Principles Of Data Protection
Every data controller or data processor shall ensure that personal data is—
(a) processed in accordance with the right to privacy of the data subject;
(b) processed lawfully, fairly and in a transparent manner in relation to
any data subject;
(c) collected for explicit, specified and legitimate purposes and not further
processed in a manner incompatible with those purposes;
(d) adequate, relevant, limited to what is necessary in relation to the
purposes for which it is processed;
(e) collected only where a valid explanation is provided whenever
information relating to family or private affairs is required;
(f) accurate and, where necessary, kept up to date, with every
reasonable step being taken to ensure that any inaccurate personal
data is erased or rectified without delay;
(g) kept in a form which identifies the data subjects for no longer than is
necessary for the purposes which it was collected; and
(h) not transferred outside Kenya, unless there is proof of adequate data
protection safeguards or consent from the data subject.
Commercial Use Of Data
A person shall not use, for commercial purposes, personal data obtained
pursuant to the provisions of this Act unless the person—
(a) has sought and obtained express consent from a data subject; or
(b) is authorised to do so under any written law and the data subject has
been informed of such use when collecting the data from the data
subject.
(2) A data controller or data processor that uses personal data for commercial
purposes shall, where possible, anonymise the data in such a manner as to ensure
that the data subject is no longer identifiable.
(3) The Cabinet Secretary, in consultation with the Data Commissioner, may
prescribe practice guidelines for commercial use of personal data in accordance
with this Act.
Grounds For Processing Sensitive Personal Data
Processing of sensitive personal data
No category of sensitive personal data shall be processed unless section 25
applies to that processing.
Permitted grounds for processing sensitive personal data
Without prejudice to section 44, sensitive personal data of a data subject may
be processed where—
(a) the processing is carried out in the course of legitimate activities with
appropriate safeguards by a foundation, association or any other
not-for-profit body with a political, philosophical, religious or trade union
aim and on condition that—
(i) the processing relates solely to the members of the body or to
persons who have regular contact with it in connection with its
purposes; and
(ii) the personal data is not disclosed outside that body without the
consent of the data subject.
(b) the processing relates to personal data which is manifestly made
public by the data subject; or
(c) processing is necessary for—
(i) the establishment, exercise or defence of a legal claim;
(ii) the purpose of carrying out the obligations and exercising
specific rights of the controller or of the data subject; or
(iii) protecting the vital interests of the data subject or another
person where the data subject is physically or legally incapable
of giving consent.
Personal data relating to health
(1) Personal data relating to the health of a data subject may only be processed—
(a) by or under the responsibility of a health care provider; or
(b) by a person subject to the obligation of professional secrecy under
any law.
(2) The condition under subsection (1) is met if the processing—
(a) is necessary for reasons of public interest in the area of public health;
or
(b) is carried out by another person who in the circumstances owes a duty
of confidentiality under any law