Kenya Parliament is debating the crucial Data Protection Bill. This process must be very transparent and participatory because the bill has significant effects on right to privacy of people of Kenya.
According to International Center for Policy and Conflict (ICPC) Executive Director Ndung’u Wainaina, already Director of Public Protection (DPP) is on record pursuing for state to be allowed to spy on Kenyans.
“Constitution of Kenya 2010 guarantees the right to privacy, which may be enforced by the Constitutional Court. The right to privacy is also protected under common law, with restrictions on the interception and monitoring of communications. Privacy is closely tied to, and underpins, the concept of human dignity, which ensures that individuals are empowered to make autonomous decisions about their lives without interference from the State, or from private actors. Privacy is also an important enabling right, providing the conditions for individuals to enjoy other human rights, such as the right to freedom of expression, association and peaceful assembly.” He said.
As stated by Wainaina, the Data Protection law purpose is to give full effect to the constitutional right to privacy by safe guarding personal information when it is processed by another party, and to regulate the manner in which personal information may be processed by establishing threshold of minimum conditions.
Further, Data Protection Law provides persons with rights and remedies to protect their personal information from processing that is not in accordance with the law.
“Already Kenya Government has admitted in court a serious breach of personal data in the Huduma Namba registration. “ He added.
The director noted that Members of Parliament must make sure that Data Protection law forces everyone responsible for using personal data to follow strict rules of ‘data protection principles’.
In this he says MPs must make sure the information is used fairly, lawfully and transparently; used for specified, explicit purposes; used in a way that is adequate, relevant and limited to only what is necessary; accurate and, where necessary, kept up to date; kept for no longer than is necessary and is handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.
Further, ICPC says there are four best practices that a good data protection law must be ingrained.
First, entities must not re-use or disclose personal information for purposes that do not link back to its original intended purpose calling for agencies to be transparent with individuals about how their data will be used, under a lawful basis; Entities will be required to take steps to ensure that personal information is kept secure and backed up through organizational and technical security measures; Data must only be kept for as long as it is needed – restricting the storage of personal information; Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect; and lastly the collection and storage of any data must be kept minimal; collecting only what is adequate and relevant for the intended purpose.
Wainana says Kenya Parliament should borrow leave from European Union on data protection noting that the 1995 European Union Data Protection Directive imposes a standard of protection on any country in which the personal data of European citizens is processed, and such data can only be processed in countries that can guarantee adequate levels of protection.
He added that the Communication Authority of Kenya must be legally empowered to be the Information Regulator enforcing the best governance practices of the protection of personal information
“ The final Data Protection law that Kenya Parliament will pass must expands individuals’ rights, extends the role and enforcement powers of data protection authorities(independent national supervisory authorities charged with monitoring compliance and investigating breaches), and places a stronger burden on data controllers (the entities who collect and process personal data) to be transparent and accountable to individual data subjects. The law must regulate the acquisition and use of personal data, particularly in the context of large internet companies and digital technologies.” He noted.