Day 4: Policy and Regulatory Framework on Privacy and Data Protection- Data Controllers and Processors

Grace, et al,

Data residency + sovereignty is most relevant here.

IT + Information professionals cannot honestly affirm or swear on oath
about decency of the physical environment data (storage/servers) occupy if
they cannot (physically) access the same. We know how welcome (dark)
Africans are in the EU (+UK) where multi national data centers serving our
region are usually situated.

(i) How do we evaluate data centers in localities where Africans must beg
(pay) for visas to visit?
(ii) How do our Courts summon EU/UK residents/citizens \”protecting\” our
data in their localities?
(iii) How do we prosecute EU residents/citizens handing over our data to
their relevant authorities?

In short, the data processors and controllers should be subject to Kenya
residency and laws especially if our data (backups) resides outside our

While at it, why not use this Data Protection Bill to define some Chief
Information Officer (CIO) roles?

The GDPR separates the role of the CIO and the DPO and in reality they
cannot really exist without consulting each other.

The CIO role is wider than data protection. It also includes Access to
Information (ACT should include/define other CIO roles).

We MUST end the business/fraud of lawyers being paid more (to launder
funds) than is allocated to IT projects increasing transparency and
security in our communities and society.

On Mon, Aug 27, 2018 at 9:33 AM Grace Bomu via kictanet <> wrote:

> Good morning listers!
> Welcome to data protection bill/policy discussions. Last week, we went
> through the principles of data protection and rights of data subjects. We
> covered the right to privacy in its different forms including the right to
> be forgotten and consent.
> Today, we shift gears a bit and consider the issue of data protection from
> the point of the *processor and controller*. The bill defines a
> controller as one who designs data processing and the processor as one who
> collects, stores, retrieves , discloses, erases etc on behalf of a
> controller.
> General obligations for controllers and processors are listed in part IV
> and they include upholding the principles of data protection, protecting
> the rights of the data subject, duty to notify the subject about processing
> and breaches, acquisition of consent and security safeguards as regards
> personal data. It would be interesting to hear from data controllers and
> processors, views on:
> 1. restrictions on processing personal data (clause 30) where
> processors may not process data objected by the data subject or which has
> legal claims.What are the practical implications of restrictions? For
> example, if one company or government agency received a large number of
> objections in one period?
> 2. the protection of data subjects from profiling (clause 31). While
> we have seen negative effects of profiling during the political season, are
> there positives of profiling that could benefit the data subject and does
> this bill adequately balance both ends?
> 3. the bill makes it mandatory to notify data subjects in case of
> breach. How will this change sectors such as banking where issues of data
> breaches are never discussed with customers or the public in order to
> protect the confidence of the industry?
> 4. Finally, on the issue of sensitive personal data, which is subject
> to higher protection. Sensitive personal data includes person’s race,
> health status, ethnic social origin, political opinion, belief, personal
> preferences, location, genetic data, biometrics, sex life or sexual
> orientation. What are the practical implications for existing data sets
> held by for instance the registrar of persons, universities, schools,
> insurance companies etc? Is the list proposed by the bill exhaustive? The
> Senate bill for example defines categories such as trade union membership
> as sensitive data.
> Welcome to the discussion. Please point out any issues in the bill that
> are either very good and should be retained or problematic and should be
> improved. Tujadiliane.
> —
> Grace Mutung\’u
> Skype: gracebomu
> @Bomu
> PGP ID : 0x33A3450F
> _______________________________________________
> kictanet mailing list
> Twitter:
> Facebook:
> Domain Registration sponsored by
> Unsubscribe or change your options at
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people\’s times and bandwidth,
> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.