Data protection is the area of law that protects the personal data of every individual in Kenya. This is covered in the Data Protection Act 2019.
Personal data covers areas such as name, phone number, email address, IP address, NSSF number, NHIF number and many others. In a nutshell, personal data is defined as any data that can be used to identify an individual.
Data protection only covers individuals and not other legal entities like companies and organizations. The real estate sector handles a lot of personal data hence they will be held to higher standards. In this article, we focus mainly on image rights concerning site visits, open house events, title deed ceremonies and CCTV installation in property management.
- Principles of data protection
The principles of data protection are guidelines that individuals and organizations handle personal data ethically and legally. They are the critical standards used to steer data controllers and processors in the right direction. These principles are clearly stated in the Kenyan Data Protection Act 2019 and all major data protection laws. The issues discussed will be based on the principles below:-
- Lawfulness, fairness and transparency
- Integrity and confidentiality
- Accuracy
- Data Minimization
- Purpose Limitation
- Storage Limitation
- Accountability
- The legality of your actions
Image rights refer to an individual’s ability to control the commercial use of their likeness, such as their face, name or voice. Data Collection- agencies should get consent from data subjects before using their images for commercial purposes. Property images should not feature pictures of clients, employees or passers-by who you do not have a contract with. When you invite clients to open days, site visits or any other events, be careful to let them sign a model release or the invitation should have a notice of crowd filming. Even a notice of crowd filming should be limited to social posts and not direct commercial/ marketing activities. The people in the images still have a right to the images and therefore can request for their images to be removed.
READ MORE – Rental Income Tax in Kenya: What Landlords Need to Know About the New Data Collection Exercise.
- CCTV Installation
A property management agency is required to put up notices in case they install CCTV within a property. And this can only happen in public areas. The processing of data in this case will be based on legitimate interest. As a controller, you are also required to handle the data properly to avoid any breaches.
- Collection of the Images
As an organization you are required to collect only what you need, avoiding data hoarding. This is both a legal compliance principle and a good business practice. In this case, make sure your photographers take photos of the necessary people only and not every random person who happened to be around during the occasion. Especially in the Tiktok era, be very cautious of your marketing team taking too many random videos without proper planning. It would be prudent for the organization to embed best practices in every department to maintain only relevant images with proper consent.
READ MORE – Tips for capturing stunning property photos and videos
- Handling of the Images
After collecting images, voice recordings and videos, it is prudent to make sure the data collected is used as agreed with the data subjects. In this case, the agencies have to explain why the image or videos are collected, where it will be used, who should have access, and how long it should be used. All these are within the rights of the data subject and have to be well documented to show proof to the authorities when needed.
- Your Responsibility
The burden of proving the legal basis of processing will always lie with the data controller. You have the full responsibility to show that you got consent from the data subjects in the right way.The act of consent is defined as any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes through a statement or by a clear affirmative action that signify agreement to the processing of their personal data.
To break it down, unequivocal basically means that there is no doubt that the person consented. There should be no room for assumption. It should also be free and not coerced. Specific and informed consent requires that you as an organization collecting these information (Images and videos) should have explained to the data subject why you are taking the photos, for how long you will use them, where you will use them and make sure you keep it well. If you can prove that the data subject understood all this and signed on it, then you become a responsible data controller.
Accountability requires that you store the information safely and have organizational and technical measures to protect the information. In the event of a breach or leakage of information, it is your responsibility to inform the authorities. In this case report to the Office of the Data Protection Commissioner (ODPC) and the data subjects within 72 hours of your knowledge of the event.
Failure to comply with this will lead you to hot soup as we will see in the cases below. Just to note, the biggest number of cases reported to the ODPC were related to images and most times the data controllers got fined due to ignorance or recklessness. Let us review some of the cases and why there was a penalty.
We have seen the authorities crack down on irresponsible data controllers and penalize them heavily for reckless handling of images and other personal data. In context images, I would particularly touch on a few that stood out.
- Oppo Kenya Case
Social media has been the biggest tool that offers freedom of speech but as usual every freedom comes with a responsibility. One of them is that you do not infringe on other people’s rights. Oppo was the first controller to be fined by the ODPC. They got the maximum penalty of 5 million for not only using an image without consent but also refusing to remedy the situation.
- Cyrus Mwaniki v Expressway
The complainant was a former employee of the Expressway company and even after the termination of the contract they still used his video of how to use their equipment. The complainant was given a consent form which he never returned meaning consent was never recorded. Moja Expressway company was found liable and was fined Kes 500,000 to be paid to the complainant for the use of his image.
- Casa Vera Lounge Case
With the habit of promoting their business by posting activities of the club, Casa Vera ended up being used as an example. They were fined Kes 1,850,000 for posting the images of a reveller without his consent. The ODPC also gave a warning to the rest of the restaurants to avoid sharing images and videos without consent. This created a buzz with the owners asking how they could work around it but a clear solution was never agreed upon.
Conclusion
For any organization to run smoothly in the modern-day environment, it is critical to be mindful of personal data. Compliance is no longer a reserve of big cooperation and the consequences are far-reaching and expensive. Even though there is no legal requirement to have a data protection officer, it is still necessary to have someone minding your compliance, whether it is an internal or external person.