Access to Information and Data Protection (in Kenya)
On one hand, The Access to Information Act 2016 gives the public the right to access certain government information. This Act defines ‘‘information” as all records held by a public entity or a private body, regardless of the form in which the information is stored, its source, or the date of production. This includes information held in written documents, reports, memos, letters, notes, emails and draft documents; non-written documentary information, such as material stored on or generated by computers and databases, video and tape recordings, maps and photographs; and information which is known to an agency but which has not yet been recorded in writing or otherwise. On the other hand, Kenya enacted the Data Protection Act, 2019 (the Act/DPA) to regulate the collection and processing of data (especially of personal data including ‘legal persons’) in Kenya. The Act outlines the principles of data protection. It further stipulates the rights of persons whose data is collected, including the right to: be informed of the use to which their personal data is to be put; access their personal data in custody of a data controller or data processor; to correction of false or misleading data; and to deletion of false or misleading data about them.
Data protection law attaches enforceable rights and duties to personal data – a concept it defines very broadly. Further, on its processing by data controllers, those who collect and use personal information in myriad contexts both within and outside government. Fundamental in data protection law is the purpose for which any given information is collected. Usually the purpose is specific, direct and routine – for example, to administer a benefits scheme; to provide household goods or banking services to customers; to issue a driving licence. Typically, the personal data is not going to be published. The data should be accurate, relevant and up to date. To this end the law gives individuals rights to seek rectification or erasure of their personal data.
What do we really mean by ‘Data Protection’?
Privacy and data protection are two interrelated Internet governance issues. Privacy is usually defined as the right of individuals to control their own personal information – that is to know (how it is used including sharing with third parties) and to say no (to its disclosure). Privacy will often apply to a personal sphere. Data protection is the legal mechanism that ensures privacy. It could also be said that the purposes of data protection is the protection of privacy or protection of personal information. Nothing explains it better than this example: physical contact falls under privacy but not under data protection. Alternatively, when someone gives their address to a hotel for billing purposes data protection rules apply, but it will generally not be a privacy matter. Consequently, privacy and data protection have situations in which they apply individually (like in the previous example) or together like in the Google Spain case. The adage “The Internet never forgets” is no longer correct in the European Union due to the ruling on 13 May 2014 where the European Court of Justice ruled that persons may, under certain circumstances, request search engine providers to delete links to web pages which contain personal data from their list of results (case C-131/12).
A broader view
Data rights count for more than just privacy; they are about freedoms to shield oneself from any undesirable control from either state or non-state actors. Personal data must be treated as an intrinsic human right. These rights are guaranteed in the United Nations International Bill of Human Rights, as contained in the International Covenant on Civil and Political Rights (ICCPR). These rights had been with us as far back as 10 years before the advent of the big tech firms in the 2000s
The Human Rights Committee at the UN, in 1988, added the following to Article 17 of the ICCPR, on the Right to Privacy:
“The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.”ICCPR, Article 17 G.C. No. 16-10
“…relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted.”ICCPR, Article 17 G.C. No. 16-8
“…every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes…If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”ICCPR, Article 17 G.C. No. 16-10
30 years later, the General Data Protection Regulation (GDPR) has been established as a regulation in the European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). In Africa, data protection laws have gained traction; from 54 countries, about half have passed data protection laws in the last decade.
Kenyan law imposes strict requirements associated with informed content on the gathering of personal data. To the extent possible, personal data must be collected directly from individuals subject to their express consent in the prescribed form. The processing of personal data by a data subject must be an express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action. Any personal data sharing between parties should also be approved by the Office of the Data Protection Commissioner and has to be guided by a valid agreement with the data subject.
Open Government and Data Protection are not incompatible
We deem the right to information and the right to privacy as being complementary in nature; in fact, it ensures accountability and protections including from state overreach. Still, these two rights also tend to overlap when it comes to privacy interests perceived to override access to information interests; in fact, in the ATI Act in Kenya, privacy is listed as a limitation of right to access information.
But privacy should not be construed to mean that government systems and processes should not be transparent or accountable. Transparency should be interpreted as the need for citizens to understand how government decisions are made. It does not extend to publishing private records or exposing security risks to individual or collective interests. Rather, it is concerned with ensuring that the public are actively participating in government. The lack of transparency can conceal bad practices such as graft and other forms of fraud.