REPORTING A DATA BREACH IN KENYA

Data Protection in Kenya: Series 3

Recently, between the end of December 2023 and early January 2024, Kenya Airways (KQ), “The Pride of Africa” airline, suffered a data breach in a cyberattack that led to unauthorized access to sensitive information, including police investigation reports, phone numbers, email addresses and passport information belonging to staff and passengers of the airline.

This comes a few months after an unsuccessful cyberattack on the Kenyan government’s eCitizen platform, which allows access to all government services in Kenya. With this trend, there is a need to understand what the Kenyan data protection law says and what to do in the event of such a criminal attack.

Section 43 of the Data Protection Act, 2019 provides a mechanism by which an entity acting as a Data Controller can report and notify the Data Commissioner of unauthorized access that results in a data breach.

The law provides that where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller shall:

  1. Notify the Data Commissioner without delay, within seventy-two hours of becoming aware of such breach; and
  2. Communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.

Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.

Where a Data Processor becomes aware of a personal data breach, the Data Processor shall notify the Data Controller without delay and, where reasonably practicable, within forty-eight hours of becoming aware of such breach.

The Data Controller may delay or restrict communication to the Data Subjects of a possible data breach or unauthorized access whenever it is necessary and proportionate for purposes of prevention, detection or investigation of an offence by a concerned relevant body. It is also worth noting that the communication of a breach to the Data Subject is not required where the Data Controller or Data Processor has implemented appropriate security safeguards which may include encryption of affected personal data.

The notification and communication to the Data Commissioner and Data Subject shall provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach, including:

  1. A description of the nature of the data breach;
  2. A description of the measures that the data controller or data processor intends to take or has taken to address the data breach;
  3. A recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
  4. Where applicable, the identity of the unauthorized person who may have accessed or acquired the personal data; and
  5. The name and contact details of the data protection officer where applicable or other contact point from whom more information could be obtained.

Where and to the extent that it is not possible to provide all the above information at the same time, the information may be provided in phases without undue delay.

The Act also requires a Data Controller to record the following information in relation to a personal data breach:

  1. The facts relating to the breach;
  2. The breach’s effects; and
  3. The remedial action taken.

It is also important to note that by notifying the Data Commissioner of an unauthorized access or data breach, you are not reporting yourself for any sanction by the Commissioner. It is a step of seeking help and assistance to avoid similar incidents or attacks in future.

At A.O.WANGA ADVOCATES we are happy to assist you in all your Data protection concerns in Kenya.

All rights reserved for A.O.WANGA ADVOCATES

www.aowangaadvocates.com
