Unlawful use of personal data by digital lenders has emerged as a key public concern during the ongoing countrywide awareness programme on data protection that is being undertaken by the Office of Data Protection Commissioner (ODPC).
The sensitization is targeting data controllers and processors in the counties and aims to ensure that the personal data they collect from Kenyans is used for only the intended purpose.
Members of the public have lamented that digital lenders have illegally obtained their personal information, especially phone numbers, which they use to lure them into taking unsolicited credit.
ODPC officials who were in Nyeri and Laikipia counties for this exercise, however, noted that while some of this data was obtained unlawfully from the data collectors and process, individuals who are referred to as data subjects have also been irresponsible and have provided their personal information without due diligence.
Mr. Boniface Wamai, a Data Protection Officer in charge of registration, advised data subjects to familiarize themselves with the ‘terms and conditions’ of digital lenders before taking loans.
‘Some of you have allowed the creditors to access all your contacts, and in the event of non-repayment, the lenders embark on harassment of these contacts,’ he said.
He noted, however, that following numerous complaints from the public, ODPC was relooking at these terms and conditions to see if they were aligned with the provisions of the Data Act of 2019.
Compliance officer Ali Samow said that some digital lenders have already registered with ODPC and are willing to conduct their business in compliance with the law.
Data controllers and processors who suffer a data breach where personal information in their custody is lost have been asked to report the breach to the Office of the Data Commissioner within 72 hours and to also inform the data subject of this development.
Personal data protection in Kenya is governed by the Data Protection Act of 2019. The Act gives effect to Article 31(c) and (d) of the Constitution of Kenya, that contain the right to privacy, which is a fundamental human right. It provides for the protection of personal data by requiring organisations to obtain consent from individuals before collecting, using, or disclosing their personal information.
The Office of the Data Commissioner is responsible for ensuring compliance with data protection laws in Kenya. ODPC officers said that part of their mandate was to engage with entities that collect and process personal data to enlighten them on their obligations and the need to comply with the Data Protection Act.
While those handling personal data are compelled by the law to protect this information, individuals have been urged to be mindful of the privacy of their own personal data by taking steps such as reading the privacy policies of those they give their data to and being cautious about sharing personal information online.
Under the Act, data collectors and processors are obligated to register with the ODPC, as the office has a mandate to regulate them. These entities are also required to undertake a Data Protection Impact Assessment (DPIA), which entails identifying possible data breaches and putting in place measures to mitigate these risks.
Source: Kenya News Agency