By Jackline Akello
The following post is the third of CIPIT’s analysis of the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on Section 25(e), which provides that personal data needs to be accurate and up to date, and contains a right to rectify or erase inaccurate personal data.
As noted in our previous two posts, the Data Protection Bill, 2019 [1], has been designed to give effect to the right to privacy provided under Article 31 (c) and (d) of the Constitution of Kenya, 2010, which states that – every person has a right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communication revealed. By using the word “includes”, the Constitution seems to allow a wide interpretation of the right, for example to cover all personal information.
The Data Protection Bill has set in place mechanisms for the protection of personal data by: establishing the Office of the Data Protection Commissioner which shall oversee the implementation and enforcement of the Act, making provisions for the regulation of processing of personal data, and, providing rights of data subjects and obligations of data controllers and processors.
The Bill in Section 25 additionally lays down principles [2] intended to govern data protection, where data controllers [3] and data processors [4] are called upon to ensure that personal data is – processed [5] in accordance with the right to privacy of the data subject [6]; processed lawfully, fairly and in a transparent manner (Principle of Lawfulness, Fairness and Transparency); collected for a specific, explicit and legitimate purpose (Principle of Purpose Limitation); adequate, relevant, limited to what is necessary in relation to the purposes for which it was processed (Principle of Data Minimization); accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay (Principle of Accuracy); kept for no longer than is necessary for the purpose for which it was collected (Principle of Storage Limitation); released to a third party only with the consent of the data subject; and is not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
This article focuses on the Principle of Accuracy laid out in Section 25 (e) of the Bill, which highlights the following key aspects: the need for personal data to be accurate, the need for personal data to be kept up to date, and the need for reasonable steps to be taken to erase or rectify personal data, where it is found to be inaccurate.
Section 25 (e) of the Data Protection Bill is similar to Article 5 (1) (d) of the GDPR. Article 5 (1) (d) of the GDPR, however, adds that personal data shall be erased or rectified having regard to the purposes for which they are processed. Section 25 (e), on the other hand, sets no limit and allows for rectification or erasure of any inaccurate personal data. This section of the Bill is seen to essentially equip data subjects with more control over their personal data by allowing them to have any inaccurate data about them corrected without any qualification, as opposed to the GDPR, which tends to limit this. The Bill in this case appreciates the fact that data subjects have rights over their personal data and the significance of allowing them to exercise control over their data.
It is important to note that the Data Protection Bill does not define the word “accurate”, neither does it define the word “inaccurate”. However, from an analysis of section 26 (d) & (e) [7], the word “inaccurate” could be interpreted to mean false or misleading as to any matter of fact.
To reinforce the principle of accuracy, data subjects are further equipped with the right to rectification under Section 26 (d) & (e) where they are entitled to correction and deletion of false and misleading data about them.
Such false and misleading data is corrected and deleted at the request of a data subject as stated in Section 40 (1) (a) [8], which obliges data controllers and processors to rectify it without undue delay, upon the request of the data subject. Where the data has been shared with a third party, the Bill calls upon the data controller to take all reasonable steps to inform the third party of the data subject's request for rectification. [9] This therefore leaves data subjects with the burden of checking the accuracy of their processed personal data.
Consequently, Section 34 (1) (a) also affords a data subject an opportunity to contest the accuracy of their personal data. In this vein, a data controller or processor is required to restrict the processing of such data, upon the request of the data subject, for a period enabling the data controller to verify the accuracy of the contested data. This section can also be seen to be providing data subjects with more control over their personal data.
Data inaccuracy occurs in many forms, ranging from mistakes made in historical records to mistakes made in personal records. For instance, an error in a historical record can be in the form of a loan holder maintaining data about where a person has lived. If the person moves from point A to point B and their current residence is still listed as point A, then their personal data would be inaccurate. Mistakes in personal records can also be made, e.g. by having an incorrect date of birth recorded. [10]
There is a high risk that if the data collected is not accurate and up-to-date, then the outcome of decision-making processes will be inaccurate, as key decision and policy-making processes rely on data. In most scenarios, this could lead to a decision that an individual is not granted access to public services, or to welfare programs, or given a loan. For example, there have been instances of individuals wrongly denied a loan or mortgage on their houses because the company in charge of reviewing their credit score had inaccurate information which brought down their rating, or because inaccurate information was registered by banking institutions which made an individual an undesirable customer. [11]
In conclusion, the Data Protection Bill comes in to cure such inaccuracies. It does this, first, by empowering data subjects through giving them control over their personal data. Data subjects can exercise such control by: requesting correction of ‘any’ inaccurate data about them [12], contesting the accuracy of their data [13], and keeping regular checks of their data for purposes of ensuring that it is up to date. Secondly, it does this by mandating data processors and controllers with the responsibility of: ensuring that data is accurate and not misleading in a way that could be harmful to the data subject, making efforts to keep personal data updated where reasonable and applicable, making timely efforts to correct or erase personal data when inaccuracies are discovered, and reviewing all challenges to the accuracy of personal data and correcting or erasing where necessary (right to rectification). Implementation of this Bill upon enactment will ensure accuracy of processed data, as data subjects will have a channel for seeking corrections. The Bill, in this case, can be said to be in line with the Constitution by recognizing that data subjects have rights over their personal data.
1 A Bill that seeks to protect personal data.
2 Data Protection Bill 2019, s25.
3 Defined in Section 2 of the Act as; a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
4 Defined in Section 2 of the Act as; a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
5 Defined in Section 2 of the Act to mean: Any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as-
- Collection, recording, organization, structuring;
- Storage, adaptation or alteration;
- Retrieval, consultation or use;
- Disclosure by transmission, dissemination, or otherwise making available, or;
- Alignment or combination, restriction, erasure or destruction.
6 Defined in Section 2 of the Act as; an identified or identifiable natural person who is the subject of personal data.
7 A data subject has a right to deletion of false or misleading data about them.
8 A data subject may request a data controller or processor to rectify without undue delay, personal data in its possession or under its control that is inaccurate, outdated, incomplete or misleading.
9 Section 40 (2) (a): Where the data controller has shared the personal data with a third party for processing purposes, the data controller or processor shall take all reasonable steps to inform third parties processing such data that the data subject has requested the rectification of such personal data in their possession or under their control that is inaccurate, outdated, incomplete or misleading.
10 GDPR Principles: Accuracy
11 A Guide for Policy Engagement on Data Protection, Part 3 Data Protection Principles, Transparency International
12 Right to Rectification, Section 26 (d) & (e).
13 Section 34 (1) (a): A data controller or a data processor shall, at the request of a data subject, restrict the processing of personal data where accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the data.