By Florence A. Ogonjo
The Government of Kenya through the Ministry of Information Technology recently published draft regulations, the Data Protection (Civil Registrations) Regulations 2020 and called for a public participation hearing on 27th February 2020 at KICC, welcoming oral submissions and comments to the draft regulations.
The regulations are divided into six parts covering respectively; Preliminary, Data Protection Principles, Rights of the data subject, Obligations of the civil registration entity, Security Safeguards, and Miscellaneous provisions.
CIPIT took part in the public hearing sessions and took note of debates arising from the process as discussed below. Data Protection Principles
Ensuring that legal frameworks on data protection meet the objective of protecting the collection, processing, and storage of personal data requires that the frameworks are structured to adhere to the principles of data protection. The regulation has focused on two principles – consent and security safeguards, inadequately addressing other core principles on purpose limitation, storage limitation, adequacy, and data transfer.
In order to avoid abuse, there is need for clarity on all the principles. The principles give effect to the rights of a data subject. Abiding by these principles not only guarantees the right to privacy but also legally justifies the processing of personal data in a manner that respects the rule of law.
Processing of Personal Data relating to children.
Children are less aware of the risk involved in the processing of their personal data and therefore merit specific protection when their data is collected and used. Consideration must be given to clarity on privacy notices, reliance on direct consent of a child, the competence of the child in understanding what they are agreeing to, identification of risks and consequences of the processing and the implementation of age-appropriate safeguards.
The regulations fail to capture guidelines strengthening sec 33 of the Data Protection Act 2019 (DPA), especially on consent. Consent forms the legal basis for the collection and processing of personal data and must be clearly elaborated to avoid wide and incorrect interpretation.
Operationalization of the office of the Data Protection Commissioner
Section 5 of the DPA establishes the office of the Data Protection Commissioner (DPC) with the core function of implementation and enforcement of the Act The office of the DPC is vital in giving meaningful effect to the privacy principles set out under section 25 of the DPA and the fundamental right to privacy as provided for under Article 31 of the constitution of Kenya. The office is also key in giving effect to the regulations governing the processing of personal data.
The regulations preceded the operationalization of the office of the DPC, an act that should be to be remedied as some clauses of the regulation can only have effect through the office of the DPC. Regulation 6 on consent, regulation 21 on sharing of personal information with public agencies and regulation 27 on monitoring by Data Commissioner but to highlight a few rely on the presence of a DPC to enforce implementation.
The absence of the office of the DPC undermines the right to privacy and should be remedied before the regulations have effect to ensure accountability through oversight of the civil registries in the implementation of the data protection laws.
Part V of the regulation provides technical clauses that address security safeguards for the database and database systems. Privacy by design is a concept that has been adopted through the regulation. Securing personal data requires more than the technical, personnel and procedural safeguards, it requires the continuous assessment of risk and decisive ways to minimize and mitigate arising risks.
Reasonable safeguards should be put in place to protect personal data from loss, unauthorized access, destruction, use, modification or disclosure. Security of personal data processed by civil registries must, therefore, be handled with the complexity which it presents in upholding the right to privacy, the mechanisms adopted should further be contemplated under cybersecurity mechanisms under the cybersecurity strategy
Establishment of substantive issues through regulatory frameworks.
A regulation is a subsidiary legislation providing guidelines on how the provisions of the constitutive Act are applied. This is further clarified through the interpretation of a statutory instrument under the Statutory Instruments Act 2013. A statutory instrument is defined to mean, rule, order, regulation, direction, form, tariff of costs or fees, letters patent, commission, warrant, proclamation, by-law, resolution, guideline or other statutory instrument issued, made or established in the execution of a power conferred by or under an Act of Parliament under which that statutory instrument or subsidiary legislation is expressly authorized to be issued.
The regulation is an instrument structured to further clarify substantive issues raised in the act and therefore cannot be used to introduce new core principles. The data regulations introduce new laws that ought to have been effected through the DPA. Regulation 8 (2) for instance on the collection of personal data introduces the use of previously collected data for a new purpose other than which was initially intended.
Regulation 17 on retention of data provides for the storage of data in perpetuity, this provision undermines the principle of limitation and should have been adequately provided for in the act with the regulations giving further guidelines and clarification.
Data retention in perpetuity infringes on the right of an individual and failure to limit the period for which the data is stored increases security risks and raises concerns on the use of the data for a new purpose as contemplated in regulation 8(2) merely because it is available. This could potentially lead to poor decision-making processes which could have server implications.
Where the drafters contemplate introducing core issues through a regulatory framework, they are required to table the framework before the national assembly by virtue of section 3 and 14 of the Statutory instruments Act 2013 for purposes of ensuring that the overall regime is in accordance with the constitution and that the subsidiary legislation does not violate the statute.
The draft regulation is a only one step towards establishing a legal framework in addressing data protection but would not be meaningful without operationalisation of the office of the Data Protection Commissioner. Furthermore, the regulations can only cure aspects of data protection. There were other issues raised in the NIIMS judgment regarding that require addressing in order for the country to have an adequate and comprehensive digital ID. These include all privacy principles, protection of children as well as addressing issues of exclusion and potential exclusion of citizens without primary identification documents or biometrics.