What a personal data protection law mean for you

Tuesday May 15 2018

We have argued for the enactment of a data protection law, but many Kenyans may not know the benefits such a law would bring, both at the national and individual level.

At the national level, the benefit of the law is simply that Kenya would have joined the community of nations that respect citizens’ privacy and places a higher premium on securing their electronic records.

Because of the digital nature of global trade, most developed countries would prefer to trade only with countries that have similar levels of digital security and legal regime. This is the only way they can provide assurance that their citizen data remains secured – even as it traverses beyond their borders due to trade requirements.

Lack of a data protection regime is therefore a sure way of losing out on trade opportunities, which will ultimately be taken up by other African countries that have already enacted such laws.


But beyond the business incentives for enacting the laws, citizens stand to gain more, through enhanced obligations placed on entities or agencies that collect their data.


These entities, called data controllers and data processors, include actors form both the public and private sector.

Examples from the public sector would include agencies that deal with sensitive citizen data, such as the IEBC, Immigration Department, NTSA, police, hospitals and universities. In the private sector, banks, telcos and mobile phone operators come top of the list.

All these data controllers will be under obligation to protect citizen data by offering the following services to their data subjects or the citizens.

The first service is “Access”. Citizens need to have access to the data collected about them. Whereas this is a fairly standard expectation in the private sector, it is not always the case in the public sector.

Kenyans who have sought a “Certificate of Good Conduct” from the Directorate of Criminal Investigations will know how hectic it is to access such records.


Ideally, it should be as simple as accessing your online bank statement. Whether designated as a criminal or not, it is your right to know as much in the simplest and shortest way possible.

Another example can be picked from some of our universities where final-year students keep complaining that they are unable to access their academic transcripts dating back to their first year.

Your academic history is your history. The university is simply a custodian of it and should not purport to own the data such that you are made to beg for it. In the new regime, data controllers will be obliged to have electronic mechanisms that facilitate, rather than frustrate, your ability to access your records.

The same rationale would apply to health providers, churches and others that keep your records in trust. They will therefore need to review their data-processing procedures so as to align them to the Access obligations.


The second service is known as ‘Breach Notification’.

Once a security breach occurs, the data controllers will be obliged to inform the affected citizens. If someone hacks into the records of your bank, telco or electoral agency it is your right to be notified or alerted.

The current practice is, of course, to protect the corporate reputation at the expense of the citizen’s right to know.

This obligation to notify customers will obviously force corporates to invest better in data security as a way of avoiding the more expensive option of having to alert customers about data breaches.

The third notable service is the ‘Right to Consent’. Once citizen data has been collected for one purpose, it cannot be diverted to another purpose without explicitly seeking the citizen’s consent.


This means data collected by the IEBC for election purposes cannot be shared with third parties or agencies without first getting consent from the voter. Data recorded from your mobile money transactions cannot be shared with the Kenya Revenue Authority without your consent.

Similarly, hospitals, educational institutions and others cannot share your records with third parties without your consent. These are some of the rights that citizens will enjoy once the data protection regime kicks in.

However, a lot of capacity building will need to be done after the enactment phase in order to realise most of these benefits. But in the meantime, Kenyans should look forward to very interesting times ahead and protect their rights over their data.

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @Jwalu