Overview of the ODPC Guidance Note for Digital Credit Providers

14 May 2025

7 minute read


Kenya’s financial services sector has undergone a transformation driven by the proliferation of internet access and technological innovation. As a result, Digital Credit Providers (DCPs) have emerged as an alternative to traditional lending, aimed at providing underserved and unserved Kenyans with quick and accessible credit. The large volume of personal data processed by DCPs raises significant privacy concerns. To address this, the Office of the Data Protection Commissioner (ODPC) has published a comprehensive guide for DCPs to facilitate better adherence to the Data Protection Act, 2019 (DPA). This article provides a brief overview of the key data protection requirements and compliance obligations outlined in the Guidance Note.

ADHERENCE TO DATA PROTECTION PRINCIPLES

The Guidance Note places significant emphasis on the core principles of data protection under section 25 of the DPA and regulations 28-34 of the Data Protection (General) Regulations, 2021, which serve as the foundation for responsible data handling by DCPs. These are as follows:

1. Lawfulness, Fairness and Transparency: DCPs must process personal data in a manner that is non-discriminative, transparent and consistent with the specified lawful basis. In implementing these principles, DCPs must ensure their operations, procedures and practices are compliant with regulations and laws that are applicable to them.

2. Purpose Limitation: When collecting customer personal data, DCPs should ensure that it is only collected for clearly defined, legitimate purposes and should not be used for anything beyond those specified purposes. This purpose must be communicated to customers at the point of collection, and any changes to the purpose must also be promptly communicated.

3. Data Minimisation: This principle mandates that DCPs collect and retain only the data that is strictly necessary for fulfilling the purpose of processing. Collecting and retaining data that falls outside that purpose would be excessive and a violation of the DPA. Minimisation also limits the exposure of personal data should a breach occur.

4. Accuracy: DCPs should ensure that the data they process is accurate and up to date. DCPs should provide mechanisms for users to update their information and have mechanisms in place to erase inaccurate data.

5. Storage Limitation: DCPs must only store personal data for as long as is necessary to fulfil the intended purpose. In implementing this principle, DCPs should have processes in place to regularly assess the relevance of the personal data they hold, with retention policies and schedules to guide the length of retention. Once data has become obsolete, DCPs must delete or anonymise it. The DPA does not prescribe mandatory retention periods; these must be determined by the data handler.

6. Integrity and Confidentiality: DCPs must implement robust security measures to protect personal data from unauthorised access, accidental loss, or breaches. Additionally, personal data must be kept confidential and protected from tampering and unauthorised disclosure.

LAWFUL BASIS FOR PROCESSING

In line with the principle of lawfulness, fairness and transparency, DCPs must have a lawful basis for processing personal data. Where the lawful basis relied on is ‘necessity’, this does not mean the processing must be critical. However, the processing must be more than merely convenient or routine in the industry; it must be proportionate to achieving a specific goal related to digital credit services. If the same objective can be achieved through less intrusive methods or by using less data, then processing personal data under the ‘necessity’ criterion cannot be justified and that lawful basis cannot apply.

Considering this, DCPs should, and typically do, rely on lawful bases such as the necessity to perform a contract, compliance with legal requirements, or legitimate interest. These bases enable DCPs to collect and process data for the provision of credit services while safeguarding privacy and data. Section 30 of the DPA sets out the various lawful bases DCPs can rely on. These are as follows:

1. Performance of a contract: where data processing is necessary for the fulfilment of a contract, e.g. collecting borrower personal and financial data to assess creditworthiness.

2. Legitimate interest: where processing data serves a legitimate business interest that does not override the rights and freedoms of the data subject. When determining this, DCPs are mandated to carry out a legitimate interest assessment to balance their needs with the potential impact on individuals' privacy. In doing so, they must consider the following:

a. Would the individual reasonably expect their data to be used in this way?

b. Could the processing cause unwarranted harm to the individual?

c. Do the individual’s interests override the data handler’s in this case?

d. Is there a clear justification for proceeding with the processing despite any potential conflict with the individual’s interests?

As such, if a DCP relies on this lawful basis, they must be transparent about their plans for processing such that users are aware of the likely impact this may have on them. DCPs must also provide a means for individuals to object to the processing of their personal data on the grounds of legitimate interest.

3. Consent: Consent must be freely given, specific, unambiguous, and easily revocable. This is a lawful basis that has a high threshold as set out in the Data Protection (General) Regulations, 2021. Mere acceptance of terms and conditions does not amount to consent. Consent must be a statement or clear affirmative action signifying agreement to the processing. If relying on consent, DCPs must issue separate consent forms and maintain a record of this. It is also important to note that users can withdraw consent at any time.

4. Compliance with Legal Obligations: where DCPs are required to process certain personal data in order to comply with a legal or regulatory obligation, e.g. anti-money laundering laws, or reporting to credit reference bureaus. This lawful basis may not apply to the entirety of processing activities.

UPHOLDING DATA SUBJECT RIGHTS

The DPA provides individuals with specific rights in relation to their personal data. DCPs have a duty to give effect to these rights without undue delay when individuals choose to exercise them. These rights, together with the procedure for exercising them, must be set out in a privacy notice and/or the terms and conditions. Key rights include:

1. The right to access their personal data that is held by the data handler;

2. The right to be informed of the use to which their personal data is being put;

3. The right to rectification and erasure;

4. The right to object to the processing of all or part of their personal data;

5. The right to data portability;

6. The right to deletion of false or misleading data; and

7. The right to restrict processing of their personal data.

OBLIGATIONS OF DCPS UNDER THE DATA PROTECTION ACT

DCPs have specific duties under the DPA that ensure the ethical processing of personal data during the entire data lifecycle. These are as follows:

1. Duty to Notify: This encompasses the principle of transparency and the right to be informed as explored earlier. DCPs must notify users at the time of data collection, by providing the following:

a. The purpose of processing their data;

b. Means of collection – directly or indirectly;

c. Disclosure to any third parties;

d. Transfer of their personal data overseas;

e. How long it will be retained;

f. The security provisions in place to safeguard their information; and

g. The contact information of their Data Protection Officer.

2. Data Security: DCPs must implement adequate security measures to protect personal data from breaches, unauthorised access, or misuse. These measures should encompass both technical and organisational measures such as encryption, access controls, privacy by design and default, data protection impact assessments (DPIAs), and employee training.

3. Data Storage: In line with the principle of storage limitation, data should not be stored for longer than is strictly necessary. DCPs must create data retention schedules, which should cover the following:

a. The purpose for retaining the data;

b. The specified retention period;

c. Provisions for conducting periodic audits of the retained personal data; and

d. Actions to be taken following each audit.

4. Data Sharing and Transfers: Any sharing of personal data with third parties must be governed by strict contractual agreements, such as Data Transfer Agreements, and the DCP must ensure that the third parties comply with data protection standards prior to any transfer. Furthermore, international data transfers must be handled with the utmost care, with the security of individuals’ personal data at the forefront of these decisions. DCPs must ascertain that any such transfer is supported by one or more of the following:

a. There are appropriate data protection safeguards;

b. The transfer is necessary; and/ or

c. Consent of the data subject is obtained.

5. Registration with the ODPC: DCPs are subject to mandatory registration with the ODPC as data controllers and/ or data processors, even if they meet the exemption criteria regarding their size and annual turnover.

6. Breach Notification: Should a data breach occur, DCPs must notify the ODPC within 72 hours of becoming aware of it. If the breach involves unauthorised access to personal data, DCPs must inform the affected data subjects, in writing, within a reasonable timeframe, outlining the nature of the breach and the steps taken to mitigate its effects. DCPs must also establish robust breach detection, investigation and internal reporting procedures in anticipation of such events, to help mitigate the harm and contain the breach efficiently.

LEGAL CONSEQUENCES OF NON-COMPLIANCE

Failure to adhere to statutory requirements, including Central Bank of Kenya and ODPC compliance requirements, can render a contract unenforceable. The Kenyan courts have addressed the issue of contracts that violate statutory provisions in several cases:

In Root Capital Incorporated v Tekangu Farmers Co-operative Society Ltd & Another [2016] eKLR, the High Court held that contracts failing to comply with statutory provisions may be deemed unenforceable. The Court referenced Patel v Singh (No.2) (1987) KLR 585, where the Court of Appeal found that a contract violating statutory provisions was illegal ab initio and could not be enforced.

Further, in Archbolds (Freightage) Ltd v S Spanglett Ltd [1961] 1 QB 374, Devlin LJ outlined three consequences of illegality in contracts:

i. A contract intended to be performed unlawfully is unenforceable.

ii. A party cannot enforce rights under an illegal contract if doing so requires reliance on an illegal act.

iii. A contract is void ab initio if its formation is expressly or impliedly prohibited by statute or is contrary to public policy.

Applying these principles, any agreement by a digital credit provider that violates ODPC data regulations risks being declared void and unenforceable.

CONCLUSION

To conclude, the ‘ODPC Guidance Note for Digital Credit Providers’ provides a comprehensive roadmap to help DCPs handle personal data responsibly. By adhering to the contents set out therein, DCPs can better safeguard personal data and maintain trust in this rapidly growing industry. For further support on how you can ensure compliance with the DPA in your organisation, please contact CM Advocates LLP at commercial@cmadvocates.com.

Written by: Maureen Odongo and Cherono Barno
