Five things Kenyans should consider in data protection bill

Guests follow proceedings during a data protection consultation forum at the Museums of Kenya in Nairobi on October 2, 2018. PHOTO | SALATON NJAU

What you need to know:

  • Proposed law should help to protect citizens against misuse as well as promote privacy.

Data protection is one of the challenges policymakers face in our times. You have probably entered a university or building where the guard at the gate asked you to leave your national identity card and phone number.

If you are as concerned as I am, have you ever asked yourself whether your personal information is safe? Have you ever wondered what the university or building owner does with your personal information after you leave? If you have not had these questions, then you should start asking yourself: “Is my personal information safe?”

It is with this in mind, among other important facts, that states should have data protection laws.

The Data Protection Bill 2019 is currently being taken through public participation.

However, Kenyans should have these five things in mind as they scrutinise the proposed new law.

The first thing that a data protection law should do is prohibit reuse and disclosure of your data. For us to understand the concept of reuse, we must first define use.

The concept of (primary) use requires the guard at the entrance of the building to only use the data for identifying you. That data should not, for example, be used later for any other purpose such as using the phone number you left to call you.

However, in some instances, the building where you left your data may want to use it again. This is what we call reuse (secondary use).

By reuse I mean data being used for an additional purpose other than the one you gave it for. Reuse of data can be classified into three categories.


The first category is what is referred to as recycling. This happens when data collectors use information for the same purpose more than once. For example, the security guard may use the information you left the previous day to identify you. This is not illegal; it only becomes illegal in cases where consent has been withdrawn.

The second category is referred to as repurposing. This happens when data collectors use data for an extra purpose other than recycling. This mostly happens in cases where you attend an event and the organisers ask for your personal information, such as your e-mail address.

The main purpose of the address is to serve as a tool for identification.

However, the organisation uses the same address to inform you about the next event or a new product.

Lastly, another way data is reused is by recontextualising it. This happens when a data collector sells data to a third party who may use the information for a purpose different from the initial one. For example, the guard at the building may sell your information to politicians who want to change the Constitution and have not collected the required number of signatures. Legally, recontextualisation and repurposing are viewed as illegal and should not happen. They should only happen with the full consent of the data subject. Organisations are, therefore, required to be transparent with individuals about how their data will be used.

The second thing that a good data protection law should have is the requirement of minimum data collection. This requires a data collector to collect information that is adequate, relevant and limited to what is necessary for the purpose for which they intend to use the data. For example, the security guard should not require you to submit your birth certificate in addition to your identification, as they don’t need this information.


Another thing that a Kenyan should have in mind is that the data that is kept on them should be accurate. This means that you should have a right to correct the information an organisation has on you.

In addition to correction, you are allowed to change the information when need be. Lastly, if you intend to leave a service provider, you should have the right to have your data completely deleted from their servers.

What Kenyans should also have in mind is that data must only be retained for as long as it is necessary. Therefore, the owners of the building should not keep your data for long. This requires data collectors to draw up a schedule on how long they intend to keep your data based on use. Your data should be kept for a reasonable time and thereafter completely deleted. This goes a long way in upholding data security.

Lastly, it would be unfair for us to develop a data protection law without including clauses on security, confidentiality and integrity. The data collected from you should be kept in a secure place to prevent it from getting to unauthorised persons. This will require data collectors to take reasonable steps to ensure the data they collect is secure. This will be achieved by encryption, resilience or the restoration process. Additionally, data collectors should have systems that detect and report data breaches before they cause harm.

Any data protection legislation that contains these five aspects should be viewed as progressive. This, combined with the user rights, should make up a very progressive data protection law that protects democracy and the rule of law.

Mugweru is a lawyer and data protection enthusiast.
