Humphrey Odhiambo, Head of Partnerships & Content, usually champions the transformation of this industry going forward. With that head start, he shoots the opening question at Nyimbi Odero, the first jury member on this virtual panel. In the context that we’ve been fighting battles to ensure we are immersed in privacy, we also simultaneously leave a long trace of footprints all over, when we travel or move from place to place and have no qualms about exposing our locations. “…when I go to Mombasa I post about it, when I go to Nyandarua, I post about it, it typically doesn’t show that I am very private, so are these traces overrating the elements of privacy?” Humphrey inquires.
“Privacy is context-dependent,” Nyimbi answers, “…there are multiples of privacy, I would argue, there is privacy between one individual and another, one individual and a group and between groups”. As an individual, “you periodically trade privacy for services,” he continues. Which is quite true in that, at a hospital, you give private information and extremely personal details in the hope and expectation that it stays within the confidential confines of doctor and patient. On the other hand, “there is a dynamic tension between service delivery and individual privacy”. You want to keep your information private to guard yourself and reduce any unwarranted interference in your life. How that happens usually varies.
“For instance, in my firm we have about 5000 people globally and I’ve got to track that people are putting in their work hours. We have resorted to a very old scheme, like a timer in a cyber café that tracks how long you’ve been online, we use the same method, that takes your photo, counts your key strokes and takes screenshots to ensure that you’re doing your hours as well as also counting them,” he explains.
In this case, you are actively trading privacy because it is necessary. But it isn’t exactly the same case as with a doctor or lawyer, to whom you wouldn’t want to put your utmost private information, out to the public. Well, privacy is important but there are multiple cases whereby you have to relinquish your private information to be able to make use of a service. “Although, the key idea is you need to have individual personal control over when how private your information, to whom and how it is used, and for what purpose,” he continues on. Your personal data is a valuable asset that you trade for services and goods.
“Are people really interested in the rights in regard to this law?”, Humphrey asks. “Absolutely…would I want my medical records available to everybody? Not at all. Do I want what I do in my personal time available to my employer? Maybe not. So I am interested in control of where information about me is available and to what purpose it is put,” Nyimbi answers.
Otilia Phiri joins in, “If I could echo what Nyimbi highlighted, I also believe that for the most part people are invested in being sure that they can understand how their data is being used and collected, for what purpose and who it is being shared with.” It may vary with generations, perhaps with millennials, there is a feel that their trade of personal data might take on a different meaning because of growing up in a digital world. In regard to information, they are bigger on the sharing economy, thus they may have different boundaries.
“What do we take into account on the data law?”, Humphrey shoots toward Oren Mwaniki. “With some key areas in regard to mentioning of the Act, one of the biggest ones is the data commissioner office coming into play. There will be a lot of guidance needed from that office, in terms of the nitty gritty on how control will be enforced. As much as the act is in play, there is still work that needs to be done,” he answers. There must be some direction given to organizations on how to properly and appropriately comply to the Act.
Humphrey fires a follow up at Phiri, “What are the risks that are associated with, more particularly, non-compliance of this law?”, he asks. “There are some penalties that have been set up in the regulations and so failure to comply can lead to, financial penalties and criminal liabilities depending on the type of breach that would’ve occurred,” she responds. It’s quite a significant penalty for organizations to start consider taking seriously.
Colonel Ombati chimes in to expound on the risks in regard to non-compliance with this new law. “The risks are quite wide. One of the issue is with personal data of Kenyans, organizations and governments being exposed and this is not only to malicious actors but to nation states. Remember the current threat to any nation state is being propagated through the cyber environment,” he says.
Therefore, it’s increasingly important that all entities from national level to individual complying to these requirements as they are put in place to protect. “The only challenge that I see from the national cyber command center is jurisdiction, this is a challenge that affects most of the entities that control or manage data, including the cloud computing entities” he adds on.
“Oren, they say that the devil is in the details and to this effect yes we have a law, yes we have an office to oversee how it’s going to be executed but from your own perspective do you see this law as enforceable? And if so, to what extent?” Humphrey queries.
“It is definitely plausible, I think the provisions that have been made are in line with a lot of industry standards,” Oren responds. The challenge now comes in form of implementations. “This is where the rubber meets the road, speak to any CIO, that’s the question they will have,” he continues on. So organizations are urged to begin being proactive and to embark on the journey now, as more information is to be relayed by the data and protection commissioner. In this regard, Col. Ombati believes “it is enforceable to the fullest extent and it depends on collaborations and working together as agencies with respect to its implementation.”
“What would be the immediate next step to this?” Mr. Odhiambo follows up. Nyimbi intercedes, “There are multiple issues that the law addresses and some it doesn’t. We have admitted that we constantly put out personal data, even though it might be personally affecting us, we have lost the right to it because it’s in the public domain. If I collect your public domain data then create a posit of public information about you, it can reveal a tremendous amount of content. Unfortunately, as far as I see, the most important information about a person which they have either wittingly or unwittingly put into the public domain, is not protected by the data privacy act.”
For instance, Section 28 of the law excludes from protection any information you have personally put out in the public. So if you post your location, or put out an order you’ve just purchased online, all this information is not subject to the law. There is still a lot of practice around the enforcement of this law, that needs to be elaborated. While it does protect information such as banking details or insurance information, it doesn’t guard you from the political actor who’s going to scrape the web in order to develop some kind of personality profile and to try to mess about your personal or purchasing decisions. “It is well intentioned but has not yet fully fleshed out every issue that needs to be addressed,” he finalizes.
“I hold a lot of information and if my privacy is at risk or perhaps interfered with, such that they can access this information, where does the balance really come in at the end of the day? Guide us,” Humphrey asks as he points the arrow at the Kernel.
“You cannot de-conflict privacy and security. Security is very vital for anybody to enjoy in privacy. In the scenario whereby someone has given his personal information to an organization, whether in the country or outside, it will call for provocation of the regulations within that nation state. If it’s in Kenya, we already have provisions within the legal infrastructure including the Computer Misuse and Cyber-Crimes Act and the Data Protection Act,” Colonel Ombati answers. Alluding to the fact that, we already have laws that exist that are able to manage any issues or crimes that will threaten any individual who is a Kenyan.
The Colonel also remarks that, “Many of us are posting a lot of data online, we need to protect this data that we own. And if we are to give it out then, it must be in a framework that it can be accounted for. Organizations within the country, with the compliance of the law must practice security control safeguards that will protect individual’s data, and it also calls for awareness at that level. It’s the responsibility of the individuals, the organizations and the nation state.”
The time was coming to a close… “under two minutes,” to wind up, Humphrey specifies. “How prepared should the organizations be, going forward?” he inquires last. Phiri responds with, “Maybe I would say two things, working for technology service providers we are actually here to support entities as they go through the journey, we have developed tools over the years that can support that privacy. The other thing is international standards. Develop standards around data privacy and security.”
Mr. Odero wraps up with, “You need to centralize data and control, track the location of data that systems and processes have. That is what every organization needs to begin consciously thinking about. There is data sitting on laptops on serves and in databases, do you know what data is sitting on each of your employees’ laptops? Some of these things still need to be addressed.” Leaving us with some true questions to ponder.
And with this, finalizes the virtual panel as the jury have discussed and shared dialogue around the law of this virtual land.
Do you have a story that you think would interest our readers? write to us email@example.com