Kenyan landlords need to understand their responsibilities under data protection laws. This guide explains the legal requirements and best practices for handling tenant data.
Under Kenyan law, data controllers and processors must register with the Data Protection Commissioner. Failure to register when required can result in severe penalties, including fines up to 3 million Kenyan shillings, imprisonment for up to three years, or both. While some small businesses with annual revenue below 5 million shillings and fewer than 10 employees are exempt from mandatory registration, landlords do not qualify for this exemption. The regulations explicitly state that anyone processing personal data for property management, including selling land, must register as a data controller or processor. If property management is delegated to another entity, that entity must register instead.
In their regular business activities, landlords collect and process various types of sensitive personal data. The Data Protection Act defines sensitive personal data as information revealing a person’s race, health status, ethnic or social origin, conscience, beliefs, genetic data, biometric data, property details, marital status, family details (including names of children, parents, or spouses), sex, or sexual orientation.
Two common types of sensitive data handled by landlords include biometric data and personal information. Biometric data is often collected for secure access systems in buildings. Without proper safeguards, this data could be vulnerable to theft, potentially leading to identity theft or other security breaches. Landlords often collect data from their tenants, visitors to the premises and their employees. Personal information such as family details, property information, marital status, and employment information is typically obtained during background checks and due diligence processes. This information requires protection from data breaches and must be processed according to law.
Before processing sensitive personal data, landlords must follow specific guidelines. They need to adhere to the data protection principles outlined in Section 25 of the Data Protection Act, which require that data is collected and processed in a manner that respects privacy rights. This means collecting data only for legitimate purposes with consent, gathering only what’s necessary for the specific purpose, and retaining data only for as long as needed. Additionally, landlords must ensure that processing is necessary for carrying out their obligations and exercising specific rights as data controllers. For example, biometric data may be required to generate security passes that prevent unauthorized access to premises.
Data processing encompasses a range of activities including collection, organization, storage, modification, retrieval, use, disclosure, transmission, alignment, restriction, and destruction of data. Landlords typically process data by collecting tenant information (such as full name, birth date, contact details, rental history, references, employment and income details, and credit history), storing this data, and sometimes sharing it with third parties like debt collection agencies, utility service providers, or repair services.
When processing tenant data, landlords must consider several key factors. First, they must obtain informed consent from tenants before processing their data. Tenants have the right to know why their data is being collected and how it will be used. Best practices include sharing clear policies about data processing, disclosing these policies before implementation, ensuring they comply with the Data Protection Act, and giving tenants adequate time to review policies before providing consent.
Second, landlords must maintain accurate tenant records. This involves updating details as they change, erasing any false information, and keeping former tenant data only for a reasonable duration. The law stipulates that personal data should be kept only as long as necessary for the purpose for which it was collected.
Third, landlords must balance legal compliance with data protection requirements. In certain situations, the law may require landlords to record or disclose tenant information for law enforcement purposes or routine legal compliance. While sensitive personal data normally requires consent before disclosure, Section 51(2) of the Data Protection Act provides an exception when “disclosure is required by or under any written law or by an order of the court.” For instance, in the case of Muimara Estate Residents Association v Nairobi City County & 2 others (2018), the court compelled a landlord to disclose tenant information. Similarly, the Landlord and Tenant Act requires landlords of controlled tenancies to maintain rent books with tenant records. Even though these records are legally required, they remain protected under the Data Protection Act.
The landlord-tenant relationship creates various legal duties, including the obligation to protect tenant privacy rights under Article 31 of the Kenyan Constitution. A lack of awareness regarding these rights and obligations can hamper the realization of privacy rights. Tenants may be unaware when their privacy rights are being infringed, while landlords might not understand what actions constitute breaches of duty. However, it’s important to remember that ignorance of the law does not constitute a valid defense. Compliance with privacy regulations is essential to avoid penalties under the Data Protection Act.
For landlords seeking to ensure full compliance with data protection laws, including updating tenancy agreements to incorporate data protection provisions.
