Data Research Center

In recent years, there has been an explosion of digital solutions offered by businesses as well as an uptick in the uptake of digital platforms by Governments in serving their citizens in the East African region. Along with this has come new legislation to govern this digital sphere. There is definitely a need for independent actors in this landscape that will serve the various sectors in numerous capacities to ensure that citizens’ rights are upheld, the spirit of the legislation is met while also ensuring that innovation is not stifled. The Data Policy Centre (DPC) seeks to serve in this capacity.

The long term goal of the DPC is contribute to the body of evidence available for those influencing policy in the areas of data protection, data bias, open data, and other issues pertaining to data governance with a focus on issues relevant to the Global South. All research objectives and outcomes of the center are designed are fact-based and politically – neutral. DPC aims to add evidence and impartial analysis to the ongoing local, national, and continent-level debates around data. The center is currently focused on issues of Data Protection and Privacy, specifically, on issues of implementation and enforcement of data protection laws within the region, in addition to commenting of the framing of data protection regulations.

Research on the Data Governance Structures of AI Across Africa.

The fast developing AI ecosystem in Africa promises to address the challenges on the continent by, in part, driving growth and development in the key sectors of agriculture, healthcare, public service and financial services. Data is at the core of the development and use of AI technologies.

Data governance (DG) is the process of managing the availability, usability, integrity, and security of the data based on data standards and policies that also control data usage.” 1 DG is the foundation of trustworthy AI as its development and use relies solely on data input. DG structures serve to prevent the misuse and or exploitation of data and play a significant role in the protection of the fundamental rights and freedoms of data subjects.

Developments in AI in Africa are predominantly driven by the private sector. There is growing interest from African governments in engendering strategies to govern AI locally, regionally, and across the continent.

Some African countries (22 out of the 54) have enacted of data protection legislation. National and regional data governance frameworks, e.g., the Supplementary Act on Personal Data Protection adopted by the Economic Community of West Africa States (ECOWAS), the SADC Model Law on Data Protection developed by the Southern Africa Development Community (SADC) in 2010 and adopted in 2013, the EAC Framework on Cyber Laws adopted by the East African Community (EAC), and the AU laws on data protection have played a big role in the creation of data governance structures within the continent. There is, however, as yet, no legislation specific to the regulation of AI on the continent.

Legislation will influence and impact development, adoption and growth of AI technologies in Africa. We seek to understand policies relating to data governance specific to AI on the continent; recommend policies to local, regional and global that will allow for equitable data practices, and the evolution of data practices in relation to AI technologies in both the private and public sectors.

1 Craig Stedman, Jack Vaughan , ‘What is Data Governance and Why does it Matter?’ (Tech Target , February 2020) <https://searchdatamanagement.techtarget.com/definition/data-governance>

The executive summary for the report:

Banking institutions, as with many other entities, are increasingly handling personal data owing to an increased use of different technologies to offer banking services. Increased handling of such personal data coupled with new statutory requirements relating to data protection have placed renewed emphasis on the efforts used by banks to create and communicate policies for handling data subjects’ information. This report analyses the publicly available data policies of commercial banks in Kenya, providing an overview of the approaches taken by the studied banks with respect to data protection for existing and prospective customers.

This report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). This standard comprises three broad indicators: data collection, data sharing, and the rights of data subjects. Compliance with these indicators is measured using tabulated analyses showing the individual and aggregated performance of the banks.

The report’s conclusions are derived from research conducted in Kenya in 2019 and 2020. A total of 32 policies were identified and analyzed, all of which were in existence prior to the enactment of the Kenya DPA. This report is therefore a baseline study of the policies; the report anticipates that there will be changes in banking policies as the DPA is put into practice. The findings in this report will be useful for comparative purposes as the DPA is implemented and enforced.

Key Findings

On average, the banks were found to be more likely to have unclear or incomplete policy provisions in all categories. Provisions relating to data collection were the most compliant while provisions relating to rights of data subjects had the lowest compliance score.

There is a notable variance in the performance of banks with regard to rights of data subjects. A large number of banks lacked any policy provisions in this category while a similarly large number of banks were clustered at the higher scores. This disparity suggests that the banks took two general approaches, i.e., to exclude policy provisions relating to data subjects’ rights altogether, or to incorporate such provisions clearly and completely.

Overall, provisions relating to the purpose of processing data were the most compliant among all provisions in all categories. Provisions relating to the rights of data subjects to object to the outcome of an automated decision were the least compliant. Clarity or completeness of provisions was a problem for a large number of the policies, and the overall readability of the policies may present challenges to banking customers that are likely to have a wide range of formal education.

Although the report highlights that the banking sector falls short of what we consider internationally-recognized norms in data protection, the data also show that data protection policies are widely present in the sector, and can be modified to become compliant.

Data Protection in the Processing of Health Data through EMR Systems in Kenya.

Summary

Electronic Medical Record(EMR) systems have been adopted in Kenya’s health sector to streamline and improve healthcare. Their introduction was informed by data complexity, volumes of patients served and the desire to have efficient health information systems. From 2010, their implementation and use was regulated solely by the Standards and Guidelines on the Implementation of EMR systems in Kenya before the enactment of the Data Protection Act(DPA) in 2019. The DPA established new rules and mechanisms for the processing of personal data that were not considered in the formulation of the Guidelines. On this basis, this policy brief sought to compare the Guidelines vis a vis the DPA, identifying gaps in relation to data protection in the processing of health data. An analysis of the findings identified that the Guidelines failed to adequately incorporate data protection principles and fully comply with the DPA’s confidentiality and security requirements. Appropriate recommendations are made to address existing gaps in the Guidelines.The information on the policy brief was primarily derived from extensive desktop research and a comparison of the Guidelines and the DPA. This policy brief is intended to inform the Ministry of Health, the Office of the Data Protection Commissioner (ODPC), and other relevant stakeholders in the health sector about the importance of aligning the Guidelines with the DPA’s data protection provisions.

International Data Transfer Principles in Kenya

Project description

The research project sought to establish a clear framework for conducting lawful international personal data transfers (IPDTs) under the existing provisions of the Kenya Data Protection Act (DPA). Section 48(b) DPA states that transfers of personal data outside Kenya are permitted only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and with respect to jurisdictions with commensurate data protection laws. However, the Kenyan data protection framework fails to enumerate the metrics for determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Importance of project

The inadequate nature of the current IPDT framework under the Kenyan DPA enables organizations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions. The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction. The policy brief proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Research methodology

This study determined principles that are necessary to evaluate the proportionality of a foreign jurisdiction’s data protection framework by conducting a comparative and situational analysis of the DPA and the EU GDPR and its supplemental guidelines (Article 29 Data Protection Working Party Adequacy Referential Guidelines) on cross border data transfers.

Main findings

The policy brief outlines 13 principles that need to be present within a foreign jurisdiction’s data protection framework in order to be considered ‘adequate’ to the Kenyan DPA and its subsequent regulations. The principles can be categorised into Content Principles and Procedural and Enforcement principles.

Data Governance in Africa

The aim of the Data Governance Resource Centre (DGRC) is to contribute to the body of evidence available for those influencing policy in data protection, data bias, open data, &amp; other issues pertaining to data governance with a focus on issues relevant to the Global South, in particular Africa. In response to this overarching aim the DGRC has embarked on a Data Governance Principles Project that will provide introductory and background information on what Data Governance is in the global context as well as in Africa. The research collates studies on data governance that have already been conducted, as well as provide understanding of data governance from both theory and practice by engaging with stakeholders within data governance on the continent.

As a result of the mapping and engagement with Stakeholders the DGRC visually represents the Regulators across the continent that provide for the regulation of both personal and other data. These regulators include Data Protection Regulations and Other Regulators tasked with regulating the provision of electronic communication services and products, sets standards for the ICT sector and protecting the rights and interests of consumers, service providers, suppliers, and manufacturers. This stakeholder map can be used to analysed and understand which regulators are involved in and responsible for the governance of data, development of policies for the governance of data and handling of complaints in relation to the governance of data.