New Penal Code reinforces protection of personal info

Mostinventions come about when a person thinks of a way to make life better.

These inventions then evolve as technology advances or as needs change. But the most important of all, people need to live in a safer environment, which is free from violation of their rights.


To make life more meaningful, laws constantly evolve to keep up with the changes in society. It is in this context that the amendment of the Penal Code was well-thought out.


Obviously, an amendment brings changes and/or improvement of something already in place. The new Penal Code [Law nº 68/2018 of 30/08/2018 determining offences and penalties in general] is timely as Rwanda moves so rapidly like a flowing stream in various aspects of life.


Indeed, Rwanda is a dynamic and forward-looking country. The new Penal Code covers general principles governing offences and penalties as well as offences and penalties in general.

From various developments in the new Penal Code, this column will single out data protection (personal information) in the area of information and communication technologies.

Data privacy, as a policy issue, emerged only in the wake of the information and communication technologies revolution in the late 1960s and early 1970s.

At that time, there was an increase in the use of computers to process information about individuals. This prompted the need to have data protection legislation so as to ensure the proper use of personal information.

The legislation imposes obligations on those who hold such personal information, while giving rights to those the information is about—data subjects. The development of technology arose the issue of trans-border trade, and therefore more sharing of personal information, facilitated by the development of computer technology.

Indeed, rapid progress in the field of electronic data collection, processing and sharing of personal information necessitated regulation.

Although these developments offered considerable advantages in terms of efficiency and productivity, they also gave rise to concerns that these otherwise positive advancements would have an adverse impact on the privacy of individuals and that this would be exacerbated when personal information was transferred from one computer to another and from one country to another.

It is in this perspective that Rwanda, like many ICT-advanced countries, enacted ICT law n°24/2016 of 18/06/2016 governing information and communication technologies, especially in Article 124 which stipulates that “notwithstanding other provisions of this Law, every subscriber or user’s voice or data communications carried by means of an electronic communications network or services, must remain confidential to that subscriber and or user for whom the voice or data is intended”.

The provision generally protects personal information, which is commonly accessed in computers and other technology gadgets. 

Equally, the new Penal Code reinforces the security and confidentiality of personal information.

Its Article 160 (collection of individuals’ personal information in computers) states that “Any person who, in bad faith, records, collects individual’s personal information or who archives or uses other ways of keeping the personal information in computers and other specialized equipment in a manner that is likely to adversely affect the individual’s honour or his/her privacy, commits an offence.

Upon conviction, he/she is liable to imprisonment for a term of not less than six (6) months and not more than one (1) year and a fine of not less than one million Rwandan francs (FRW 1,000,000) and not more than two million Rwandan francs (FRW 2,000,000)”.

However, paragraph 1 of the foregoing provision precludes liability if such a collection, of personal information, is performed in a professional manner or in the context of one’s duty and legally recognised do not qualify as an offence. Data protection law restricts the processing of personal data, and grants legal rights to individuals how they are processed.

Broadly speaking, data protection aims to empower individual with a certain level of control of their personal information, and the ways it is used. Therefore, it is prohibited to use or transfer personal information without the consent of the concerning individual [a data subject].

Furthermore, the requirements that personal data must be processed fairly and for a specified purpose cover many instances where an interference with privacy would have to be justified. These specific requirements of data protection help safeguard against interference with fundamental rights.

At global level, the Organisation for Economic Co-operation and Development (OECD) developed important Guidelines that introduced a set of principles that should be followed by data controllers processing personal information.

These guides have been a stepping stone to many countries to craft their own laws with respect to their contexts. One of these Guidelines is ‘Collection Limitation Principle’ where the personal information must be collected fairly and lawfully and with the knowledge or consent of the individual concerned.

Aside from the ICT law, noted earlier, the new Penal Code imposes sanction if anyone accesses another person’s information in computer, or perhaps from social media, and uses it without the concerned individual’s consent constitutes an offence. Quite similarly, the ICT law primarily places duty on data controller, to determine the purposes and means of the processing of personal information.

Let’s guard, jealously, as a matter of principle, our personal information. 

The writer is a law expert.


Subscribe to The New Times E-Paper

For news tips and story ideas please WhatsApp +250 788 310 999    


Follow The New Times on Google News