Members of the public sometimes receive messages on their phones informing them about products in the market, or about a service or an event.
How, they often wonder, do senders of such messages get their numbers? Does it bother you that your personal information is accessible and used without your consent?
When you enter a building, and you supply your name, ID number and phone details, do you also consent to your information being used in any other way, other than the reasons for giving your details? Is it even legal for a building management to require your personal information to allow you access to that building?
When Covid-19 struck, many of us received messages from the Ministry of Health on protocols to be observed. While this may be useful, do you have a say on how your private details should be used even by the government?
Financial affairs are particularly sensitive. Do you want people to know how you spend your money, whether you borrow, and whether you are in debt? There have been reports of information being passed between mobile lenders and other lending institutions so that people who may be in some financial difficulty receive unsolicited messages inviting them to take fresh loans to clear the first payment, thereby infringing on the data and privacy of borrowers. Do the terms and conditions of taking a loan from mobile lenders allow the lender to use a borrower's private information? Do those conditions allow the lender to use information about people who are not parties to the loan agreement?
Health information is something many people want to keep private. These examples show how our everyday engagements affect our right to privacy. These breaches also intersect with other rights such as expression, information, movement and residence, as well as human dignity for instance, the national intelligence service tapping into citizens’ phones or social media accounts to spy and use the information against them. Therefore, protection of the right to privacy involves protection of other rights, and breach of one right affects others.
THE LAW
Article 31 of our Constitution safeguards the right to privacy. It provides that every person has the right to privacy, which includes the right not to have their person, home, or property searched, their possessions seized, information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed.
The right to privacy is based on the idea that every human should have space to develop autonomously, have the liberty to interact with others, free from oppressive State intervention and extreme uninvited interference by other unwelcome individuals. We have the right to keep our personal matters to ourselves, unless there is good reason for others to know about them. This is why the Constitution protects the right to privacy.
In November 2019, President Uhuru Kenyatta signed the Data Protection Act. The Act gives effect to Article 31 on the right to privacy. It establishes the Office of the Data Commissioner, elaborates on the rights of citizens whose data is being collected, and regulates the processing of personal data and obligations of data collectors.
“Data”, under the Act means information that is held by someone else in some electronic database, or some other sort of filing system, or is any information held by a public institution. So it is any information given by you to someone else that they retain. And would cover the information if it is passed on to others to keep.
Privacy and fundamental human rights have to be protected to facilitate democratic space and good governance. This is the crucial reason why most democratic countries have data protection laws and regulations. The effort by the government to breathe life into and fortify the right to privacy and fundamental human rights by enacting the Data Protection Act and the regulations is laudable and a step in the right direction. However, more has to be done to ensure personal data and fundamental human rights such as privacy are protected.
The idea behind collecting personal data as provided for in the Data Protection Act is in the right place. Nonetheless, it can be undermined if people forgot that because data is a matter of public record does not mean that it is available for further processing, and its ‘public’ availability should not be construed as consent to its use for other purposes.
The fact that the authorities have information or data collected from citizens does not mean they can assume that citizens have given them the go ahead to use the information as they please. Moreover, even if there should be further processing of the data of an individual compelling reasons that override the fundamental freedoms, rights and interests must be given.
HOW YOUR DATA IS TO BE PROTECTED
The basic principles are first that personal information should not even be collected, if there is not good reason. If it is collected, it must be used only for the purpose for which it was collected, and must not be revealed to others — in a way that makes it possible to connect the information to the person it is about — without that person’s consent.
The Data Protection Commissioner was sworn in in November 2020. The functions of that office include overseeing the implementation of the Data Protection Act, exercising oversight on data processing operations, establishing and maintaining a register of people who collect and process data, and to receive and investigate complaints by any person about infringement of rights under the Act.
The Act and regulations have tried to address some of the problems that members of the public have been experiencing. For instance, commercial use of personal data to target marketing is regulated, and messages telling people they can opt-out of receiving marketing communications must be very clear, and the process free and simple and it must be easy to have unsolicited marketing messages stopped.
‘NATIONAL SECURITY’
Use of national security to justify infringing on citizens' privacy has been a headache for the protection and promotion of fundamental rights and freedom. The government would like to use it to have complete freedom to exercise state surveillance, thereby infringing on privacy and fundamental human rights. There have been numerous cases of police invading private residences to arrest citizens without authority, of surveillance by intelligence and other security services, without sanctions.
Mobile phones service providers have allowed intelligence personnel to access records of a person in criminal investigations, and digitization of services may allow anyone to confirm and publish details such as ownership of a vehicle, without the consent of the person concerned.
There are worrying exemptions in the Act. It simply does not apply if — “necessary for national security or public interest’ or any written law requires personal data to be disclosed (s. 51). These exemptions are wider than the Constitution allows.
There is a procedure for scenarios that would likely result in a high risk to the rights and freedoms of citizens whose data is being processed: a data protection impact assessment must be carried out before collected personal data is processed. The Huduma Number service would be an example. In fact, rolling out this system was delayed because of concerns — and a court order — about privacy of data. Now the regulations on that system say the Data Protection Act applies to it.
To conclude, data protection standards should be upheld as much as possible and comprehensive scrutiny should be specified to any limitation on the fundamental rights of citizens whose data has been collected, and the Office of the Data Protection Commissioner should consider and mitigate any prejudice to the privacy, fundamental rights and freedoms of citizens whose data is collected.
It is a hard area to understand but citizens should try to watch that the law is being properly used.
The author is a legal consultant and researcher at Katiba Institute
