Why your personal data should remain private

Tuesday November 12 2019

Two related and contradictory things happened last week.

Earlier in the week, the Independent Electoral and Boundaries Commission (IEBC) lost a court case against the Orange Democratic Movement (ODM) that related to data privacy.

Towards the end of the same week, the president finally assented to the Data protection Act that has been rotating in and out of Parliament over the last ten years.

Firstly, lets deal with the ODM case against IEBC.

The gist of the case is that the IEBC had declined to pass to ODM the complete data set of Kibra voters, and had instead shared a redacted version that protected the voter’s national ID and telephone numbers.

IEBC argued that these two identifiers were personal to the voter and therefore required the voters personal consent so as to be shared to third parties.


On the other hand, ODM had argued that the IEBC was hiding crucial information needed for voter verification, which was against the voter’s rights and the political parties’ right to verify the voter register.

Please by the IEBC lawyers that individual voters could confirm these personal details rather than going through third party political entities did not carry the day and the court ruled in favour of ODM.


The electoral body subsequently complied with the ruling and handed over the un-redacted data set that contained the voter’s personal details to ODM.

While the case was being heard and determined, there was a lot of buzz on the social media, with the majority wondering why try to protect personal data that we so willingly dish out at various touch points during our day.

We do share our national IDs with those security guards stationed virtually in all public and private buildings. We dish out the same to those mobile money kiosks when we want to cash our money.

We do the same in banks, hospitals, schools, churches, supermarkets, etc.

The key to appreciating data privacy is not by looking at how careless you are with your private information at an individual level.

One should instead look at what it means if we are, collectively as a nation, careless with our personal data. Being careless as a country, continent or global level changes the dynamic.

Perhaps a better analogy would be to think in terms of your bank statement.

If you notice you are losing one shilling every month on your bank statement, you can choose to ignore the fact and assume it is just some insignificant twelve bob a year.

But if you come to realise that your banker is collecting this shilling from all his other one million customers every month, then the dynamic and value of the matter become significantly different.

Suddenly, you may not wish to be part of a bunch of careless customers, willing to contribute a million shillings every month to some unknown beneficiary within the bank.

This is exactly the same situation with your personal data. Its value increases exponentially with the type and scale of the data collection process.


It may cost you nothing – or so you think – to surrender you personal data. However, it confers unmerited power and advantage to whoever is collecting and consolidating personal data at a constituency, national or global scale.

Now back to the Data Protection Act.

The presidential assent to the Data Protection bill last week marks a new beginning in the type and nature of the relationships that citizens will have with their data collectors (data controllers) going forward.

The biggest impact will be that data controllers such as the IEBC, mobile money vendors, security guards, etc., will no longer be allowed to share your personal details with third parties without your explicit consent.

In other words, if last week’s court ruling was to be made this week, the judgment would have been completely different given that we now have a substantive law to protect citizen privacy.

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.

Email: [email protected], Twitter: @Jwalu