What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process to help you identify and minimize the data protection risks of a project.
Importance of a DPIA
- They mitigate the risks that may arise in the collection and processing of data
- They enable accountability
- They identify the impact an entity's processing will have on the privacy of a data subject
- They provide input on privacy by design
- They demonstrate the measures to be taken to comply with the DPA
Kenya Data Protection Act 2019 (DPA)
The DPA, under Section 31, states that a DPIA should be conducted by a data controller or data processor where the processing of data is likely to result in a high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context, and purposes.
The Data Protection Act states that a DPIA should include the following:
- A description of the intended processing, purpose, and if possible the legitimate interest being pursued.
- An assessment of the necessity and proportionality of processing the data in relation to the purpose
- An assessment of the risk to the rights and freedoms of data subjects
- The measures put in place to ensure the security of the data and compliance with the DPA
Guidance Note on Data Protection Impact Assessment
The Office of the Data Protection Commissioner published a Guidance Note in accordance with the DPA to guide the preparation of a DPIA. The Guidance Note covers the following:
Definition of risk
It defines risk as a scenario describing an event and its consequences, estimated in terms of severity and likelihood. In this case, the risk is assessed in relation to the rights and freedoms of a data subject, namely the rights and freedoms found in the DPA and the Constitution of Kenya.
Processing that requires a DPIA
- Automated decision-making with legal or similarly significant effect
- Systematic monitoring
- Sensitive data, or data relating to a data subject or to matters of a private nature
- Data processed on a large scale or in large volumes
- Matching or combining data sets
- Data concerning vulnerable data subjects
- Innovative use or application of new technology or organisational measures
- Processing that prevents data subjects from exercising their rights
Submission of a DPIA
A DPIA should be submitted within 60 days before the commencement of data processing.
The Data Protection Act is silent on whether a DPIA must concern a single processing activity or whether a single DPIA can be used to assess multiple similar processing activities.
The guidelines recommend that a single DPIA can be used for similar processing activities that present similar risks, that is, where the nature, scope, context, purpose, and risks are similar to those for which the DPIA was conducted. A new DPIA is, however, required if the risks change, for example with the introduction of new technology.
If it is a joint DPIA, it should state what each data controller and data processor is responsible for and the measures each has taken to ensure the safety and privacy of the data.
A DPIA is not required when:
- The processing is not likely to result in a high risk to the rights and freedoms of the data subject.
- The processing is likely to lead to a risk similar to one for which a DPIA has already been conducted; in that case, the data controller can rely on the existing DPIA.
- The processing falls under the exceptions in Section 51(2) of the DPA, namely: processing of personal data by an individual in the course of a purely personal or household activity; processing necessary for national security or the public interest; or disclosure required by or under any written law or by an order of the court.
When should a DPIA be conducted?
A DPIA should be conducted from the onset when designing the project. The DPIA should regularly be updated during the lifecycle of the project.
The DPIA should contain the following:
- The amount of data being collected
- The extent of processing personal data
- The period and method of storing personal data
- The technological development available for processing the data
- The special risks that exist in processing the data
- An assessment of the necessity and proportionality of processing the data in relation to the purpose
- An assessment of the risk to the rights and freedoms of data subjects
- The measures put in place to ensure that the data is secure and the processing complies with the DPA
Effects of the DPIA on Industry
Public bodies, private entities, and civil societies are examples of entities that would be required to have a DPIA.
A DPIA may be required of public bodies that collect and process data involving biometrics and surveillance. Some of the public bodies that may be affected include:
- Kenya Revenue Authority
- Independent Electoral and Boundaries Commission (IEBC)
- National Hospital Insurance Fund (NHIF)
- Huduma Namba Secretariat
- National Transport and Safety Authority
- The various registration entities: Civil Registration; Immigration; and the National Registration Bureau.
A DPIA may be required of private bodies that collect and process data in ways that may put data subjects at risk. Some of the private entities that will be affected include:
- Medical industry
- Telecommunications industry
- Banking industry
- Mobile lending entities
- Insurance industry
A DPIA may also be required of civil society groups that work with vulnerable groups in society, such as children, women, and LGBTQ communities.
Useful links and sources
- The Kenya Data Protection Act
- The Guidance Note on Data Protection Impact Assessment
- Republic vs Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology and other (ex-parte Katiba Institute and Yash Pal Ghai) Judicial Review Application No. E1138 of 2020
Please note that the information above is for knowledge purposes only and should not be construed to be legal advice or relied on as such.
Tevin Mwenda is an Advocate of the High Court of Kenya and a data policy associate at KICTANET.