Government must pass four important laws before digitising citizen data

What you need to know:

  • Collecting, storing, maintaining and disseminating citizen data in an environment that does not protect it exposes the public to serious privacy concerns. 

  • Given that new cybercrimes are always being invented, the Cybercrime Act should instead focus on defining the roles of critical players such as information security experts, police, prosecution, the Judiciary and the regulator in the fight against cybercriminals.

The government has recently embarked on various digital projects in an effort to improve efficiency and delivery of public services. Some notable ones include the project to provide every citizen with a unique digital identity card, the Safaricom security project to install monitoring cameras in major towns, and many more at the county level of government.

No one doubts the expected productivity gains from these projects. However, collecting, storing, maintaining and disseminating citizen data in an environment that does not protect it exposes the public to serious privacy concerns. 

Specifically, there is no legal framework that provides some level of assurance that this information is, for example, kept confidential and used solely for the purpose for which it was collected.

Furthermore, there is no legal framework to force government to ensure that this citizen data is given the technical and procedural protection it deserves to minimize the information security attacks that have become regular.

MATURE LEGISLATION

In developed economies where digitized citizen data is the norm, mature legislation exists to address these concerns.  Four critical laws come to mind: a Data Protection Act, an Access to Information Act, an e-Transaction Act and a Cybercrime Act. 

In the case of Kenya, all the above are missing though some have been (and still are) in the production pipeline for over ten years.

The Data Protection Act would outline the necessary ecosystem to provide assurance that citizen data collected is well managed and protected from the perspective of confidentiality, integrity and availability.

In particular, it mandates the data collector (government, business enterprise, etc.) to observe certain levels of professionalism when handling the citizen data and provides penalties in the event this is not observed. For example, it would prescribe penalties for misuse of personal data for marketing purposes when it was originally collected for, say, health, security or telecommunication purposes.

ADJUDICATING ONLINE DISPUTES

The Access to Information Act is what used to be called the Freedom of Information Act. It would spell out the conditions and mechanism under which citizens can request the government to make available any data held about them. This is not only for purposes of transparency and accountability but also for purposes of verifying whether their private data is indeed correctly captured.

The e-Transaction Act would seek to provide a comprehensive legal framework for electronic commerce both at the local and the international levels. It would provide legal backing for purchases made online, and provide mechanisms for courts to adjudicate disputes arising from goods and services exchanged online. 

With such a law, one should be able to comfortably search, locate, buy and have property transferred to them, with all these processes completed online and still legally binding.

With such an increasing level of online activity, criminals will also move their trade online and the Cybercrime Act should therefore kick in. 

LIMITING CRIME OPPORTUNITIES

However, it should not focus on listing all possible cybercrimes and their corresponding penalties. The list of such crimes is ever growing and will never be exhaustive.

Given that new cybercrimes are always being invented, the Cybercrime Act should instead focus on defining the roles of critical players such as information security experts, police, prosecution, the Judiciary and the regulator in the fight against cybercriminals.

Its objective should be to ensure that the opportunity to commit whatever cybercrime there will be is extremely limited by the roles each of the above players is executing. Prevention rather than cure should be the overarching philosophy behind the Cybercrime Act.

These are the pieces of legislation that the executive branch of a “digital” government should be directing its "tyranny of numbers" in Parliament to enact. 

Without these prerequisite laws, Kenya will enter a digital world where everyone is for themselves, hoping that God being for us all can protect us from cybercriminals.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter: @jwalu