By Malcolm Kijirah
This post is the fourth in CIPIT’s series analysing the data protection principles provided for under section 25 of the Data Protection Bill. It focuses on section 25(f), which provides that personal data should be kept in a form which i
Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of
Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25(f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.
These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used
For example, it should be a primary privacy concern for any Kenyan citizen how the data generated by their communications online or over the phone is stored by local telecommunication companies, who can access that data (for example, if required for national security purposes), and for how long these companies hold it.
It is an open secret that the Bill borrows heavily from
- The purpose limitation principle – a data controller or data processor should only collect personal data for a specific purpose, clearly state what that purpose is, and only keep the data for as long as is necessary to fulfil that purpose. This principle has been reviewed in detail in this series of blogs, particularly in the post on s25(e).
- The storage limitation principle – this is effectively stated in the last part of the above principle, namely that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary’ mean in this context? In my view it means that data controllers should only process data for the time needed to execute the purpose for which that specific information was collected.
The question that follows is how this principle is given effect in the Bill. From this blogger’s review, aspects of this principle are found in the following clauses:
- Section 28(3) provides that a data controller or processor shall collect, use or store personal data for a lawful, specific and explicitly defined purpose (purpose limitation principle).
- Section 29(c) on the duty to notify, a data controller shall be mandated to inform the data subject of the purpose for which the personal data is collected (purpose limitation principle).
- Section 34(b) provides that processing of personal data may be restricted where personal data is no longer required for the purpose it was intended for (purpose limitation principle).
- Section 39 provides for limitation of retention of personal data and outlines some exemptions (storage limitation principle).