2022-04-10

Data protection has been brought into sharp focus following the developments of the past week. The law is both a shield and a sword, and data laws are no exception. Data protection is about securing personal information against unauthorised or unlawful access. Data privacy is about who has authorised that access.

Recent announcements of the re-registration of SIM cards and of registration for use of the Nairobi Expressway expose the careless reception and application of our data protection laws. They pose a challenge to do more to enlighten the public, but are also a thumbs-up to the people who understand the spirit and the letter of data protection and privacy laws. The law sets out guidelines for the processing of personal data that any data controller must follow to keep the process lawful.

Personal data must be collected in accordance with Section 30 of the Data Protection Act 2019, on one of the following lawful bases: contractual purposes; public interest; compliance with a legal obligation; legitimate interest; protection of vital interests; and historical, statistical, journalistic, literary, artistic or scientific research.

Must give consent

A data subject must give consent to all data processing procedures relating to him or her by a statement or clear affirmative action that signifies agreement to the process. The subject must be told, for instance, the lawful purpose for which the personal data is collected, how consent can be given and withdrawn, how long you intend to keep the data, the mechanisms available to destroy it once it is no longer required or has served its purpose, and where the data will be stored.

Kenyans have too much explicit private data in several hands out there, which is dangerous and compromises the efficacy of data protection laws. Data processing is turning a new leaf with the 2019 Act and Data Protection Regulations (2021).

Privacy by design requires organisations to build data protection considerations into their data processing operations rather than treating them as last-minute compliance issues. The principles include, first, privacy as the default setting, meaning that the strictest privacy settings should apply without any manual input from the end user.

Security

Secondly, privacy is embedded into design by limiting the data you need to collect, process and store, which reduces the risk of a data breach and limits its impact. Thirdly, positive sum, not zero sum: both security and privacy are equally significant, and unnecessary trade-offs between them should be avoided.

Fourth, end-to-end security: protect privacy continuously throughout the data life cycle, up to and including deletion. Fifth, visibility and transparency: independent verification of internal compliance processes should be possible. Lastly, respect user privacy: give customers opportunities to opt out.
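To make the consent requirements above and the privacy-by-design principles concrete, here is an added illustration (not from the article or any named system) of how a data controller's record store could enforce them in code: consent carries a stated purpose and retention period and can be withdrawn; only the fields a purpose actually needs are kept (minimisation); optional uses are off by default; and records are deleted when consent is withdrawn or expires. The purposes, their required fields and the sample records are constructed assumptions for the example.

```python
"""Privacy-by-design record store (added example; purposes and fields are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed assumption: the minimum fields each lawful purpose needs.
# Anything submitted beyond these is discarded at collection time.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "sim_registration": {"full_name", "id_number", "msisdn"},
    "expressway_billing": {"plate_number", "payment_token"},
}


@dataclass
class PrivacySettings:
    """Privacy as the default: every optional use is off until the subject opts in."""
    share_with_partners: bool = False
    marketing: bool = False
    analytics: bool = False


@dataclass
class Consent:
    """A subject's consent for one purpose, with a retention limit and withdrawal."""
    subject_id: str
    purpose: str
    granted_at: datetime
    retention: timedelta
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.granted_at + self.retention

    def is_valid(self, now: datetime) -> bool:
        return self.withdrawn_at is None and now < self.expires_at()


class RecordStore:
    """Holds personal data only under valid consent and only the fields a purpose needs."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], dict] = {}
        self._consents: Dict[Tuple[str, str], Consent] = {}
        self._settings: Dict[str, PrivacySettings] = {}

    def collect(self, consent: Consent, submitted: dict, now: datetime) -> Set[str]:
        """Store a minimised record; return the submitted fields that were discarded."""
        if consent.purpose not in PURPOSE_FIELDS:
            raise ValueError(f"no lawful purpose defined: {consent.purpose!r}")
        if not consent.is_valid(now):
            raise PermissionError("cannot collect without current consent")
        allowed = PURPOSE_FIELDS[consent.purpose]
        kept = {k: v for k, v in submitted.items() if k in allowed}
        missing = allowed - kept.keys()
        if missing:
            raise ValueError(f"purpose {consent.purpose!r} requires {sorted(missing)}")
        key = (consent.subject_id, consent.purpose)
        self._records[key] = kept
        self._consents[key] = consent
        self._settings.setdefault(consent.subject_id, PrivacySettings())
        return set(submitted) - allowed

    def get(self, subject_id: str, purpose: str, now: datetime) -> Optional[dict]:
        """Return the record only while consent for that purpose is still valid."""
        key = (subject_id, purpose)
        consent = self._consents.get(key)
        if consent is None or not consent.is_valid(now):
            return None
        return dict(self._records[key])

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Withdrawing consent deletes the data held under it immediately."""
        key = (subject_id, purpose)
        consent = self._consents.get(key)
        if consent is None:
            return False
        consent.withdrawn_at = now
        self._records.pop(key, None)
        return True

    def purge_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """End-of-life step: delete every record whose consent has expired or been withdrawn."""
        expired = [k for k, c in self._consents.items() if not c.is_valid(now)]
        for key in expired:
            self._records.pop(key, None)
            self._consents.pop(key, None)
        return expired

    def settings(self, subject_id: str) -> PrivacySettings:
        return self._settings.setdefault(subject_id, PrivacySettings())


if __name__ == "__main__":
    now = datetime(2022, 4, 10, tzinfo=timezone.utc)
    store = RecordStore()
    consent = Consent("subject-1", "sim_registration", now, timedelta(days=365))
    # Constructed submission that over-shares: the extra fields are dropped, not stored.
    dropped = store.collect(consent, {"full_name": "A. Subject", "id_number": "00000000",
                                      "msisdn": "+254700000000", "religion": "x",
                                      "email": "a@example.invalid"}, now)
    print("discarded at collection:", sorted(dropped))
    print("purged after retention:", store.purge_expired(now + timedelta(days=366)))
```

The controller never has to remember to strip fields, flip defaults or schedule deletion case by case: minimisation happens at the point of collection, the privacy settings object starts with every optional use disabled, and `purge_expired` is the routine a scheduler would call to honour the retention period the subject was told about.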

Kenyans have a watchdog in the Data Protection Commissioner, who rebalances the scales against the power over personal data that data controllers have hitherto monopolised. The right to privacy is constitutional. Data laws must be adhered to.