Sensitive Personal Data: How and When To Process
By Jane Ombiro, CIPP/E Data Protection Associate South-End Tech Limited
Sensitive personal data is any data which reveals a person’s race, health status, ethnic-social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or sexual orientation of the data subject.
Data controllers and Data Processors alike are advised to employ higher standards of data protection compliance measures when handling sensitive personal data. Such data when processed could pose a significant risk to the fundamental rights and freedoms of a data subject. It is to this end, that the Data Protection Act, 2019 prohibits the processing of sensitive personal data except under certain circumstances, which are spelt out in the Act.
First and foremost, when processing sensitive personal data, controllers and processors must abide by the principles of data protection. Lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and the right to privacy are some of the principles that controllers and processors must comply with when processing sensitive personal data.
In addition to abiding by the principles of data protection, controllers and processors may process sensitive personal data under the following circumstances:
- In the course of legitimate activities of a foundation, association or non-governmental organisation (NGO) with a political, philosophical, religious or trade union aim. This exception covers religious institutions such as churches, temples, mosques and political parties among others. The processing must relate solely to the members of the organization or persons with regular contact with the organization so long as the personal data is not disclosed outside the organization without the consent of the data subject.
- When the data subject has made the sensitive personal data public. The law allows processing sensitive personal data in instances where the data subject has intentionally made the data public. The data could be made public through social media, TV interviews, newspapers or magazines.
- Processing is necessary to establish, exercise or defend a legal claim. The law allows Data Controllers to process personal data if it is necessary for them to establish, exercise or defend a legal claim. A good example is when a medical negligence claim has been brought against a medical institution and the institution needs to adequately prepare its defence; it must process the claimant’s health data.
- To protect the vital interest of the data subject or another person. The Data Protection Act 2019 allows the processing of sensitive personal data when it is necessary to protect the vital interest of the data subject or of another person where the data subject is physically or legally incapable of giving consent. The Act is silent on what constitutes vital interest, however, guided by recital 46 of the GDPR, vital interest in Kenya could be construed to include matters of life and death.
- Processing is necessary for carrying out the obligation and exercising the specific rights of the controller or of the data subject. This exception could be construed to include legal obligation under employment law, wherein controllers are allowed to process sensitive personal data of their employees or potential employees.
In conclusion, data controllers and processors are generally prohibited from processing sensitive personal data except under the conditions stipulated in the Data Protection Act, 2019 and with strict adherence to the principles of data protection.
Contact South-End Tech Limited for your Data Protection Technology Support and keep your sensitive data safe
Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email