What is the Process of the Appointment of the Data Commissioner?
Section 6 of the Data Protection Act, 2019 provides for the procedure of the appointment of the Data Commissioner.
The Public Service Commission is to whenever a vacancy arises in the position of the Data Commissioner, initiates the recruitment process.
The Public Service Commission is to within seven days after being notified of the vacancy invite applications from persons who qualify for nomination and appointment for the position of the Data Commissioner.
The Public Service Commission is to then within twenty-one days of receipt of applications:
- Consider the applications received to determine their compliance with the Act.
- Shortlist the qualified applicants.
- Publish and publicise the names of the applicants and the shortlisted applicants.
- Conduct interviews of the shortlisted persons in an open and transparent process.
- Nominate three qualified applicants in the order of merit for the position of Data Commissioner.
- Submit their names to the President.
The President shall nominate and, with approval of the National Assembly, appoint the Data Commissioner.
What are the Qualifications of a Data Commissioner?
Section 7 of the Data Protection Act, 2019 provides for the qualifications for the appointment as the Data Commissioner if the person—
- holds a degree from a university recognized in Kenya in — (i) data science; (ii) law; (iii) information technology; or (iv) any other related field.
- has the knowledge and relevant experience of not less than ten years.
- meets the requirements of Chapter Six of the Constitution.
- holds a master’s degree.
The Data Commissioner is to be appointed for a single term of six years and is not be eligible for reappointment.
What are the Functions of the Office of the Data Commissioner?
Section 8 of the Data Protection Act, 2019 provides for the functions of the Office of the Data Commissioner. These include:
- Overseeing the implementation of and be responsible for the enforcement of this Act.
- Establishing and maintain a register of data controllers and data processors.
- Exercising oversight on data processing operations, either of own motion or at the request of a data subject, and verifying whether the processing of data is done in accordance with this Act.
- Promoting self-regulation among data controllers and data processors.
- Conducting assessments, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether the information is processed according to the provisions of this Act or any other relevant law.
- Receiving and investigating any complaint by any person on infringements of the rights under this Act.
- Taking such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public.
- carry out inspections of public and private entities with a view to evaluating the processing of personal data;
- Promoting international cooperation in matters relating to data protection and ensuring the country’s compliance with data protection obligations under international conventions and agreements.
- Undertaking research on developments in data processing of personal data and ensuring that there is no significant risk or adverse effect of any developments on the privacy of individuals.
- Performing such other functions as may be prescribed by any other law or as necessary for the promotion of object of this Act.
What are the Powers of the Office of the Data Commissioner?
Section 9 of the Data Protection Act, 2019 provides for the functions of the Office of the Data Commissioner. These include to:
- Conduct investigations on own initiative, or on the basis of a complaint made by a data subject or a third party.
- Obtain professional assistance, consultancy or advice from such persons or organisations whether within or outside public service as considered appropriate.
- Facilitate conciliation, mediation and negotiation on disputes arising from this Act; (d) issue summons to a witness for the purposes of investigation.
- Require any person that is subject to this Act to provide explanations, information and assistance in person and in writing.
- Impose administrative fines for failures to comply with this Act.
- Undertake any activity necessary for the fulfillment of any of the functions of the Office.
- Exercise any powers prescribed by any other legislation.
When Does A Vacancy in the Office of the Data Commissioner Arise?
Section 10 of the Data Protection Act, 2019 provides for the circumstances that the Office of the Data Commissioner can become vacant, these scenarios are if the Data Commissioner—
(b) Resigns from office by notice in writing addressed to the President.
(c) Is convicted of an offence and sentenced to imprisonment for a term exceeding six months without the option of a fine.
(d) Is removed from office on the grounds of—
- Inability to perform the functions of the office.
- Arising from mental or physical infirmity.
- Non-compliance with Chapter Six of the Constitution of Kenya 2010.
- Gross misconduct.
What is the Procedure for the Removal of the Data Commissioner?
Section 12 of the Data Protection Act, 2019 provides for the procedure for the removal of the Data Commissioner through the presentation of a complaint to the Public Service Commission setting out the alleged facts constituting that ground.
Subject to Article 47 of the Constitution of Kenya 2010, the Public Service Commission is to consider the complaint and, if satisfied that the complaint discloses a ground shall —
- investigate the matter expeditiously;
- report on the facts; and
- make a recommendation to the Cabinet Secretary.
Prior to any action above the Data Commissioner is to be —
(a) Informed, in writing, of the reasons for the intended removal.
(b) Offered an opportunity to put in a defence against any such allegations.
That’s all folks.
Author: Robert Muoka, Data Protection and Privacy Consultant at Sheria Online
Data Protection Act, 2019