DATA PROTECTION IN KENYA
Globally, there has been an increase in the tightening of data protection laws. This trend is now being felt locally, particularly with kenyans and the government embracing increased online services. Consequently, the collection and processing of personal information is a clear indication of a growing and advancing digital economy. However, of concern is the lack of comprehensive personal data protection legislation which in turn exposes citizens to the risk of their personal data being misused.
CURRENT LEGISLATION ON DATA PROTECTION
The exisitng legislation that governs the collection and use of personal data includes:
- The Constitution of Kenya, 2010 (the “Constitution”) which recognises the right to privacy including, the right not to have a citizen’s personal information in relation to their family or private affairs, unnecessarily required or revealed.
- The Access to Information Act No. 31 of 2016 (the “AIA”) which was passed to give effect to Article 35 of the constitution which recognises the right to access certain information. The AIA provides a framework for both public and private bodies to disclose information in line with constitutional principles relating to accountability and transparency.
- The Consumer Protection Act No. 46 of 2012 (the “CPA”) which protects information obtained in the course of exercising any power related to administration of the Act.
- The Kenya Information and Communications (Registration of Sim-Cards) Regulations,2015 (the “Regulations”) which were passed in pursuance of a directive requiring the registration of personal information of holders of all simcards issued in Kenya. To protect the sensitive personal data provided, the Regulations provide that an operator should take all reasonable steps to ensure the security and confidentiality of its subscribers’ registration particulars.
- The National Payment System Act No.39 of 2011 (“NPSA”) and its subsidiary regulations apply to payment systems and payment service providers including mobile service providers. It criminalises the use of confidential information for personal gain.
DATA PROTECTION BILL, 2018
In addition to the above, there is before parliament the Data Protection Bill (the “Bill”) which sets out the principles of data protection. The Bill attempts to:
- Provide a framework of rights for individuals with focus on the consent of the individual whose information is being processed;
- Impose strong obligations on data controllers reflecting the responsibilities associated with collecting, storing, using and analysing data; and
- Impose effective enforcement mechanisms such as establishment of a data protection authority.
The aim of the Bill is to promote the protection of personal data, provision of rights and remedies with regard to protection of personal data and provision of rights and remedies with regard to protection of personal data.
PERSONAL DATA DEFINED
The Bill defines personal data to include:
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, age, physical, psychological or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
- Information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- Any identifying number, symbol or other particular assigned to the individual;
- The fingerprints, blood type, address, telephone or other contact details of the individual;
- A person's opinion or views over another person;
- Correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- Any information given in support or in relation to an award or grant proposed to be given to another person; and
- Contact details of an individual.
PROVISIONS OF BILL
Fundamentally, the Bill seeks to guarantee privacy and protect data by giving the owner of data (Data Subject) extensive rights to control how the Data Subject’s personal data can be processed, applied or consumed by a user. In particular, the Bill requires that the consent of the Data Subject is provided at all times where personal information that has been collected is being utilised. Further, Data Subjects will have a right of access to their personal information and a right to demand for the correction of any inaccurate information.
The Bill regulates the collection, storage, disclosure, retention period and accuracy of personal data.
One of the principles guiding the interpretation and application of the Bill is that information is to be collected from the Data Subject and released to a third party only with the consent of the Data Subject. This comes in to fill a glaring loophole in the law because currently there is no express legal requirement for organisations collecting data (data controllers) to obtain consent from Data Subjects.
The Act also regulates the flow of personal information across the borders of the country. Personal data of a Data Subject is only to be transferred outside Kenya where:
- The party receiving the data is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
- The Data Subject consents to the transfer;
- The transfer is only necessary for the performance or conclusion of a contract between the agency and the third party; and
- The transfer is for the benefit of the Data Subject.
Section 15 of the Bill expressly provides for the protection and security of personal data against loss, damage or unauthorised destruction, unlawful access or unauthorised processing of data. It also introduces stiffer penalties which in turn provide better incentives to data controllers and processors to abide by the provisions of the Bill. Should it become law, interference with the personal data of a Data Subject or the infringement on a person’s right to privacy will be an offence punishable, on conviction, by either (i) a fine not exceeding KES. 500,000 (approximately USD 5,000), or (ii) imprisonment for a term not exceeding two (2) years, (iii) or both. Moreover, all public and private sector data controllers and processors will be bound by a general duty to process data in a manner that respects the privacy of an individual and that provides security against data breaches. Strong penalties and a strong, independent regulator are critical to the effectiveness of data protection law. Consequently, it is proposed that the Kenya National Commission on Human Rights be mandated as the body to oversee the implementation and enforcement of the Bill once it has been assented into law.
It is however proposed that matters related to national security, or matters related to the prevention, detection, investigation, prosecution or punishment of a crime, or matters related to safeguarding the rights of the Data Subject or another person, or matters related to public interest and matters related to compliance with an obligation imposed by law should not be subject to the restrictions of the Bill. Additionally, certain sections of the Bill shall also not apply to personal data collected for the purposes of history, research and statistics.
In April 2019, the Kenyan government announced that it would be registering all Kenyans in a new national digital database that would include biometric details as well as information on land ownership, establishments and assets. The aim of the programme was to facilitate the identification of people holding forged or false identification documents by collecting all data pertaining to an individual including name, age, identities of relatives, property owned and residence. This was in accordance with recent amendments to the Registration of Persons Act that allowed the government to collect people’s personal information – including DNA samples, biometric data like fingerprints and retinal scans and global positioning system (GPS) information to pinpoint their locations. The plan was met with opposition as many felt that it violated Kenyans’ privacy rights which although enshrined in the Constitution had no specific legislative framework that would guarantee the protection of personal sensitive data. The Data Protection Bill hopes to provide this framework.
 Kenya Human Rights Commission v Communications Authority of Kenya & 4 others  eKLR at paragraph 54 of the judgment, it was held that, ‘The processing of information by the data user/responsible party threatens the personality in two ways:  a) First, the compilation and distribution of personal information creates a direct threat to the individual's privacy; and (b) second, the acquisition and disclosure of false or misleading information may lead to an infringement of his identity.’