The Data Protection Bill, 2018:A Step in the Right Direction

Data Protection Bill, 2018

The Bill has been brought to the floor of the Senate to promote protection of personal data, to regulate the manner in which the data may be processed, to provide persons with rights and remedies to protect their personal data and to regulate flow of personal information across borders of the country.

The Bill does not apply to processing of data by or on behalf of a public body involving national security or for purposes of prevention, detection and identification of proceeds of unlawful activities.

The right to privacy is guaranteed but the Bill sets out certain circumstances where it can limited such as;

  1. National security;
  2. Prevention, Detection and Identification of Proceeds of unlawful activities
  3. Safeguarding rights of the data subject or another person
  4. Public interest or;
  5. Compliance with an obligation imposed by the law.

A ‘data subject’ is defined as a person from whom personal data is obtained. In this regard, an agency that collects such data will have to do it directly from the data subject and only for a purpose that is explicitly defined, specific and lawful.

Where an agency collects, stores or uses personal data; it has to do so using lawful means or means that do not intrude to an unreasonable extent. The data has to be complete, accurate, up-to-date and not misleading.

Rights of a Data Subject

Right to;

  1. be informed by the agency of the use to which the subject data is to be put;
  2. access the data with respect to the data subject which is in possession of an agency;
  3. object to the collection or processing of all or part of data by an agency;
  4. correction of false or misleading data;
  5. deletion of misleading, false or data which has been objected to; and
  6. an explanation in respect of the processing of data and the outcome of such processing.


In addition, the agency has a duty to notify the data subject of how the information will be put to be use and who the intended recipients will be. It also gives the data subjects the right to access and correct the data in possession of the agency. This should be in writing. However, if an agency has notified the data subject during collection of that kind of information in the past, it will be not be required to notify again.

There are instances where an agency is exempted from all the above such as when the information is publicly available or where the agency is authorized to collect the data from a third party.

An agency shall take the necessary steps to ensure the integrity of personal data in its possession through the adoption of appropriate, reasonable, technical and organizational measures to prevent; either the loss, damage or unauthorized destruction; and unlawful access to or an unauthorized processing.

Where a person interferes with personal data of a data subject or infringes on the right of a person to privacy commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand shillings or to imprisonment for a term not exceeding two years, or to both. A data subject also has a right to decline to have their data collected or processed.

The Kenya National Human Rights Commission will oversee the implementation and enforcement of the Bill if it comes into force.

This article was written by
Sylvia Katua of Mzalendo Trust .
It was published on July 20, 2018.


You must login to comment