Introduction to the principles of data protection

The Data Protection Bill, 2019 at clause 25 outlines 8 principles of data protection. The purpose of these principles is to give organizations, companies or persons who process personal data guidance on how to handle the data. The Bill places a duty on the data controller and processor to ensure compliance with the principles. 

The penalty for failure to apply these principles would be a fine not exceeding Kshs. 3 million or imprisonment of a term not exceeding 2 years.

History of the principles

In 1980 the OECD Privacy Guidelines provided the earliest principles of data protection. In 1981 the European Council’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data provided for principles of data protection. The principles found in Article 5 are similar to what we have today in the Bill.

In 1995 the European Union adopted the European Union Directive 95/46/EC provides for the principles of data quality. The Directive was superseded by the General Data Protection Regulations in 2016 which expanded the principles.

Principles under the Data Protection Bill, 2019

Section 25 of the Bill proposes that 25 every data controller or data processor shall ensure that personal data is—

1. processed in accordance with the right to privacy of the data subject;
2. processed lawfully, fairly and in a transparent manner in relation to any data subject;
3. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
4. adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
5. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
6. kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected;
7. released to a third party only with the consent of the data subject; and
8. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

How does the Bill compare to the EU General Data Protection Regulations?

The GDPR has similar principles but they differ in a few small ways. The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). The Bill does not have this principle.

The Bill also adds that processing shall be done in accordance with the right to privacy and that personal data should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. Under the GDPR Transfer of data outside the Jurisdiction is not a principle but it is covered under Chapter V of the GDPR.

Infringements of the basic principles for processing personal data under the GDPR are subject to a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Exceptions to the principles

There is no exception to the principles of lawful processing, minimization of collection, data quality, and adopting security safeguards to protect personal data.

However, the Act provides that the following will not be required to comply with the other principles of data protection:-

1. Processing of data for purely personal or household activity
2. It is necessary for national security or public order
3. Disclosure is required under any written law or by an order of the court
4. Processing for journalism, literature, and art
5. Processing for research, history or statistics
6. Exceptions by the Data Commissioner

Why should the principles matter to you?

If the Bill is passed…

As a data processor or controller who is holding personal data of your employees, suppliers or clients you will need to examine your systems of processing to ensure that they are in line with the principles.

As a data subject if you know there are organizations or companies that have your personal data and they are not processing it in accordance with the principles then you will be able to make a complaint to the Data Commissioner.

In the articles to follow we will be examining each principle and how it will affect the data subject, data processor and data controller.