How Kenya's new personal data protection law could affect researchers
The risk of infringing on privacy is growing by the day given the increased frequency and granularity of the data being collected, and advances in the technology for processing them. This has, inevitably, led to the need for laws to secure personal data privacy.
Researchers and research data are not exempt: advances in big data analytics for research have driven the collection of even more significant amounts of data. Researchers have traditionally self-regulated. But personal data protection laws have begun to increase restrictions. Researchers need to be aware.
In Kenya, a new law came into force late last year that significantly affects researchers. Passed in 2019, the Kenya Personal Data Protection Act was designed to bring the protection of personal data from misuse in Kenya into the 21st century. It's a significant step forward because it facilitates lawful use of personal data, including research, thus strengthening individuals' fundamental rights. The appointment of Kenya's first Data Protection Commissioner in November finally operationalised the law.
The Act governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the data producers' rights, and specifies the obligations of the data controllers and processors.
It has significant implications for researchers in general, and for those involved in the health sector in particular. The Act defines health data as data related to the state of physical or mental health of the data subjects. In research, health data can come from reviewing patient records or accessing information in the national health databases.
The issue of what data is collected, and what's done with it, has become much more urgent in the light of accelerated efforts to find a COVID-19 vaccine. Draft regulations have been issued by Kenya's new commissioner for COVID-19 research. These provide a litmus test on how the new law could affect research and what the data processors and controllers need to be aware of.
The proposed regulations for COVID-19 reflect the law's new requirements. These are that researchers can only collect data from individuals and that personal data may only be used to detect, contain and prevent the spread of COVID-19.
Specific consent and anonymisation
The role of the Data Commissioner is to enforce the new law by registering and monitoring the appointment of Data Protection Officers, data controllers and data processors. The Commissioner is also responsible for sensitising the public about data issues and providing a code of practice to accompany the Act.
Data controllers are those who determine the purpose and means of personal data processing. Data processors, on the other hand, process the personal data on behalf of the data controller. For example, scientists process data through the research lifecycle: collection, analysis, and publication.
A data subject is someone who is the subject of personal data.
Researchers need to know the new law's implications for research that uses personal data. They also need to know who data processors and data controllers are for research and academic institutions. For example, data processors can include those who offer transcription services and DNA sequencing or translation services for data analysis companies. Research institutions and universities would be the data controllers through their designated authority.
The new law anticipates the tremendous cost of hiring a data protection officer. It makes provision for sharing across institutions by enabling research institutions to come together as a consortium to hire one.
The law also has provisions that exempt data meant for research if it is anonymised. Genetic data and biometric data (including DNA) are considered to be sensitive and identifying information. Therefore, studies that involve an individual's sequence data would fall under the regulation but would be subject to the exemptions on personal data for research.
The law requires express, explicit, unequivocal, free, specific, and informed consent to personal data processing from the data subjects. Researchers were already required to get consent to collect personal data for research by obtaining ethical approval for the study. But the need for specific consent, specifying data collection during data planning and creation, may impede research and data reuse as it is challenging to clearly outline the scope of the use of personal data for research.
Personal data relating to a data subject's health can only be processed under the responsibility of a healthcare provider, for the public interest, or by a person subject to the obligation of professional secrecy under any law.
The new law stipulates that personal data can't be transferred outside Kenya "unless there is proof of adequate data protection safeguards or consent from the data subject."
The Act was not formulated to regulate research data. But some sections affect research. The data protection regulations that will follow should have the scientist's interests at heart and promote research. Researchers should be given time to align their work with the new law.
There are also some unanswered questions. For example, exemptions for research data seem to only apply to the processing. Does this restrict the transfer of personal data meant for research? What does this mean for publishing research data, where the journals are based outside the country? What does this mean for research collaboration?
The restriction is a concern since many countries in Africa are yet to adopt a similar Act.
Additionally, compliance with the Act requires adopting research practices, such as consent and anonymisation, that protect personal data but are not commonly used. Research data management practices are missing in most academic and research institutions, calling into question how they would be able to enforce the Act.
There is also still the need to sensitise and equip Kenyan data controllers and producers with the skills to comply with the new law. Research and academic institutions must come up with research data management policies aligned with the provisions of the Act to guide researchers and to hire data protection officers.