What you need to know about the privacy of your data as a Kenyan taxpayer

The proposed Finance Bill 2025 contains a clause that could grant the Kenya Revenue Authority (KRA) automatic access to taxpayers’ personal data and trade secrets.

The Law Society of Kenya (LSK) and audit firm KPMG East Africa have since opposed this provision, arguing that granting such powers would significantly undermine taxpayers’ rights to due process and fair adjudication.

Ian Ciang’ombe, a lawyer and data protection expert at Westlands-based G. Mucee and Kimani Advocates, tells Citizen Digital that:

“Taxpayers as data subjects enjoy some rights and freedoms guaranteed under the Constitution of Kenya (CoK) 2010 and the Data Protection Act (DPA) and giving the taxman access to personal data undermines the rights and freedoms that are granted to the taxpayers.”

Ciang’ombe further says that the privacy of taxpayers’ data is guaranteed under Article 31 & 35 of the Constitution, with the data subject being granted several rights such as the right to access their personal data in the controller’s posession, in this instance, the taxman. The subject can object to part of, or the entirety of, their data being processed, and have misleading information corrected or deleted.

Ciang’ombe states that consent from the subject should be voluntary and informed, citing this as the backbone of data privacy.

“KRA has integrated e-Citizen data into the iTax system without consent from the taxpayers who are data subjects in this scenario. Not only is this unlawful, but it undermines the rights and freedoms of the taxpayers as data subjects,” he noted.

The advocate further says that the taxman, while processing data as a data controller, should be informed by principles outlined in Section 25 of the Data Protection Act (DPA) which emphasizes the right to privacy for data subjects and various principles governing how personal data is stored and used.

He added that the taxman is supposed to only collect relevant data needed for processing tax matters and it should be accurate data collected in a lawful and transparent manner.

Under Article 31 of the Constitution, the right to privacy is not an absolute right, meaning it can be limited or restricted.

The taxman, under this provision, can be granted automatic access to personal taxpayer data if there is a threat to national security and access to their data would aid in neutralizing the threat.

“Section 51 of the DPA provides an exemption to processing data outside the requisite provision of the DPA, should it be necessary for national security or public interest,” noted Ciang’ombe.

As a data controller, the taxman is obligated by the DPA to safeguard data belonging to taxpayers. Ciang’ombe stated that the authority can guarantee taxpayers that their data is safe by taking several measures.

“Carrying out a Data Protection Impact Assessment (DPIA) to ensure the rights of data subjects are protected and by ensuring that there are appropriate technical and organizational measures implemented that ensure data protection by design or by default,” he said.

“The authority is obligated to inform taxpayers how they plan to process their personal data and for what purpose the processing will be serving, giving a chance for the data subjects (taxpayers) to consent.”

As for the security of the taxpayers’ data in their posession, Ciang’ombe noted that the taxman is to develop a DPIA as well as adopting mechanisms used by the Internal Revenue Services (IRA), a department similar to the one in the United States government that is responsible for federal tax affairs.

Some of the mechanisms used by the IRS include firewalls which shield computers and networks as well as providing protection from outside attacks, two factor authentification (2FA) which adds an extra layer of protection other than a password, backing up software and services on hard drives to external resources among other measures based on technology.