Make data commission fully functional

Residents register for the National Integrated Identity Management System at AIC Burnt Forest in Uasin Gishu County on April 24, 2019. Data protection will be the biggest issue in the next decade. PHOTO | FILE | NATION MEDIA GROUP


The National Assembly’s committee on ICT is set to collect views nationwide on the Data Protection Bill in a bid to achieve the wide public participation missed in others, like the Huduma Namba Bill.

Data is the new oil. The oilfields are not in the earth, but in the data collected through everyday activities, such as using a mobile phone or applying for a driver’s licence.

Data protection will, hence, be the biggest issue in the next decade. It therefore requires a strong institutional framework to ensure a functioning data economy.

The institution has to be independent and fully empowered to enforce the law.

Given the government’s ambition to collect copious amounts of very sensitive data, such as during the Huduma Namba registration and the national population census, there is a hoard of sensitive personal information that sits in the hands of state agencies.

Private companies and political parties similarly hold such data. Sadly, they have shared this data with third parties without the consent of the subjects.

EMPOWERMENT

Yes, we have independent commissions, but most lack enforcement powers, reducing them to mediating and reporting progress rather than the more robust role of holding stakeholders accountable.

In Estonia, the government holds the agency overseeing the biometric identity system in high regard and the law creates a data protection inspectorate, similar to our Data Protection Commission.

The inspectorate has powers to warn controllers and processors where their operations are likely to infringe on data protection and order rectification, erasure and termination of processing of personal data, including destruction or archiving.

The body also has powers to prevent damage to rights and freedoms that protect personal data, implement restrictions on processing of personal data and fine data processors and controllers contravening the law.

That would empower our commission to conduct such duties and be easily accessible even to those not tech-savvy.

DEFINED MANDATE

However, our draft law, under Clause 33(1)(d), envisions the commission only receiving and investigating complaints on infringement of people’s rights.

This limits it to a reporting body in case of violation by the State — to which, ironically, it reports. So how would it play its role?

Instead of mere reporting roles, the agency should be similar to the Ethics and Anti-Corruption Commission.

The EACC has a prosecution department that investigates and prosecutes corruption cases, which is complemented by the Judiciary’s specialised High Court Anti-Corruption Division and Anti-Corruption Magistrate’s Court.

Data has become central to our lives and, with the rise in data breaches, cases of related litigation will increase. As the bill is implemented, the Chief Justice should create cyber, data and adjudication divisions.

Since the commission would be in charge of prosecution of data crime cases with the aid of the Director of Public Prosecutions, it should train a special team of police officers on handling cyber and data evidence and investigations.

We need a fully functioning data protection system with a good policy that is actualised.

Mr Yousif is a senior programme and advocacy officer, citizenship at Namati, a human rights NGO. @MustafaM_KE