Data Research Center

In recent years, there has been an explosion of digital solutions offered by businesses as well as an uptick in the uptake of digital platforms by Governments in serving their citizens in the East African region. Along with this has come new legislation to govern this digital sphere. There is definitely a need for independent actors in this landscape that will serve the various sectors in numerous capacities to ensure that citizens’ rights are upheld and the spirit of the legislation is met, while also ensuring that innovation is not stifled. The Data Policy Centre (DPC) seeks to serve in this capacity.

The long-term goal of the DPC is to contribute to the body of evidence available for those influencing policy in the areas of data protection, data bias, open data, and other issues pertaining to data governance, with a focus on issues relevant to the Global South. All research objectives and outcomes of the centre are designed to be fact-based and politically neutral. DPC aims to add evidence and impartial analysis to the ongoing local, national, and continent-level debates around data. The centre is currently focused on issues of Data Protection and Privacy, specifically on issues of implementation and enforcement of data protection laws within the region, in addition to commenting on the framing of data protection regulations.


Research on the Data Governance Structures of AI Across Africa.

The fast developing AI ecosystem in Africa promises to address the challenges on the continent by, in part, driving growth and development in the key sectors of agriculture, healthcare, public service and financial services. Data is at the core of the development and use of AI technologies.

“Data governance (DG) is the process of managing the availability, usability, integrity, and security of the data based on data standards and policies that also control data usage.” [1] DG is the foundation of trustworthy AI, as its development and use relies solely on data input. DG structures serve to prevent the misuse and/or exploitation of data and play a significant role in the protection of the fundamental rights and freedoms of data subjects.

Developments in AI in Africa are predominantly driven by the private sector. There is growing interest from African governments in developing strategies to govern AI locally, regionally, and across the continent.

Some African countries (22 out of the 54) have enacted data protection legislation. National and regional data governance frameworks, e.g., the Supplementary Act on Personal Data Protection adopted by the Economic Community of West African States (ECOWAS), the SADC Model Law on Data Protection developed by the Southern African Development Community (SADC) in 2010 and adopted in 2013, the EAC Framework on Cyber Laws adopted by the East African Community (EAC), and the AU laws on data protection have played a big role in the creation of data governance structures within the continent. There is, however, as yet no legislation specific to the regulation of AI on the continent.

Legislation will influence and impact the development, adoption and growth of AI technologies in Africa. We seek to understand policies relating to data governance specific to AI on the continent, and to recommend policies to local, regional and global stakeholders that will allow for equitable data practices and for the evolution of data practices in relation to AI technologies in both the private and public sectors.

[1] Craig Stedman, Jack Vaughan, ‘What is Data Governance and Why does it Matter?’ (TechTarget, February 2020) <https://searchdatamanagement.techtarget.com/definition/data-governance>

The executive summary of the report:

Banking institutions, as with many other entities, are increasingly handling personal data owing to an increased use of different technologies to offer banking services. Increased handling of such personal data coupled with new statutory requirements relating to data protection have placed renewed emphasis on the efforts used by banks to create and communicate policies for handling data subjects’ information. This report analyses the publicly available data policies of commercial banks in Kenya, providing an overview of the approaches taken by the studied banks with respect to data protection for existing and prospective customers.

This report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). This standard comprises three broad indicators: data collection, data sharing, and the rights of data subjects. Compliance with these indicators is measured using tabulated analyses showing the individual and aggregated performance of the banks.

The report’s conclusions are derived from research conducted in Kenya in 2019 and 2020. A total of 32 policies were identified and analyzed, all of which were in existence prior to the enactment of the Kenya DPA. This report is therefore a baseline study of the policies; the report anticipates that there will be changes in banking policies as the DPA is put into practice. The findings in this report will be useful for comparative purposes as the DPA is implemented and enforced.

Key Findings

On average, the banks were found to be more likely to have unclear or incomplete policy provisions in all categories. Provisions relating to data collection were the most compliant while provisions relating to rights of data subjects had the lowest compliance score.

There is a notable variance in the performance of banks with regard to rights of data subjects. A large number of banks lacked any policy provisions in this category while a similarly large number of banks were clustered at the higher scores. This disparity suggests that the banks took two general approaches, i.e., to exclude policy provisions relating to data subjects’ rights altogether, or to incorporate such provisions clearly and completely.

Overall, provisions relating to the purpose of processing data were the most compliant among all provisions in all categories. Provisions relating to the rights of data subjects to object to the outcome of an automated decision were the least compliant. Clarity or completeness of provisions was a problem for a large number of the policies, and the overall readability of the policies may present challenges to banking customers that are likely to have a wide range of formal education.

Although the report highlights that the banking sector falls short of what we consider internationally recognized norms in data protection, the data also show that data protection policies are widely present in the sector and can be modified to become compliant.

Data Protection in the Processing of Health Data through EMR Systems in Kenya.

Summary

Electronic Medical Record (EMR) systems have been adopted in Kenya’s health sector to streamline and improve healthcare. Their introduction was informed by data complexity, the volumes of patients served and the desire to have efficient health information systems. From 2010, their implementation and use was regulated solely by the Standards and Guidelines on the Implementation of EMR Systems in Kenya, until the enactment of the Data Protection Act (DPA) in 2019. The DPA established new rules and mechanisms for the processing of personal data that were not considered in the formulation of the Guidelines. On this basis, this policy brief sought to compare the Guidelines vis-à-vis the DPA, identifying gaps in relation to data protection in the processing of health data. An analysis of the findings found that the Guidelines failed to adequately incorporate data protection principles and to fully comply with the DPA’s confidentiality and security requirements. Appropriate recommendations are made to address existing gaps in the Guidelines. The information in the policy brief was primarily derived from extensive desktop research and a comparison of the Guidelines and the DPA. This policy brief is intended to inform the Ministry of Health, the Office of the Data Protection Commissioner (ODPC), and other relevant stakeholders in the health sector about the importance of aligning the Guidelines with the DPA’s data protection provisions.

International Data Transfer Principles in Kenya

Project description

The research project sought to establish a clear framework for conducting lawful international personal data transfers (IPDTs) under the existing provisions of the Kenya Data Protection Act (DPA). Section 48(b) of the DPA states that transfers of personal data outside Kenya are permitted only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and with respect to jurisdictions with commensurate data protection laws. However, the Kenyan data protection framework fails to enumerate the metrics for determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Importance of project

The inadequate nature of the current IPDT framework under the Kenyan DPA enables organizations to flagrantly conduct cross-border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions. The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction. The policy brief proposes evaluation criteria that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Research methodology

This study determined the principles that are necessary to evaluate the proportionality of a foreign jurisdiction’s data protection framework by conducting a comparative and situational analysis of the DPA and the EU GDPR and its supplemental guidelines (the Article 29 Data Protection Working Party Adequacy Referential) on cross-border data transfers.

Main findings

The policy brief outlines 13 principles that need to be present within a foreign jurisdiction’s data protection framework in order for it to be considered ‘adequate’ relative to the Kenyan DPA and its subsequent regulations. The principles can be categorised into Content Principles and Procedural and Enforcement Principles.