Access to Information and Data Protection (in Kenya)

On one hand, The Access to Information Act 2016 gives the public the right to access certain government information. This Act defines ‘‘information” as all records held by a public entity or a private body, regardless of the form in which the information is stored, its source, or the date of production. This includes information held in written documents, reports, memos, letters, notes, emails and draft documents; non-written documentary information, such as material stored on or generated by computers and databases, video and tape recordings, maps and photographs; and information which is known to an agency but which has not yet been recorded in writing or otherwise.  On the other hand, Kenya enacted the Data Protection Act, 2019 (the Act/DPA) to regulate the collection and processing of data (especially of personal data including ‘legal persons’) in Kenya. The Act outlines the principles of data protection. It further stipulates the rights of persons whose data is collected, including the right to: be informed of the use to which their personal data is to be put; access their personal data in custody of a data controller or data processor; to correction of false or misleading data; and to deletion of false or misleading data about them. 

Data protection law attaches enforceable rights and duties to personal data – a concept it defines very broadly. Further, on its processing by data controllers, those who collect and use personal information in myriad contexts both within and outside government. Fundamental in data protection law is the purpose for which any given information is collected. Usually the purpose is specific, direct and routine – for example, to administer a benefits scheme; to provide household goods or banking services to customers; to issue a driving licence. Typically, the personal data is not going to be published. The data should be accurate, relevant and up to date. To this end the law gives individuals rights to seek rectification or erasure of their personal data.

“The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.”ICCPR, Article 17 G.C. No. 16-10

What do we really mean by ‘Data Protection’? 

Privacy and data protection are two interrelated Internet governance issues. Privacy is usually defined as the right of individuals to control their own personal information  – that is to know (how it is used including sharing with third parties) and to say no (to its disclosure). Privacy will often apply to a personal sphere. Data protection is the legal mechanism that ensures privacy. It could also be said that the purposes of data protection is the protection of privacy or protection of personal information. Nothing explains it better than this example: physical contact falls under privacy but not under data protection. Alternatively, when someone gives their address to a hotel for billing purposes data protection rules apply, but it will generally not be a privacy matter. Consequently, privacy and data protection have situations in which they apply individually (like in the previous example) or together like in the Google Spain case. The adage “The Internet never forgets” is no longer correct in the European Union due to the ruling on 13 May 2014 where the European Court of Justice ruled that persons may, under certain circumstances, request search engine providers to delete links to web pages which contain personal data from their list of results (case C-131/12).

A broader view

Data rights count for more than just privacy; they are about freedoms to shield oneself from any undesirable control from either state or non-state actors. Personal data must be treated as an intrinsic human right. These rights are guaranteed in the United Nations International Bill of Human Rights, as contained in the International Covenant on Civil and Political Rights (ICCPR). These rights had been with us as far back as 10 years before the advent of the big tech firms in the 2000s