Kenya has no data protection law. Some industries, such as finance and telecommunications, have internal rules from their regulators which provide a framework for how they should handle and manage the data and information of their customers. There is a constitutional provision, Article 31, which provides that every person has the right to privacy, including the right not to have the privacy of their communications infringed.
In this past year, our lawmakers have been on overdrive. From having no law, we moved to having two proposed bills. (There was an initial draft in 2012/2013 which has since lapsed.) Why the increased interest and motivation? Your guess is as good as mine; nonetheless, as a consumer I’m happy about it.
We have had one bill from the Senate ICT Committee led by Gideon Moi and a second bill from the Ministry of ICT Taskforce. Each proposed bill has its pros and cons, and we will not get into that here. What we will do is review the final draft of the Ministry bill, which is now on the Cabinet Secretary’s desk for presentation to the Cabinet, then to Parliament (the National Assembly) and, as it is not a bill affecting counties, to the President for assent (with all relevant steps in between).
This review is not comprehensive on every single aspect of the law and is not exhaustive. It does not suffice as apt legal advice either to be used by persons to influence business decisions or operations. The author advises parties to engage and contract their own lawyers who will give the best legal advice for the given circumstances.
This law seeks to regulate the processing of personal data, to ensure that the handling of personal data is guided by the overarching principles of data protection, and to provide data subjects with proper rights and remedies to protect their personal data from unlawful processing.
The relevant Institution
This bill proposes to introduce the office of a Data Protection Commissioner, which does not exist at the moment. During deliberation this was a key issue: whether yet another entity needs to be created on our already inflated wage bill, vis-à-vis giving the mandate to an existing entity which lacks expertise and independence.
Scope of Application
The bill applies to both Data Controllers (who collect and normally own the data) and Data Processors (mostly third parties contracted by the Data Controller to manage, store or organize the data).
The Bill also expands the scope of the law to cover a natural or legal person, public authority, agency or other body. It covers entities both established and resident in Kenya and those that aren’t, provided they process personal data of data subjects in Kenya.
Obligation to register at the Data Protection Commissioner
All data processors and data controllers will be required to register with the Data Protection Commissioner (DPC). SMEs should note that there will be clear guidelines on how to seek registration and the corresponding requirements. After registration, the entity is granted a Registration Certificate which is valid for three years.
Data Subject Rights
This bill gives a data subject several rights and is human-interest centered when it comes to the management and handling of your personal data. So, what are these rights? The right to know how your information will be used, the right to access your personal data, the right to object to its processing, and the right to the correction and deletion of false or misleading data. Consent to the processing of personal data is fundamental, and the law places the burden on the organization to show that your informed consent was sought and obtained.
Of interest especially to mobile subscribers is the right to data portability which allows a user to ask a service provider to transmit their data to another service provider.
In case of a data breach, the law places an obligation on the provider to report to the Data Protection Commissioner and the data subject.
This refers to where your data can be stored or held. The initial draft of this bill required that all data on Kenyans be held in Kenya; that requirement has since been deleted in favour of standard thresholds which service providers must meet before data may be stored in other countries.
The standards are: proof of appropriate security and protection safeguards, consent of the data subject, and cases where the transfer is necessary for the fulfillment of a legal obligation.
Privacy by Design
All entities are expected to implement technical and organizational measures which protect customers’ privacy by default. For example, it should be the default setting that a company does not unnecessarily share personal data with third parties; that option should be selected automatically, so that even if users do not alter their default settings (as most of us don’t), their fundamental right is upheld.
Sensitive Personal Data
This means data revealing the natural person’s race, health status, ethnic social origin, political opinion, belief, genetic data, biometric data, sex or sexual orientation. Higher information management thresholds are imposed for handling sensitive personal data, as such data is commonly used to institutionalize or enable discrimination against certain persons.
The law proposes administrative penalties for non-compliance of up to five million shillings or, in the case of an undertaking, up to 2% of its annual turnover for the preceding financial year, whichever is higher.
The general penalty for offenses under this proposed law is a fine not exceeding three million shillings, or imprisonment for a term not exceeding two years, or both.
There are several key provisions of this law which will affect information management in Kenya. As a community, we are glad that more Kenyans are appreciating the value and importance of good data protection principles. Having this law in force is just the first step, but it is the most fundamental leap, because it acts as the foundation for all things privacy and information management in the digital age.