After the January terror attack left 21 people dead at a Kenyan hotel complex, the government announced that it would implement a law related to citizens’ personal data. The recent amendments to the Registration of Persons Act would allow the government to collect people’s personal information – including DNA samples, biometric data like fingerprints and retinal scans and GPS information to pinpoint their locations. The aim, authorities say, is to enhance security.
But the plan violates Kenyans’ privacy rights. These rights are enshrined in the Constitution and certain sectoral laws that deal with electronic and medical data. Unfortunately, there is no specific legal framework beyond this to guarantee that personal sensitive data is protected and people’s privacy is not violated without cause. A Data Protection Bill is under discussion by the lawmakers, but I believe it must be expedited or the Registration of Persons Amendments stalled until it’s passed.There are examples all over the world of data being manipulated or misrepresented by authorities.
This means it’s imperative to ensure that data is properly protected and that Kenyans’ data is carefully guarded. Proper legislation would provide a useful framework for this, and would bring the country in line with others on the continent that have such laws, among them South Africa, Angola, Morocco and Rwanda. In many ways, Kenya’s Data Protection Bill mirrors the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018.
These are the GDPR’s key principles:
in any instance where data is collected, a clear reason must be given;
any information an individual collects cannot be disclosed to other organisation or individuals, unless authorised by the law or given well informed consent by the person (known as the data subject) who provided their data to the original organisation;
data should be deleted when it is no longer needed for the stated purpose;
the data subject can request access to their data, erase it or rectify the information at any point;
personal information can’t be sent to a jurisdiction which doesn’t have similar data protection laws.