AN1 Legal

AN1-2022-001 Privacy Policy Outline

Instructions:

  1. The template provided is a generic document designed for a typical transaction as described below. Special amendments or additional clauses may be necessary depending on the nature of the transaction and the terms agreed between the parties. Where instructions are provided for respective clauses, please review the instructions carefully and modify the clause to suit the circumstances in your transaction. If in doubt, or if dealing with a complex scenario or transaction, please seek legal advice from an Advocate.
  2. This article is written in the context of handling data relating to adults. Additional special conditions apply when handling data relating to minors.

Template Copyright Licence:

  • Free for commercial use. No attribution required.

An organisation whose activities involve collection, storage, processing and dissemination of data relating to natural persons (individuals) who are resident in Kenya (referred to as “data subjects”) is required to provide certain information to data subjects.

This requirement applies if data is handled through:

  • Automated means; or
  • Non-automated means, where such data forms part of a filing system.

This means that any organisation that systematically handles data from Kenyan residents – whether at a physical premises or virtual space – is required to publish a privacy policy. That includes data relating to customers, visitors, job applicants, employees, etc.

If you wish to review your organisation’s privacy policy for compliance purposes, or you have been tasked with drafting a privacy policy, this checklist may be just what you need. The attached template provides an outline of a privacy policy that satisfies the requirements under the Data Protection Act (No. 24 of 2019), and also includes other recommended contract clauses.

IMPORTANT NOTES:

  • The objective of a privacy policy is to focus on privacy-related issues. A separate contract is often necessary to govern the actual transaction between the parties, for example an employment contract, or customer terms & conditions. The contract governing the transaction is treated as the primary contract, while the privacy policy is treated as a secondary (ancillary) contract. In this instance, certain important clauses will typically be included in the primary contract, so they need not be duplicated in the privacy policy.
  • If a software that collects cookie data will be used, a separate cookie policy should be prepared. Alternatively, the provisions can be incorporated in the privacy policy.
Clause Number Title Guidelines on Required or Recommended Provisions Statutory Reference
1 Effective Date

Indicate the date from which the policy takes effect.

If applicable, state that this revised policy supersedes prior versions of the policy.
2 Parties

Identify the parties to the policy, being the data controller / data processor and the data subject. The data subject may be a named individual or a defined category of persons (for example employees or website visitors).

If appropriate, a detailed description of the parties can be set out in the primary contract.
3 Definition of Terms

Identify key words or phrases used in the policy and provide a corresponding definition, for example:

  • Authorised Representative
  • Personal Data
  • Sensitive Personal Data

If cookie policy provisions are being incorporated in the policy, include a definition of the term “Cookie”.

We recommend that the definitions in the policy should not negate or erode the definitions in Section 2 (Interpretation) of the Data Protection Act.

 Section 2, Data Protection Act
4 Interpretation

Outline special rules that apply when interpreting the policy. Without these rules, the meaning or application of certain provisions may be misunderstood.

For example, indicate that the privacy policy shall be read as part and parcel of the primary contract.
5 Capacity

Indicate that the data subject must be over the age of eighteen (18) years.

If any person is acting on behalf of a corporate entity, or as an agent on behalf of a principal, the person must warrant and undertake that he / she has legal authority and explicit consent from the data subject to consent to the privacy policy, disclose Personal Data and exercise the rights of the data subject.

Reserve the right to confirm authority of a representative through such means as may be necessary. We recommend that you also reserve the right to withhold services until adequate confirmation is obtained.

NOTE: Additional special restrictions apply when handling personal data relating to minors.

 Sections 27, 33, Data Protection Act
6 Consent

Specify the mode of acceptance of the policy – whether through manual signature, or electronic signature, or ticking a checkbox on a physical or online form, or any other overt (clear and intentional) action by the data subject. The specified action shall be deemed to be confirmation that the data subject has read, understood and voluntarily accepts the terms of the policy.

If practicable, inform the data subject whether collection of the requested personal data is required by law, and whether submission of the requested data is optional or mandatory. If need be, distinguish optional data from mandatory data.

If cookie policy provisions are being incorporated in the privacy policy, indicate whether collection of cookie data is optional or mandatory. Different rules may apply for different categories of cookie data.

Indicate that by consenting to the policy the data subject also expressly consents to the following (as applicable):

  • Collection of personal data from the data subject (or an authorised representative), processing, storage and use in connection with one or more of the purposes set out in the policy.
  • Collection of personal data from third parties, processing, storage and use in connection with one or more of the purposes set out in the policy.
  • Transfer, processing and storage of personal data outside Kenya. If appropriate, this provision should incorporate sensitive personal data.
  • Storage of personal data in raw form after expiry of the retention period for compliance purposes, or for reference in resolution of subsisting or potential complaints or disputes.
 Sections 27, 28(1), 28(2)(c), 30(1)(a), 32, 39(1)(c), 49(1), Data Protection Act
7 Purpose

Assure the data subject that personal data will be collected, transmitted, processed, stored and used for the purposes set out below, and shall not be handled in a manner that is incompatible with the specified purposes.

The purposes may include the following (as appropriate):

  • Data handling in such manner as may be approved by the data subject or an authorised representative;
  • Performance of a contract entered into by the data subject;
  • Public interest, fulfillment of the mandate of a public authority, or delivery of public goods and services;
  • Statutory compliance;
  • Protection of rights or interests of the data subject or other persons;
  • Resolution of complaints and disputes;
  • Fulfillment of other legitimate interests provided that data processing shall not prejudice the rights and legitimate interests of the data subject;
  • Preparation of historical, statistical, journalistic literature or artistic works, or conduct of scientific research;
  • Commercial purposes including direct marketing;
  • Automated decision-making.

If personal data relating to family or private affairs is requested, provide a valid explanation.

If cookie policy provisions are being incorporated in the privacy policy, indicate any special purpose for which cookie data is being collected.

The stated purpose(s) should not contravene any other law, code of ethics or contract that governs the activities of the data controller / data processor.

 Sections 25(c), 25(e), 26(a), 29(c), 30(1), 34(2), 35(2), 37(1)(a), Data Protection Act
8 Nature of Personal Data Handled

Specify the nature of personal data collected, transmitted, processed, stored and used. Such data should be limited to what is necessary in order to fulfill the specified purposes.

If cookie policy provisions are being incorporated in the privacy policy, indicate the type of cookie data collected.

If practicable, inform the data subject whether collection of the requested personal data is required by law, and whether submission of the data is optional or mandatory. If need be, distinguish optional data from mandatory data.

 Sections 25(d), 29(b), 29(g), Data Protection Act
9 Rights and Responsibilities of Data Subject

Inform the data subject of his / her rights, which may be exercised by the data subject or an authorised representative:

  • To access and update personal data;
  • To request for erasure of personal data;
  • To have inaccurate personal data rectified;
  • To restrict or object to processing, and to withdraw consent to processing (which shall not affect prior processing);
  • To receive personal data in a structured, commonly used and machine-readable format;
  • To transmit data to another data controller or data processor.
  • If technically possible, to arrange for direct transfer of data to another data controller or data processor.

Where practicable, we recommend that the data subject should be responsible for ensuring that his / her personal data is up to date at all times.

Where the data controller or data processor has shared the personal data with a third party for processing purposes, the data controller or data processor should take all reasonable steps to inform third parties of data rectification or erasure request.

 Sections 25(f), 26, 27, 29(a), 32(2), 32(3), 34, 36, 38, 40, Data Protection Act
10 Consequences of Data Handling Restrictions

Indicate the consequences that ensue if the data subject:

  • Withholds all or any part of the requested data;
  • Withholds consent to the privacy policy; or
  • Withdraws consent to, or restricts, processing of personal data;
  • Requests for erasure of personal data.

If cookie policy provisions are being incorporated in the privacy policy, indicate what would be the outcome if the data subject withholds consent to collection of cookie data.

We recommend that a data controller / data processor should reserve the right to retain certain personal data for compliance purposes, and for reference in resolution of existing or potential complaints or disputes. In this case, inform the data subject that certain data will be retained, but processing will be restricted.

 Sections 29(h), 30(1)(a), 34, 40(3), Data Protection Act
11 Access to Data; Account Management

Indicate how the data subject can access his / her personal data.

Where appropriate, consider indicating the precautions that a data subject can or should take to safeguard the security of his / her account.
12 Response Time; Applicable Fees

Indicate the response time within which requests from the data subject will be addressed. Note that data porting requests must be addressed within thirty (30) days; this period may be extended depending on the complexity and volume of data porting requests.

Indicate whether the requests will be attended to free of charge, or at a nominal fee.

 Sections 34(3), 38(6), 38(7), Data Protection Act
13 Automated Decision Making If applicable, indicate that the data controller or processor may rely on automated data processing to make specified decisions that are likely to significantly affect the data subject. In such event, the data subject should be notified as soon as practicable, and in writing, that a decision has been taken based solely on automated processing. The data subject may – within a reasonable period after receiving such notification – request the data controller or data processor to re-consider the decision. Section 35, Data Protection Act
14 Data Retention

Indicate the period for which personal data will be retained in raw form, which should be long enough to satisfy the purpose for which data was collected and processed plus such additional period as necessary:

  • For compliance purposes;
  • For any other lawful purpose (such as reference in resolution of existing or potential complaints or disputes);
  • For historical works, statistical works, journalistic literature, artistic works, or research purposes.

Upon lapse of the specified retention period, the raw data should be erased or anonymised or pseudonymised.

 Sections 34(3), 39, Data Protection Act
15 Data Protection Safeguards

If practicable, outline the technical and organizational security measures taken to ensure the integrity and confidentiality of the data, for example:

  • Adoption of a risk assessment and compliance matrix;
  • Implementation of technical safeguards to ensure data protection;
  • Anonymisation, pseudonymisation or encryption of personal data;
  • Storage of data back-ups.
 Sections 25(g), 37(2), 41, Data Protection Act
16 Data Sharing

If practicable, inform the data subject of:

  • Third parties to whom personal data will be transferred;
  • Safeguards adopted by third parties.
 Section 29(d), Data Protection Act
17 Transfer of Personal Data Outside Kenya

If applicable, indicate that personal data (including sensitive personal data) will be transferred out of Kenya for reasons consistent with the specified purposes.

We recommend that the data controller / data processor should highlight key data protection safeguards adopted by the data recipient(s).

 Sections 25(h), 48, 49, Data Protection Act
18 Communication

If applicable, indicate that the data controller / data processor may use personal data to send communication to the data subject, for example:

  • System notifications;
  • Account-related communication;
  • Direct marketing communication.

If personal data will be used to send marketing communication to the data subject, confirm that a simple opt out mechanism will be provided.

We recommend that the data controller / data processor should reserve the right to continue sending certain communication that is essential in relation to the specified purposes even after the data subject opts out from marketing communication.

If the data controller or data processor administers social media or other publicly-accessible platforms, we recommend the following additional provisions:

  • Notify the data subject that such platforms are operated under separate policies and practices; and
  • Caution the data subject that any data they submit to such platforms is likely to remain publicly accessible;
  • Indicate that the data subject is solely responsible for any data that he / she opts to submit in such platforms, and exclude liability for any data privacy breach that may occur as a result of the data subject sharing his / her personal data in such platforms.
19 Requests; Complaints

Indicate the contact details of the data controller / data processor – particularly the contact details through which the data subject can submit requests relating to exercise of his / her rights.

Outline a complaint handling mechanism.

 Section 29(e), Data Protection Act
20 Modification

If the right of the data controller or data processor to modify the policy is not already provided for in the primary contract – or if the policy is not incorporated by reference in the primary contract – we recommend that this clause should be set out in the policy.

Also indicate how the data subject will be notified of such modifications.

Where applicable, notify the data subject that use the concerned service should be discontinued if the data subject disagrees with the modifications. Also indicate that if consent to modifications is withheld, prior versions of the policy shall continue to apply based on the consent earlier provided.

References:

  • Data Protection Act (No. 24 of 2019)

Related Content:

Accessibility

  • ABX – Subscription required
  • ACX – Free
  • ANX – Free
  • AB11-001 Data Protection Compliance Standards
  • AB11-002 Data Protection Compliance Tools

Further Updates:

Laws, procedures and fees are prone to change at any time. If you wish to notify us of any further updates concerning this article, please contact us through the My Query portal, and be sure to quote the article reference number (example: ABX-XXX).