The Independent Electoral and Boundaries Commission (IEBC) is under the spotlight over the transfer of electoral data.

The Data Protection Act, 2019 says personal data should not be transferred outside Kenya unless there is proof of adequate protection safeguards or consent from the data subject.

Forms 34A, which are all over the IEBC’s portal, expose phone numbers, ID/passport numbers and full names of agents and officials in blatant breach of privacy laws.

The IEBC should have compelled Smartmatic to conceal some digits in the phone contacts and ID/passport numbers by building privacy by design into the Kiems kits and IT systems as an inbuilt default setting.

Before data is transferred, the Data Protection Commissioner must be satisfied that its subjects are as protected as they are under the Kenya Data Protection Act, 2019.

This is only possible through a risk assessment. To ensure the protection of personal data, the IEBC has several parameters to consider regarding the receiving territory.

Basic freedoms

First, respect for human rights and basic freedoms and relevant legislation on public security, defence, national security, criminal law and access by public authorities.

Secondly, recognition of the rights of citizens and foreigners within the territory, without discrimination on the basis of immigration status.

Thirdly, the rule of law, including national legislation in force and regulatory/professional rules.

Fourth, independent supervisory authorities that ensure compliance with the law.

Lastly, international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments or from its participation in multilateral or regional systems in relation to the protection of personal data.

The IEBC must sign a contract that allows the restricted transfer of data with appropriate safeguards that are binding and have enforceable rights and effective remedies for persons whose personal data is transferred.

The IEBC can also enter into a contract incorporating standard data protection clauses recognised or issued in accordance with the Kenya data protection regime.

Data may also be transferred if the international organisation has signed up for a code of conduct approved by the Data Protection Commissioner, or has ISO 27701 certification.

These documents must be deposited with the Data Protection Commissioner.