[kictanet] Policy and Regulatory Framework on Privacy and Data Protection (Draft)

Mwanah Cephas Okoth omwanaj at gmail.com
Sat Aug 11 12:15:48 EAT 2018 

Great notes. Under consideration.

On Sat, Aug 11, 2018 at 1:26 AM, Michael Pedersen via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Hi Listers,
>
> Have just finished the first read-through of this document, here are my
> initial thoughts/questions/concerns (in no particular order)
>
> *Registration fee*
> I am concerned that the registration-fee might be prohibitive for many
> startup ICT businesses - especially since this is not just a cost that is
> meant to cover the actual cost of processing the application, but is
> intended to cover the entire cost of the office of the data protection
> regulator (as mentioned in section 12.2).
>
> This may lead to a situation where many/most startups either stay
> non-compliant with the law (in which case - then whats the point?), or they
> may be unable to launch new innovation due to compliance-costs.
>
>
> *Reporting frequency*
> As mentioned in section 11.4 the data protection officer needs to make
> regular compliance reports to "the office" but I could not find any mention
> of what "regular" means - is it once a year, once a month or ... It could
> be a rather significant administrative burden (especially for a SME) so
> that there are no quantification of "regular" worries me quite a bit.
>
>
> *Compliance levels*
> The way I see it a very high percentage of ICT startups would be subject
> to this law, but I fear that very few will have the capacity to actually
> become (and remain) compliant on this matter.
> If compliance levels remain low then few consumers/end-users/customers
> will be requesting compliant vendors or even aware of their rights
> according to this law a negative circle will be created where no-one expect
> compliance and hence no-one will offer it.
>
>
> *No Breach notification incentive*
> 8.2.6 and section 38.1 states that data controllers are obligated to
> notify on breaches - this is good and probably the most important element
> in my mind - accidents will happen but they key thing is that affected
> people gets notified (and of-course that measures are taken to prevent it
> happening again).
> However section 70.1+2 tells us that a data-controller who "looses" data
> will be committing an offense and subject to a fine of (max) 10million kes.
>
> This sounds to me like there are absolutely NO incentive to report a
> breach - in fact it kinda encourages data controllers to keep VERY quiet
> about breaches and hope that no-one notices.
> Would it not be smart to make so that if the breach was reported to "the
> office" prior to "the office" receiving any complaints then any subsequent
> fine/penalty would be discounted i.e. 50% - but it would be 100% if no
> reporting had happened...
>
> I just fear that the main point of the exercise - to ensure that people
> actually are aware if their data is "lost" and give them the ability to
> react before someone exploits their data.
>
>
> *Training / capacity*
> I wonder what kind of training program would be available for all the
> newly designated data protection officers.
> How are we going to ensure that they get up to speed with this (new)
> legislation fast (?)
>
>
> *Scope*
> Initially I thought that effectively every company in Kenya would have to
> register (and pay registration fee) - as everyone would have private data
> on their employees in some kind of "system" / HR-file. Although my gut
> kinda told me that it is not the intention.
>
> However section 56(a) sounds like it would exclude data obtained in
> relation to employment - Anyone else who have reached the same conclusion
> on this ?
>
>
> *Our own house*
> Looking internally I am actually in doubt if our company would need to
> register or not.
> Our company builds and runs HR/Payroll management systems - and the system
> does hold private data, because... that is kinda what the system does ;-)
> The reason that I am in doubt is when I read section 49(1)(c) where it
> explicitly exempts data related to assessment of taxes - and this is
> exactly what our system(s) does, so depending on how I read that we could
> be exempt (?) - but somehow I get the feeling that 49(1)(c) is intended
> specifically for government-bodies (read KRA) not private entities.. So am
> a little confused.
>
>
> *Security by design*
> Section 5.3.4 dictates that systems should incorporate "security by
> design", which is an absolutely great way to approach developing such
> systems.
> However from what I have seen being developed while interacting with
> various SME's and startups "security by design" is not a principle that
> very many apply, or even have on their "radar".
> To make things worse unless you do a very close evaluation of the actual
> systems and HOW they are developed it can be really hard to determine if
> they utilize "security by design"...
> All in all this sounds kinda like wishful thinking - If it's meant as a
> way of creating awareness of "security by design" then great - but can't
> really see it as a condition.
>
>
> Kind regards
> Michael Pedersen
>
>
>
>
> On 10/08/2018 21:51, Grace Githaiga via kictanet wrote:
>
> Dear Listers
>
> Please find the *Policy and Regulatory Framework on Privacy and Data
> Protection *here:
> https://www.kictanet.or.ke/?wpdmpro=policy-and-regulatory-
> framework-on-privacy-and-data-protection
>
> This is a consolidated document containing the draft policy and law, as
> drafted by the Task Force on Data Protection, which was constituted by the
> Cabinet Secretary, Ministry of ICT in May.
>
> The Task Force is requesting for comments from the public, which should be
> submitted by September 12, 2018.
>
> Please feel free to share the document with your networks.
>
> Best regards
>
>
> Githaiga, Grace
>
>
> Co-Convenor
> Kenya ICT Action Network (KICTANet)
> Twitter:@ggithaiga
> Tel: 254722701495
> Skype: gracegithaiga
> Alternate email: ggithaiga at hotmail.com
> Linkedin: https://www.linkedin.com/in/gracegithaiga
> www.kictanet.or.ke
>
> "Change only happens when ordinary people get involved, get engaged and
> come together to demand it. I am asking you to believe. Not in my ability
> to bring about change – but in yours"---Barrack Obama.
>
>
>
> _______________________________________________
> kictanet mailing listkictanet at lists.kictanet.or.kehttps://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
> Domain Registration sponsored by www.eacdirectory.co.ke
>
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/michael%40pluspeople.dk
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
>
>
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
> Domain Registration sponsored by www.eacdirectory.co.ke
>
> Unsubscribe or change your options at https://lists.kictanet.or.ke/
> mailman/options/kictanet/omwanaj%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
>


-- 



Okoth C. J
Team Leader.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20180811/999480fd/attachment.htm>

More information about the KICTANet mailing list