THE DATA PROTECTION BILL, 2018
A Bill for AN ACT of Parliament to give effect to Article 31(c) and (d) of the Constitution; to promote the protection of personal data; to regulate the manner in which personal data may be processed; to provide persons with rights and remedies to protect their personal data; and to regulate the flow of personal information across the borders of the country; and for connected purposes.
OBJECTS AND PRINCIPLES OF PROTECTION OF PERSONAL DATA:
The following principles shall guide the interpretation and application of this Act —
- Information shall be collected, processed, stored or dealt with in any other manner if it is necessary for or directly related to a lawful, explicitly defined purpose and shall not intrude on the privacy of the data subject;
- Information shall be collected directly from and with the consent of the data subject;
- Where information relating to the data subject is held by a third party, the information may only be released to another person or put to a different use with the consent of the data subject;
- The data subject shall be informed of the purpose to which the information shall be put and the intended recipients of that information at the time of collection;
- Information shall not be kept for a longer period than is necessary for achieving the purpose for which it was collected;
- Information shall not be distributed in a manner that is incompatible with the purpose for which it was collected with the consent of the person and subject to any notification that would attract objection;
- Reasonable steps shall be taken to ensure that the information processed is accurate, up-to-date and complete;
- Appropriate technical and organizational measures shall be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information;
- Data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate.
Its effect and response on Public Sector i.e. DCI, DPP, Evidence in court etc.
If law enforcement agencies such as the DCI are not granted explicit access to user data, the DCI may need to obtain the consent of the owner of the data before carrying out investigations, so as not to infringe his/her right to privacy. However, on matters of national security the law makes it possible for law enforcement to be granted access to personal data.
However, because this is debatable, investigations may take longer to deliver results as legal battles bar law enforcement from accessing personal data using court orders, especially in cases where there is no supporting evidence that would make it admissible for the investigating bodies to access the data. This may result in delayed justice or no justice at all.
According to the Bill, companies will now have to inform users of any personal data they are collecting, the purpose for collecting that data and how long it will be stored. The law also gives users the right to decline to have their data collected or processed, as well as to demand that false data be corrected or deleted.
A person found guilty of interfering with the personal data of others or infringing on their right to privacy will be liable, on conviction, to a fine not exceeding Sh500,000 or to imprisonment for a term not exceeding two years, or to both.
The Bill is, however, mum on penalties or fines applicable to corporates found guilty of the same and leaves it to the complaints commission to decide the course of action.
This comes in the wake of a global push to create legislation that safeguards the data and privacy of users as digital technologies become more ubiquitous.
Its effect on data analysts and marketing companies on how they use data they mine from apps, websites etc.
Marketing and data analytics companies may be required to reach an explicit agreement with the user before they can access, manipulate and modify the data at will, and to store the data subject to the user's revocation under the terms of the agreement. However, this industry infringes heavily on the privacy of user data, and it does so by hiding its terms in long scrolls of text that do not attract the user's attention. The majority of users end up agreeing to the terms so as to access their information. Unfortunately, ignorance is no defense, and the user cannot complain in a court of law about any damage caused.
How it will affect cyber security.
The Data Protection Bill may have a positive impact on cybersecurity, as data handling will be safely regulated and data will not be exposed to a bigger threat landscape. Minimizing the threat landscape may mean less data exfiltration or data infiltration, resulting in a safer cyberspace. However, the confidentiality, integrity and availability of data will always be compromised, as the law may not fully cover the data protection implementation procedures or the ever-growing skills and sophistication of the threat actors.
Advantages of the bill
- Better data handling and protection by both public and private sector
- User right to data privacy ensured
- User consent on handling of his/her data ensured
- User control over what should happen to his/her data ensured.
Disadvantages of the bill.
- Additional cost to data analytics and market intelligence companies as they bring the user on board
- Delayed justice in law enforcement where the user needs to agree for his/her data to be accessed