Kenya releases draft guidance on biometrics, age assurance

Kenya’s data protection authority has issued draft guidance notes on the country’s Data Protection Act, including notes on the processing of biometric data and age verification intended to protect children online.

It its Guidance Note about the Processing of Children’s Data, the Office of the Data Protection Commissioner (ODPC) says “all methods of age verification must be proportionate, privacy preserving and adheres to the principle of data minimization.”

Its instruction is familiar from other, like-minded documents globally. Mechanisms for age assurance “should be proportionate and grounded on a risk-based approach,” so that sites posing higher risks are subject to more stringent measures. Data protection by design and a requirement for data protection impact assessments are also included.

Age verification also appears under the section on accountability, which lists implementing “age verification mechanisms” among “proactive steps to protect personal data” that data handlers should put in place.

The Guidance Note about the Processing of Biometric Data is a substantive document that lays out how to apply data protection principles during biometric processing, including definitions, privacy concerns, a legislative framework and legal basis for processing biometric data, regulatory compliance, and personal data rights.

“All entities in processing biometric data are subject to mandatory registration with the Office of the Data Protection commissioner,” it says.

“Additionally, the data controller must ensure that only necessary personal biometric data is processed, considering the amount of data processed, the extent of its processing, storage period, accessibility, and cost of processing.”

In ensuring compliance, global biometric standards come into play. The guidance says that “in order to avoid any future interoperability challenges, Data Controllers and/or Processors are advised to adhere to the released standards and other future standards.” It lists ISO/IEC 39794-1, ISO/IEC 39794-4 and ISO/IEC 39794-5, among others. It also includes a compliance checklist for service providers.

Article Topics

Africa  |  age verification  |  biometric data  |  biometric identifiers  |  biometrics  |  children  |  data privacy  |  data protection  |  Kenya  |  Kenya ODPC