Regulation 2013 Online

Data Protection Bill

...

Kenya

Data Governance


Definitions of Data:

Data 'means information which (a) is processed by means of equipment operating automatically in response to the instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment; (c) is recorded as part of a filing system or with the intention that it should form part of a relevant filing system...'.

Main Focus of Document:

Provides for the protection of personal information

Target Beneficiaries or Sectors:

N/A

Key Elements:

The Act is in force to regulate the collection, retrieval, processing, storage, use and disclosure of personal data.

Key details include:

13. (1) A data subject may, pursuant to Article 35 (2) of the Constitution, request an agency that holds personal data relating to him or her to correct or delete false or misleading data.

(2) An agency which holds personal data shall, if so requested by a data subject or on its own initiative, take steps to correct or delete false or misleading data.

(3) Where an agency rejects a request under subsection (1), it shall inform the data subject of the rejection and the reasons for the rejection in writing.

(4) An agency may reject a request under subsection (1) on the basis that the request does not amount to a request for the correction or deletion of data.

(5) Where an agency rejects a request by a data subject to correct data, the agency shall, if so requested by the data subject, attach to the data that it holds, in such manner as to be read together with that data, a statement provided by the data subject making the request.

(6) Where an agency attaches a statement provided by a data subject under subsection (5), that agency shall, if reasonably practicable, inform each person, body or agency to which the personal information has been disclosed of the attached statement.

(7) Where an agency receives a request pursuant to subsection (1), the agency shall inform the data subject of the action taken in relation to the request.

  1. An agency that holds personal data shall take reasonable steps to ensure that having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant and not misleading.

  2. An agency that holds personal data shall not keep the data for a longer period than is required for the purposes for which the information may lawfully be used.

  3. Subject to this Act or any other written law, an agency that holds personal data that was obtained in connection with one purpose shall not use the data for any other purpose.

  4. A person shall not use for commercial purposes, personal data obtained pursuant to the provisions of this Act unless: (a) it has sought and obtained express consent from data subject; or (b) it is authorised to do so under any other written law.

  5. (1) An agency that assigns unique identifiers to persons shall take all reasonable steps to ensure that unique identifiers are assigned only to persons whose identity is clearly established. (2) An agency shall not require a person to disclose any unique identifier assigned to him or her unless the disclosure is for one of the purposes for which that unique identifier was assigned or for a connected purpose.

  6. For the purposes of this Act, a person who interferes with personal data of a data subject or infringes on the right of a person to privacy commits an offence and is liable, on conviction, to a fine not exceeding one hundred thousand shillings or to imprisonment for a term not exceeding two years, or to both.

Consent, Data, Data privacy, Data processing, Data protection, Data subject, Personal data

Policy/regulation mirrored:

Data Protection Acts

Countries: