Notifiable Data Breaches Flashcards
What constitutes a notifiable data breach in Kenya?
A data breach is notifiable when it poses a real risk of harm to the data subject. This includes breaches involving:
(a) a personal identification number together with any of the personal data, or classes of personal data, listed in the Second Schedule; or
(b) an account held with a data controller or data processor, including the data subject's name or number, password, security codes, biometric data and the like.
What are some examples of personal data or circumstances that trigger a notifiable data breach under the Second Schedule?
- Wages, salary, commission, bonuses, or other types of remuneration.
- Income from the sale of goods or property.
- Credit/Debit card numbers.
- Bank account numbers.
- Information identifying a child in conflict with the law or in need of care and protection.
- Private keys used for secure electronic records and signatures.
- Debt information, liabilities, and investment details.
- Health insurance policy details.
Does a data breach need to be publicly available to be considered notifiable?
No
A data breach can be notifiable even if the information is not publicly available. The mere fact that a breach has occurred and poses a real risk of harm is sufficient to trigger the notification requirements.
What information must a data controller include when notifying the Data Commissioner of a notifiable data breach?
The notification must include details such as:
1. Date and circumstances of becoming aware of the breach.
2. Steps taken to address the breach.
3. Details of the breach (how it happened, data affected, number of data subjects impacted, potential harm).
4. Actions taken to mitigate harm and remedy the breach.
5. Contact information for an authorized representative.
What if the data controller chooses not to inform the data subject about a notifiable data breach?
If the data controller decides not to communicate the breach to the affected data subject, they must provide the Data Commissioner with the justification for not notifying the data subject.
This justification should be based on the conditions outlined in section 43(1)(b) of the Data Protection Act.
Can a data subject independently report a suspected personal data breach?
Yes
A data subject can notify the respective civil registration entity and the Data Commissioner in writing within 14 days of suspecting a personal data breach.
What is a “data subject”?
A data subject is an identified or identifiable natural person.
This means the information relates to a specific individual who can be identified, directly or indirectly, by reference to factors such as:
* a name,
* an identification number,
* location data,
* an online identifier, or
* one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.
What is meant by “wages, salary, fee, commission, bonus, gratuity, allowance or other remuneration?”
These terms refer to any form of financial compensation paid or payable to a data subject for work performed, either under a contract of service (employment) or a contract for services (freelance or independent work).
Provide examples of data breaches related to a data subject’s financial information.
- Leakage of an employee’s salary details.
- Unauthorized access to a freelancer’s invoice containing their fees and payment terms.
- Exposure of a customer’s credit card number due to a security flaw on an e-commerce platform.
- Disclosure of a client's bank account details during a data breach at a financial institution.
Define “information that identifies, or is likely to lead to the identification of the data subject who is a child in conflict with the law or in need of care and protection.”
This refers to any information that could reveal the identity of a child who is involved in legal proceedings or who requires social services support. It includes details that do not explicitly name the child but could be combined with context or other available information to deduce who the child is.
What are examples of data breaches involving vulnerable children?
- Disclosure of records from a juvenile detention center, exposing the identities of minors involved in criminal activities.
- A leak from a child welfare organization that reveals details about children in foster care, potentially putting them at risk.
What is a “private key” in the context of electronic records and signatures?
A private key is the secret half of an asymmetric key pair. It is used to create digital signatures that anyone holding the matching public key can verify, and to decrypt information that was encrypted with that public key.
It is crucial for ensuring authenticity, integrity and confidentiality in electronic transactions: whoever holds the private key can sign as its owner and read anything encrypted to it, so the key itself, not just the data it protects, is what must be kept secret.
Explain data breaches related to private keys.
- An attacker gains access to a company's private signing key and can forge digital signatures that verify exactly like genuine ones, compromising the integrity and authenticity of electronic documents.
- An employee loses a storage device containing their private key. Unless the key file was itself encrypted with a strong passphrase, anyone who recovers the device can decrypt data encrypted with the corresponding public key and sign in the employee's name until the key is revoked and replaced.
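The two scenarios above, played out in code as an added example (written for this page with Go's standard library; it is not code from the page's source or from any regulator). It assumes an ECDSA P-256 signing key stored as a SEC 1 DER file, the format a lost laptop or USB stick would typically hold, and uses constructed sample documents. It shows three things: a genuine signature detects tampering, a signature made with the stolen key is indistinguishable from a genuine one, and rotating to a fresh key is what finally makes the forged signature fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Sign returns an ECDSA P-256 signature over the SHA-256 digest of doc.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is all a relying party ever does: it checks sig against the
// published public key. It cannot tell who held the private key.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// BreachOutcome records the three properties the scenario demonstrates.
type BreachOutcome struct {
	TamperDetected          bool // one changed byte in a signed document fails Verify
	ForgeryVerifies         bool // a signature made with the stolen key passes Verify
	ForgeryFailsAfterRotate bool // after key rotation the forged signature no longer verifies
}

// RunScenario plays out a private-key compromise end to end.
func RunScenario() (BreachOutcome, error) {
	var out BreachOutcome

	// Legitimate signer's key pair; only the public half is published.
	owner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	published := &owner.PublicKey

	// Integrity: a genuine signature stops verifying once the document changes.
	contract := []byte("constructed sample: supply contract, amount KES 100000") // constructed input
	sig, err := Sign(owner, contract)
	if err != nil {
		return out, err
	}
	tampered := append([]byte(nil), contract...)
	tampered[len(tampered)-1] = '9' // 100000 -> 100009
	out.TamperDetected = Verify(published, contract, sig) && !Verify(published, tampered, sig)

	// The breach: the key file (SEC 1 DER, as a lost device would hold it)
	// leaves the owner's control.
	stolenKeyFile, err := x509.MarshalECPrivateKey(owner)
	if err != nil {
		return out, err
	}

	// The attacker reloads the key and signs a document the owner never saw.
	attackerKey, err := x509.ParseECPrivateKey(stolenKeyFile)
	if err != nil {
		return out, err
	}
	forged := []byte("constructed sample: payment instruction the owner never authorised") // constructed input
	forgedSig, err := Sign(attackerKey, forged)
	if err != nil {
		return out, err
	}
	out.ForgeryVerifies = Verify(published, forged, forgedSig)

	// Remediation: revoke the compromised key and publish a fresh one. Relying
	// parties that switch to the new key reject the attacker's signatures.
	rotated, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	out.ForgeryFailsAfterRotate = !Verify(&rotated.PublicKey, forged, forgedSig)

	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("tamper detected: %v\nforgery verifies against original key: %v\nforgery fails after rotation: %v\n",
		out.TamperDetected, out.ForgeryVerifies, out.ForgeryFailsAfterRotate)
}
```

Two caveats follow from the last step. Rotation only protects documents verified after relying parties have switched to the new key; anything the attacker signed and got accepted before revocation has to be found and repudiated separately, which is why the notification must say when the compromise started. And for a key used for decryption rather than signing, rotation does nothing for data the attacker already captured in encrypted form, since the old key still opens it; that data must be treated as disclosed.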
What constitutes “domestic abuse, child abuse or sexual abuse involving or alleged to involve the data subject?”
This involves any information pertaining to incidents of physical, emotional, or sexual violence within a family or involving a child, whether substantiated or alleged.
This includes reports, investigations, and support service records that could identify the victim, the abuser, or other involved individuals.
Illustrate situations where a data breach could expose sensitive information about abuse.
- A leak from a domestic violence shelter database reveals the identities and locations of individuals seeking refuge from abusive partners.
- A hacker compromises the systems of a child protection agency, gaining access to case files containing details about child abuse investigations.