Agency pledges action after complaints over political parties 'data breach'

Party membership

A number of Kenyans have discovered that they had been registered in various political parties without their consent.

Photo credit: File | Nation Media Group

What you need to know:

  • Kenyans have complained on social media about illegal access to their personal data, which saw some listed as members of political parties without their knowledge or consent.

Data Protection Commissioner Immaculate Kasait has promised to ensure sufficient security for personal data despite increased cases of unauthorised access.

Her statement on Friday came after Kenyans complained on social media about illegal access to their personal data, which saw some listed as members of political parties without their knowledge or consent.

Ms Kassait said her office wass engaging with data processors and controllers, including the Office of the Registrar of Political Parties (ORPP), on how best to ensure the data they store is protected from illegal access.

“This office has since held a meeting with ORPP to establish the status and resolved that the names of the complainants are to be deregistered by political parties," Ms Kassait said.

She noted that her office had by June 24 received over 200 complaints about the illegal enlisting.

The Political Parties Act provides that one can resign as a member of a political party at any time provided they write to the respective parties and send a copy to the parties’ registrar.

Other than irregular registration as members of political parties, there have been numerous complaints of people’s data being misused- forwarding to the Credit Reference Bureau (CRB) without their knowledge.

“The ODPC calls for patience from those aggrieved and assures the public that the office is taking steps to ensure the rights of data subjects are respected and protected,” said Ms Kassait.

Little progress

On November 16, 2020, Ms Kassait, former director of voter registration and election operations at the Independent Electoral and Boundaries Commission (IEBC), was appointed the country’s inaugural Data Protection Commissioner (ODPC).

Her office is the creation of the Data Protection Act that came into force on November 8, 2019. The appointment set the stage for the securitisation of the country’s data against unauthorised access.

However, almost a year down the line, little has been achieved by the office, with Kenyans demanding more.

In checking data misuse, the Act gives the ODPC powers to maintain a register of data controllers and regulate the processing of data, which includes health, biometric and personal data.

Under the Data Protection Act, data processors and controllers, whose data activities fall under the ODPC include National Registration Bureau (NRB), Hospitals, National Hospital Insurance Fund (NHIF), Banks, Telcos, IEBC, ORPP and the National Social Security Fund (NSSF).

It is highly likely that the intruders may have used data stored by controllers to illegally enlist Kenyans as members of the political parties or that they have their details sent to the Credit Reference Bureau (CRB).

The ORPP is also both a data controller and a data processor.

It is a data controller in the sense that it has the custody of the political parties’ membership register of about 16 million, and a processor, because it uses the membership register in the party elections.

The law further categorises information held by data controllers as personal data.

No data centres

But even as this happens, the delay in enacting regulations to implement the law could be the reason personal data remains exposed to unauthorized access.

Although the ICT Cabinet Secretary Joe Mucheru has published the draft Data Protection (General) Regulations 2021, the critical data infrastructure regulations are yet to be published.

The Data Protection (General) Regulations will help in the securitisation of the data in the country from unauthorised access.

Nominated MP Godfrey Osotsi, an IT expert, says prioritisation of the critical data infrastructure regulations is necessary to govern the setting up of data centres where the country’s data is to be held.

“So far this has not happened,” said Mr Osotsi. “I wonder how data that is not housed will be protected.”

With the 2022 General Election 13 months away, how the ODPC manages to ensure that the voters register is secure from illegal access remains a challenge.

During previous elections, Kenyans have complained of being denied the right to vote because their names have been irregularly expunged from the voter register despite having registered as voters.

The Elections Act stipulates that there shall be a voter register in each polling station, where the voters’ details must reflect before voting is allowed.