The Constitution of Kenya is always the first point of reference when looking for rights. In it, Kenyans are guaranteed the security of their inherent rights. Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed. The Data Protection Act is the law enacted by the National Assembly to primarily secure Kenyans’ data. It defines data as information and classifies it into information which:
1. Is processed by means of equipment operating automatically in response to instructions given for that purpose.
2. Is recorded with intention that it should be processed by means of such equipment.
3. Is recorded as part of a relevant filing system.
4. Where it does not fall under paragraphs (1), (2) or (3), forms part of an accessible record.
5. Is recorded information which is held by a public entity and does not fall within any of paragraphs (1) to (4).
In summary, data is information about a person that is processed and/or recorded by a public or private entity.
Responsibilities of the data controller and data processor
A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. A data processor, by contrast, is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. The data controller and data processor have the following responsibilities under the Data Protection Act.
- Every data controller or data processor shall ensure that personal data is processed in accordance with the right to privacy of the data subject.
- Every data controller or data processor shall ensure that personal data is processed lawfully, fairly and in a transparent manner in relation to any data subject.
- Every data controller or data processor shall ensure that personal data is collected for explicit, specified and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Every data controller or data processor shall ensure that personal data is accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
- Every data controller or data processor shall ensure that personal data is not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
- Every data controller or data processor shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Every data controller or data processor shall ensure that personal data is collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
- Every data controller or data processor shall ensure that personal data is kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected.
Rights of the data subject
A data subject is an identified or identifiable natural person who is the subject of personal data. The data subject has the following rights under the Data Protection Act.
1. Right to be informed of the use of their personal data
The data subject should be informed of the intended use prior to the processing or recording of data. A statutory obligation is placed on the data controller and processor to disclose the intended use of the data prior to processing or recording it.
2. Right to consent
Consent is a necessary ingredient to the processing and recording of data. It must be express, unequivocal, free, specific and informed. The decision to share information about yourself should be an informed one and made willingly. The use of the data collected should be lawful and for a specific and explicit purpose. This is intended to discourage phishing, spying and other unethical and illegal practices for personal or commercial gain.
3. Right to privacy
Information must be collected, processed and recorded with due regard to your right to privacy as enshrined in Article 31 of the Constitution.
4. Right to access their personal data in the custody of the data controller or data processor
This is necessary to ensure the accuracy of information recorded and to grant access to update the data. An update may include a change of address, name or even status. This will ensure proficiency in delivery of goods and services in both public and private/commercial sectors.
5. Right to object to the processing of all or part of their personal data
The purpose and use of the data must be disclosed and the data subject reserves the right to object to its use in whole or part. Any further transmission to another data controller or processor should have accompanying consent. There is an added responsibility on the data controller and processor to ensure that the data is not shared outside of Kenya and to safeguard the data outside our borders. Data collected should also be limited to only what is necessary for the specified purpose. For that reason, the data subject can object to the processing of part of the data which they consider unnecessary. This includes the collection/processing of data on family and private affairs.
6. Right to correction of false or misleading data
The data subject has the right to have false or misleading data corrected.
7. Right to deletion of false or misleading data about them
The data subject has the right not only to have false or misleading data deleted or rectified, but also to have the entire record deleted. It is unnecessary to keep holding on to data beyond its use, and such data should be deleted after a reasonable period.