The Data Protection Bill, 2018 (the “Bill”) is proposed by the chairperson of the Committee on Information, Communication and Technology and Baringo County Senator, Gideon Moi, and contains provisions that will significantly change how public and private entities handle information entrusted to them. The Bill borrows from the General Data Protection Regulation (GDPR) passed by the European Union and makes Kenya the second country in East Africa, after Rwanda, to have legislation dedicated to data protection.
The Bill defines “data” as information which:
(a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
(d) where it does not fall under (a), (b) or (c) above, forms part of an accessible record;
(e) is recorded information which is held by a public entity and does not fall within any of (a), (b), (c) or (d) above.
Principles of data protection
Section 4 of the Bill provides that the following principles shall guide data interpretation and application:
(a) information shall be collected, processed, stored or dealt with in any other manner if it is necessary for or directly related to a lawful, explicitly defined purpose and shall not intrude on the privacy of the data subject;
(b) information shall be collected directly from and with the consent of the data subject;
(c) where information relating to the data subject is held by a third party, the information may only be released to another person or put to a different use with the consent of the data subject;
(d) the data subject shall be informed of the purpose to which the information shall be put and the intended recipients of that information at the time of collection;
(e) information shall not be kept for a longer period than is necessary for achieving the purpose for which it was collected;
(f) information shall not be distributed in a manner that is incompatible with the purpose for which it was collected with the consent of the person and subject to any notification that would attract objection;
(g) reasonable steps shall be taken to ensure that the information processed is accurate, up to date and complete;
(h) appropriate technical and organizational measures shall be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information; and
(i) data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate.
Right to protection of privacy
Section 5 of the Bill provides that every person has the right to privacy with respect to their personal data. The Bill defines “personal data” as information about a person, including:
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the individual;
(b) information relating to the education, medical, criminal or employment history of the person or information relating to financial transactions in which the person has been involved;
(c) an identifying number, symbol or other particular assigned to the individual;
(d) the fingerprints or blood type of the person;
(e) contact details including telephone numbers of the person;
(f) correspondence by a person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence to a third party; and
(g) a person’s views or opinions about another person and any information given in support or in relation to a grant, award or prize proposed to be made to a person.
Limitation of right to privacy
Section 6 of the Bill provides that the right to privacy, with respect to personal data, may be limited for the purpose of safeguarding overriding legitimate interests. It further provides that, the right to privacy may be limited for purposes of:
(a) national security;
(b) prevention, detection, investigation, prosecution or punishment of a crime;
(c) safeguarding rights of the data subject or another person;
(d) public interest; and
(e) compliance with an obligation imposed by law.
Data collection from data subjects
The Bill defines an “agency” as meaning a person who collects or processes personal data. Section 7 of the Bill stipulates that an agency shall, where it requires personal data from a person, collect such information directly from the data subject for a purpose which is specific, explicitly defined and lawful. It further provides that an agency shall not be required to collect personal data directly from a data subject where:
i) the data is a matter of public record;
ii) the data subject or a competent person (where the data subject is a child), has consented to the collection from another source;
iii) collection from another source would not prejudice the interests of the data subject;
iv) collection of data from another source is necessary: (a) for the prevention, detection, investigation, prosecution and punishment of crime; (b) for the protection of the interests of the data subject or another person; (c) to comply with an obligation imposed by law; or (d) in the interest of national security; or
v) compliance is not reasonably practical in the circumstances of the case.
The Bill provides that an agency shall collect, store or use personal data using lawful means or using means that, in the circumstances, do not intrude to an unreasonable extent, upon the personal affairs of the data subject.
Right of data subject
Section 9 of the Bill stipulates that a data subject has a right to:
i) be informed by the agency of the use to which the subject data is to be put;
ii) access the data relating to the data subject which is in the possession of an agency;
iii) object to the collection or processing of all or part of the data by an agency;
iv) correction of false or misleading data;
v) deletion of misleading, false or data which has been objected to; and
vi) an explanation in respect of the processing of data and the outcome of such processing.
Duty to notify
Section 10 of the Bill provides that before an agency collects personal data directly from a data subject, it shall, in so far as is reasonably practicable, inform the data subject of:
i) the fact that the information is being collected;
ii) the purpose for which the information is being collected and specify the use to which such information shall be put;
iii) the intended recipient of the information;
iv) the name and address of the agency that is collecting the information, the agency that will hold the information and whether or not any other agency will receive the information;
v) where the information is collected pursuant to any law: (a) the law requiring or authorising the collection of the information; (b) the procedure required to be undertaken in order to comply with the law; and (c) whether the supply of the information by that data subject is voluntary or mandatory;
vi) the consequences (if any) of failing to provide all or any part of the requested information; and
vii) the right of access to, and correction of, personal data.
Section 11 of the Bill provides an exception to the above duty of an agency to notify a data subject: the duty does not apply where the agency has, in the recent past, already taken those steps when collecting the same information, or information of the same kind, from that data subject. The section further provides that where an agency collects information as contemplated above to be used for a purpose different from the one for which the information was first collected, or where the circumstances of the data subject have changed, the agency shall notify the data subject of the use to which the information shall be put. It further provides that an agency shall notify a data subject that a waiver of his or her rights under this section shall be construed as consent and authorisation for the agency to collect the information.
Section 13 of the Bill provides that an agency shall not be deemed to have collected personal data if:
(a) the information is publicly available;
(b) the data subject authorised the collection of the data from a third party;
(c) non-compliance does not prejudice the interests of the data subject;
(d) non-compliance is necessary to: (i) avoid a threat to the maintenance of law and order by any public entity, including the prevention, detection, investigation, prosecution and punishment of an offence; (ii) for the enforcement of a law imposing a pecuniary penalty; (iii) for the protection of public revenue and property; (iv) for the institution of proceedings or the conduct of proceedings that have been instituted before any court, tribunal or the Kenya National Commission on Human Rights (the “Commission”) established under section 3 of the Kenya National Commission on Human Rights Act; or (v) for the purpose of an exemption as set out in the law relating to access to information;
(e) compliance would prejudice the purposes for which the information is collected;
(f) compliance is not reasonably practicable in the circumstances of the particular case;
(g) the information: (i) was not to be used in a manner which resulted in the identification of the data subject; or (ii) was used for statistical or research purposes and shall not be published in a form that could reasonably be expected to result in the identification of the data subject; or
(h) the information is collected pursuant to an authority granted under the Bill or any other written law.
Section 33 of the Bill provides for the oversight and enforcement functions of the Commission which are to:
(a) promote the protection and observance of the right to privacy;
(b) monitor, investigate and report on the observance of the right to privacy;
(c) formulate, implement and oversee programmes intended to raise public awareness of the right to privacy and obligations;
(d) receive and investigate any complaint relating to infringement of the rights of a person;
(e) provide a framework or mechanism for the effective management of conflicts and the resolution of disputes; and
(f) perform such other functions as may be prescribed by any other law or as the Commission may consider necessary for the promotion and protection of human rights.
The section further provides that the Commission shall, in performing its functions, be guided by:
(i) the national values and principles of governance under Article 10 of the Constitution (national values and principles of governance binding all state organs, public officers and state officers, such as patriotism, national unity, sharing and devolution of power, the rule of law, democracy and participation of the people, human dignity, equity, social justice, inclusiveness, equality, human rights, non-discrimination and protection of the marginalised, good governance, integrity, transparency and accountability, and sustainable development);
(ii) have regard to the applicable international information management and dissemination standards relating to data protection;
(iii) ensure that agencies have put in place adequate safeguards for the protection of personal data;
(iv) take statements under oath in relation to any investigation it is undertaking; and
(v) take such action as may be necessary for the performance of its functions.
Section 14 of the Bill provides that an agency that processes personal data shall ensure that the data is processed:
i) without infringing the right to privacy of the data subject or another person;
ii) in a lawful manner; and
iii) in a reasonable manner.
It further provides that whenever personal data concerning a data subject is to be processed, the data subject shall have the right, upon request, to:
a) information relating to the person processing the data;
b) the place of origin of the data;
c) the use to which the data collected will be put;
d) information relating to any other person to whom the data is to be transmitted;
e) the rectification of incorrect data; and
f) the deletion of data processed without the consent of the data subject.
Protection and security of personal data
Section 15 of the Bill provides that an agency shall take the necessary steps to ensure the integrity of personal data in its possession or control through the adoption of appropriate, reasonable, technical and organisational measures to prevent:
a) loss, damage or unauthorised destruction; and
b) unlawful access to or an unauthorised processing.
It further provides that an agency shall take reasonable measures to:
(i) identify reasonably foreseeable internal and external risks;
(ii) establish and maintain appropriate safeguards against the identified risks;
(iii) regularly verify that the safeguards are effectively implemented; and
(iv) ensure that the safeguards are continually updated.
The agency is also required to observe generally accepted security practices and procedures, including specific industry or professional rules and regulations.
Retention of information
Section 19 of the Bill stipulates that an agency that collects or processes personal data shall not keep the data for a longer period than is provided under any law or necessary to achieve the purposes for which the data was collected or processed, unless:
i) the data subject consents to the retention;
ii) the retention of the data is authorised by law;
iii) the retention of the data is reasonably necessary for a lawful purpose related to a function or activity or the retention of the data is required by virtue of a contract between the parties to the contract.
The section further provides exceptions to the obligation on the agency not to keep the data for a longer period than is provided under any law or necessary to achieve the purposes, including where the personal data is retained for: (a) historical; (b) statistical; or (c) research purposes. It further stipulates that where an agency retains data for historical, statistical or research purposes, it shall ensure that such personal data is protected against access or use for unauthorised purposes and shall, at the expiry of the retention period, destroy or delete the personal data in a manner that prevents its reconstruction in an intelligible form.
Prohibition on processing of special personal information
The Bill defines “special personal information” as: (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or biometric information of a data subject; or (b) any information about a data subject relating to the alleged commission of an offence or any proceedings in respect of any offence allegedly committed by a data subject. Section 24 provides that an agency shall not process special personal information unless:
(a) the processing of such personal information is carried out with the consent of the data subject;
(b) it is required under national or international law;
(c) it is for statistical or research purposes; or
(d) it is publicly available.
Personal data of children
Section 29 of the Bill stipulates that an agency shall not process personal data of a child unless:
(a) the processing is carried out with the prior consent of the parent or guardian or any other person having the authority to make decisions on behalf of the child;
(b) it is necessary to comply with the law;
(c) it is for research or statistical purposes; or
(d) it is publicly available.
Trans-border flow of personal data
Section 31 of the Bill provides that an agency shall not transfer personal data of a data subject outside the territory of the Republic of Kenya unless:
(i) the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
(ii) the data subject consents to the transfer;
(iii) the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
(iv) the transfer is for the benefit of the data subject.
Offences and sanctions
Section 38 of the Bill provides for offences and their sanctions and stipulates that a person who collects or processes personal data in any manner contrary to the provisions of the Bill commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand Kenya shillings (Kshs. 500,000/-) or to a term of imprisonment not exceeding five (5) years, or to both.
It further provides that any person who:
(i) without reasonable excuse, obstructs, hinders or prevents the Commission or any other person from performing their functions or exercising their powers;
(ii) makes any statement or gives any information to the Commission or any other person exercising powers under the Bill, knowing the statement or information to be false or misleading;
(iii) holds himself or herself out as having authority to perform any action or exercise any powers when he or she does not hold that authority; or
(iv) without reasonable cause, fails to comply with any notice issued under the Bill,
commits an offence and is liable, on conviction, to a fine not exceeding one hundred thousand Kenya shillings (Kshs. 100,000/-) or to a term of imprisonment not exceeding two (2) years, or to both.
It further provides that where an offence under the Bill has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributed to any negligence on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, that person as well as the body corporate shall be guilty of that offence.
The Bill is still at an early stage, and it will be interesting to see whether any amendments are proposed to it and whether it is enacted.
© Andrew Ndikimi
The author is a Kenyan advocate with ten (10) years post admission experience and is a senior lawyer heading the intellectual property and information and technology department at O&M Law LLP, Park Place, Limuru Road & 2nd Parklands Avenue Junction, Nairobi, Kenya.
Telephone: +254722613888/ +254739935929