State deploys digital forensics in pursuit of data leakers  

Digital forensics

The Office of Data Protection Commissioner is set to acquire a package of digital forensics tools that will help it convict abusers of personal data.

Photo credit: Pool I Nation Media Group

The Office of Data Protection Commissioner (ODPC) is set to acquire a package of digital forensics tools that will help it convict more abusers of personal data as digital evidence proliferates.

“The Office of the Data Protection Commissioner (ODPC) would like to acquire a forensic tower, and a digital forensics software to aid in access, acquisition, analysis, investigations, and preservation of data with regards to personal data protection mandate,” it said.

“The solution will be used by the directorate of complaints, investigations, and enforcement to efficiently perform digital investigations related to personal data breaches” it added.

Commercial banks, technology companies like Safaricom, Airtel, and Telkom Kenya, media groups, retailers, hospitals, and hotels are among those targeted due to the vast amounts of customer information they hold.

Bars, restaurants, schools, law firms, property managers, real estate agencies, and betting companies are also among entities in risky sectors that are monitored for breaches.

Sharing or offering for sale personal information is now criminal and could land those responsible for their safe storage jail terms of up to six months or fines of up to Sh5 million.

Kenyans have in the past complained about the illegal sharing of personal information and invasion of privacy by marketing firms and some companies promoting products and services, which also see private security companies collecting data at premises' entrances also register.

Commonly stored data by businesses include ID numbers, phone numbers, employee records, customer details and transactions.

The purge on leakage of such data is meant to prevent the information from being used for fraud, phishing scams, and identity theft or defamation.

The Data Protection Regulations, 2021, which were gazetted in January 2022, require mandatory registration of data controllers and data processors including entities collecting and storing data.

The regulations target all public and private entities that deal with personal data including non-governmental organisations (NGOs) and churches.

Initially, organisations with an annual turnover of less than Sh5 million or less than 10 employees had been exempted from registration.