Executive Summary
The recognition of privacy as a fundamental human right, especially in light of rapid advancement in the ICT sector both locally and internationally, has led to the formulation of the Data Protection framework in Kenya.
The policy is meant to safeguard the personal data collected by both the public and private sectors.
Purpose of the Policy
The major purpose of the policy is to enforce the development of privacy and data protection laws.
It is also meant to develop a legal framework to govern the protection of personal data and to establish an independent oversight authority that will ensure compliance with the policy and sound management practices to safeguard the rights of data subjects, including children and vulnerable groups (people with incapacity).
PRINCIPLES FOR DATA PROTECTION
The principles applied in the policy are based on global best practices in data protection. These principles include:
- Fairness, lawfulness and transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Accuracy
- Confidentiality and Integrity
- Accountability
DATA SUBJECT RIGHTS
The policy also stipulates the rights assigned to the owner of the data, which include, but are not limited to:
- Right to access to personal information;
- Right to information as to whether personal data is being processed;
- The right to rectification if the information held is inaccurate or incomplete or requires to be updated;
- The right to restrict the processing of their personal data;
And much more.
LEGAL GROUNDS FOR PROCESSING
The policy strives to ensure that the collection, processing, transmission, use, storage and disposal of personal data are permitted only on a lawful and legitimate basis.
OBLIGATIONS FOR DATA PROCESSING
This section defines the key requirements of the data controller and data processor, which include:
- A data controller’s obligations
- Joint Data Controllers
- Data protection by design and default
- The protection of personal data by the Data Controller/Data Processor.
- How a data controller should manage any personal data breach promptly and appropriately
- How data controllers should uphold the rights of the data subject
- Challenges to compliance by data controllers
INSTITUTIONAL FRAMEWORK
The policy will be the responsibility of, and accountability for it will rest with, the Cabinet Secretary in charge of Information, Communications and Technology matters.
There will also be an Office of the Data Protection Regulator, which will be responsible for upholding the Bill of Rights and enforcing data protection procedures.
CONSEQUENCES OF NON-COMPLIANCE
Any misuse of personal data, whether through loss, disclosure, or failure to comply with the data protection principles and the rights of data subjects, will result in significant legal and financial damages, which may include penalties as prescribed by law.
MONITORING AND EVALUATION
The Bill expects the Office of the Data Protection Regulator to set up a framework to detect and deter data breaches. The data controller will designate a Data Protection Officer who will monitor new and ongoing data protection risks and update the data controller's risk register accordingly.
SUMMARY
The Bill is still under review and members of the public are still submitting their comments; it will then be approved to become law.