[kictanet] Kenya’s data protection bill ready for adoption

Ephraim Percy Kenyanito ekenyanito at gmail.com
Sat May 10 17:27:10 EAT 2014


Hi Muraya,

Sorry for late reply.

I have been in little access to networks since morning due to travels,

I had seen the Bill earlier but am not sure if its the same version as the
final one. I will go through this final draft on the CIC website and send
you my 2 cents.

Otherwise we can go though it and see how we interpret it as Michael has
shared.

Thanks again Michael for the link.

Michael, my only plus to this is that at least its great that info
collected has to be used only for the purpose colllected and it prevents
situations such as political parties from registering people using MPESA/
YU Cash/ Airtel Money agents transaction registers.

Hope to hear more discussions around this Bill.

My 2 cents,
Ephraim Percy Kenyanito (Mobile)

*Kenya Data Protection Bill, 2013*

A highlight of key provisions by Michael Murungi

Full text of the draft bill available from: The Commission for the
Implementation of the
Constitution<http://www.cickenya.org/index.php/legislation/bill-tracker>

 *Sponsor**:* ICT Cabinet Secretary

*Status: *At the Attorney General's office, awaiting publication and debate
in the National Assembly


 *Objectives: *

   -

   to give effect to Article 31(c) of the Constitution - the right of a
   person not to have ‘information relating to their family or private affairs
   unnecessarily required or revealed”
   -

   to give effect to Article 31(d) of the Constitution - the right “not to
   have the privacy of their communications infringed”
   -

   to regulate the collection, retrieval, processing, storage, use and
   disclosure of personal data


 *Definition of personal data - *section 2 pg 5

Quite broad, and includes:

   -

   information on race, gender, sex, pregnancy, marital status,
   nationality, ethnicity, colour, age, health, disability, religion, belief,
   culture, language, birth, education, criminal or employment history,
   financial transactions, any identifying number or symbol linked to the
   person, fingerprints, blood type, contact details including telephone number
   -

   a person’s private communications
   -

   a person’s private views or opinions about another person
   -

   information given in relation to a grant, award or prize to be made to a
   person


 *Principles of data protection - *that will guide the application of the
Act - section 4, pg 6

   -

   necessity of collecting information
   -

   collection not to violate privacy
   -

   informed consent of the data subject
   -

   disclosure of purpose of collection of info - if the purpose changes,
   inform the data subject
   -

   no unwarranted retention of information (info not to be kept for longer
   than necessary after its purpose has been achieved)
   -

   distribution of info to be consistent with purpose of collection
   -

   duty to ensure the info is accurate, updated and complete
   -

   duty to take measures to safeguard data from loss, damage, destruction
   and unauthorised access
   -

   data subjects have right to access the info and to demand correction


 *Person collecting personal data must ensure that the data subject is
aware of the following: *(section 7)

   -

   that the info is being collected
   -

   the purpose for collecting
   -

   name and addresses of the collector, the custodian and any other agency
   that will receive the info
   -

   the intended recipients of the info
   -

   any law under which the info is collected (and whether it is mandatory)
   -

   consequences of not providing the info fully or partly
   -

   the right to access and correct the info

 ** **For those who have already collected personal data through a
procedure that meets this criteria, no need to go over the procedure again
- section 7(4)*

** If it is not practicable to comply with the above before collecting the
info, then compliance can be reasonably soon after collecting the info -
section 7(3)(a)*


 *Exceptions to the procedure above, where: *(section 9)

   -

   The info is publicly available
   -

   the collection of the info is required by law
   -

   the collection of the data from a 3rd party is authorised by the subject
   -

   the interests of the data-subject are not prejudiced
   -

   the purpose for which the info is collected necessitates non-compliance
   with this procedure
   -

   compliance is not reasonably practicable
   -

   the info was not to be used to identify the data subject, including for
   statistical and research purposes
   -

   the collection of the information is necessitated by:
    -

      need to avoid a threat to law and order by a public entity, including
      criminal investigation, prosecution and punishment
      -

      enforcing a financial penalty imposed by law
      -

      protection of public revenue and property
      -

      filing court proceedings
      -

      exemptions provided in the law on access to information


 *Availing information in good faith * - section 27

   -

   where an agency ‘avails personal data in good faith’, no court
   proceedings may be brought against it for any consequences of availing the
   data


 *Right of access to data *- section 13

   -

   Where an agency keeps personal data or where a person believes that an
   agency is keeping his personal data in a readily retrievable form
    -

      the person shall have access to the data
      -

      the agency shall have a procedure for receiving, acting upon and
      responding to inquiries by the data subject about the nature of the
      information and requests to correct false or misleading data.


 *Commercial use of data - *section 17

   -

   Personal data not to be used commercially except if it is authorised by
   law or the consent of the data subject has been obtained.


 *Issuing unique identifier - *section 18

   -

   An agency that assigns ‘unique identifiers’ to people to take all
   reasonable steps to establish persons assigned


 *Punishment for interfering with personal data - *section 19

   -

   It’s an offence to ‘interfere’ with personal data or to ‘infringe’ on a
   person’s right to privacy. offence punishable by a fine of up to Kshs.
   500,000 (USD 5,800) or 2 years jail or both


 *Oversight, enforcement and complaints procedure  * - sections 20- 23

   -

   To be the responsibility of the Commission on Administrative Justice -
   (established under the *Commission on Administrative Justice Act,
2011*<http://www.kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=CAP.%20102A>
   )
   -

   The functions and powers of the commission
    -

      receive and investigate complaints/violations of the Act
      -

      provide a dispute resolution mechanism
      -

      ensure that public entities have adequate safeguards for data
      protection
      -

      where there is a violation:
       -

         make an order stopping further acts of violation
         -

         order a remedying action by the perpetrator of the violation
         -

         make an order for such remedy/relief as it considers appropriate
         -

         where there is financial loss, benefit loss or humiliation, loss
         of dignity and injury, it may advise the complainant to seek
damages in
         court against the respondent.


   -

   The ICT Cabinet Secretary has power to make regulations under the Act





Kindest regards,
Michael M. Murungi



On 10 May 2014 13:27, Michael Murungi <michaelmurungi at gmail.com> wrote:

> Ephraim
> You can download and review the Access to Info and Data Protection Bills
> on this link <http://www.cickenya.org/index.php/legislation/bill-tracker> -
> please let us know what you find. Will also try and do a summary and share
>
> Kindest regards,
> Michael M. Murungi
>
>
>
> On 10 May 2014 00:39, Ephraim Percy Kenyanito via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Interesting read especially with the ongoing ideas on fresh registration
>> people:
>>
>>
>> http://www.itwebafrica.com/ict-and-governance/256-kenya/232836-kenyas-data-protection-bill-ready-for-adoption
>>
>> Best Regards,
>>  ​​
>> *Ephraim Percy Kenyanito*
>>
>> _______________________________________________
>> kictanet mailing list
>> kictanet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/michaelmurungi%40gmail.com
>>
>>
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and development.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20140510/a34063c3/attachment.htm>


More information about the KICTANet mailing list