Data protection Act – lessons from Kenya
What you need to know:
- The membership of the taskforce is important since it needs to reflect the different skill-sets required of the data-protection landscape.
- The input collected would then be reviewed to enrich the draft documents.
Kenya is amongst the few African countries that have a data protection Act.
The data protection legislation is a critical pillar for any country that aims to harness emerging opportunities in the digital economy, while protecting the rights of its citizens.
Lack of a comprehensive data privacy and protection law implies that the digital service providers would have undue advantage over consumers potentially leading to data breaches – with little or no repercussions to the service providers.
If there are no repercussions or penalties, the service providers would tend to ignore or relax costly data privacy and data security procedures that would have otherwise pre-empted or reduced the risk or exposure citizen data faces online.
EXPERIENCES
Having had the privilege of serving on the Kenyan Data Protection Task-Force, I thought it would be useful to share experiences that could guide other African countries to put in place their data protection legislation.
First and foremost, we must acknowledge that the Data Protection Bill had been in Kenyan parliament for over 10 years with little or no progress towards enactment.
However, in early 2018, the ICT minister put together and gazetted a taskforce of 12 members to restart and escalate the process that had time and again failed to gain traction.
The membership of the taskforce is important since it needs to reflect the different skill-sets required of the data-protection landscape.
Of critical importance, the taskforce should have talent from policy, legal, regulatory and technical background in data privacy and security.
Additionally, it is mandatory to have a well-resourced and competent secretariat that is able to follow, engage and record proceedings of various types of meetings.
MEETINGS
These meetings would take various forms including but not limited to expert consultations, workshops, public participation and taskforce retreats.
Since the taskforce members are technically part-time consultants, the chair and the secretariat must provide proper record keeping to ensure effective continuity from one meeting to the next.
In terms of actual execution of the mandate, the gazette notice provided the terms of reference that guided and directed the taskforce on the deliverables and their timelines.
The overarching deliverable was of course to have a draft data protection policy and a Draft Data Protection Bill for Cabinet approval and subsequent forwarding to the ICT parliamentary committee.
POLICIES
A lot more work should be expected at the beginning of the mandate since the taskforce members must get familiar with various data protection policies and acts within and beyond Africa.
Engaging legal students to research and present the pros and cons of the various policies and acts was a great strategy that enabled taskforce members to quickly identify the key thematic data protection principles or domains.
Sessions with global expert reviewers also helps in dissecting and resolving contentious issues or clauses that always exist within any data protection regime.
PUBLIC CONSULTATIONS
After about nine months of meetings, workshops, expert reviews, retreats and consultations with the appointing authorities, a draft policy and Bill would be ready for public consultations.
The drafts would be available online for citizens to review and send comments in preparation for the face-to-face meetings with the taskforce members. The input collected would then be reviewed to enrich the draft documents.
More and geographically dispersed public participations is always recommended but budgetary constraints means that most of consultations would happen online and key stakeholders and contributors invited for in-depth engagement with the taskforce.
Eventually the refined draft policy and Bill is submitted to the respective minister or cabinet secretary who then seeks Cabinet approval and transmits the documents to Parliament.
The job of the taskforce ends there, and that of Parliament begins.
Parliament has its own independent process that typically goes through another series of public participation, first, second, third reading and subsequent transmission to the President for enactment.
I do hope this is helpful to those countries wishing to start this journey, or are at various stages of implementing a data protection regime.
