Data Protection bill is finally out – The key principles

Monday August 27 2018

The Ministry of ICT finally published the proposed Privacy and Data Protection Bill and is seeking public comments on the same. We seek to provide an overview of the general principles behind this bill. First we must recognise three key actors within the Data Protection regime: the data controllers, processors and subjects.

Data controllers determine the purpose for which, and the manner in which, the data collected on citizens is processed. Typical examples of data controllers include government departments like immigration and police, agencies like the Independent Electoral and Boundaries Commission (IEBC), universities and hospitals, among others.

Private sector data controllers would include your mobile service providers, banks, hospitals, supermarkets and insurers.

We should not forget the smaller data controllers like your neighbourhood garbage collecting company or security agency that possess private information about you.


The second key actors are data processors. They are those entities hired by the data controllers to process personal data on their behalf. 


For example, the French company hired by IEBC in the last general election to host our data in the cloud and provide the results transmission system acted as the data processors for the electoral commission. The IEBC was the data controller.

That security guard who expects you to declare your private data before granting you access to the office block would be another example of a data processor, acting on behalf of the company you wish to visit.

Finally, the data subject is the person whose personal data is held by either the data controllers or processors. The essence of a data privacy and protection regime is to ensure that the rights of the data subjects are secured and guaranteed.


In jurisdictions where there are few or no data protection frameworks, the data controllers and processors tend to have a field day, doing anything and everything they may want with the data they have collected.

Often, the data controllers have no legal or regulatory obligation to protect citizens’ data. The citizens have no avenues for recourse in the event their data is abused.

The bill seeks to define the obligations of data controllers and processors with regard to protecting the rights of the subjects.

The data controller will be obligated to secure the citizen data by ensuring that they institute procedures and implement systems that secure the personal information from confidentiality and integrity breaches. The bill also proposes the office of a data commissioner to regulate the sector.

The data commissioner will be expected to define data guidelines and standards and ensure that data controllers and processors comply.


For example, in case of data breaches, the data controller will be required to alert the subjects concerned and demonstrate to the commissioner that proper measures have been put in place to mitigate future breaches.

The bill also accords the data subject several rights. The key one is the right of consent. This right obligates data controllers to explain why they want to collect your data, how long they will keep it, how they will process it and, if applicable, whom they intend to share it with.

They will then seek consent from you before they proceed to collect your information. Most data controllers are silent on these parameters and prefer to collect as much data about you as possible without your knowledge.

The data commissioner will expect sampled evidence of consent sought for the various data-sets held by the various controllers.

Furthermore, such consent is not perpetual and the data subject would retain the right to be forgotten.


If you moved from one service provider to another, you should be able to demand that your former service provider surrenders the history of your mobile transactions to you and deletes the same from their system.

That data belongs to you and you should be able to decide who, how, when and where it can be used. 

But there would be exceptions, particularly with respect to government-related data. The data protection bill is meant to empower the citizen to reclaim and exercise his or her data rights.

Do not miss out on the ongoing public conversations on the Data Protection Bill at the Kenya ICT Action Network and the Jadili platforms.

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Twitter: @Jwalu