Stiff penalties for those who abuse private data

National Assembly Committee on Communication, Information and Innovation Chairman William Kisang during a public hearing on Data Protection Bill, 2019. [Boniface Okendo, Standard]
MPs have proposed stiff fines and lengthy prison sentences for individuals and companies that illegally obtain citizens’ personal data.

The penalties also target those who disclose or sell private data to third parties.

The recommendations are contained in a report of the National Assembly Departmental Committee on Communication, Information and Innovation on the Data Protection Bill, 2019.

The bill, which has been undergoing public hearings, states: “A person who commits an offence under this Act for which no specific penalty is provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding 10 years.”

SEE ALSO :Tech industry players push for changes in data rules

The recommendations are among a raft of changes the William Kisang-led committee is proposing to the Government-sponsored Bill.

The report was tabled in the House last week and its proposals will be considered when lawmakers return from recess in the next 10 days.

The bill defines personal data as "any information relating to an identified or identifiable natural person".

For More of This and Other Stories, Grab Your Copy of the Standard Newspaper.

Jail term

The bill had initially provided for a jail term of two years for law breakers, but stakeholders who appeared before the House team, including Amnesty International, termed the penalty lenient, and advised it be enhanced.

SEE ALSO :Don’t block State from spying, Haji tells MPs

The lawmakers said this initial penalty "may not serve the purpose of ensuring protection of personal data".

The proposed legislation seeks to give effect to the right to privacy as provided for in the Constitution by setting out the requirements for the protection of personal data processed by both public and private entities.

There have been concerns on the safety of private information in the hands of various entities, including Government agencies.

Early this year, Kenyans raised questions on the safety of information collected during the Huduma Namba registration exercise. The Government insisted that the information was secure.

Among those likely to be affected by the stiff penalties are mobile phone service providers, health practitioners, financial service providers and Government agencies that store large amounts of individuals' data.

MPs have also tightened conditions under which personal data may be obtained. They recommend that no Kenyan be forced to provide private information without informed consent.

Valid explanation

The committee wants such data to be provided "only where a valid explanation is provided".

“The additional principle was aimed at ensuring that data subjects are duly informed of the reasons for collection of data relating to private and family affairs so that they can make informed decisions before granting their consent,” the report states.

A data collector will also be required to inform persons from whom data is being collected about any third parties that will access the data, and the safeguards put in place to ensure the security and safety of such information.

In cases where State agencies seek personal data for public interest, such data will only be obtained thorough ex parte court orders, the committee has recommended.

Do not miss out on the latest news. Join the Standard Digital Telegram channel HERE.

Data Protection Bill2019Private DataLaw