Keynans are ‘guaranteed’ the ‘right’ to privacy under Article 31(c) and (d) of the Constitution, a ‘right’ that is supposedly given force by the Data Protection Act of 2019, but a survey by the consultancy firm Ernst & Young suggests that such rights and guarantees mean little.

Ernst & Young Survey

According to the Ernst & Young survey, more than one-in-five Kenyan companies share their customers’ personal and financial information without getting their consent to so.

41 per cent of companies surveyed transferred customer data to third-party service providers and more than 53 per cent did not customer approval before sharing the data.

In theory passing on data in this way is against the law whether it be done by private companies or government entities, carrying a penalty of up to Sh3 million, or ten years in prison for individuals involved, or up to Sh5 million or one per cent of turnover for firms contravening the Act.

Ernst & Young surveyed leading banks, asset managers, insurance companies, retailers and manufacturers.

According to the report personal information and client data was passed on for use in sending SMS alerts, to advertisers and law enforcement officers.

Data Protection Commissioner

Even though the government a Data Protection Commissioner, Immaculate Kassait, to head an independent office to investigate breaches of the data regulation law, the 2019 Data Protection Act has not as yet been implemented.

In January of this year the ICT Cabinet Secretary Joe Mucheru set up a Taskforce for the Development of the Data Protection General Regulations. With a term of just six months the Taskforce is mandated to develop data protection regulations, auditing the Act and identifying inconsistencies in the Act. At the end of this process the Task force is supposed to propose any new policy or legal and institutional framework that might be required to implement the Act.

Until the necessary action is taken Kenyans risk having their identities cloned, being the victims of fraud, or being subject to improper intrusion from state organisations.