The time has come when we need to develop comprehensive legislation that protects our personal data. One of the major cornerstones of information security is the Freedom of Information Act (F.I.A) that should be enacted in Kenya as soon as possible.
Personal information is these days collected by various organizations. The loyalty cards in supermarkets gather our purchasing data and hospitals are crammed with electronic medical records. Educational institutions, banks, companies and the government have become massive repositories of personal information. These entities are called data controllers and under the F.I.A they have to comply with certain legal obligations. Personal information, in this context, is data about where you purchase goods or services, how these purchases are paid for, the delivery address for the same, your home address and names.
Before we outline those obligations let us expound further on who a data controller is because it could include you. A data controller is a title given to a person or entity (individual, company or organization) that decides why personal data is held and the way in which such data is dealt with. Any local company that holds personal data and uses it to do business is a data controller. That kiosk owner who keeps a record of customers who purchase on credit is also a data controller. If you hold a list of your friends’ addresses so that you can send them a Christmas card then you are, strictly speaking a data controller.
Data controllers in Kenya should be subjected to two main legal obligations once the F.I. A is enacted. They should first comply with the eight principles of good information handling. The data controller is obligated to: process personal data fairly and lawfully, obtain and process personal data only for one or more specified and lawful purposes, ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held, ensure that personal data is accurate and, where necessary, kept up to date, ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained, process personal data in accordance with the rights of the individuals to whom the information relates, ensure that personal data is kept secure and finally ensure that personal data is not transferred to a country that does not provide an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates. These obligations if entrenched as a law would go a long way in protecting your personal information.
We shall outline the second legal obligation in next week’s article and examine the risks we individually and collectively face when our personal information is not protected by legislation.