322
The Data Protection Bill, 2018
history;
statistical; or
research.
Agency that retains data for historical, statistics or
research purposes shall ensure that personal data is
protected against access or use for unauthorised purposes.
An agency shall, at the expiry of the retention
period, destroy or delete personal data in a manner that
prevents its deconstruction in an intelligible form.
20. Subject to this Act or any other written law, an
agency that holds personal data that was obtained in
connection with one purpose shall not use the data for any
other purpose.
Misuse of
information.
21. A person shall not use, for commercial purposes,
personal data obtained pursuant to the provisions of this
Act unlessit has sought and obtained express consent from
data subject; or
it is authorised to do so under any other written
law and the data subject has been informed of such
use when collecting the data from the data subject.
22. (1) An agency that assigns unique identifiers to
persons shall take all reasonable steps to ensure that unique
identifiers are assigned only to persons whose identity is
clearly established.
(2) An agency shall not require a person to disclose
any unique identifier assigned to him or her unless the
disclosure is for one of the purposes for which that unique
identifier was assigned or for a connected purpose.
23. A person who interferes with personal data of a
data subject or infringes on the right of a person to privacy
commits an offence and is liable, on conviction, to a fine
not exceeding five hundred thousand shillings or to
imprisonment for a term not exceeding two years, or to
both.
Commercial use
of a
Use of unique
identifiers.
Interference with
personal data.
PART III--PROCESSING OF SPECIAL
INFORMATION
24. (1) An agency shall not process special personal
information,
Prohibition on
processing
of
special