[kictanet] Day 4: Policy and Regulatory Framework on Privacy and Data Protection- Data Controllers and Processors

Grace Bomu nmutungu at gmail.com
Mon Aug 27 08:30:58 EAT 2018


Good morning listers!
Welcome to data protection bill/policy discussions. Last week, we went
through the principles of data protection and rights of data subjects. We
covered the right to privacy in its different forms including the right to
be forgotten and consent.
Today, we shift gears a bit and consider the issue of data protection from
the point of the *processor and controller*. The bill defines a controller
as one who designs data processing and the processor as one who collects,
stores, retrieves, discloses, erases etc. on behalf of a controller.

General obligations for controllers and processors are listed in part IV
and they include upholding the principles of data protection, protecting
the rights of the data subject, duty to notify the subject about processing
and breaches, acquisition of consent and security safeguards as regards
personal data. It would be interesting to hear from data controllers and
processors, views on:

   1.  restrictions on processing personal data (clause 30) where
   processors may not process data objected to by the data subject or which has
   legal claims. What are the practical implications of restrictions? For
   example, if one company or government agency received a large number of
   objections in one period?
   2.  the protection of data subjects from profiling (clause 31). While we
   have seen negative effects of profiling during the political season, are
   there positives of profiling that could benefit the data subject and does
   this bill adequately balance both ends?
   3.  the bill makes it mandatory to notify data subjects in case of
   breach. How will this change sectors such as banking where issues of data
   breaches are never discussed with customers or the public in order to
   protect the confidence of the industry?
   4.  Finally, on the issue of sensitive personal data, which is subject
   to higher protection. Sensitive personal data includes a person’s race,
   health status, ethnic social origin, political opinion, belief, personal
   preferences, location, genetic data, biometrics, sex life or sexual
   orientation. What are the practical implications for existing data sets
   held by for instance the registrar of persons, universities, schools,
   insurance companies etc? Is the list proposed by the bill exhaustive? The
   Senate bill for example defines categories such as trade union membership
   as sensitive data.


Welcome to the discussion. Please point out any issues in the bill that are
either very good and should be retained or problematic and should be
improved. Let us discuss.



-- 
Grace Mutung'u
Skype: gracebomu
@Bomu
PGP ID : 0x33A3450F