How Kenya’s new personal data protection law could affect researchers

The risk of infringing on privacy is growing by the day given the increased frequency and granularity of the data being collected, and advances in the technology for processing them. This has, inevitably, led to the need for laws to secure personal data privacy.

Researchers and research data are not exempt: advances in big data analytics for research have driven the collection of even more significant amounts of data. Researchers have traditionally self-regulated. But personal data protection laws have begun to increase restrictions. Researchers need to be aware.

In Kenya, a new law came into force late last year that significantly affects researchers. Passed in 2019, the Kenya Personal Data Protection Act was designed to bring the protection of personal data from misuse in Kenya into the 21st century.

It’s a significant step forward because it facilitates lawful use of personal data, including research, thus strengthening individuals fundamental rights. The appointment of Kenya’s first Data Protection Commissioner in November finally operationalised the law.

The Act governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors.

It has significant implications for researchers in general, and for those involved in the health sector in particular. The Act defines health data as data related to the state of physical or mental health of the data subjects.

In research, health data can be from reviewing patient records or accessing the national health databases’ information.

The issue of what data is collected, and what’s done with it, has become much more urgent in the light of accelerated efforts to find a COVID-19 vaccine.

Draft regulations have been issued by Kenya’s new commissioner for COVID-19 research. These provide a litmus test on how the new law could affect research and what the data processors and controllers need to be aware of.

The proposed regulations for COVID-19 reflect the law’s new requirements. These are that researchers can only collect data from individuals and that personal data may only be used to detect, contain and prevent the spread of COVID-19.

The role of the Data Commissioner is to enforce the new law by registering and monitoring the appointment of Data Protection Officers, data controllers and data processors. The person is also responsible for sensitising the public about data issues and providing a code of practice to accompany the Act.

Data controllers are those who determine the purpose and means of personal data processing. Data processors, on the other hand, processes the personal data on behalf of the data controller. For example, scientists process data through the research lifecycle: collection, analysis, and publication. A data subject is someone who is the subject of personal data.

Researchers need to know the new law’s implication for research that uses personal data. They also need to know who data processors and data controllers are for research and academic institutions.

For example, data processors can include those who offer transcription services and DNA sequencing or translation services for data analysis companies. Research institutions and universities would be the data controllers through their designated authority.

The new law anticipates the tremendous cost of hiring a data protection officer. It makes provision for sharing across institutions by enabling research institutions to come together as a consortium to hire one.

The law also has provisions that exempt data meant for research if it is anonymised. Genetic data and biometric data (including DNA) are considered to be sensitive and identifying information. Therefore, studies that involve an individual’s sequence data would fall under the regulation but would be subject to the exemptions on personal data for research.

The law requires express, explicit, unequivocal, free, specific, and informed consent to personal data processing from the data subjects. Researchers were already required to get consent to collect personal data for research by obtaining ethical approval for the study.

But the need for specific consent, specifying data collection during data planning and creation, may impede research and data reuse as it is challenging to clearly outline the scope of the use of personal data for research.

Personal data relating to a data subject’s health can only be processed under the responsibility of a healthcare provider, for the public interest, or by a person subject to the obligation of professional secrecy under any law.

The new law stipulates that personal data can’t be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.