Day 6: Policy and Regulatory Framework on Privacy and Data Protection- Institutional Framework
Thank you Liz for the comparison with access to information, which was
initially meant to twin with data protection. Your concerns on funding and
sustaining the office of the DPC are not far fetched. We have also noted
your contribution on transition to the data protection regime and enhancing
the independence of the office by separating it from control of the
executive.
Il giorno gio 30 ago 2018 alle ore 13:29 Liz Orembo <[email protected]>
ha scritto:
> Grace,
>
> Considering that commissions like the Judiciary and the KNHRC are getting
> very little allocations (and the rumors that *sirkal* is broke), DPC will
> mostly rely on license fees from data processors. Perhaps we should ask if
> that\’s enough to sustain the office and to discharge all the duties
> outlined in this policy. How many data processing entities are we going
> to license? And at what reasonable fee?
>
> I’m still trying to figure out DPCs level of independence given that the
> commissioners are appointed from the ministry. Can it independently handle
> data protection issues between citizens and other state agencies? and who
> should give exemptions?
> Lastly, to avoid the challenges experienced with the ATI, the policy
> should give guidelines on the initial works of the DPP in promoting the
> policy. And how long is the transition period?
>
> My quick thoughts.
>
> On Wed, Aug 29, 2018 at 10:22 PM Grace Bomu via kictanet <
> [email protected]> wrote:
>
>> Listers,
>> I would have hoped for more views on this topic as it is one of the key
>> differences between this draft bill and the Senate data protection bill.
>> Should there be a harmonisation of the two bills, your input on how the
>> data protection regime will be enforced will be useful for the nation.
>> I therefore really hope that we find time to consider this matter and
>> give our views.
>>
>> Tomorrow we shall look at issues we missed out while going through the
>> draft, key among them being exemptions from certain provisions of the law.
>>
>> Goodnight,
>>
>>
>> Il mercoledì 29 agosto 2018, kanini mutemi <[email protected]> ha
>> scritto:
>>
>>> Good morning Grace,
>>>
>>> I don’t think the Office of the DPC is set up to be an independent
>>> office. That the DPC will be appointed by the CS is comparable to the
>>> elusive ‘independence of the Communication Authority’. The obvious concern
>>> is that this will water down the DPC’s watchdog powers when it comes to
>>> regulating the government as a controller and processor. The best the
>>> Office will be able to do is make recommendations to other government
>>> offices to comply with the Act.
>>>
>>> Setting up a new body may also be a problem in the case of data
>>> protection. For context purposes, Acts that were passed in 2016 are just
>>> now being fully operationalised. Anything that requires the setting up of
>>> yet another government office has grave budgetary implications and
>>> unfortunately the restructuring takes quite some time. A legal framework on
>>> data protection is urgent- we don’t have the luxury of time.
>>>
>>> Good discussion!
>>>
>>> On 29 Aug 2018, at 08:20, Grace Bomu via kictanet <
>>> [email protected]> wrote:
>>>
>>> Good morning listers,
>>> The office of the data protection commissioner (DPC) is established as a
>>> state office and is expected to be independent. The DPC will however be
>>> appointed by the Cabinet Secretary, ICT. To qualify for the office, one
>>> needs to have extensive knowledge in data science, law, IT and related
>>> fields and meet requirements on leadership and integrity(Chapter six of the
>>> Katiba)
>>> The functions of the DPC include: oversight and enforcement of the Act;
>>> registration of data processors and controllers; control over data
>>> processing activities; promotion of self regulation of actors;
>>> investigation of complaints; creation of awareness on the Act; ensure
>>> compliance with international obligations; research and related functions
>>> from other laws.
>>>
>>> Powers of the DPC include: investigations; obtain professional
>>> assistance if need be; facilitate alternative dispute resolution; issue
>>> witness summons; request for information from persons governed by the bill.
>>> Further, the DPC may request for data audits (clause 20); appointment of
>>> guardian for child online services (clause 29)
>>>
>>> Apart from the usual sources of funds (allocation by Parliament,
>>> donations, grants etc) the bill also states that the office of DPC may be
>>> funded by funds accrued in performance of its functions.
>>>
>>> Some public fears on creation of yet another public body are based on
>>> concerns about funding the body, an expectation that registration will mean
>>> paying for licences and that there is not sufficient capacity in the
>>> country to oversee data protection. The bill however only proposes that DPC
>>> issues certificates and does not mention registration fees.
>>>
>>> To guide our discussion today, questions include:
>>>
>>> 1. Are the functions and powers of the DPC adequate to implement the
>>> law? Are there any overboard provisions?
>>> 2. Considering that the government is a major data processor and
>>> controller, is the office of the DPC as structured in the bill sufficiently
>>> independent?
>>>
>>>
>>> As usual, please point out any good or problematic clauses.
>>> Welcome to the discussion
>>>
>>>
>>>
>>>
>>>
>>> —
>>> Grace Mutung\’u
>>> Skype: gracebomu
>>> @Bomu
>>> PGP ID : 0x33A3450F
>>>
>>>
>>>
>>> —
>>> Grace Mutung\’u
>>> Skype: gracebomu
>>> @Bomu
>>> PGP ID : 0x33A3450F
>>>
>>>
>>> _______________________________________________
>>> kictanet mailing list
>>> [email protected]
>>> lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: www.facebook.com/KICTANet/
>>> Domain Registration sponsored by www.eacdirectory.co.ke
>>>
>>> Unsubscribe or change your options at
>>> lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com
>>>
>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>>> for people and institutions interested and involved in ICT policy and
>>> regulation. The network aims to act as a catalyst for reform in the ICT
>>> sector in support of the national aim of ICT enabled growth and development.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people\’s times and bandwidth,
>>> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>>
>>>
>>
>> —
>> Grace Mutung\’u
>> Skype: gracebomu
>> @Bomu
>> PGP ID : 0x33A3450F
>>
>>
>> _______________________________________________
>> kictanet mailing list
>> [email protected]
>> lists.kictanet.or.ke/mailman/listinfo/kictanet
>> Twitter: http://twitter.com/kictanet
>> Facebook: www.facebook.com/KICTANet/
>> Domain Registration sponsored by www.eacdirectory.co.ke
>>
>> Unsubscribe or change your options at
>> lists.kictanet.or.ke/mailman/options/kictanet/lizorembo%40gmail.com
>>
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and development.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people\’s times and bandwidth,
>> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>
>
>