CONTENTIOUS CLAUSES

CS Mucheru, senators strike deal on data protection bill

Heads of state and private institutions will be jailed or fined if they share information without consent

In Summary

• Bill seeks to protect personal data from misuse by Government agencies and private agencies

• Mucheru proposed the establishment of an independent regulatory authority to oversight Data Protection under the proposed law

ICT CS Joe Mucheru before the ICT Senate committee on Tuesday, March 18, 2019
ICT CS Joe Mucheru before the ICT Senate committee on Tuesday, March 18, 2019
Image: EZEKIEL AMING'A

ICT Cabinet Secretary Joe Mucheru and senators have agreed on contentious clauses in a bill seeking to protect vital personal data of Kenyans and foreigners living in Kenya.

The Data Protection and Privacy Bill 2018 was introduced in the House last July but got stuck after Mucheru petitioned the Senate’s ICT Committee over some clauses.

The proposed law seeks to protect personal data from misuse by government agencies and private agencies.

 

“This bill ensures that whoever handles your data, will not use it to discriminate you, but use it for very legitimate reasons as stipulated in the Constitution,” Mucheru said.

Yesterday, the committee chaired by Baringo Senator Gideon Moi, who is also the sponsor of the bill, agreed to incorporate all the amendments proposed by the ministry.

Mucheru proposed the establishment of an independent regulatory authority to oversight data protection under the bill. The original one had proposed that the Communication Authority of Kenya to oversight the Act.

“Best practices provide for the establishment of an independent (institutional and financial independence) to deal solely with data protection,” he said.

The CS further argued that lack of human capacity and work overload at CAK would have hindered effective oversight of the Act.

The CS also proposed the establishment of a register of all persons or institutions processing data to allow for sufficient and effective oversight of the processing activities.

He further proposed the introduction of a data protection assessment clause to identify foreseeable internal and external risks in the processing of huge amounts of data.

 

"We need to also remove the commencement date to allow the progressive application of the law. Application of the proposed law will require capacity building," he said.

If the bill is passed and signed into law, heads of institutions, government or private agencies which share their employees or clients' personal data will be jailed for five years or fined Sh500,000 or both.

The bill will move to the Third Reading when senators resume from recess next Tuesday.

If the Senate approves it, the bill will go to the National Assembly for approval or otherwise. Moi said the process would be concluded in two months.

According to the bill, agencies should not collect and process data on a person’s information, his race and ethnic origin, religious beliefs, political persuasions and health status unless there is a special reason to do so.

“An agency shall not transfer personal data of a subject outside the territory of the Republic of Kenya unless the subject consents the transfer and it will be beneficial to the subject,” the bill states. 

“Where an offence has been committed by a body corporate body with the consent or connivance of or to be attributed to any neglect on the part of any director, manager or secretary, that person as well as the body corporate, shall be guilty of that offence,” reads the bill.