The Data Protection Bill, 2012
those steps.
(7) Where an agency receives a request made pursuant to subsection
(1), the agency shall inform the data subject of the action taken as a
result of the request.
Use of information.
14. An agency that holds personal data shall take reasonable
steps to ensure that, having regard to the purpose for which the
information is proposed to be used, the information is accurate, up
to date, complete, relevant, and not misleading.
Storage of information.
15. An agency that holds personal information shall not keep the
information for longer than is required for the purposes for which
the information may lawfully be used.
Misuse of information.
16. Subject to this Act or any other written law, an agency that
holds personal information that was obtained in connection with
one purpose shall not use the information for any other purpose.
Commercial use of data.
17. A person shall not use for commercial purposes personal
information obtained pursuant to the provisions of this Act unless—
(a) given express consent by data subject; or
(b) authorised to do so under any other written law.
Use of unique identifiers.
18. (1) An agency that assigns unique identifiers to individuals
shall take all reasonable steps to ensure that unique identifiers are
assigned only to individuals whose identity is clearly established.
(2) An agency shall not require an individual to disclose any unique
identifier assigned to that individual unless the disclosure is for one
of the purposes in connection with which that unique identifier was
assigned or for a purpose that is directly related to one of those
purposes.
Interference with personal information.
19. For the purposes of this Act, a person who interferes with
personal information of a data subject or practices breaches in
relation to the right to privacy commits an offence and is liable, on
conviction, to a fine not exceeding Kshs. 100,000 and to a term of
imprisonment not exceeding two years, or to both.