This week the Government of Kenya launched the National Integrated Information Management System (NIIMS) in several pilot counties. The move was immediately met by a swift run to court by the Kenya Human Rights Commission (KHRC), the Kenya National Human Rights Commission (KNHCR) and the Nubian Rights Forum, amongst others, to stop the NIIMS rollout. Among the reasons cited in the pleadings filed is the lack of a proper data protection framework.
This week I also had a conversation about NIIMS and the cases filed to halt implementation, and someone was of the view that they don’t need data protection because ‘they have never been hacked’. This inspires my post today…
What is Data protection and why should I care ¯\_(ツ)_/¯
While cybersecurity is a key concern, data protection is much broader than ‘not been hacked.’ It includes observance of the following principles:
- Lawfulness, fairness and transparency – you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation – you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
- Data minimisation – you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
- Accuracy – you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
- Storage limitation – You must delete personal data when you no longer need it. The timescales in most cases aren’t set. They will depend on your business’ circumstances and the reasons why you collect this data.
- Integrity and confidentiality – You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What does this mean for NIIMS?
Government needs to be very clear on:
1. What information they are collecting, where and how they store it, what it will be used for, how it will be accessed and who will be able to access your personal information.
2. Exactly what your biometric information will be used for and this needs to be linked to specific laws that provide for such utilisation of your personal data.
3. How corrections can be made, for example to GPS information if you relocate.
4. How and where the information is being stored and the security measures in place to protect against unauthorised access.
Currently, Kenya does not have a Data Protection law in force. There is a draft Data Protection Policy awaiting cabinet approval and promulgation, a Draft Data Protection National Assembly Bill and a Senate Data Protection Bill. Hopefully, the case battles will end in the passing of a data protection law by parliament and the promulgation of the Draft Data Protection Policy.