KRA must follow the law in plans to mine tax data

Times Tower, the KRA headquarters

Times Tower, the KRA headquarters.

Photo credit: File | Nation Media Group

The Kenya Revenue Authority (KRA) has recently revealed that its setting up a forensic laboratory that will allow it to mine data from tax payer’s computers and mobile phones to detect tax and financial fraud.

The main point of consideration, however, is how well the authority is going to ensure compliance with Article 31 of the Constitution of Kenya on the right to privacy, the Data Protection Act, 2019 and the Data Protection Regulations 2021, which will hopefully come into force in the next couple of weeks.

While the move by KRA aims to minimise tax and financial fraud, the same should not be at the expense of the rights of citizens. The taxman wants to enlist a special software to access data from Macintosh computers, iPhone, iPad and other smartphones.

Pertinent issues of consideration are centred on the right to privacy as provided under Article 31 of the Constitution of Kenya particularly the right not to have the privacy of one’s communication infringed on.

Access to information in computers and smart phones, emails, texts, audio, videos, image files and other transactional data automatically translates to access to individuals’ personal data. Perhaps, there is need to ensure that in programming of the forensic software to limit its access to the financial aspects.

Further, the said plan would involve processing of data. The mere act of acquiring and processing data makes KRA both a data controller and processor, meaning the authority not only determines the purpose and means of processing the data acquired, but also how that data is to be processed and utilised.

In light of this, the authority should bear in mind the principles of data protection as highlighted under Section 25 of the Data Protection Act.

A critical question to bear in mind is whether KRA will be objective enough to uphold the rights of Kenyans as provided for in the law , for example, will companies and individuals be required to give consent before their personal data is accessed?

The authority also seeks to expand its surveillance through mass flow meters in alcohol factories. This may be deemed as discriminatory as the move is sector specific. If KRA aims to curb tax evasion, the same should cut across all sectors and not be seen to target a particular one.

What then should the authority consider improving on moving forward?

The taxman should create a fully-fledged internal data protection unit to advise on the data processing requirements under the law and all relevant applicable laws, to facilitate capacity building of staff involved, provide advice on data protection and facilitate collaboration with the office of the Data Commissioner.

Lastly, the Data Protection Act provides for the carrying out of data protection impact assessments prior to processing of data where such processing operations are likely to result in high risk to the rights and freedoms of data subjects. KRA should make sure that it carries out this assessment in advance

Ms Mumbua is a lawyer at Prof Musili Wambua & Co. Advocates. [email protected]


You're all set to enjoy unlimited Prime content.