Kenya has appointed its first Data commissioner. Mrs Immaculate Kassait was sworn in by the Chief Registrar of the Judiciary on the 16th November 2020. This is a welcome appointment almost a year after the Data Protection Act came into force on 25th November 2019. She will serve a single term of six (6) years and will not be eligible for a re-appointment.
The Functions of the Office of the Data Commissioner.
Mrs Kassait’s office will oversee and enforce the provisions of the Act. Her first task will be to appoint other members of the Office of the Data Commissioner which will have the following function in implementation of the Act:
- oversee the implementation of and be responsible for the enforcement of this Act;
- establish and maintain a register of data controllers and data processors;
- exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with this Act;
- promote self-regulation among data controllers and data processors;
- conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
- receive and investigate any complaint by any person on infringements of the rights under this Act;
- take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;
- carry out inspections of public and private entities with a view to evaluating the processing of personal data;
- promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements; and
- undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals;
The Data Commissioner has a number of options under the Act, that can be exercised to ensure that Data Controllers and Data Processors uphold the constitutional right to privacy. Her office has the power to;
- Conduct investigations on own initiative, or on the basis of a complaint made by a data subject or a third party
- Impose administrative fines for failure to comply with the Act; and
- Upon obtaining a warrant from a Court, may enter and search any premises for the purpose of discharging any function or exercising any power under this Act.
This appointment brings to life the Data Protection Act as it can now be enforced. Entities that process large volumes of personal information are expected to have commenced their compliance efforts lest they form what would be regarded as “low hanging fruits” for the privacy regulator.