Online, our data comprises our lives. With all the shopping and interacting we do on the web, interested observers can tell where we’ve been, who we went with, what we ate there, etc. Data collection is a part of the modern world and its why companies like Facebook and Google are so profitable.

It can be helpful. Data collection streamlines the adverts we get on social media. It helps keep the apps on our phones and laptops streamlined to our needs and interests.

The collection of all our data can also feel invasive.

The Kenyan Government’s latest Data Collection Act came into force on the 25th of November 2019. It stipulates a number of changes to your rights. You could read the whole document here. But if you haven’t got the time, we have compiled a short list of its most important and salient points. This article will explain why this document is important and how its stipulations may affect you.

This act hopes to bring Kenya into alignment with the EU’s General Data Protection Regulations. Indeed, much of the language seems to have been lifted directly from that, or another, similar document.

Why is that important? It is important because Data Protection is important. It is important to online users like you and me because we value our privacy, because we want to know our online activity is being protected from prying eyes.

This has ramifications on business. Because the consumer cares so much about data protection, Kenyan tech businesses are unlikely to win foreign investment unless those investors trust in the Kenyan safeguards. The hope is that they will trust those safeguards better if they align themselves with internationally recognised protection.

This brings us to point number 2: this legislation is likely to encourage growth in the tech industry.

Tech companies such as M-Pesa, for example, are built on revolutionary ideas. They have, however, been stunted in their reach because the country they operate out of fails to comply with international regulations.


By aligning itself with European standards, Kenya’s legislation hopes to achieve that legitimacy.

Now, on to the document itself.

The Data Protection Act is a very large, legal document and most of it is very dry text. It is designed to protect users from the abuses of external parties. Therefore, it is valuable to understand how far your protection goes.

Firstly, a note on terminology. Much of the document discusses how your data can be processed.

Data processing’ means any operation which is performed on your personal data. (That includes collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.) When they say ‘processing’ they mean ‘doing absolutely anything to’.

That may not have been the most interesting read. But it is essential to understanding what the rest of the document means to you. That’s because:

The ‘data subject’ (that’s you) has a number of rights that you should know about.

  • Firstly, you have the right to be informed of the processing of your personal data. If the authorities or any other ‘processors’ are collecting or disseminating anything documented about you, they have to tell you about it.
  • Secondly, you can access whatever data that is in their custody. If any interested party has been processing your data, they first have to inform you of this. Once they have, you have the right to see what they have collected.
  • Lastly, you have the right to the correction, erasure or deletion of misleading or false data.
  • You can take your consent away at any time. But that does not mean what they have collected while they had your consent will be erased. Bare that in mind.

Consent, however, is an interesting issue in Data processing. Many of us will be worried about how our data can be used and what say we have in that use.

Unfortunately, there is no clear answer to the question of under what circumstances can they use our data. Yes, they must seek your consent before they process any of your personal data. But, and it’s a big BUT, your consent can be worked around. Below is an example of how an interested party can do so:

  • Natural or legal persons, public authorities, agencies and any “other body which … determines the purpose and means of processing of personal data” (which seems like it could mean anyone) are not allowed to process your personal data without your consent. Unless, that is, one of a number of stipulations are met. One of those stipulations is if the data is being processed for purposes that are “journalistic, literature and art”.

Art and literature are up to interpretation, and journalism is anything you want it to be. So, if the interested parties want legal legitimacy to process your data, it seems like the just have to say it’s for an art project.

That said, there will be a code of conduct drawn up with regards to data processing for art, literature and journalism. So, these are just guidelines for future legislation at this point.

Those are some of the more important things to know about this new document. None of this means, I will stress, that governments and companies intend to misuse your data. But it is important to understand what can be done with it.