Kenya Data Protection Bill, 2013

A highlight of key provisions by Michael Murungi

Full text of the draft bill available from: The Commission for the Implementation of the Constitution

Sponsor: ICT Cabinet Secretary

Status: At the Attorney General's office, awaiting publication and debate in the National Assembly

Objectives:

• to give effect to Article 31(c) of the Constitution - the right of a person not to have ‘information relating to their family or private affairs unnecessarily required or revealed”

• to give effect to Article 31(d) of the Constitution - the right “not to have the privacy of their communications infringed”

• to regulate the collection, retrieval, processing, storage, use and disclosure of personal data

Definition of personal data - section 2 pg 5

Quite broad, and includes:

• information on race, gender, sex, pregnancy, marital status, nationality, ethnicity, colour, age, health, disability, religion, belief, culture, language, birth, education, criminal or employment history, financial transactions, any identifying number or symbol linked to the person, fingerprints, blood type, contact details including telephone number

• a person’s private communications

• a person’s private views or opinions about another person

• information given in relation to a grant, award or prize to be made to a person

Principles of data protection - that will guide the application of the Act - section 4, pg 6

• necessity of collecting information

• collection not to violate privacy

• informed consent of the data subject

• disclosure of purpose of collection of info - if the purpose changes, inform the data subject

• no unwarranted retention of information (info not to be kept for longer than necessary after its purpose has been achieved)

• distribution of info to be consistent with purpose of collection

• duty to ensure the info is accurate, updated and complete

• duty to take measures to safeguard data from loss, damage, destruction and unauthorised access

• data subjects have right to access the info and to demand correction

Person collecting personal data must ensure that the data subject is aware of the following: (section 7)

• that the info is being collected

• the purpose for collecting

• name and addresses of the collector, the custodian and any other agency that will receive the info

• the intended recipients of the info

• any law under which the info is collected (and whether it is mandatory)

• consequences of not providing the info fully or partly

• the right to access and correct the info

* For those who have already collected personal data through a procedure that meets this criteria, no need to go over the procedure again - section 7(4)

* If it is not practicable to comply with the above before collecting the info, then compliance can be reasonably soon after collecting the info - section 7(3)(a)

Exceptions to the procedure above, where: (section 9)

• The info is publicly available

• the collection of the info is required by law

• the collection of the data from a 3rd party is authorised by the subject

• the interests of the data-subject are not prejudiced

• the purpose for which the info is collected necessitates non-compliance with this procedure

• compliance is not reasonably practicable

• the info was not to be used to identify the data subject, including for statistical and research purposes

• the collection of the information is necessitated by:

  • need to avoid a threat to law and order by a public entity, including criminal investigation, prosecution and punishment

  • enforcing a financial penalty imposed by law

  • protection of public revenue and property

  • filing court proceedings

  • exemptions provided in the law on access to information

Availing information in good faith  - section 27

• where an agency ‘avails personal data in good faith’, no court proceedings may be brought against it for any consequences of availing the data

Right of access to data - section 13

• Where an agency keeps personal data or where a person believes that an agency is keeping his personal data in a readily retrievable form

  • the person shall have access to the data

  • the agency shall have a procedure for receiving, acting upon and responding to inquiries by the data subject about the nature of the information and requests to correct false or misleading data.

Commercial use of data - section 17

• Personal data not to be used commercially except if it is authorised by law or the consent of the data subject has been obtained.

Issuing unique identifier - section 18

• An agency that assigns ‘unique identifiers’ to people to take all reasonable steps to establish persons assigned

Punishment for interfering with personal data - section 19

• It’s an offence to ‘interfere’ with personal data or to ‘infringe’ on a person’s right to privacy. offence punishable by a fine of up to Kshs. 500,000 (USD 5,800) or 2 years jail or both

Oversight, enforcement and complaints procedure   - sections 20- 23

• To be the responsibility of the Commission on Administrative Justice - (established under the Commission on Administrative Justice Act, 2011)

• The functions and powers of the commission

  • receive and investigate complaints/violations of the Act

  • provide a dispute resolution mechanism

  • ensure that public entities have adequate safeguards for data protection

  • where there is a violation:

    • make an order stopping further acts of violation

    • order a remedying action by the perpetrator of the violation

    • make an order for such remedy/relief as it considers appropriate

    • where there is financial loss, benefit loss or humiliation, loss of dignity and injury, it may advise the complainant to seek damages in court against the respondent.

• The ICT Cabinet Secretary has power to make regulations under the Act