The current set of laws glosses over protection of personal information. FILE PHOTO | NMG
Summary
- The current set of laws glosses over protection of personal information.
Do you give out your
personal information randomly and willfully? Do you inquire why the
information is being collected and the purpose for collecting it? More
interestingly, does your business collect personal information from
clients? Do you seek consent before collecting it? Do you explain the
purpose for collecting such information? How long do you store the
information?
Victim or villain, this one is for you
because the days of using consumer’s personal information in a laissez
faire manner are numbered, the writing is indeed on the wall. Article 31
of the Constitution of Kenya 2010 guarantees the right to privacy which
includes the right not to have information relating to one’s family or
private affairs unnecessarily revealed or the privacy of one’s
communications infringed.
The world has become a global
village. Technology has come of age in many a country and Kenya has not
been left behind. As a matter of fact, a recent study shows that Kenya
is leading globally in share of internet traffic coming from mobile
phones overtaking Nigeria, which was at the top in 2017.
At
83 per cent, Kenya is now at the top, with Nigeria coming in second at
81 per cent. The technological wave has been gradual but consistent.
Massive volumes of data are being collected, stored and transmitted at
the click of a button across a wide spectra including the
telecommunication, hospitality, banking and retail sectors. In spite of
Kenya’s credentials at technological dexterity, the reverse is true when
you begin discussing the legal and institutional framework specifically
touching on personal data protection.
Kenya has neither enacted any piece of legislation specifically
touching on personal data protection nor ratified any convention on the
same. We have the Kenya Information and Communication Act, 1998 which
glosses over the aspect of personal data protection. This Act having
been passed in 1998 before the 2010 Constitution does not reflect the
aspirations of ‘Wanjiku’ which are encompassed in Article 31 of the
Constitution. We equally have the recently passed Computer Misuse and
Cybercrimes Act, 2018 (whose legislative intent was to nip in the bud
bloggers and other ‘keyboard activists’ but this is a discussion for
another forum)which is more of a penal law aimed at punishing
Cybercrimes than it is a substantive law addressing inter alia Personal
Data Protection.
All is not lost however and this may
well be Kenya’s watershed moment in personal data protection. First, the
African Union (AU) which Kenya is a state party recently adopted the
African Union Convention on Cyber Security and Personal Data Protection.
The AU adopted the convention in the Twenty third Ordinary Session of
the Assembly, held in Malabo, Equatorial Guinea, 27th June 2014.
Kenya
being a partially Monist and Dualist state is required to either ratify
the convention or pass a domesticating statute for it to be binding
Law. This is in accord with Article 2(5) and (6) of our Constitution.
Some of the salient features of the Convention are the principles of
data protection, the rights of a data subject and the corresponding
duties of a data controller. It provides for five key principles which
form the basis for the rights and duties.
In common
parlance these principles are: Processing of personal data shall be done
with the consent of the data subject; collection, processing, storage
and transmission of personal data shall be done in a lawful and
non-fraudulent manner; personal data shall be collected for a specific
purpose and shall not be stored for longer than is necessary; data
collected must be accurate and up to date; transparency in disclosure of
personal data held by a data controller; and confidentiality and
security of personal data processing.
Some of the
noteworthy duties of an organisation collecting personal data are;
ensuring that the processing of personal data shall be confidential and
that the data controller must put in place appropriate measures to
ensure the security of personal data. We are yet to ratify the
convention hence it still does not form part of our laws but if the
current legislative mood on data protection is anything to go by, then
it may not be long before we domesticate it.
Secondly
the Data Protection Bill, 2018 is currently going through the
legislative process before the Senate having been sponsored by Baringo
Senator and Chairperson of the Committee on Information, Communication
and Technology, Gideon Moi. The Bill’s maturity date was 30 May 2018 and
it is awaiting presentation before Senate for its first reading. It has
nine principles which are hook, line and sinker similar to those of the
AU treaty above. These principles govern how personal data shall be
utilised.
All principles bespeak of the need to protect
one’s personal information from misuse. Some of the salient principles
are the requirement to obtain consent from the data subject before
collecting personal data; collecting data in a manner that does not
intrude on the privacy of the subject; organisations shall also not keep
personal information for longer than is necessary; unfettered access by
the data subject of the information held by an organisation.
EDWIN MUNGA, Legal consultant and advocate of the High Court of Kenya.
No comments :
Post a Comment