Kenya’s ICT Ministry has drafted a Bill to create safeguards for data held by companies and government agencies in the midst of growing concerns about the safety of personal data.
The Kenya Data Protection Bill 2018 lays down rules on how personal information can be collected, used, shared and stored by data handlers, and prescribes a fine of $50,000 or a five-year jail term for those who contravene the provisions.
Data controllers will have to seek an individual’s consent before collecting, processing, sharing or storing their data, and inform them about the cost, intended purpose, extent and period of use.
“A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of his personal data for a specified purpose,” the draft states.
Common elements of modern data protection and privacy laws such as liability of data controllers and endorses the right to correction or to be forgotten, allowing individuals to demand correction or deletion of their data by an agency, are included in the draft.
Rafe Mazer, regulation lead at FSD Kenya, said the Bill is comprehensive and favours the consumer. “If approved, it will ensure proper data protection in Kenya,” he said.
The proposed law also recommends the creation of a Data Protection Commissioner — appointed by the ICT Cabinet Secretary — who will oversee the implementation and enforcement of the law.
“The policy document is comprehensive in defining the globally accepted standards of data privacy and protection,” said Tony Watima, an economist and public policy analyst.
“However, the fact that the commissioner is set to be a Cabinet appointee means they cannot effectively check the excesses of the executive.”
According to the rights group Article 19, more than half of Africa’s countries have no data protection or privacy laws. And nine of the 14 countries that have the laws in place have no regulators to enforce them.
In East Africa, only Rwanda has a data protection law — the ICT Act 2016 — that penalises intentional interception of services or modification of data without authorisation, and gives the regulatory authority the ability to impose sanctions in case of faults.
Uganda’s Data Protection and Privacy Bill was tabled in parliament in April 2016, where it still awaits debate, and Tanzania’s Personal Data Protection Bill, drafted in 2009, is yet to be published.
Kenya is setting up a National Integrated Identity Management System to centralise citizens’ data. Government-issued documents such as IDs, refugee cards, birth and death certificates as well as driving licences and passports will be stored at a single point.
“What we currently have are several agencies holding different parts of user data,” chair of the Kenya Blockchain Taskforce, Bitange Ndemo said.
The process will involve new, mass registration using a $30 million biometric data listing kit that will collect fingerprints, hand and earlobe geometry, retina and iris patterns and voice waves.
However, the country’s lack of laws to manage the privacy of individuals has raised concern.
“Without a law to protect consumer data, a breach would be disastrous,” Dr Ndemo told The EastAfrican. “Consumers need a powerful law that allows them to be in charge of their information, like the European Union’s General Data Protection Regulation.”
Meanwhile, telecoms operator Safaricom is also said to be toying with a similar idea. The company announced recently that it was considering fingerprint identification for key services such as replacement of subscriber identity module (SIM) cards to stem the growing wave of sim swap motivated financial fraud that has rocked the telecoms sector.
During the 2017 General elections in which Kenya introduced an electronic voter identification and votes transmission system, a joint Strathmore University and Privacy International report revealed that lack of a framework to protect voter data, openly exposed voters data to misuse, a flaw that saw millions of them bombarded with political texts that they had not subscribed to.