Data Protection Bill, 2018
The Bill has been brought to the floor of the Senate to promote protection of personal data, to regulate the manner in which the data may be processed, to provide persons with rights and remedies to protect their personal data and to regulate flow of personal information across borders of the country.
The Bill does not apply to processing of data by or on behalf of a public body involving national security or for purposes of prevention, detection and identification of proceeds of unlawful activities.
The right to privacy is guaranteed but the Bill sets out certain circumstances where it can limited such as;
A ‘data subject’ is defined as a person from whom personal data is obtained. In this regard, an agency that collects such data will have to do it directly from the data subject and only for a purpose that is explicitly defined, specific and lawful.
Where an agency collects, stores or uses personal data; it has to do so using lawful means or means that do not intrude to an unreasonable extent. The data has to be complete, accurate, up-to-date and not misleading.
Rights of a Data Subject
In addition, the agency has a duty to notify the data subject of how the information will be put to be use and who the intended recipients will be. It also gives the data subjects the right to access and correct the data in possession of the agency. This should be in writing. However, if an agency has notified the data subject during collection of that kind of information in the past, it will be not be required to notify again.
There are instances where an agency is exempted from all the above such as when the information is publicly available or where the agency is authorized to collect the data from a third party.
An agency shall take the necessary steps to ensure the integrity of personal data in its possession through the adoption of appropriate, reasonable, technical and organizational measures to prevent; either the loss, damage or unauthorized destruction; and unlawful access to or an unauthorized processing.
Where a person interferes with personal data of a data subject or infringes on the right of a person to privacy commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand shillings or to imprisonment for a term not exceeding two years, or to both. A data subject also has a right to decline to have their data collected or processed.
The Kenya National Human Rights Commission will oversee the implementation and enforcement of the Bill if it comes into force.