Data Privacy and Protection in Kenya
This past month the court of public opinion weighed in on the case of a “Miss Soba” whose picture was taken whilst being administered an alcohol breathalyser test. While it turned out she was sober, the paper has since used the picture on several different occasions unrelated to the first. Understandably, this has caused her some distress, as she had asked that the paper cease to use the picture citing that it was a violation of her privacy rights. Never mind the irony of this opinion piece being published in the same paper, but the story and the responses it has garnered raises some interesting questions and food for thought about the state of Data Privacy and Protection in Kenya. The Kenya Data Protection Bill, 2018 was a response to the growing pressure for governments and private organizations the world over to recognize the right to privacy as a fundamental human right, due in no small part to the ubiquity of technology in our daily lives. The European Union passed their General Data Protection Regulation – GDPR, giving their citizens (Data subjects) for the first time, explicit power over their data. They have the GDPR. We have our Data Protection Bill. R Miss Soba and the band of supporters would be happy to know, reform is on the horizon to protect how data is collected, the purpose for which it is used, for how long it can be stored and indeed, the fairness or lawfulness of it all, among others. The premise of the Data Protection Bill, as with the GDPR is the extension of certain rights to the individual whose data is collected/is to be collected: The Right to be informed that data is to be collected and what kind of data; the right to access the data collected about you at any time; the right to correction if data maintained about you is incorrect; the right to erasure should you no longer wish your data to be used for any purpose; the right to restriction of processing should you wish to only allow your data to be used for a specific purpose of your choosing and nothing more; the right to data Portability should you wish to move data maintained about you from one organization to another; the right to object processing of data; and the right to not be subject to directed marketing based on data collected about you. This is a glaring example of the need for this bill to be passed into law to hold accountable government and corporations for how they handle private data and it is a wonder why Kenya drags its feet. Learn how you can get more information in the course we offer at Sentinel Africa. Meanwhile, Uganda recently assented into law the Data Protection and Privacy Act, 2019, signaling a positive step towards empowering data subjects on the collection and use of personal data. This personal data includes names, addresses, date of births, Identification Numbers, biometric data etc.
While at first glance the push for Data Protection seems an additional burden in terms of the investment that will need to be in place to meet the technical and organizational requirements for Data Protection by Design and by Default, Hiring a Data Protection Officer in some cases etc. this law also presents an opportunity for organizations that want to differentiate themselves as a responsible custodian of their customers right to privacy and confers upon those that take the necessary steps to comply, a competitive advantage.
Written by Rodah Owako- Senior Security Consultant at Sentinel Africa Consulting.
Get more information on our training opportunities here.