REPORTING A DATA BREACH IN KENYA
Data Protection in Kenya: Series 3
Between late December 2023 and early January 2024, Kenya Airways (KQ), "The Pride of Africa", suffered a cyberattack and data breach that led to unauthorized access to sensitive information, including police investigation reports, phone numbers, email addresses and passport information belonging to staff and passengers of the airline.
This comes a few months after an unsuccessful cyberattack on the Kenyan government's eCitizen platform, the portal through which government services in Kenya are accessed. Given this trend, there is a need to understand what Kenya's data protection law says and what to do in the event of such a criminal attack.
Section 43 of the Data Protection Act, 2019 sets out how an entity acting as a Data Controller reports and notifies the Data Commissioner of unauthorized access that results in a data breach.
The law provides that where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller shall:
- Notify the Data Commissioner without delay, within seventy-two hours of becoming aware of such breach; and
- Communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.
Where a Data Processor becomes aware of a personal data breach, the data processor shall notify the Data Controller without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach.
The Data Controller may delay or restrict communication of a possible data breach or unauthorized access to the Data Subjects where this is necessary and proportionate for the prevention, detection or investigation of an offence by the relevant body. It is also worth noting that communication of a breach to the Data Subject is not required where the Data Controller or Data Processor has implemented appropriate security safeguards, which may include encryption of the affected personal data (in practice, that safeguard only holds where the encryption keys were not themselves exposed in the breach).
The notification to the Data Commissioner and the communication to the Data Subject shall provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach, including:
- A description of the nature of the data breach;
- A description of the measures that the data controller or data processor intends to take or has taken to address the data breach;
- A recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
- Where applicable, the identity of the unauthorized person who may have accessed or acquired the personal data; and
- The name and contact details of the data protection officer, where applicable, or another contact point from whom more information can be obtained.
Where and to the extent that it is not possible to provide all the above information at the same time, the information may be provided in phases without undue delay.
The Act also requires a Data Controller to record the following information in relation to a personal data breach:
- The facts relating to the breach;
- The breach’s effects; and
- The remedial action taken.
It is also important to note that notifying the Data Commissioner of an unauthorized access or data breach is a statutory obligation, not an act of reporting yourself for sanction by the Commissioner. It is a step towards obtaining help and assistance to avoid similar incidents or attacks in future.
At A.O.WANGA ADVOCATES we are happy to assist you in all your Data protection concerns in Kenya.
All rights reserved for A.O.WANGA ADVOCATES
www.aowangaadvocates.com