Data Breaches Imperil Privacy

This article was originally published at page 21 of the Star Newspaper of September 20, 2018

We have recently witnessed data breaches that have led to the publication of private facts about many Kenyans. These private facts have been obtained from telephone conversation records , intrusion into individual digital photo libraries, and breach of public institution’s databases.

We also suffer a barrage of unsolicited messages from telemarketers, scammers and even cyber frauds.

Oped1

August 2018 was a peak month in media reports of Kenyans reporting an increase in phone scams. Kenyans were asked, via texts, to send their personal details and ended up having their SIM cards swapped and their mobile money accounts emptied. The Kenyan Directorate of Criminal Investigations (DCI) ended up arresting a total of 22 suspects, among them Safaricom employees and University students, in connection with the scam.

Now more than ever, there is a need for awareness among Kenyans regarding data rights. Personal data is any information relating to an identified or identifiable natural person. Some of the information includes: personal email addresses, tax records, immigration records, health records, police records, finger prints, bank records, consumer habits, and marriage status.

While Article 34 of the Constitution of Kenya, 2010 guarantees the right to privacy, Kenya lacks a legally binding comprehensive data protection framework. The country also retains laws which permit undue violation of privacy on citizen data.

The need for a comprehensive data protection framework cannot be opposed. Such a framework must of necessity guarantee at least seven key rights for all Kenyans as data subjects. A brief on each of the said rights suffices.

RIGHT TO ACCESS TO PERSONAL INFORMATION

Firstly, Kenyans have a right to know what personal data an organisation holds about them and be provided with a copy.

RIGHT TO BE INFORMED WHETHER PERSONAL DATA IS BEING PROCESSED

Secondly, Kenyans should be informed whenever anyone is processing their personal data, how long they will retain the data and and who it will be shared with.

RIGHT TO RESTRICT PROCESSING

Thirdly, Kenyans have a right to limit the way that an organisation uses their data and only allow for storage of the personal data but no other purpose.

RIGHT WITHDRAW CONSENT FROM PROCESSING

Fourthly, in instances where Kenyans had authorised the processing of their personal data and later change their minds; they can later revoke the permissions granted to the companies.

RIGHT TO OBJECT TO AUTOMATED DECISION MAKING AND PROFILING

Fifthly, Kenyans have a right to reject any attempt to allow only machines to make legally binding decisions over them based on profiling of their race, sex, pregnancy, marital status, health status, ethnic or social origin, colour, age, disability, religion, conscience, belief, culture, dress, language or birth.

RIGHT TO REDRESS AND EFFECTIVE REMEDY

Sixth, Kenyans should be able to complain a competent authority that is impartial and independent and seek remedy whenever their right to privacy has been infringed.

RIGHT TO RECTIFICATION

Seventh, Kenyans should be able to correct any inaccurate data about them by providing additional information to make the rectifications. An example is when the date on the birth certificate is different from the date in the Identification Card.

Personal data protection is an essential pre-requisite to the meaningful exercise of freedom of expression, as people are much more likely to express themselves openly in the knowledge that their communications are private and secure.

As many of us would not go to bed at night and leave the door unlocked, fearing that someone would come into the privacy of our homes and rob and harm us, or even just go through our belongings, we should exercise the same amount of caution with our personal information.

This article was originally published at page 21 of the Star Newspaper of September 20, 2018

By Ephraim Percy Kenyanito

Ephraim is a trained lawyer and an Associate of the Chartered Institute of Arbitrators with over eight years in the International Trade, Technology, Media and Telecommunications Law industry. Between 2014 and 2018 he served as the youngest advisor on Internet Governance to two UN Secretary Generals Ban Ki–moon and António Manuel de Oliveira Guterres. Additionally, since 2013 he has served as an Independent Expert to two ICANN Implementation Advisory Groups. Further, since 2012, Ephraim has executed international development projects with a diverse range of leading international institutions across 46 African Union member countries. Presently, Ephraim does research at the nexus of the Domain Name System and Business and Human Rights (BHR) with an international institution, ARTICLE 19. He is also a member of the GFCE Advisory Board, Digital Peace Now, European Commission GIPO advisory group among other board positions. He is also a full member of the International Association of Privacy Professionals (IAPP) and Pan African Lawyers Union (PALU). Ephraim is currently pursuing Postgraduate qualifications in Technology, Media and Telecommunications Law at Queen Mary University of London and holds an LLB (with Honours) where his thesis examined the Relationship Between Domain Names and Geographical Indications with a special focus on .wine and .vin applications.

Leave a Reply