November 8th 2019 marked a new milestone towards protecting the privacy of Kenyans. This is the day that President Kenyatta signed the long-awaited Data Protection Bill 2019 into law. The Act gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010, which guarantee every person the right to privacy. The new law seeks to regulate the collection and processing of data in Kenya. It also includes stipulations for persons and organizations who are involved in the collection and processing of data. Here are some key highlights:
Definition of key terms
Personal Data – any information relating to an identified or identifiable natural person.
Data Subjects – an identifiable natural person who is the subject of the data.
Data processor – natural or legal person, public authority, agency or another body which processes personal data on behalf of the data controller.
Data Controller – natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purpose and means of the processing of personal data.
The new law also has provisions on how data must be processed. Personal data must be processed in a way that upholds the data subject’s right to privacy; processed lawfully; limited to the purpose for which it is collected; accurate and up to date; kept in a form which identifies the data subjects for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act. As a Kenyan, you also have the right to know how your information is handled and the right to ask for the deletion and/or editing of incorrect data.
Office of the Data Protection Commissioner
The law will see the establishment of the office of a Data Protection Commissioner (‘DPC’). The DPC will be employed by the Public Service Commission upon appointment by the President, subject to the approval of the National Assembly.
There will also be the registration of Data Controllers and processors. These are third parties that will manage, store, and sort personal data. They can be natural or legal persons, agencies and public authorities. It is an offence to act as a data controller or processor unless you are registered with the DPC.
Additional benefits include notification of a breach to the DPC within 72 hours and to the affected data subjects without delay. Personal data may also not be transferred outside Kenya unless the said transfer has been approved by the DPC. Data controllers will have to prove that appropriate safeguards exist for the data being transferred.
Penalties for non-compliance
In case of non-compliance, the law provides for stiff penalties. Upon conviction, one will be liable to a fine of Ksh 3 million, an imprisonment term not exceeding ten (10) years, or both.