Explainer: What is consent? Data Protection Commissioner breaks it down

As the country discusses Sh9 million fines slapped on three institutions by the Office of the Data Protection Commissioner, the agency has broken down the meaning of their orders and what Kenyans should do if they feel their rights have been violated.

Those fined are Casa Vera Lounge, a nightclub in Kilimani, which has been fined Sh1.8m for posting pictures of a reveller on its social media platform without the customer's consent.

Mulla Pride, operator of KeCredit and Faircash mobile lending apps, have been slapped with a Sh2.9m fine for failing to comply with data protection rules, including obtaining and using contact information of people obtained by third parties, and harassing them to ensure loan payments.

But it was the Sh4.5 million fine on Roma School, the highest for any education institution, which has sent shockwaves. The school was fined for posting pictures of a minor without parental consent.

But what really is consent?

According to the Data Protection Commissioner, consent means permission for something to happen or agreement to do something. Consent is “willing, positive cooperation in an act” or the expression of a desire to engage in an activity. 

True consent isn't coerced by force, threats or intimidation. Silence is not consent.

Read: State seeks orders to protect data collected by Worldcoin

Further, the data commissioner describes consent as any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement signifying agreement to the processing of personal data relating to the data subject.

What is consent before collecting data?

Consent may be obtained after a notice (e.g., a privacy policy) is given to an individual in clear and plain language, specifying the personal data sought to be collected, and the purpose of processing along with contact details of an officer designated by the company for answering questions of individuals relating to personal data.

Who is a data controller?

A data controller determines the purposes and means of the processing of personal data.

Who is a data processor?

A data 'processor' means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller's interests rather than their own. The data controller determines the purposes for which and the means by which personal data is processed. 

Read: Worldcoin saga - MPs demand answers on fate of Kenyans' personal data

Who is a data subject? 

The identified or identifiable living individual to whom personal data relates.

What is data processing?

Means any operation or sets of operations performed on personal data e.g. collection, recording, organisation, structuring, storage, adaptation, and alteration among others.

At what point should consent be sought?

Consent should or must be sought before the commencement of processing data. You are likely to need to consider consent when you want to use or share someone's data in a particularly unexpected or potentially intrusive way, or in a way that is incompatible with your original purpose.

Therefore, consent should be given before the processing activity.

It may be sufficient to ask for a data subject’s consent once. However, data controllers and or data processors must obtain new and specific consent if purposes for data processing change after consent is obtained.

Read: You've failed Kenyans, MPs tell Data Commissioner Immaculate Kassait over Worldcoin saga

What requirements must be met before processing data?

As a rule, the processing of personal data can always take place if the data subject has given consent. However, for consent to be valid, it must be voluntary, specific, informed and explicit.

Can your data be processed without your consent?

Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and based on the consent of the person concerned, or some other legitimate basis laid down by law.

What are the conditions for consent? 

1. A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.
2. Unless otherwise provided under the Data Protection Act, a data subject shall have the right to withdraw consent at any time.
3. The withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal.
4. In determining whether consent was freely given, account of whether, among others, the performance of a contract, including the provision of a service, is conditional on consent to the performance of that contract. 

Should I ask for consent every time l handle personal data? 

The answer to that question is No. It is a common misconception that consent is required for all data processing activities. 

Data processing could be based on other lawful bases such as the performance of a contract or legitimate interests. 

Read: Health ministry proposes legislation to protect data

Obtaining a person’s consent before processing their personal data is one of the ways in which organisations can lawfully process personal data.

There are other legal bases for processing personal data where consent is not required.

Is consent a silver bullet? 

Data controllers and data processors are advised that consent does not waive or negate their obligations under the Data Protection Act. 

If a data subject consented to have their personal data processed contrary to legal requirements, the data subject would still be considered in contravention of those requirements.