ELEMENTS OF A DATA PROTECTION IMPACT ASSESSMENT UNDER THE KENYA DATA PROTECTION ACT, 2019
This blog post was written by Amrit Labhuram.
INTRODUCTION
A Data Protection Impact Assessment (DPIA) means an assessment of the impact of the envisaged processing operations on the protection of personal data (any information relating to an identified or identifiable natural person), as defined under Section 31(4) of the Kenya Data Protection Act, 2019 (DPA, 2019). As a legal instrument, the DPA, 2019 can trace its roots to the E.U. General Data Protection Regulation (GDPR), and it embodies many of the same legal obligations and duties as its European counterpart, including minimum requirements for a DPIA.
DPIAs can be regarded as an early warning system enabling all actors to systematically address potential deficiencies in a process that could lead to the violation of fundamental rights and freedoms protected under articles 31(c) and 31(d) of the Constitution of Kenya 2010. These provisions guarantee individuals the right not to have “information relating to their family or private affairs unnecessarily required or revealed” and the right not to have “the privacy of their communications infringed”, respectively. On the basis of the outcome of the analysis, appropriate measures to remedy the risks should be adopted and implemented. A DPIA allows for better decision-making at the implementation stage and avoids the need for costly subsequent improvements or potential leaks of personal data. Thus, for data controllers (a natural or legal person, public authority, agency or other body which determines the purpose and means of processing of personal data), it is an important instrument to demonstrate compliance with legal requirements.
KEY ELEMENTS & STAGES OF DPIAs
The GDPR came into force in May 2018, and attempts have been made to establish the key elements of a DPIA, derived from extensive analysis of existing processes used in the EU. These processes were tested and approved in practice in the EU projects PIAF (Privacy Impact Assessment Framework) and SAPIENT, in an extensive empirical assessment of existing DPIA schemes. The process developed ensures that results can be reproduced and verified, enabling, amongst other things, the competent data protection authorities to check whether all legal obligations have been satisfied. The prescribed DPIA is formulated as a three-stage process.
A) PREPARATION STAGE
Under section 31(1) DPA, 2019, data controllers are obligated to perform a DPIA where a processing operation, by virtue of its nature, scope, context and purposes, is likely to result in high risk to the rights and freedoms of the data subject. The data controller is expected to undertake the following steps during the preparation stage.
1. Relevance threshold: Determining whether a DPIA is necessary based on the potential risks to the fundamental rights and freedoms of the persons concerned. Under section 31(1) DPA, 2019, data controllers are expected to conduct DPIAs when there exists ‘high risk’ to the data subjects’ rights. High risk arises during the processing of sensitive personal data, which requires higher protection under law, and where the high intensity of interference of the data processing can lead to serious consequences for the data subjects and there are no effective safeguards or methods of intervention available to them.
2. Projecting the Assessment: The goals and scope of the assessment are determined, alongside the competent personnel, such as the Data Protection Officer, and the resources to be allocated to the DPIA.
3. Target of Evaluation: In order to evaluate whether a high risk is likely, the controller has to have an overview of the data processing in question. At this point, a systematic description of the data processing and its purposes is prepared, as well as a statement of the legitimate interests of the controller, according to section 31(2)(a) DPA, 2019.
4. Identification of actors involved / persons concerned: This is not limited to individuals working for the data controller and those involved in the development and implementation of the processing, but should extensively identify all persons that will interact with the personal data in any form.
5. Identification of relevant legal requirements: The legal requirements of a DPIA are enshrined under section 31(2) DPA, 2019; however, sector-specific national legislation must also be adhered to where it directly concerns the processing of the data in question.
6. Documentation of tasks and issues: The results of the preparation stage must be reported and documented in a standardized procedure.
B) EVALUATION STAGE
1. Identification of Protection Goals: The requirements of data protection are prescribed by law and can be operationalized as protection goals. The six key protection goals are:
- Availability: data accessible, comprehensible and processable in a timely fashion for authorized entities;
- Integrity: need for reliability and non-repudiation concerning information;
- Confidentiality: need for secrecy;
- Unlinkability: ensures data cannot be linked across different domains and/or be used for purposes differing from the original intent;
- Transparency: data subjects have knowledge of all relevant circumstances and factors regarding the processing of their personal data; and
- Intervenability: control of the data subjects, as well as the controller or supervisory authority over the personal data.
It is important to note that the lawfulness of the processing of data is determined before a DPIA is conducted.
2. Identification of evaluation criteria and benchmarking: Every processing of data interferes with data subjects’ rights to private life and data protection. Therefore, protection standards need to be established based on the intensity of interference with the above-mentioned rights, depending on the use of specific data or the kind of processing implemented. Data controllers in the EU implement three protection standards, namely:
- Normal: personal data are processed without the potential of high intensity of interference;
- High: special categories of personal data are processed and thus require a higher protection standard under the law; and
- Very High: the personal data processed require a high standard of protection under the law, and additional risks are posed by insufficient data security or illegitimate changes of the purposes of processing.
A High protection standard may also be required when there is a cumulative effect of various aspects of data processing which by themselves would not demand a high level. Examples are scoring/profiling, automatic decisions which lead to legal consequences for those impacted, systematic monitoring, processing of special personal data, data processed on a large scale, the merging or combining of data gathered by various processes, data about incapacitated persons or those with limited ability to act, use of newer technologies or biometric procedures, data transfer to countries outside Kenya, and data processing which hinders those involved in exercising their rights. If there is doubt and it is difficult to determine whether a high risk exists, a DPIA should nevertheless be conducted.
3. Evaluation of Risk: The risks are categorized according to the six protection goals, and the process requires a comparison between the data controller’s envisaged risk management measures, or measures determined during the course of the DPIA, and a catalogue of reference measures, which include auditing, encryption, privacy statements and information security management, amongst others. Deviations from the reference measures should be assessed in light of their gravity and the extent to which they compromise the protection goals. Where the analysis demonstrates failures to comply with the protection goals, this leads to an assumption of deficiencies in the data protection policy that need to be redressed. It is at this stage that the necessity and proportionality of the data processing envisaged by the data controller can be assessed, alongside the overall assessment of risk to the rights and freedoms of the data subjects. These two assessments satisfy the legal requirements for DPIAs under section 31(2)(b) and (c) DPA, 2019.
C) REPORTS & SAFEGUARDS STAGE
1. Identification and Implementation of Appropriate Safeguards: Based on the result of the evaluation of risk at the end of the Evaluation Stage, a risk management plan has to be developed. This fulfills the final minimum legal requirement of the DPIA under section 31(2)(d) DPA, 2019, namely that the DPIA must contain remedies to the risks identified, including safeguards, security mechanisms and measures to protect personal data. The above actions are undertaken while demonstrating compliance with the DPA, 2019, and also taking into account the rights and legitimate interests of data subjects and other persons concerned. The action plan to address the risks should detail:
- Which safeguards are implemented to reduce the gravity of, or avoid interference with the fundamental rights or specific harm for persons concerned;
- Who is responsible to implement safeguards and the personnel to be consulted;
- By when these safeguards are to be implemented and which resources are available;
- The criteria to measure the results of safeguards; and
- Who is responsible to evaluate and document these criteria.
2. Documentation and Publication of the DPIA Report: The report should ideally be structured in a standardized form to facilitate evaluation and comparison by the Office of the Data Protection Commissioner (ODPC), other enterprises and the public.
3. Auditing of the Evaluation of Risk: The DPIA report should be audited by an independent third party and, where appropriate, by the ODPC, as it is best positioned to handle the following scenarios, where:
- There are possible instances of conflicts of interest;
- There is a need to take due regard of the rights and interests of persons concerned when selecting safeguards;
- There is a need to provide adequate information to the public; and
- There is a need to ensure that the envisaged safeguards are actually implemented (oversight).
4. Supervision and Continuation: DPIAs are by nature not a linear or one-off process; they are repeated to ensure continuous supervision over the lifetime of the processing activity. Article 35 GDPR calls for reviews when there are changes in the risks posed by the processing of data, for example whenever organizational or legal conditions change or new risks for data protection in general are identified. A similar approach should be adopted in Kenya to strike a balance between ensuring a legally compliant processing activity and ensuring that data controllers and data processors do not incur unnecessary costs performing DPIAs. In the EU, data privacy experts have recommended that DPIAs ideally be conducted every 3 years.
CONCLUSION
The enactment of the DPA, 2019 ushers in a monumental shift towards the realization and enjoyment of the Right to Privacy as protected under the Constitution of Kenya, 2010.
At MacroSec we provide various cyber security services which tie into fulfilling the legal requirements of data handlers under the DPA, 2019. These services include, but are not limited to:
- Penetration Testing: This provides data handlers with validation that proper and adequate technical and organizational measures and safeguards have been implemented to ensure the integrity and safety of data subjects’ information. It mainly involves the simulation of a data breach, including the actual extraction of protected data, so as to assess the current state of security.
- Security Audit: This service, similar to Penetration Testing, involves assessing the adequacy of the measures and policies undertaken by data handlers to ensure the security of the data collected from data subjects. During audits, our security team will assess the measures and safeguards and how well they have been implemented, e.g. firewall deployment and whether adequate rules and settings have been configured.
- Compliance Consultancy: This service is aimed at ensuring compliance by all persons or entities involved in any data handling or processing activities. Furthermore, our team will advise on policy building to ensure best practices in line with the legal requirements of the DPA, 2019.
We at MacroSec are committed to helping our customers with their data protection and privacy compliance by providing them with solutions that we have built into our services and contracts over the years. Get in touch with us and let’s begin your security journey together.
AMRIT SINGH LABHURAM
Legal Consultant to MacroSec and Director at Macrotech Portal Ltd.