A New Dawn Looming for Protection of Personal Data

Introduction

Kenya is experiencing an upward surge in social and economic growth which is largely attributed to the exponential advancement in technology. At the crux of technological advancement is the collection, transmission and storage of data between various government agencies, private sectors and social classes. All these transformative developments in technology have raised pertinent concerns about usage and safety of personal data in the hands of various government institutions and actors.

Closer home, Strathmore University and Privacy International in a report published on the 2nd May 2018, revealed that lack of a regulatory framework to protect data, openly and largely exposed voter data to misuse in the 2017 elections.  The Report recommended establishment of an effective Institutional and Legal framework to combat misuse of personal data.

Recently, the Cabinet approved the Data Protection Policy and Bill which originates from the Ministry of Information, Communications and Technology to signify its commitment towards protection of the sacrosanct right to privacy provided under Article 31 of the Constitution of Kenya. The Bill is founded on the best International standards of Data Protection and in particular, closely resembling General Data Protection Regulation (the “GDPR”) enacted by the 28 member European Union bloc countries. The Bill also complies with African Union Convention on Cyber Security and Personal Data Protection adopted by the Africa Union.

What’s next after Cabinet approval?

The Bill relates to a matter reserved for the National Government under Schedule Four, Part 1 of the Constitution of Kenya 2010. Therefore Parliament in accordance with the Standing Orders will introduce the Bill and subject it to the relevant House Committee for scrutiny and further consideration. At this stage if there are significant changes likely to be made on the approved policy, the House will invite views of the Executive for value addition and further clarifications on issues arising from the Bill. Subject to the mandatory constitutional principle of public participation, Parliament will call for views from state entities, the public and other stakeholders.

Upon passing by Parliament, the Speaker of the National Assembly will submit the approved Bill to the President for assent and subsequent publication in the Kenya Gazette.

Highlights of the Bill

The Bill defines Data as all data including data in electronic or manual form. Further, it introduces Data Controller as one responsible for determining the purpose and means of processing of personal data, Data Processor who processes personal data on behalf of the data controller and Data Subject who is the subject of personal data who are at the core of data protection. This therefore expands the scope of the law to cover to natural or legal persons, public authorities, agencies, entities both established and resident in Kenya and those that are not, provided they process personal data of data subjects in Kenya.

Further, the Bill establishes an independent office of the Data Protection Commissioner headed by a Data Protection Commissioner. The Data Protection Commissioner is charged with the general oversight, implementation and enforcement of the Bill.

Starkly embedded in the Act, are key principles regulating the processing of personal data which require consent of the data subject for processing of personal data and an unequivocal assurance of lawfulness, accuracy, transparency, confidentiality and security in handling and processing of personal data.

Notably, the Bill grants a wide range of rights to a Data Subject allowing them to be in charge of the usage of their information save in where processing of data relates to matters of national security or order, disclosure ordered by the court or law, prevention or detection of crime, apprehension of an offender or assessment or collection of tax or duty. The Bill further proscribes cross-border transfer of personal data unless such countries or entities have met the adequate safeguards spelt out in the Bill for maintaining the required protection for the privacy rights of the data subjects in relation to their personal data.

In addition, the Bill provides for the corresponding duties of a Data Controller who should be guided by the above stated principles in handling and processing of personal data. The overarching factor in these obligations is the requirement of consent to processing of personal data and the law places a burden to the organization to show that consent was sought and obtained.

The Bill creates the offences of unlawful processing of data by both Data Processors and Data Controllers, unlawful access and subsequent disclosure to a third party of personal data without prior authority of the Data controller or Data processor and any sale of data obtained in the above circumstances. Non-compliance and breach of the provisions of the Bill attracts administrative penalties of a fine up to five million shillings or imprisonment for a period not exceeding five years.

Conclusion

The legislation is timely considering the current Huduma Namba registration exercise that has raised numerous concerns over the safety of personal data. The legislation is intended to create safeguards for data held by the government agencies in the midst of growing concerns about the safety of personal data.

Additionally, all businesses with ties to the European Union or dealing with any investors or businesses from the European Union will be required to align their internal policies with the principles of this law, which mirrors the GDPR in order to secure the confidence of the businesses from that investors’ region.

It is imperative therefore for governments, companies and businesses to embrace digital transformation that guarantees the highest standard of data protection at the heart of their business models.

At the heart of this transformation is the cultural and behavioral change management which must be institutionalized at all levels. This is a process and a lot will be required from both the public and private sector.

The Bill is still under review and will no doubt be amended following the public participation and parliamentary processes and we note to keep you apprised of any development.