Guidance on understanding the Data Protection Act, 2019 requirements

Overview

This page provides AWS’ public sector customers in Kenya with information about the legislative and regulatory requirements that may apply to their use of AWS services. Public sector customers include the following types of entities: government, education, nonprofit and healthcare organizations. Please note that the information on this page does not constitute legal advice, and public sector customers are encouraged to seek legal advice to ensure that they are compliant with applicable legislative and regulatory requirements.

FAQs

Yes. Public sector customers are generally permitted to use cloud services. However, this is subject to public sector customers complying with the legislative and regulatory requirements which govern aspects of the use of cloud services.

The Kenyan Government promotes growth and adoption of new technologies as part of its Kenya Vision 2030 project. Public sector customers that intend to use cloud services have to adhere to the ICT Authority Cloud Computing Standards 2019, the Data Protection Act, 2019 (the “DPA”) and other applicable laws.

No. However, where the use of cloud services involves the processing of personal data, the DPA regulates the processing of personal data and provides for the rights of data subjects and the obligations of data controllers and data processors. The General Regulations to the DPA, 2021 (the “General Regulations”) set out the procedures for enforcement of the rights of data subjects and provide specific requirements on the duties and obligations of data controllers and data processors. The DPA and the General Regulations also describe the types of security controls that public sector customers are required to deploy and implement when personal data is to be processed.

Below is a selection of specific provisions in the General Regulations which are applicable where personal data is processed. This is not a summary of the General Regulations, nor is it intended to be a substitution for a full review thereof. Public sector customers will have to understand the requirements of the General Regulations in their entirety, together with the DPA, and take legal advice where necessary.

Data Policy and Data Retention

A data controller or data processor is required to develop and continuously maintain a data protection policy. This policy should outline the data handling processes which are to be implemented by the data controller or data processor. This may include information regarding the nature of personal data which is collected and held and processes for a data subject to access its personal data and exercise its rights in relation to the personal data that is held.

A data controller or data processor must further establish and continuously implement a data retention schedule which determines how long personal data is retained before it is ultimately deleted. This schedule forms part of the data protection policy.

Cross Border Data Flow

Transfers of personal data outside of Kenya can only take place under any one of the following circumstances:

  • the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, which include transfers to jurisdictions with commensurate data protection laws;
  • the transfer is necessary for the fulfillment of a lawful right or obligation arising out of: a contract; a matter of public interest; the establishment, defense or exercise of a legal claim; to protect the vital interests of a data subject or other persons; or, for the purpose of a legitimate interest pursued by the data controller or the data processor, which interest is not overridden by the interest of the data subject; or
  • the data subject consents to the transfer of the personal data.

Additionally, if any personal data is strategic to the interests of the state, it must be processed through a server and data centre in Kenya and at least one serving copy of the personal data must be stored in a data centre located in Kenya.

AWS provides several compliance reports from third-party auditors who have tested and verified AWS’ compliance with a variety of security standards and regulations. This is attested by AWS’ ISO 27018 certification and, for ISMS standards, security controls and services, by its ISO 27001 and ISO 27002 certifications.

Under the shared responsibility model, AWS is responsible for security of the cloud and provides certified services which public sector customers can use and configure to meet their own security in the cloud requirements. Using the AWS Well-Architected Framework will assist public sector customers in meeting the design requirements for a secure deployment.

Information about where to request reports can be found at Compliance Reports & Certifications, which also includes links to FAQs about each of the compliance programs.

AWS is committed to offering public sector customers a strong compliance framework and advanced tools and security measures that they can use to evaluate, meet and demonstrate compliance with the applicable legal and regulatory requirements.

Potential public sector customers who are using or planning to use AWS services can take the following steps to better understand their compliance needs:

  • Consider the purpose of the workload(s) under consideration and the relevant categories of data in order to anticipate which legal and regulatory requirements may apply.
  • Assess the materiality or criticality of the relevant workload(s) in light of local requirements. For example, health-specific data is protected under the Kenya Standards and Guidelines for Health Systems, 2017, the Health Information System Policy, and the Kenya Data Protection Act, 2019. Analysis and guidance from customers’ own legal counsel are required to assess which workloads and data can be moved to AWS.
  • Review the AWS Shared Responsibility Model and map AWS’ responsibilities and customer responsibilities according to each AWS service that will be used. Customers can also use AWS Artifact to access AWS’ audit reports and conduct their assessment of the control responsibilities.

Public Resources which may be helpful to the public sector customer
