid) from private, public, civil society, and academic sectors. The society focuses on mentorship and collaboration with the ODPC.
Commissioner Kassait was introduced as Kenya’s first Data Protection Commissioner, praised for her collaborative and supportive approach, especially towards young professionals.
The meeting was necessitated by numerous questions from members seeking clarifications on compliance.
2. Key Topics & ODPC Responses
A. ODPC Communication & Public Engagement
Question: How is ODPC simplifying communication to avoid legalistic jargon that confuses stakeholders?
Response (John Walubengo): The ODPC has a training wing that conducts nationwide sensitization, including roadshows in local languages, radio, and TV programs. Despite these efforts, the message hasn’t reached everyone, and the office continues to demystify the Act.
Commissioner’s Addition: Acknowledged that data protection is often lawyer-driven. Suggested a partnership where DPGSK could develop a donor-funded curriculum and map out the country for grassroots awareness, creating a complementary strategy.
B. Complaints Handling & Timelines
Question: How will ODPC adhere to the 90-day determination timeline, especially in light of a High Court ruling?
Response (Oscar):
The 90-day limit is in the Act, with an additional 7 days in regulations for serving the determination.
The ODPC strives to handle all cases within 90 days. The complexity of some cases makes this challenging.
A High Court ruling on mediation (ADR) not being compulsory has been appealed.
Admissibility: ~70% of complaints are not admitted, primarily for these reasons:
Fraud/Loan Defaults: Cases better suited for other agencies (e.g., financial disputes).
Opt-Out Available: Complainants haven’t tried to opt out first.
Rights Not Exercised: Data subjects are advised to first exercise their rights directly with the data controller.
Commissioner’s Addition:
The ODPC is a regulator, not a court. The focus is on documentation and evidence.
Acknowledged feedback to improve the clarity of justification for non-admission.
Noted the tight balance between engagement and the strict 90-day timeline.
Dissatisfied parties can appeal a decision to the High Court within six months.
C. Legal & Regulatory Reforms
Question: What is the status of the Audit Regulations and the review of the Data Protection Act (DPA)?
Response (Commissioner Kassait):
Audit Regulations: Submissions have been made to the Ministry. The process is now with the Cabinet Secretary and will proceed to the JLC (Joint Legal Committee) for stakeholder engagement and tabling. A priority for the ODPC.
DPA Review: A committee chaired by the Ministry is working on it. The process involves a Cabinet memo, the Attorney General, and finally Parliament. The Commissioner expressed concern that the upcoming election season could delay this and urged stakeholders to push for its progress sooner.
Other Updates: The Data Commissioner Bill is currently in Cabinet. Adequacy negotiations with the EU are ongoing, hopefully concluding this year or next.
D. Registration, Audits & the Role of DPOs
Question: Can an ICT Manager serve as a Data Protection Officer (DPO)? Does this present a conflict?
Response (Commissioner Kassait): An ICT manager can be a DPO but it presents a governance risk. The ideal is for the DPO to be in a senior, independent role like internal audit to avoid conflicts and ensure authority. The lack of formal guidance on DPO roles leads to issues like low pay (~Ksh 100,000 for 45%) and victimization.
Action Point: The Commissioner challenged DPGSK to draft a framework/guidance note on the role, responsibilities, and protections for DPOs, which the ODPC would then review and adopt.
Question: How can an organization request a baseline audit from the ODPC?
Response (John Walubengo):
The ODPC proactively targets ~60 high-risk, mandatory-registration entities for audit annually.
Organizations are encouraged to conduct their own annual audits as a best practice. They can engage any competent professional or choose from the ODPC’s list of accredited auditors (procured through a public process).
Audited reports can be submitted to the ODPC for review.
Commissioner’s Addition: Auditing is a massive blue-ocean business opportunity for DPGSK members, especially for mandatory sectors like education, health, and hospitality.
E. Collaboration with Other Regulators
Question: How is ODPC collaborating with other sector regulators (e.g., IRA, CBK)?
Response (John Lokal & Team): The ODPC actively pursues partnerships with umbrella bodies and regulators to streamline compliance. Examples include:
SARA: Made ODPC registration a prerequisite for sales agents.
CBK: Supported compliance in the financial sector.
KMPDC: Issued a circular mandating registration for health facilities.
Ongoing: Discussions with IRA (Insurance) and ISK (Property) to finalize collaboration agreements.
Action Point: The Commissioner directed her team to invite DPGSK members to future sector-specific stakeholder meetings for exposure and input.
F. Cross-Border Data Transfers
Question: Must data handlers seek ODPC approval for cross-border data transfers?
Response (Rebecca Marecha): No, approval is not mandatory. However, the ODPC strongly encourages organizations to seek advisory opinions. The key is to have a lawful basis (e.g., adequacy, safeguards like SCCs, BCRs) and maintain robust records of the transfer, which the ODPC can inspect.
Priority: The ODPC is working on formal guidance for Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and adequacy for 2024/25.
G. Enforcement & Determinations
Question: Why are most enforcement actions against the private sector and not the public sector?
Response (Commissioner Kassait): The caseload is driven by complaints received, which are predominantly against private entities. The ODPC has initiated investigations against public bodies (e.g., NTSA, PDS) but needs more complaints to build public sector jurisprudence. She urged members to file complaints against public bodies.
Question: How are determinations enforced?
Response (Oscar): The ODPC cannot enforce its own determinations (e.g., collect fines). A complainant must take the ODPC’s decision to a court to have it enforced as a decree. This is a recognized gap that may be addressed in the legal reform.
3. Rapid-Fire Q&A
Biometric Data in Universities (Daniel): Refer to the ODPC’s draft Biometric Guidelines. For specific issues, contact the ODPC directly for clarification.
Sharing Student Data with Guardians (Daniel): This must be based on a lawful basis established in the university’s policy or a contract signed by the student (the data subject) upon registration.
“Consent” via Event Terms & Conditions (J): A notice at an event fulfills the duty to inform but does not constitute valid consent for photography/videography for marketing. Consent must be explicit, specific, and unambiguous.
Use of Shutterstock Images (Mike): Assessed case-by-case. The burden is on the user to prove that Shutterstock had lawful consent from the data subject for the specific use. If valid consent cannot be demonstrated, it is a violation.
4. Closing Remarks
Dr. Laibuta thanked the Commissioner and her team for their openness, mentorship, and collaboration.
Commissioner Kassait reiterated her office’s open-door policy and commitment to stakeholder feedback.
The recording of the session will be shared with DPGSK members.
A follow-up session was suggested to address unanswered questions.