Privacy, Data Protection and the CoronaVirus


A cross-section of Kenyans were surprised when they received a text message from the Ministry of Health indicating that the Ministry would be sending information on the CoronaVirus. The questions floating on social media included where the Ministry had obtained private mobile phone numbers and whether it was an invasion of privacy and misuse of personal data to send such messages en masse. On a preliminary note, the State has your contacts, whether or not you signed up for Huduma Namba or provided your phone number during the census. So, this in my view is a non-issue. What concerns me is what the State does with personal data in its custody and who is granted access to this data.

When the High Court issued orders to the effect that the government should track down and isolate the 239 people who had arrived aboard a China Southern Airlines flight, the orders were received with a sigh of relief. Justice Makau ordered the Ministries of Foreign Affairs, Interior and Health to track, re-examine, confine and quarantine the passengers. This indicates a measure of limitation to the right to privacy and movement of these passengers. The State has to carry out targeted surveillance and process the personal data of these 239 individuals.

Data has shown that Singapore managed to contain the virus through certain measures that perhaps would not be applicable in Kenya. One, through mass and targeted surveillance by the State of persons with the virus and persons who were in physical contact with these individuals. Two, the State keeps elaborate records/data of these individuals and strictly enforces quarantine orders. Singapore does not have provision for the right to privacy in its Constitution. However, the Singapore Constitution does provide that, subject to any law relating to the security of Singapore, public order or public health, every citizen of Singapore has the right to move freely throughout Singapore. Legal orders specific to the management of the CoronaVirus have limited the right to free movement in Singapore, and this has worked to contain the spread of the virus.

Article 31 of the Kenya Constitution provides for the right to privacy. On the other hand, Article 24 indicates that a right or fundamental freedom in the Bill of Rights shall not be limited except by law, and then only to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors.

Section 30 of the Data Protection Act, 2019 indicates that a data processor or data controller may process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Section 46 states that personal data relating to health may be processed if one of the reasons is that the processing is necessary for reasons of public interest in the area of public health. Section 51 provides that the processing of personal data is exempt from the provisions of this Act if it is necessary for national security or public interest.

The challenge with the Data Protection Act is that it does not specifically define public interest. Perhaps this is an intentional omission to provide for a broad interpretation of the phrase, which in my view is subject to abuse. But on public health matters like the CoronaVirus crisis we may rely on Section 46 and Section 51, which provide for exemption on processing of personal data necessary for public interest matters. Article 24 of the Constitution may also be interpreted to argue that limiting data subject rights in the prevailing circumstances is justifiable. This means that the State, any other data controller or data processor may lawfully collect and process data relating to the CoronaVirus.

But what should be the safeguards? We are guided by the Data Protection Act, 2019 and World Health Organisation directives on processing of personal data during health emergencies. Data processors and data controllers dealing with CoronaVirus data, and by extension any health emergency data, should ensure they –

Inform the public that personal data will be processed when the need arises;

Safeguard the privacy, anonymity and dignity of individuals. In certain instances, personal data may be pseudonymised or anonymised;

Safeguard people and populations from being stigmatised, discriminated against unnecessarily or unfairly targeted;

Ensure security of data; and

Process the data only for the purpose of dealing with the health emergency.
