Day 4: Policy and Regulatory Framework on Privacy and Data Protection- Data Controllers and Processors

@Michael, on the issue of transfers outside Kenya, I foresee the need for
international agreement on what constitutes basic data protection.
Otherwise, some data processors will be able to build different products
for different jurisdictions while those who cannot will be limited in how
they can expand.
To balance the question of platform as a service with @Muraya\’s comments on
building the local data economy, maybe we need more evidence to determine
what our local capacity is. In addition, the policy needed to rope in other
stakeholders who are important for data protection, including the power
sector (KPLC etc), academia on skills gaps and KEBS et al on standards,
just to mention but a few.
I hear you on the lack of incentive on notification and note this under the
discussion on offences as one way to remedy this wold be to create an
offence of not notifying in case of a breach.

Il giorno mar 28 ago 2018 alle ore 00:58 Michael Pedersen via kictanet <
[email protected]> ha scritto:

> Listers,
>
> Regarding part IV of the draft I have noted the following points.
>
> *1. Transfers outside Kenya.*
>
> Very many (if not most) Kenyan websites/systems are hosted
> internationally, AWS, Rackspace, and all the usual suspects are widely
> used. As a result very often personal data is currently transfered
> internationally.
>
> My issue here is what constitutes \”proff\” that a foreign nation have
> \”adequate\” data protection laws? My first thought on this issue is that
> Europe due to GDPR would be considered \”adequate\”, whereas United States
> would NOT be considered having \”adequate\” laws.
>
> If this is the case/correct interpretation then this law will have a
> significant cost (money and time) for all the ones currently hosting in US
> who have to migrate their setup.
>
>
> *2. Platform as a service*
>
> In situations where your system is build on a global company\’s \”platform
> as a service\” (Google being the prime example) you have very little control
> of \”where\” the personal data is \”transfered\” – as Google have caching
> servers almost everywhere, essentially the data would/could be copied all
> over the globe.
>
> The limitation on international transfers – does it in-effect kill
> innovations that utilize global infrastructure such as this ?
>
>
> *3. Lack of incentive for notification*
>
> As I have mentioned elsewhere I think it is great that any breach that
> should happen requires that the affected person(s) be notified. However I
> feel that the draft very much creates no incentive for data-processors to
> actually full-fill this requirement – In-fact the way I read it it is very
> very tempting for processors who are subject to a breach to keep very quiet
> (i.e. they are committing an offence if they are subject to a breach – so
> better make sure no-one ever finds out that you lost some data).
>
>
> Kind regards
> Michael Pedersen
>
>
>
> On 27/08/2018 08:30, Grace Bomu via kictanet wrote:
>
>
> General obligations for controllers and processors are listed in part IV
> and they include upholding the principles of data protection, protecting
> the rights of the data subject, duty to notify the subject about processing
> and breaches, acquisition of consent and security safeguards as regards
> personal data. It would be interesting to hear from data controllers and
> processors, views on:
>
> Welcome to the discussion. Please point out any issues in the bill that
> are either very good and should be retained or problematic and should be
> improved. Tujadiliane.
>
>
>
> —
> Grace Mutung\’u
> Skype: gracebomu
> @Bomu
> PGP ID : 0x33A3450F
>
>
>
> _______________________________________________
> kictanet mailing [email protected]://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: www.facebook.com/KICTANet/
> Domain Registration sponsored by www.eacdirectory.co.ke
>
> Unsubscribe or change your options at lists.kictanet.or.ke/mailman/options/kictanet/michael%40pluspeople.dk
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people\’s times and bandwidth, share knowledge, don\’t flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
>
>
> _______________________________________________
> kictanet mailing list
> [email protected]
> lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: www.facebook.com/KICTANet/
> Domain Registration sponsored by www.eacdirectory.co.ke
>
> Unsubscribe or change your options at
> lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people\’s times and bandwidth,
> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>