Sensitive personal data is any data which reveals a person’s race, health status, ethnic-social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or sexual orientation of the data subject.
Data controllers and Data Processors alike are advised
to employ higher standards of data protection compliance measures when handling
sensitive personal data. Such data when processed could pose a significant risk
to the fundamental rights and freedoms of a data subject. It is to this end,
that the Data Protection Act, 2019 prohibits the processing of sensitive
personal data except under certain circumstances, which are spelt out in the
Act.
First and foremost, when processing sensitive personal data,
controllers and processors must abide by the principles of data protection.
Lawfulness, fairness and transparency, purpose limitation, data minimization,
accuracy, storage limitation and the right to privacy are some of the
principles that controllers and processors must comply with when processing
sensitive personal data.
In addition to abiding by the principles of data protection,
controllers and processors may process sensitive personal data under the
following circumstances:
- In
the course of legitimate activities of a foundation, association or
non-governmental organisation (NGO) with a political, philosophical,
religious or trade union aim. This exception covers religious
institutions such as churches, temples, mosques and political parties
among others. The processing must relate solely to the members of the
organization or persons with regular contact with the organization so long
as the personal data is not disclosed outside the organization without the
consent of the data subject.
- When
the data subject has made the sensitive personal data public. The
law allows processing sensitive personal data in instances where the data
subject has intentionally made the data public. The data could be made
public through social media, TV interviews, newspapers or magazines.
- Processing
is necessary to establish, exercise or defend a legal claim. The
law allows Data Controllers to process personal data if it is necessary
for them to establish, exercise or defend a legal claim. A good example is
when a medical negligence claim has been brought against a medical
institution and the institution needs to adequately prepare its defence;
it must process the claimant’s health data.
- To
protect the vital interest of the data subject or another person. The
Data Protection Act 2019 allows the processing of sensitive personal data
when it is necessary to protect the vital interest of the data subject or
of another person where the data subject is physically or legally
incapable of giving consent. The Act is silent on what constitutes
vital interest, however, guided by recital 46 of the GDPR, vital interest
in Kenya could be construed to include matters of life and death.
- Processing
is necessary for carrying out the obligation and exercising the specific
rights of the controller or of the data subject. This exception
could be construed to include legal obligation under employment law,
wherein controllers are allowed to process sensitive personal data of
their employees or potential employees.
In conclusion, data controllers and processors are generally
prohibited from processing sensitive personal data except under the conditions
stipulated in the Data Protection Act, 2019 and with strict adherence to the
principles of data protection.