Data minimisation principles – government should lead by example
Kenyans line up to register as voters at Huduma Centre in Mombasa on February 13, 2017.
What you need to know:
- Data minimisation principle anticipates that whoever is collecting personal data, must ensure that the data they are collecting and processing is only adequate for the purpose stated.
- Collecting more information that is needed puts at risk the person whose personal data is collected, though most Kenyans easily disregard the potential of danger.
- There is a massive need to do capacity building across the whole public sector to bring employee practices and behaviors up to standard with the expectations of the law.
One of the most misunderstood data protection principles is known as the Data Minimisation Principle.
Section 25 (d) of the Kenya Data Protection Act (2019) puts it more precisely as follows:
Every data controller or data processor shall ensure that personal data is — adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
In other words, the data minimisation principle anticipates that whoever is collecting personal data, whether they are in the private or public sector, must ensure that the data they are processing complies with the following three-part test.
The three-part test looks at the following three parameters that must be met in order to be compliant with the data principle. This test expects that the data collected is:
- Adequate – it is sufficient to properly fulfill the stated purpose for data collection;
- Relevant – it has a rational link to that purpose; and that it is
- Limited to what is necessary, i.e. the data collector should not hold more data than what they need for the stated purpose.
To understand this basic principle, we can consider the process that young Kenyans undergo in order to acquire that coveted national ID card when they get of age.
Whereas the basic documents like parents’ national ID cards and applicant’s birth certificate are adequate for the purpose, you will find that some application centers also demand documents in violation of the relevance and limitation parameters. They may ask that the applicant brings the parents’ pay slips, log book or even water bill – items that are clearly not relevant to the purpose of issuing a national ID card to the applicant.
The data on the parents pay slip or water bill is way beyond what is needed to issue an ID card and is therefore extra data and violates the ‘limitation’ parameter.
Extra information
Most Kenyans would oblige to these violations of their privacy since they do not know or appreciate the abuse that accrues once the data collector has in possession extra information that was not prescribed or anticipated.
One obvious abuse of your pay slip data is to estimate the amount of bribe to demand from you to facilitate or hasten the process.
Another way one can abuse your water bill data is simply to be in possession of your geo-location in terms of where you live. Of course some Kenyans may claim even Uber and Safaricom knows where you live so it should not be a big deal.
However, it is a big deal because Uber and Safaricom may follow strict regulations on how that personal data is shared or accessed while that guy at the Chief’s camp may not operate under similar best practices – especially with the illegally acquired extra data.
The more limited the personal data he collects from you, the safer it is in terms of minimising the possibilities of abuse.
It’s almost a year since the Data Protection Act was assented to by the president and yet some government entities continue to operate is a free-style manner when it comes to data privacy.
There is a massive need to do capacity building across the whole public sector to bring employee practices and behaviors up to standard with the expectations of the Data Protection Act.
