Once again, the Taxman is in the public grapevine. The manner in which it plans to gather and mine taxpayers’ data continues to generate interest, perhaps on account of the magnitude of the impact the intelligence mechanism is likely to have on the people’s right to privacy. For instance, in a recent article published in the Daily Nation of 11th May 2022, Brian Bambani wrote that the Kenya Revenue Authority (KRA) is setting up a forensic laboratory that will allow it to mine data from taxpayers’ computers and mobile phones to detect tax and financial fraud. The article remarks that its lab will have the ability to:
extract, analyse data from all types of phones and tablets, should include full range of peripherals and accessories needed for mobile forensic investigations, including connectors … faraday bags, memory card readers, SIM and micro-SIM ID Cloning cards, camera of capturing images of the data or screenshots directly from the device…
This article finds it relevant to analyse KRA’s proposed data mining labs against the right to privacy and our Data Protection Act (DPA) and Data Protection Regulations (DPR). The main purpose of the right to privacy is to protect everyone from unwarranted and unreasonable intrusion, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed. In the context of section 2 of the Data Protection Act, KRA is a data controller since it has determined the purpose and means it intends to employ to process personal data of taxpayers. Furthermore, the mere fact that KRA intends to process collected data in its lab makes it a data processor for purposes of our data protection statute.
While there is a legitimate state interest in combating tax and financial fraud, the nature of information sought to be collected by the taxman is “sensitive personal data” and invites extreme caution and care. “Sensitive personal data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. In the case of Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) [2020] eKLR, it was held that such data is considered sensitive data because of the more serious impact of its loss or unauthorized disclosure, particularly in terms of the attendant social, reputational, or legal risks and consequences. In the case, the High Court emphasized that personal data can only be legally processed if there is an appropriate legal framework in which sufficient safeguards are built in to protect fundamental rights.
Since the proposed surveillance is in fact a limitation of the right to privacy, it must comply with the requirements of article 24 of the Constitution. First, KRA must ensure that it carries out its plan in compliance with the principles of data protection under section 25 of the DPA. KRA must have regard for the right to privacy of the data subject. Secondly, a statute must be enacted to guide the process of surveillance and to sanction the KRA surveillance, failing which the limitation of privacy is likely to fail constitutional scrutiny on grounds of illegality. KRA must ensure it has a transparent record of the information it has collected about each data subject, who must have reasonable access to such information. It must make clear beforehand the specific information it seeks to collect, to make it possible for the Data Protection Commissioner, Courts and the general public to assess whether the information it is collecting is legitimately and rationally connected to the specified purpose of surveillance. This means KRA must collect no more information than is necessary to achieve the purpose of surveillance; this is the proportionality test for limiting rights.
The Data Protection Act provides for the carrying out of data protection impact assessments prior to processing of data where such processing operations are likely to result in high risk to the rights and freedoms of data subjects. As already noted above, some of the information the taxman has indicated it seeks to collect by surveillance falls within the purview of “sensitive personal data”. In this case the high risk of the surveillance infringing the rights of the general public is attributable to several factors, mainly because the proposed surveillance involves:
- combining, linking or cross-referencing separate datasets where the data sets are combined from different sources and where processing is carried out for different purposes;
- large scale processing of personal data;
- innovative use or application of new technological or organisational solutions.
The Data Impact assessment to be conducted by the Taxman must conform to the Third Schedule of the DPR. The taxman must also ensure it consults the Data Commissioner within sixty days from the date of the receipt of the impact assessment report. KRA should publish the data protection impact assessment report on its website to promote transparency and accountability, and to boost public confidence in the steps taken to ensure compliance with the right to privacy and the principles of data protection as set out in section 25 of the DPA. Therefore, KRA should make sure that it carries out this assessment in advance. Such an impact assessment will enable the taxman to achieve higher compliance levels of the principles of data protection, the limitation of rights test under article 24 and avoid liability in damages.
The Taxman must ensure that before rolling out the plan, it establishes elaborate technical and organisational measures to safeguard and implement the data protection principles. KRA must ensure it meets all the elements for the protection of personal data by design or by default that are necessary to implement the data protection principles outlined under section 25 of the Act. These principles also bear striking similarities with the requirements of article 24 of the Constitution. More so, considering the fact that the information the taxman seeks to collect includes “sensitive personal information”, emphasis should be on the principle of data minimization, which can be achieved by:
- avoiding the processing of personal data altogether when this is possible for the relevant purpose, which can be done by employing other means of preventing tax fraud;
- limiting the amount of personal data collected to what is necessary for tax enforcement purposes, and not collecting data unrelated or irrelevant to tax enforcement;
- demonstrating, before setting up the surveillance labs, the relevance of the data to the processing in question;
- pseudonymising personal data as soon as it is no longer necessary to have directly identifiable personal data, and storing identification keys separately;
- anonymizing or deleting personal data where the data is no longer necessary for the purpose;
- applying available and suitable technologies for data avoidance and minimization.
To meet its proportionality obligation, the taxman must have a clear framework for adhering to the principle of storage limitation, which can be achieved by:
- having clear internal procedures for deletion and destruction;
- determining what data, and what length of storage of personal data, is necessary for preventing tax and financial fraud;
- justifying why the period of storage is necessary for combating financial fraud, and disclosing the rationale behind the retention period.
In conclusion, Parliament must enact a statute that gives the Taxman clear and specific guidance in respect of the collection of data. It is noted that presently the only exceptions to the Data Protection Act are provided for under sections 51-55 of the Act. In the UK, to whose legislation the Kenyan Act is similar, taxation and crime fall under the exceptions to data protection. It is imperative for clear provisions to govern this exception to avoid any unwarranted breach of data protection in the name of nabbing tax cheats.
This article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set out in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact Litigation vide litigation@wamaeallen.com







