Kenya's Parliament is debating the crucial Data Protection Bill. This process must be very transparent and participatory because the Bill has significant effects on the right to privacy of the people of Kenya.
Already, the Director of Public Protections is on record pushing for the State to be allowed to spy on Kenyans. The Constitution of Kenya 2010 guarantees the right to privacy, which may be enforced by the Constitutional Court.
The right to privacy is also protected under common law, with restrictions on the interception and monitoring of communications. Privacy is closely tied to, and underpins, the concept of human dignity, which ensures that individuals are empowered to make autonomous decisions about their lives without interference from the State, or from private actors.
Privacy is also an important enabling right, providing the conditions for individuals to enjoy other human rights, such as the right to freedom of expression, association, and peaceful assembly.
The purpose of the Data Protection law is to give full effect to the constitutional right to privacy by safeguarding personal information when it is processed by another party, and to regulate the manner in which personal information may be processed by establishing a threshold of minimum conditions.
Further, Data Protection Law provides persons with rights and remedies to protect their personal information from processing that is not in accordance with the law. Already, the Kenya Government has admitted in court a serious breach of personal data in the Huduma Namba registration.
Members of Parliament must make sure that the Data Protection law forces everyone responsible for using personal data to follow the strict rules known as ‘data protection principles’. MPs must make sure the information is:
- Used fairly, lawfully and transparently.
- Used for specified, explicit purposes.
- Used in a way that is adequate, relevant and limited to only what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary.
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.
Further, there are four best practices that must be ingrained in a good data protection law:
Entities must not re-use or disclose personal information for purposes that do not link back to its original intended purpose. Agencies are required to be transparent with individuals about how their data will be used, under a lawful basis.
Securing data and information
Entities will be required to take steps to ensure that personal information is kept secure and backed up through organizational and technical security measures.
Data must only be kept for as long as it is needed – restricting the storage of personal information.
Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect.
The collection and storage of any data must be kept minimal; collecting only what is adequate and relevant for the intended purpose.
Kenya's Parliament should borrow a leaf from the European Union on data protection. The 1995 European Union Data Protection Directive imposes a standard of protection on any country in which the personal data of European citizens is processed, and such data can only be processed in countries that can guarantee adequate levels of protection.
The Communication Authority of Kenya must be legally empowered to be the Information Regulator, enforcing the best governance practices for the protection of personal information.
The final Data Protection law that Kenya's Parliament passes must expand individuals’ rights, extend the role and enforcement powers of data protection authorities (independent national supervisory authorities charged with monitoring compliance and investigating breaches), and place a stronger burden on data controllers (the entities who collect and process personal data) to be transparent and accountable to individual data subjects.
The law must regulate the acquisition and use of personal data, particularly in the context of large internet companies and digital technologies.