Day 4: Policy and Regulatory Framework on Privacy and Data Protection - Data Controllers and Processors

On Mon, Aug 27, 2018 at 8:48 AM Grace Bomu via kictanet <
kictanet@lists.kictanet.or.ke> wrote:

> Good morning listers!
> Welcome to data protection bill/policy discussions. Last week, we went
> through the principles of data protection and rights of data subjects. We
> covered the right to privacy in its different forms including the right to
> be forgotten and consent.
> Today, we shift gears a bit and consider the issue of data protection from
> the point of the *processor and controller*. The bill defines a
> controller as one who designs data processing and the processor as one who
> collects, stores, retrieves, discloses, erases etc. on behalf of a
> controller.
>
> General obligations for controllers and processors are listed in part IV
> and they include upholding the principles of data protection, protecting
> the rights of the data subject, duty to notify the subject about processing
> and breaches, acquisition of consent and security safeguards as regards
> personal data. It would be interesting to hear from data controllers and
> processors, views on:
>
> 1. restrictions on processing personal data (clause 30) where
> processors may not process data objected by the data subject or which has
> legal claims. What are the practical implications of restrictions? For
> example, if one company or government agency received a large number of
> objections in one period?
>
BO: As mentioned in my first intervention, I still think we are at a
nascent stage as a country in so far as developing our information society is
concerned. For example we don’t have a proper national addressing system.
KRA has tried to register Landlords and it has been an uphill task.
Restrictions on processing personal data are likely to be misused. The end
result would be preference for manual processes that are easy to manipulate
as we have seen with the electoral system.

> 2. the protection of data subjects from profiling (clause 31). While we
> have seen negative effects of profiling during the political season, are
> there positives of profiling that could benefit the data subject and does
> this bill adequately balance both ends?

BO: Profiling is critical for the information economy especially in so far
as big data analytics is concerned. You need to Know Your Customer before
Investing. There is no problem with profiling provided consent is provided.
I think the bill is balanced in this respect.

> 3. the bill makes it mandatory to notify data subjects in case of
> breach. How will this change sectors such as banking where issues of data
> breaches are never discussed with customers or the public in order to
> protect the confidence of the industry?

BO: I don’t see this affecting the Industry very much. In the past, we had
all buried our heads in the sand. I am seeing cases in which local
companies are increasingly notifying their customers whenever they have
downtime and system challenges. Banks have started following suit and being
proactive. Users play a part in many Cyber Security Incidences and as such
they will need to be involved in any efforts geared towards addressing the
Cyber Security challenges faced by banks.

> 4. Finally, on the issue of sensitive personal data, which is subject
> to higher protection. Sensitive personal data includes a person’s race,
> health status, ethnic social origin, political opinion, belief, personal
> preferences, location, genetic data, biometrics, sex life or sexual
> orientation. What are the practical implications for existing data sets
> held by for instance the registrar of persons, universities, schools,
> insurance companies etc? Is the list proposed by the bill exhaustive? The
> Senate bill for example defines categories such as trade union membership
> as sensitive data.

BO: I find the term sensitive sensational. Broadly personal data should be
handled respectfully and within prescribed guidelines provided there is
consent from the owner or user. In the long term we need more awareness on
why personal data should be respected and less regulation around the same
otherwise the end result will be endless tension between the state and
citizens and vice versa considering the kind of litigious society we have
become. That said, I believe the list may not be exhaustive at this point.
Once the bill comes into effect, it might need some amendments.

>
> Welcome to the discussion. Please point out any issues in the bill that
> are either very good and should be retained or problematic and should be
> improved. Let us discuss.
>
>
>
> —
> Grace Mutung’u
> Skype: gracebomu
> @Bomu
> PGP ID : 0x33A3450F