NCIA PAYS A COURTESY CALL TO THE DATA PROTECTION COMISSIONER

The Centre recently paid a courtesy call to the office of the Data Commissioner to explore areas of possible collaboration. The Data Protection Act, No. 24 of 2019 (DPA) is considered one of the most progressive data privacy laws in Africa. It has robust provisions on the proper handling of personal data to ensure that the rights of data subjects are protected. It elaborates the roles and responsibilities for all data controllers and processors established in Kenya or are processing data touching on data subjects in Kenya.

NCIA team led by the Registrar during a courtesy visit at the office of the Data Commissioner. Next to the Registrar is Mr. Oscar Otieno, Deputy Data Commissioner in charge of Investigations and Enforcement.

The Act outlines the mandate of the Office of the Data Protection Commissioner (ODPC) and grants powers to the data commissioner to facilitate conciliation, mediation and negotiation of disputes arising from the Act. The office has developed and ADR framework as a guide to the general pubic on settling of disputes submitted to the ODPC through conciliation, mediation, and negotiation.

During the Deputy ODPC noted that since 2021 when the Data Commissioner came on board, the office has received over 2000 complaints touching on the data protection act and upon analysis of the complaints, 700 were identified as meeting the threshold for further investigation. He observed that being a fairly new office, the office lacked the capacity to process the cases hence the need to enter into a partnership that would help process and resolve the complaints in a timely manner. He noted that ADR was one of the avenues the institution was considering instead of applying the investigation and enforcement process which requires resources that were not available to them. He noted that the institution was looking at having facilitators to conduct ADR. He noted that two areas of possible collaboration was in the provision of hearing facilities and ADR facilitators noting that once the areas of collaboration are identified, the institutions should enter into an MOU.

The Registrar noted that the collaboration would require an assessment of the powers given to the ODPC including whether the powers allows her to delegate or deputize other offices to perform the function. He gave the example of the KPA Act which designates NCIA by statute to be the appointing authority. On facilitators, the Registrar noted that training through capacity building of ODPC facilitators can be done by having a curriculum specific to the institution. The Center he noted would train the facilitators and by the time they list with ODPC, they have a certification from NCIA to ensure quality assurance.

In terms of managing the accreditation database, a discussion on who manages it will be necessary including whether there will be a cross list. The Registrar noted that a time would come when there would be matters that cut across different jurisdictions adding that the training should consider building capacity for this kind of skills requirement.With the ADR framework in place, the ODPC anticipates to resolve data protection disputes quickly through their ADR mechanism and ensure reduction in the complaints lodged at the office which would otherwise take long to resolve. The Registrar in his closing remarks noted that if required, the Centre would be willing to assist in case management in order to lift the burden from the ODPC .We look forward to a fruitful collaboration with the Office of the Data Commissioner as we support the implementation of their ADR framework in line with their mandate.