Taxman erred by exposing taxpayers’ personal details

Customers wait to be served while keeping social distance at the Kenya Revenue Authority (KRA) Eldoret branch offices. [Peter Ochieng, Standard]

This week's public release of defaulting taxpayers by the Kenya Revenue Authority (KRA) suggests that even important and reputable state agencies have yet to internalise the recently enacted Data Protection Act.

What line do they and others cross when they share personal information publicly without our consent?

Citing several laws, the KRA publicly listed the names and Personal Identification Numbers (PINs) of 62,727 taxpayers who, they allege, failed to file their tax returns. They further threatened them publicly with deregistration and cancellation from the system within thirty days. Painful at times given runaway economic recession, public debt and corruption, paying and reporting taxes are legal obligations. They are also a fundamental contract between citizens and the state. The easiest way to grind a state into the ground is to stop paying taxes. The one law the Commissioner overlooked is the Data Protection Act (2019). Under the Act, KRA is a data controller with access to the personal information of over 4.4 million people. They are bound by the Act to process personal data only in ways that respect the public’s right to privacy.

Profiling, naming and shaming individuals or companies by using information that was shared for one specific purpose for another purpose is against this law.

Under the law, each of us has the right to be informed and to consent before our personal data is placed in the public domain or shared with third parties. Furthermore, the Authority may have been required to do a data protection impact assessment to ascertain what impact this action would have on the taxpayers themselves, their businesses/livelihoods, partners and clients.

Amnesty International Kenya and Infotrak Research and Consulting Ltd also released their timely opinion poll on public awareness of data protection this week. Released eighteen months after the Data Protection Act commenced and five months after the appointment of an independent Office of the Data Protection Commissioner, the opinion poll findings give us significant insights into the understanding of Kenyans.

Half of Kenyans polled understand they have a right to privacy. Only a third of Kenyans are aware of the Data Protection Act. Only eight per cent are aware that they can report violations to the Data Protection Commissioner's Office.

Strathmore CIPIT Director Dr Isaac Rutenberg recently noted that the role of the Office of the Data Protection Commissioner as a public protector is not understood well enough. The findings must catalyse a sense of urgency for intensive civic education among the public, state, and business agencies.

Perhaps the Office of the Data Protection Commissioner could consider Lawyers Hub Director Linda Bonyo’s recent recommendation of a one-year grace period for compliance. The newly created Office of the Data Protection Commissioner must be supported from all quarters. Sixteen meetings consulting the public on General Data Protection Regulations is a good start. So too will be generous public financing by the National Assembly in the 2021/2021 budget.

Despite KRA’s misstep this week, the new law and the independent Data Protection Office place Kenya well ahead of several African countries. Comprehensive public education and swift enforcement of the Data Protection Act must be intensified. Government, business and other agencies must also learn to avoid illegally and unethically sharing personal information without our prior consent.