Justice Chandrachud of the Indian Supreme Court, while delivering the judgment in Justice K.S. Puttaswamy (Retd.) vs Union of India defines the right of Privacy as the right to be left alone. The Constitution of Kenya, at Article 31 enshrines the right to privacy which includes the protection of individual’s information relating to family or private affairs and their communication.
Article 31(b) and (d) enshrines the rights of an individual to silence his past events in life that are no longer occurring by allowing individuals to have information, relating to their family or private affairs and the privacy of their communication not revealed unnecessarily.
The right is normally viewed as a remedy which in some circumstances enables one to demand for the delisting of information about them. It is however, not expressly recognized in International Human Rights instruments.
The Constitution Article 35 also enshrines the right of access to information with a rider that an individual has a right to the correction or deletion of untrue or misleading information that affects the person. There is an inherent conflict between the right to access information and the right to privacy under Article 31.
The ease of access and permanence of personal information in the internet has its downsides because the autonomy of the individual and control over personal data that the individual may wish to keep from the public is compromised.
However, the challenge of balancing between the right to privacy and the right to access to information is majorly occasioned by the conflicting interests of the individual and those of the public. What an individual considers private might be highly needed for research and to support academicians. It might also be in the interest of the public that the information be public despite the discomfort it occasions the individual i.e., in the case of a sex offender or a bankrupt.
The recently enacted Data protection Act 2019 which most organizations are yet to understand establishes a new legal framework. The Act heavily borrows from the European Union General Data Protection Regulations (EUGDPR).
It is imperative that Data Controllers and processors quickly familiarize themselves with the provisions of the Act with a view to ensure compliance since the handling of all data affecting Data subjects is now under strict regulation.
On the other hand, the Access to Information Act, 2016 defines personal information as
Information about an identifiable individual, including but not limited to;
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, age, physical, psychological or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
- information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- any identifying number, symbol or other particular assigned to the individual;
- the fingerprints, blood type, address, telephone or other contact details of the individual;
- a person’s opinion or views over another person;
- correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- any information given in support or in relation to an award or grant proposed to be given to another person;
- contact details of an individual.
It is a legal requirement that court decisions, health records bankruptcy filings among others remain accessible for a definite period of time and such information cannot be deleted or hidden from public access due to the notion of privacy.
On the contrary, the onus is upon data controllers to strive and ensure that the balance between the right to privacy and the right to access to information as envisaged in the constitution is sustained.
THE CASE OF THE JUDICIAL SERVICE COMMISSION (JSC)
The Judicial Service Commission (JSC) is established under Article 171 of the Constitution and its mandate as set out under Article 172 is to promote and facilitate the independence and accountability of the Judiciary and the efficient, effective and transparent administration of Justice.
In promoting judicial independence, the Judicial Service Commission must ensure that there is judicial accountability. The principles of judicial independence and accountability complement each other, and it is on this basis that the JSC under Article 168 exercises power to receive and consider complaints and Petitions against Judges.
The Constitution under Article 168 provides for the grounds upon which a Judge of a superior Court may be removed from office. Under Article 168 (2) the removal of a Judge may be initiated by the JSC acting on its own motion or on a Petition of any person to the JSC.
Functions
The Functions of the Commission under the Constitution and is as follows;
- Recommend to the President persons for appointment as judges
- Review and make recommendations on condition of service for judicial officers and staff
- Receive complaints against, investigate and remove from office or otherwise discipline registrars, magistrates, other judicial officers and staff of the judiciary.
- Prepare and implement programs for the continuing education and training of judges and judicial officers and,
- Advise the national government on improving the efficiency of the administration of justice.
Article 252 of the Constitution states that the Commission;
- May conduct investigations on its own initiative or on a complaint made by a member of the public
- Has the powers to issue summons to a witness to assist for the purpose of its investigations
From the above rendition, it is clear that the JSC in performance of its mandate harnesses a lot of what can be considered personal information. The Data Protection Act imposes a duty upon Data Controllers like JSC who determines the purpose and means of processing personal data. The DPA at section 18-24 requires that all Data Controllers and Data Processors be registered.
Section 64 of the DPA imposes a penalty notice of up to Kshs. 5 million in case of breach and thus the JSC in the execution of its mandate is expected to handle in compliance with the principles and obligations of personal data protection.
The requirements of Data Protection Impact Assessment under section 31of the DPA ensures that personal data of individuals is not dealt with in a manner that infringes on the rights of the individual or even the public.
The right to erasure as envisaged under section 40 of the DPA is what engenders the right to be forgotten in Kenya albeit in a much-restricted form.
The JSC conducts its interviews for Judges and Magistrates in public through its website and sometimes uses its social media accounts like Facebook and twitter to post the proceedings for public viewing in efforts to ensure transparency and accountability enshrined under Article 10 of the Constitution.
It is plausible that an individual would approach the JSC seeking to exercise the right of erasure and that any data regarding the individual that the Commission has in its possession or has shared with a 3rd party be erased. This is the point when there would be need to balance the individual’s right to privacy and the public’s right to access of information.
The right to access Information is enshrined under Article 35 of the Constitution and provided for under the Access to Information Act, 2016 (ATI). This is the right that an individual has to access information held by public authorities acting on behalf of the state. The ATI was aimed at ensuring that citizens were capable of tracking whatever was going on in government in order to expose corruption, administrative injustices and other malpractices. The ATI puts the obligation on the state to simply provide information albeit with exemption on matters relating to Intelligence and National Security.
In Katiba Institute v Presidents Delivery Unit & 3 others [2017] eKLR the right to access to information was found to be a foundational right on which other rights and freedoms depended on, thus for any meaningful protection of the other rights, the right of access to information becomes crucial for effective participation n the democratic governance of the country.
Public institutions are also obligated in terms of section 22 of ATI to provide a report on access to information covering the preceding year to the Commission on Administrative Justice.
CONCLUSION
The right to access to information and the right to privacy have conflicting claims that must be balanced. This conflict is clearly captured by section 6(d) of the ATI which limits the access of information which would involve the unwarranted invasion of the privacy of an individual other than the applicant or the person on whose behalf an application has with proper authority been made.
It is notable that the DPA was meant for giving effect to Article 31 (c) and (d) on the right to Privacy. Although an individual has a right of erasure under section 40 of the DPA and the right and the right to limit access to information invading his privacy, there is need for a delicate balance to ensure that the right to access information by the public as enshrined under Article 35 of the Constitution is not compromised.
The access to information by an individual is further limited by section 6(g) even if it relates to him personally especially if the said information is in the custody of a public entity like the JSC or any other private entity and the said entity is considering a matter which it feels might undermine the said considerations.