As the world marks Data Privacy Day on 28th January 2023, Kenya has been busy this week with a series of activities organized by the Office of the Data Protection Commissioner (ODPC) to commemorate the day. The week-long events will culminate in a two-day Data Privacy Conference at the KICC themed “Promoting Data Privacy in a Digitally Transformed Economy”.

According to the ODPC, the aim of the Data Privacy Conference is focused on raising awareness among businesses and individuals and promoting conversations about the importance of protecting the privacy of their personal information, especially in the era where digital adoption has taken root across the globe in all spheres of the economy. Data is indeed the currency of the new age.

In the midst of the ongoing data protection conversation, the National Treasury has released the draft Budget Policy Statement (BPS), which sets out the government’s priority programmes, policies, and reforms to be implemented in the Medium-Term Expenditure Framework. One of the proposals in the draft BPS seeks to integrate KRA’s tax system with the telecommunication companies as part of the Administration’s economic turnaround plan and efforts to scale up revenue collection by the Kenya Revenue Authority (KRA).

The move will allow the taxman access to real-time mobile money transactions by Kenyans while enabling it to match the information against tax remittances in a bid to nab tax evaders. Available information indicates a huge discrepancy in the volume of funds moved via mobile money transactions, and KRA has no visibility. KRA is, therefore, motivated to expand the tax base and ensure that all taxpayers pay their fair share of taxes. Invariably, monitoring M-PESA and other mobile money transactions will; likely grant KRA unfettered access to personal data belonging to Kenyans. Consequently, this will undoubtedly raise personal data protection concerns.

KRA is within its legal mandate to access information that facilitates tax compliance. However, to avoid running afoul of the data protection law and incurring the ire of Kenyans, KRA should ensure that the system’s integration with telcos is strictly compliant with the law and enhances public trust in the discharge of the Authority’s mandate.

We highlight some legal considerations KRA will likely focus on if the system integration proposal sees the light of day through the Finance Act of 2023.

• Data Protection Impact Assessment (DPIA)

The Data Protection Act, 2019 requires data controllers to conduct data protection impact assessments when a new processing activity is likely to result in high risk for data subjects. This usually includes a review of any proposed engagement to ensure data protection alignment. The need for a DPIA includes a regulatory obligation where it should be submitted to the ODPC 60 days before the commencement of the processing of personal data in the event the proposed data processing is likely to result in a high degree of risk to data subjects.

The proposal to integrate KRA’s system with the telcos is highly likely to require a DPIA to be conducted before it is rolled out.

• Data Privacy Policy

KRA already has in place a data privacy policy https://www.kra.go.ke/images/documents/Data-Privacy-Policy.pdf According to the Policy, KRA collects personal information, including your email, National ID number/passport number/alien ID, date of birth, income, employer, address, phone number, profession, bank account, business ownership, property, citizenship, source of income and social media. Personal information is collected using the Authority’s systems when you submit the details.

Notably, the Policy stipulates the purpose for which the Authority uses the personal data. The personal data provided by a taxpayer is used to help in communication. For example, to contact taxpayers in response to questions, solicit taxpayer feedback, provide technical support, and inform taxpayers about tax procedures.

KRA will therefore be required to update its Policy should the purpose change if and when the system integration is rolled out. The purpose limitation principle requires that personal data be collected only for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes. If KRA collects personal data for one reason, it may not use it for any other purpose unless the data subject’s express consent has been granted.

• Integrity and confidentiality

KRA is responsible for ensuring that reasonable steps have been taken to implement security safeguards. This includes ascertaining the integrity of all employees or third parties authorised to access an individual’s personal data. KRA currently has mechanisms and digital platforms that ensure personal data protection. Some measures include encryption, purpose limitation, anonymization, restricted access rights and audit trails. The Authority also has an information-sharing policy that governs third parties.