By Mercy King’ori**

The era of digitisation has ushered in the development of many new technologies that have improved the way in which business is undertaken. One such improvement is in the area of data. Data-driven companies are likely to be the most competitive in this current era. This has attracted efforts from the government and private sector in collecting and sharing data from various sectors. There is a lot of personally identifiable information that is collected and archived in data stores; all of which is taking place in a regulatory environment devoid of a national data protection law.

Big data is defined as the voluminous, high velocity and different variety of information requiring specific technology and analytical methods for it to be transformed into value. The advantage of big data in the business world cannot be overemphasized with its importance ranging from cutting operating costs such as storage to determining how products should be tailored for advertising. Creating value out of these disparate data sets has been made possible using powerful data analytics tools such as Hadoop.

One particular way in which big data continues to be useful is in the Kenyan financial sector through Alternative Credit Scoring Models. One of the key drivers of economic change in Kenya is Small Medium Enterprises but one challenge these SMEs all face is access to financing. In response, there has been an increase in micro finance lending institutions which, unlike the brick-and-mortal banking sector, do not need collateral rather use different data points to assess one’s credit-worthiness. One such company is Tala which establishes a user’s financial identity by gathering 10,000 data points in a few seconds. As a result, information other than previous credit history is used to assess credit-worthiness.

Kenyans generate data from limited sources the most common one being their mobile phones and social media activity; noting that publicly available data is not detailed enough to assist in making decisions such as eligibility for a loan. These other data points may include mobile money payments and exam scores.  Branch, a digital lender uses an individual’s GPS data, SMS, call log data and contact list to determine ones loan size. While all these may be a noble attempt at ensuring that persons not previously eligible for loans receive credit to enhance their daily lives it does so in the face of numerous data privacy concerns.

The question of how data is sourced, stored and shared remains unclear to borrowers. This concern is further aggravated by the lack of a national law and regulations on data protection. Undoubtedly, there exist industry specific regulations on dealing with data however, a stand-alone piece of data protection legislation is necessary since industry specific regulations such as those applicable to Interswitch which is PCI-DSS compliant are tailored based on international requirements. This is not to mean that the Kenyan government has not made efforts at developing a national data protection law. The rise of big data has seen the government intervene in an attempt to offer protection to Kenyans with regards to how their data is used. Aside from the Kenya Information and Communication Act which has provisions on data protection, a draft Data Protection Bill is in the pipeline.

The draft bill has important provisions which will protect the data generated by Kenyans. One such provision is on data processing which relinquishes power to data subjects by requiring their consent in order to process their information. The Bill further provides for the adherence to the principles on data protection. It will be interesting to see how it all plays out given that some data controllers have terms and conditions that cause a data subject relinquish his/her right to consent. The Bill also deals with the commercial use by requiring that a person obtains express consent from the data subject before such data is commercialised. Data controllers have found a way to circumvent this provision even before enactment of the law through the already set terms and conditions that a user has to accept before using a product. Of course, an argument that organisations should be tasked with the duty of securing personal data through secure mechanisms in their databases may be raised but this duty cannot be wholly delegated to organisations to self-regulate. A more inclusive approach involving the government through its legislative arm would create more certainty in enhancing the right to data privacy.

The absence of consent has led to the usage of data in Kenya for a multitude of purposes even unrelated to those for which the data was provided. By giving people the opportunity to give consent and control how their data is used, the right to privacy is enhanced. Power to the data subjects will ensure that data ethics are maintained as we await a comprehensive piece of legislation. Concerted efforts from the various stakeholders; government bodies and private bodies need to ensure that the laws to be enacted are comprehensive. With the issues of privacy and consent not well addressed, Big Data is sure to cause Big Problems!

**Mercy King’ori is a Bachelor of Laws student at Strathmore University.