SECOND SCHEDULE General (r. 37(1) & (3))

The following personal data or circumstances amount to a notifiable data breach—

1. The amount of any wages, salary, fee, commission, bonus, gratuity, allowance or other remuneration paid or payable to the data subject by any person, whether under a contract of service or a contract for services.

2. The income of the data subject from the sale of any goods or property.

3. The number of any credit card, charge card or debit card issued to or in the name of the data subject.

4. The number assigned to any account the data subject has with any entity that is a bank or finance company.

5. Any information that identifies, or is likely to lead to the identification of, the data subject who is a child in conflict with the law or in need of care and protection.

6. Any private key of or relating to a data subject that is used or may be used —

(a)  to create a secure electronic record or secure electronic signature;

(b)  to verify the integrity of a secure electronic record; or

(c)  to verify the authenticity or integrity of a secure electronic signature as provided under the Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations, 2010 or any other related law.

7. The net worth or creditworthiness of a data subject.

8. The deposit or withdrawal of monies by a data subject with any entity.

9. The withdrawal by the individual of moneys deposited with any entity or a payment system.

10. The granting by a person of advances, loans and other facilities by which the data subject, being a customer of the entity, has access to funds or financial guarantees.

11. The existence, and amount due or outstanding, of any debt —

(a)  owed by the data subject to an entity; or

(b)  owed by an entity to the data subject.

12. The incurring by the entity of any liabilities on behalf of the data subject.

13. The payment of any moneys, or transfer of any property, by any person to the individual, including the amount of the moneys paid or the value of the property transferred, as the case may be.

14. The data subject’s investment in any capital markets products.

15. Any term and condition, premium or benefits payable, or any detail relating to the condition of health, from an accident, health, or life policy of which the data subject is the policy owner or a beneficiary.

16. The assessment, diagnosis, treatment, prevention or alleviation by a health professional of any of the following affecting the data subject—

(a) any sexually‐transmitted diseases;

(b)  Human Immunodeficiency Virus Infection;

(c)  mental disorder;

(d)  substance abuse and addiction.

17. The provision of treatment to the individual for or in respect of —

(a)  the donation or receipt of a human egg or human sperm; or

(b)  any contraceptive operation or procedure or abortion.

18. Any of the following—

(a)  the donation and removal of any organ from the body of the deceased individual for the purpose of its transplantation into the body of another individual;

(b)  the donation and removal of any specified organ from the individual, being a living organ donor, for the purpose of its transplantation into the body of another individual;

(c)  the transplantation of any organ mentioned in paragraph (a) or (b) into the body of the individual.

19. The suicide or attempted suicide of the individual.

20. Domestic abuse, child abuse or sexual abuse involving or alleged to involve the data subject.

21. Any of the following—

(a)  information that the individual is or had been adopted pursuant to an adoption order made under the Children Act No 8 of 2001, or is or had been the subject of an application for an adoption order;

(b)  the identity of the natural father or mother of the data subject;

(c)  the identity of the adoptive father or mother of the subject;

(d)  the identity of any applicant for an adoption order;

(e)  the identity of any person whose consent is necessary under that Act for an adoption order to be made, whether or not the court has dispensed with the consent of that person in accordance with that Act.

 
