Kenya’s data protection bill ready for adoption
Interesting read especially with the ongoing ideas on fresh registration people:
http://www.itwebafrica.com/ict-and-governance/256-kenya/232836-kenyas-data-p...
Best Regards, *Ephraim Percy Kenyanito*
Does the Data Protection Bill require government data to be stored and secured *inside* Kenyan territory by Kenyan firms (local residents likely to be) partnering with multinationals? This includes data/content in mail systems and web portals.
Regards, Murigi / Stanley Muraya
*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*
On Sat, May 10, 2014 at 12:39 AM, Ephraim Percy Kenyanito via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Interesting read especially with the ongoing ideas on fresh registration people:
http://www.itwebafrica.com/ict-and-governance/256-kenya/232836-kenyas-data-p...
Best Regards, *Ephraim Percy Kenyanito*
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/murigi.muraya%40gmail....
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Ephraim You can download and review the Access to Info and Data Protection Bills on this link <http://www.cickenya.org/index.php/legislation/bill-tracker> - please let us know what you find. Will also try and do a summary and share
Kindest regards, Michael M. Murungi
On 10 May 2014 00:39, Ephraim Percy Kenyanito via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Interesting read especially with the ongoing ideas on fresh registration people:
http://www.itwebafrica.com/ict-and-governance/256-kenya/232836-kenyas-data-p...
Best Regards, *Ephraim Percy Kenyanito*
*Kenya Data Protection Bill, 2013*
A highlight of key provisions by Michael Murungi
Full text of the draft bill available from: The Commission for the Implementation of the Constitution <http://www.cickenya.org/index.php/legislation/bill-tracker>
*Sponsor:* ICT Cabinet Secretary
*Status:* At the Attorney General's office, awaiting publication and debate in the National Assembly
*Objectives:*
- to give effect to Article 31(c) of the Constitution - the right of a person not to have “information relating to their family or private affairs unnecessarily required or revealed”
- to give effect to Article 31(d) of the Constitution - the right “not to have the privacy of their communications infringed”
- to regulate the collection, retrieval, processing, storage, use and disclosure of personal data
*Definition of personal data* - section 2 pg 5
Quite broad, and includes:
- information on race, gender, sex, pregnancy, marital status, nationality, ethnicity, colour, age, health, disability, religion, belief, culture, language, birth, education, criminal or employment history, financial transactions, any identifying number or symbol linked to the person, fingerprints, blood type, contact details including telephone number
- a person’s private communications
- a person’s private views or opinions about another person
- information given in relation to a grant, award or prize to be made to a person
*Principles of data protection* - that will guide the application of the Act - section 4, pg 6
- necessity of collecting information
- collection not to violate privacy
- informed consent of the data subject
- disclosure of purpose of collection of info - if the purpose changes, inform the data subject
- no unwarranted retention of information (info not to be kept for longer than necessary after its purpose has been achieved)
- distribution of info to be consistent with purpose of collection
- duty to ensure the info is accurate, updated and complete
- duty to take measures to safeguard data from loss, damage, destruction and unauthorised access
- data subjects have right to access the info and to demand correction
*Person collecting personal data must ensure that the data subject is aware of the following:* (section 7)
- that the info is being collected
- the purpose for collecting
- name and addresses of the collector, the custodian and any other agency that will receive the info
- the intended recipients of the info
- any law under which the info is collected (and whether it is mandatory)
- consequences of not providing the info fully or partly
- the right to access and correct the info
*For those who have already collected personal data through a procedure that meets these criteria, no need to go over the procedure again - section 7(4)*
*If it is not practicable to comply with the above before collecting the info, then compliance can be reasonably soon after collecting the info - section 7(3)(a)*
*Exceptions to the procedure above, where:* (section 9)
- the info is publicly available
- the collection of the info is required by law
- the collection of the data from a 3rd party is authorised by the subject
- the interests of the data-subject are not prejudiced
- the purpose for which the info is collected necessitates non-compliance with this procedure
- compliance is not reasonably practicable
- the info was not to be used to identify the data subject, including for statistical and research purposes
- the collection of the information is necessitated by:
  - need to avoid a threat to law and order by a public entity, including criminal investigation, prosecution and punishment
  - enforcing a financial penalty imposed by law
  - protection of public revenue and property
  - filing court proceedings
  - exemptions provided in the law on access to information
*Availing information in good faith* - section 27
- where an agency ‘avails personal data in good faith’, no court proceedings may be brought against it for any consequences of availing the data
*Right of access to data* - section 13
- Where an agency keeps personal data or where a person believes that an agency is keeping his personal data in a readily retrievable form
  - the person shall have access to the data
  - the agency shall have a procedure for receiving, acting upon and responding to inquiries by the data subject about the nature of the information and requests to correct false or misleading data.
*Commercial use of data* - section 17
- Personal data not to be used commercially except if it is authorised by law or the consent of the data subject has been obtained.
*Issuing unique identifier* - section 18
- An agency that assigns ‘unique identifiers’ to people to take all reasonable steps to establish persons assigned
*Punishment for interfering with personal data* - section 19
- It’s an offence to ‘interfere’ with personal data or to ‘infringe’ on a person’s right to privacy. Offence punishable by a fine of up to Kshs. 500,000 (USD 5,800) or 2 years jail or both
*Oversight, enforcement and complaints procedure* - sections 20-23
- To be the responsibility of the Commission on Administrative Justice (established under the *Commission on Administrative Justice Act, 2011* <http://www.kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=CAP.%20102A>)
- The functions and powers of the commission
  - receive and investigate complaints/violations of the Act
  - provide a dispute resolution mechanism
  - ensure that public entities have adequate safeguards for data protection
  - where there is a violation:
    - make an order stopping further acts of violation
    - order a remedying action by the perpetrator of the violation
    - make an order for such remedy/relief as it considers appropriate
  - where there is financial loss, benefit loss or humiliation, loss of dignity and injury, it may advise the complainant to seek damages in court against the respondent.
- The ICT Cabinet Secretary has power to make regulations under the Act
Kindest regards, Michael M. Murungi
On 10 May 2014 13:27, Michael Murungi <michaelmurungi@gmail.com> wrote:
Ephraim You can download and review the Access to Info and Data Protection Bills on this link <http://www.cickenya.org/index.php/legislation/bill-tracker> - please let us know what you find. Will also try and do a summary and share
Kindest regards, Michael M. Murungi
Hi Muraya,
Sorry for late reply.
I have been in little access to networks since morning due to travels,
I had seen the Bill earlier but am not sure if it's the same version as the final one. I will go through this final draft on the CIC website and send you my 2 cents.
Otherwise we can go through it and see how we interpret it as Michael has shared.
Thanks again Michael for the link.
Michael, my only plus to this is that at least it's great that info collected has to be used only for the purpose collected and it prevents situations such as political parties from registering people using MPESA/ YU Cash/ Airtel Money agents transaction registers.
Hope to hear more discussions around this Bill.
My 2 cents, Ephraim Percy Kenyanito (Mobile)
An example of what sound policy causes....
http://blogs.office.com/2014/04/18/office-365-operated-by-21vianet-becomes-g...
Regards, Murigi / Stanley Muraya
*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*
On Sat, May 10, 2014 at 5:27 PM, Ephraim Percy Kenyanito via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Hi Muraya,
Sorry for late reply.
I have been in little access to networks since morning due to travels,
I had seen the Bill earlier but am not sure if it's the same version as the final one. I will go through this final draft on the CIC website and send you my 2 cents.
Otherwise we can go through it and see how we interpret it as Michael has shared.
Thanks again Michael for the link.
Michael, my only plus to this is that at least it's great that info collected has to be used only for the purpose collected and it prevents situations such as political parties from registering people using MPESA/ YU Cash/ Airtel Money agents transaction registers.
Hope to hear more discussions around this Bill.
My 2 cents, Ephraim Percy Kenyanito (Mobile)
participants (3)
- Ephraim Percy Kenyanito
- Michael Murungi
- S.M. Muraya