{"id":1046,"date":"2019-08-09T20:33:02","date_gmt":"2019-08-09T17:33:02","guid":{"rendered":"http:\/\/rilaniadvocates.legal\/?p=1046"},"modified":"2025-01-10T12:58:38","modified_gmt":"2025-01-10T12:58:38","slug":"introduction-to-the-principles-of-data-protection","status":"publish","type":"post","link":"https:\/\/rilaniadvocates.legal\/index.php\/2019\/08\/09\/introduction-to-the-principles-of-data-protection\/","title":{"rendered":"Introduction to the principles of data protection"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/rilaniadvocates.legal\/wp-content\/uploads\/2019\/08\/Data-Protection-Principles-2.jpg?fit=1024%2C633\" alt=\"\" class=\"wp-image-1059\"\/><\/figure>\n\n\n\n<p>The\nData Protection Bill, 2019 at clause 25 outlines 8 principles of data\nprotection. The purpose of these principles is to give organizations, companies\nor persons who process personal data guidance on how to handle the data. The\nBill places a duty on the data controller and processor to ensure compliance\nwith the principles.<\/p>\n\n\n\n<p>The\npenalty for failure to apply these principles would be a fine not exceeding\nKshs. 3 million or imprisonment for a term not exceeding 2 years. <\/p>\n\n\n\n<p><strong>History of the\nprinciples<\/strong><\/p>\n\n\n\n<p>In\n1980 the OECD Privacy Guidelines provided the earliest principles of data\nprotection. In 1981 the European Council\u2019s Convention for the Protection of\nIndividuals with regard to Automatic Processing of Personal Data provided for\nprinciples of data protection. The principles found in Article 5 are similar to\nwhat we have today in the Bill. <\/p>\n\n\n\n<p>In\n1995 the European Union adopted Directive 95\/46\/EC, which provides\nfor the principles of data quality. The Directive was superseded by the General\nData Protection Regulations in 2016 which expanded the principles. 
<\/p>\n\n\n\n<p><strong>Principles under\nthe Data Protection Bill, 2019<\/strong><\/p>\n\n\n\n<p>Section\n25 of the Bill proposes that every data controller or data processor shall\nensure that personal data is\u2014<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>processed\nin accordance with the right to privacy of the data subject;<\/li>\n\n\n\n<li>processed\nlawfully, fairly and in a transparent manner in relation to any data subject;<\/li>\n\n\n\n<li>collected\nfor explicit, specified and legitimate purposes and not further processed in a\nmanner incompatible with those purposes;<\/li>\n\n\n\n<li>adequate,\nrelevant, limited to what is necessary in relation to the purposes for which it\nis processed;<\/li>\n\n\n\n<li>accurate\nand, where necessary, kept up to date, with every reasonable step being taken\nto ensure that any inaccurate personal data is erased or rectified without\ndelay;<\/li>\n\n\n\n<li>kept\nin a form which identifies the data subjects for no longer than is necessary\nfor the purposes which it was collected;<\/li>\n\n\n\n<li>released\nto a third party only with the consent of the data subject; and<\/li>\n\n\n\n<li>not\ntransferred outside Kenya, unless there is proof of adequate data protection\nsafeguards or consent from the data subject.<\/li>\n<\/ol>\n\n\n\n<p><strong>How does the Bill\ncompare to the EU General Data Protection Regulations?<\/strong><\/p>\n\n\n\n<p>The\nGDPR has similar principles but they differ in a few small ways. The GDPR\nrequires that personal data is processed in a manner that ensures appropriate\nsecurity of the personal data, including protection against unauthorized or\nunlawful processing and against accidental loss, destruction or damage, using\nappropriate technical or organizational measures (\u2018integrity and\nconfidentiality\u2019). The Bill does not have this principle. 
<\/p>\n\n\n\n<p>The Bill also adds that processing shall be done in accordance with the right to privacy and that personal data should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. Under the GDPR, transfer of data outside the jurisdiction is not a principle, but it is covered under Chapter V of the GDPR.<\/p>\n\n\n\n<p>Infringements of the basic principles for\nprocessing personal data under the GDPR are subject to a fine of up to \u20ac20\nmillion, or 4% of your total worldwide annual turnover, whichever is higher.<\/p>\n\n\n\n<p><strong>Exceptions to the principles<\/strong><\/p>\n\n\n\n<p>There is no exception to the principles of lawful processing, minimization of collection, data quality, and adopting security safeguards to protect personal data. <\/p>\n\n\n\n<p>However, the Act provides that the following will\nnot be required to comply with the other principles of data protection:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Processing of data for purely personal or household activity<\/li>\n\n\n\n<li>Processing that is necessary for national security or public order<\/li>\n\n\n\n<li>Disclosure required under any written law or by an order of the court<\/li>\n\n\n\n<li>Processing for journalism, literature, and art<\/li>\n\n\n\n<li>Processing for research, history or statistics<\/li>\n\n\n\n<li>Exceptions by the Data Commissioner<\/li>\n<\/ol>\n\n\n\n<p><strong>Why should the principles matter to you?<\/strong><\/p>\n\n\n\n<p>If the Bill is passed\u2026<\/p>\n\n\n\n<p>As a data processor or controller who is holding\npersonal data of your employees, suppliers or clients, you will need to examine\nyour systems of processing to ensure that they are in line with the principles.\n<\/p>\n\n\n\n<p>As a data subject, if you know there are organizations or companies that have your personal data and they are not processing it in accordance with the principles, then you will be able to make a 
complaint to the Data Commissioner. <\/p>\n\n\n\n<p>In the articles to follow we will be examining each principle and how it will affect the data subject, data processor and data controller. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Data Protection Bill, 2019 at clause 25 outlines 8 principles of data protection. The purpose of these principles is to give organizations, companies or persons who process personal data guidance on how to handle the data. The Bill places a duty on the data controller and processor to ensure compliance with the principles.&nbsp; The&hellip; <br \/> <a class=\"read-more\" href=\"https:\/\/rilaniadvocates.legal\/index.php\/2019\/08\/09\/introduction-to-the-principles-of-data-protection\/\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":1787,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-series"],"_links":{"self":[{"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/posts\/1046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/comments?post=1046"}],"version-history":[{"count":1,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/posts\/1046\/revisions"}],"predecessor-version":[{"id":1834,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/posts\/1046\/revisions\/1834"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rilaniadvocates.legal
\/index.php\/wp-json\/wp\/v2\/media\/1787"}],"wp:attachment":[{"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/media?parent=1046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/categories?post=1046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rilaniadvocates.legal\/index.php\/wp-json\/wp\/v2\/tags?post=1046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}