The Data Protection Bill, 2018: A Move towards Tangible Regulation
On a nearly daily basis, you are required to provide personal information about yourself. You walk into the office of a service provider, or download a form from their website, which you then fill in and submit so that you can receive certain services. You give this information without really knowing whether it will be used for purposes other than those you gave it for, or who else will see or receive it.
Privacy International, a UK-based charity that promotes the right to privacy across the world, notes that despite increasing recognition and awareness of data protection and the right to privacy, there is still a lack of legal and institutional frameworks, processes, and infrastructure to support the protection of data and privacy rights. At the same time, the increasing volume and use of personal data, together with the emergence of technologies enabling new ways of processing and using it, mean that an effective data protection framework is more important than ever.
Cognizant of this need, the Kenyan Parliament is considering a bill called the Data Protection Bill which, when passed, will regulate how your personal data can be collected, stored, used or processed by another person while observing your right to privacy. You may also be the person on the other side of the scale – the one receiving other people’s personal information, most likely because you need it as part of your due diligence for a commercial deal, or to enable you to provide your services to clients or customers. The Bill is relevant to you too because, if passed, it will regulate how you should collect, store, use or process the information.
In this article, we highlight salient features of the Bill which, if passed, may apply to you.
What Kind of Personal Information is covered?
- Race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, age
- Physical/mental health, disability, religion, conscience, belief, culture, language and birth
- Education, medical, criminal or employment history of the person
- Identifying number, symbol assigned to the person
- Fingerprints or blood type
- Contact details
- Correspondence to or from the person that is of a private or confidential nature
- Information given for a grant, award or prize proposed to be made to the person
What Principles Would Apply When Handling the Information and/or Data?
- Its collection, storage, use or processing must be necessary for a lawful, explicitly defined purpose
- It must be collected directly from and with the consent of the person
- It may only be released to another person and put to a different use with the consent of the person
- Steps must be taken to ensure it is accurate, up to date and complete, and that it is safeguarded against the risk of loss, damage, destruction, or unauthorized access
- The person has a right of access to the personal information
What Specific Steps are required to be taken by the Data Recipient?
- Notify the person of the use to which the information will be put
- Notify the person that if they waive their rights they will have permitted you to collect it
- Take necessary steps to ensure the integrity of personal data you have or control
- Take steps to correct or delete false or misleading data
- If you reject the person’s request, inform them in writing of the reasons for the rejection.
- Do not keep data for a longer period than necessary or as provided under any law.
- Do not transfer the data outside Kenya unless under specific outlined circumstances.
- No profiling: do not make a decision that has a legal implication for the person, or significantly affects them, based on automated processing of the data without any human intervention. Notably, however, profiling is legal where necessary for the maintenance of law and order by any public entity.
- Notify the person and the Kenya National Commission on Human Rights and take steps to ensure the restoration of the integrity of the information system as soon as possible after you discover unauthorized access or processing of the data.
As of January 2018, statistics showed that over 100 countries around the world had enacted comprehensive data protection legislation, and around 40 countries were in the process of enacting such laws. Kenya is in the latter category. Once the Bill is passed into law, businesses will need to be aware of their rights and obligations in order to handle personal data in compliance with the law. That said, the Bill – as is – does point you and me in the direction that the regulation of personal data in Kenya is taking. Are you ready for it?
By Miriam Maina and Pauline Njau