Data Research Center

In recent years, there has been an explosion of digital solutions offered by businesses as well as an uptick in the uptake of digital platforms by Governments in serving their citizens in the East African region. Along with this has come new legislation to govern this digital sphere. There is definitely a need for independent actors in this landscape that will serve the various sectors in numerous capacities to ensure that citizens’ rights are upheld, the spirit of the legislation is met while also ensuring that innovation is not stifled. The Data Policy Centre (DPC) seeks to serve in this capacity.

The long-term goal of the DPC is to contribute to the body of evidence available for those influencing policy in the areas of data protection, data bias, open data, and other issues pertaining to data governance, with a focus on issues relevant to the Global South. All research objectives and outcomes of the center are designed to be fact-based and politically neutral. DPC aims to add evidence and impartial analysis to the ongoing local, national, and continent-level debates around data. The center is currently focused on issues of Data Protection and Privacy, specifically on the implementation and enforcement of data protection laws within the region, in addition to commenting on the framing of data protection regulations.

Research on the Data Governance Structures of AI Across Africa.

The fast developing AI ecosystem in Africa promises to address the challenges on the continent by, in part, driving growth and development in the key sectors of agriculture, healthcare, public service and financial services. Data is at the core of the development and use of AI technologies.

“Data governance (DG) is the process of managing the availability, usability, integrity, and security of the data based on data standards and policies that also control data usage.” 1 DG is the foundation of trustworthy AI, as its development and use rely solely on data input. DG structures serve to prevent the misuse and/or exploitation of data and play a significant role in the protection of the fundamental rights and freedoms of data subjects.

Developments in AI in Africa are predominantly driven by the private sector. There is growing interest from African governments in engendering strategies to govern AI locally, regionally, and across the continent.

Some African countries (22 out of the 54) have enacted data protection legislation. National and regional data governance frameworks, e.g., the Supplementary Act on Personal Data Protection adopted by the Economic Community of West African States (ECOWAS), the SADC Model Law on Data Protection developed by the Southern African Development Community (SADC) in 2010 and adopted in 2013, the EAC Framework on Cyber Laws adopted by the East African Community (EAC), and the AU laws on data protection, have played a big role in the creation of data governance structures within the continent. There is, however, as yet no legislation specific to the regulation of AI on the continent.

Legislation will influence and impact development, adoption and growth of AI technologies in Africa. We seek to understand policies relating to data governance specific to AI on the continent; recommend policies to local, regional and global that will allow for equitable data practices, and the evolution of data practices in relation to AI technologies in both the private and public sectors.

1 Craig Stedman, Jack Vaughan, ‘What is Data Governance and Why does it Matter?’ (Tech Target, February 2020) <https://searchdatamanagement.techtarget.com/definition/data-governance>

The executive summary for the report:

Banking institutions, as with many other entities, are increasingly handling personal data owing to an increased use of different technologies to offer banking services. Increased handling of such personal data coupled with new statutory requirements relating to data protection have placed renewed emphasis on the efforts used by banks to create and communicate policies for handling data subjects’ information. This report analyses the publicly available data policies of commercial banks in Kenya, providing an overview of the approaches taken by the studied banks with respect to data protection for existing and prospective customers.

This report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). This standard comprises three broad indicators: data collection, data sharing, and the rights of data subjects. Compliance with these indicators is measured using tabulated analyses showing the individual and aggregated performance of the banks.

The report’s conclusions are derived from research conducted in Kenya in 2019 and 2020. A total of 32 policies were identified and analyzed, all of which were in existence prior to the enactment of the Kenya DPA. This report is therefore a baseline study of the policies; the report anticipates that there will be changes in banking policies as the DPA is put into practice. The findings in this report will be useful for comparative purposes as the DPA is implemented and enforced.

Key Findings

On average, the banks were found to be more likely to have unclear or incomplete policy provisions in all categories. Provisions relating to data collection were the most compliant while provisions relating to rights of data subjects had the lowest compliance score.

There is a notable variance in the performance of banks with regard to rights of data subjects. A large number of banks lacked any policy provisions in this category while a similarly large number of banks were clustered at the higher scores. This disparity suggests that the banks took two general approaches, i.e., to exclude policy provisions relating to data subjects’ rights altogether, or to incorporate such provisions clearly and completely.

Overall, provisions relating to the purpose of processing data were the most compliant among all provisions in all categories. Provisions relating to the rights of data subjects to object to the outcome of an automated decision were the least compliant. Clarity or completeness of provisions was a problem for a large number of the policies, and the overall readability of the policies may present challenges to banking customers that are likely to have a wide range of formal education.

Although the report highlights that the banking sector falls short of what we consider internationally-recognized norms in data protection, the data also show that data protection policies are widely present in the sector, and can be modified to become compliant.

Data Protection in Kenyan Health Sector

An Overview of Data Protection in Kenyan Health Sector

The use of big data analytics and new technologies in the health sector has considerably changed how health data is being used, accessed, analyzed, and shared between health professionals and individuals. Organizations that handle health data and embrace these new techniques and practices have to maintain a high standard of security and privacy. Privacy and confidentiality of health data is not a new concept within the health sector, as its existence and practice are grounded on creating and maintaining trust. This concept dates back to the creation of the Hippocratic oath. The obligation of privacy and confidentiality prohibits the unintended sharing of health data. Rapid technological advancements in the health sector have made privacy and confidentiality now more than ever important. Thus, data protection plays a significant role in protecting the processing of health data and binds healthcare providers not only by oath but also by law.



Data Protection in the Processing of Health Data through EMR Systems in Kenya

Electronic Medical Record (EMR) systems have been adopted in Kenya’s health sector to streamline and improve healthcare. Their introduction was informed by data complexity, the volumes of patients served and the desire to have efficient health information systems. From 2010, their implementation and use were regulated solely by the Standards and Guidelines on the Implementation of EMR systems in Kenya, before the enactment of the Data Protection Act (DPA) in 2019. The DPA established new rules and mechanisms for the processing of personal data that were not considered in the formulation of the Guidelines. On this basis, this policy brief sought to compare the Guidelines vis-à-vis the DPA, identifying gaps in relation to data protection in the processing of health data. An analysis of the findings identified that the Guidelines failed to adequately incorporate data protection principles and fully comply with the DPA's confidentiality and security requirements. Appropriate recommendations are made to address existing gaps in the Guidelines. The information in the policy brief was primarily derived from extensive desktop research and a comparison of the Guidelines and the DPA. This policy brief is intended to inform the Ministry of Health, the Office of the Data Protection Commissioner (ODPC), and other relevant stakeholders in the health sector about the importance of aligning the Guidelines with the DPA's data protection provisions.


Developing Data Protection Guidelines For The Health Sector In Kenya

Kenya adopted the Data Protection Act (DPA) in 2019, fortifying individuals’ right to privacy and strengthening protection of their personal data. The DPA introduced new standards for processing of personal data, for which health data is a special category: sensitive personal data. With the continued adoption and use of technology in the Kenyan health sector, it is inevitable that there will be a continued rise in the production and processing of data. Sector-specific guidelines on data protection are vital in ensuring implementation of and compliance with the provisions of the Act throughout personal data processing activities. This policy brief highlights the existing laws and policies in the health sector and the extent to which they provide for data protection, highlighting the need for sector-specific guidelines. It identifies existing policy gaps and makes recommendations on areas that must be considered in the development of data protection guidelines for the health sector in Kenya.

International Data Transfer Principles in Kenya

Project description

The research project sought to establish a clear framework for conducting lawful international personal data transfers (IPDTs) under the existing provisions of the Kenya Data Protection Act (DPA). Section 48(b) DPA states that transfers of personal data outside Kenya are permitted only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and with respect to jurisdictions with commensurate data protection laws. However, the Kenyan data protection framework fails to enumerate the metrics for determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Importance of project

The inadequate nature of the current IPDT framework under the Kenyan DPA enables organizations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions. The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction. The policy brief proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Research methodology

This study determined principles that are necessary to evaluate the proportionality of a foreign jurisdiction’s data protection framework by conducting a comparative and situational analysis of the DPA and the EU GDPR and its supplemental guidelines (Article 29 Data Protection Working Party Adequacy Referential Guidelines) on cross border data transfers.

Main findings

The policy brief outlines 13 principles that need to be present within a foreign jurisdiction’s data protection framework in order to be considered ‘adequate’ to the Kenyan DPA and its subsequent regulations. The principles can be categorised into Content Principles and Procedural and Enforcement principles.

Data Governance in Africa

The aim of the Data Governance Resource Centre (DGRC) is to contribute to the body of evidence available for those influencing policy in data protection, data bias, open data, and other issues pertaining to data governance, with a focus on issues relevant to the Global South, in particular Africa. In response to this overarching aim, the DGRC has embarked on a Data Governance Principles Project that will provide introductory and background information on what Data Governance is in the global context as well as in Africa. The research collates studies on data governance that have already been conducted, and provides an understanding of data governance from both theory and practice by engaging with stakeholders within data governance on the continent.

As a result of the mapping and engagement with stakeholders, the DGRC visually represents the regulators across the continent that provide for the regulation of both personal and other data. These regulators include Data Protection Regulators and other regulators tasked with regulating the provision of electronic communication services and products, setting standards for the ICT sector and protecting the rights and interests of consumers, service providers, suppliers, and manufacturers. This stakeholder map can be used to analyse and understand which regulators are involved in and responsible for the governance of data, the development of policies for the governance of data and the handling of complaints in relation to the governance of data.

 

Data Governance Report

This report examines what data governance is and provides introductory and background information taking into account the global and African contexts. Although not a definitive representation of all the relevant standards and policies that are currently being applied, it does consider what data governance is and why it matters especially from an African perspective.

Data Governance Principles

Data governance comprises legal and human rights requirements, as well as technological, security and economic considerations. It is these aspects that inform how data is managed within an organisation, and determine the principles that are considered in the development of frameworks. The data governance principles can be grouped into four categories: organisation, alignment, compliance and common understanding. Herein we record the most commonly applied and considered data governance principles.

Data Governance Frameworks

Data governance is not one-size-fits-all, so the frameworks adopted by organisations are specific to the organisation and its needs. We have put together key considerations that have a bearing on what an organisation would need to consider when developing its frameworks. This Data Governance framework therefore provides broad considerations that can be applied to inform data governance frameworks adopted by an organisation.

Why Data Protection Matters for Development: The Case for Strengthening Inclusion and Regulatory Capacity.

A policy note from Centre For Global Development that draws on insights gained from the Governing Data for Development project. The note summarizes key takeaways from the interviews, roundtables, and working group meetings we held over the last two years with more than 100 experts working on different facets of data policy. It also offers suggestions for policymakers seeking to regulate data use while keeping up with rapidly evolving digital practices and provides recommendations for how the international development community and high-income countries can promote a more inclusive digital economy and a level regulatory playing field.

The AfCFTA and Data Governance Frameworks in Africa

Background
UNDP, in partnership with the United Nations Conference on Trade and Development (UNCTAD), the Economic Commission for Africa (ECA), the International Trade Centre (ITC) and the Trade Law Centre (tralac), hosted a session at the UNCTAD Global E-Commerce week (2022) to discuss how data could be treated in the digital trade instrument of the AfCFTA and governed coherently in all AfCFTA protocols. Amid global discussions on the governance of international data flows, consultations and surveys with the African private sector indicate emerging concerns regarding the impact of individual country policies on firms’ ability to engage in cross-border digital trade. The possibility of a continental Data Policy Framework will be an important factor in unlocking cross-border trade.
The session report alongside contains more insights from the proceedings.

CIPIT took part in the session vide Dr. Melissa Omino’s participation on the panel.

Understanding Cybersecurity and Data Protection in Mauritius, Kenya, and Zimbabwe

Summary
Data governance relies heavily on security. However, due to a lack of precise definitions in legislation, there is frequent confusion between data protection and cybersecurity. These two topics are misunderstood and confused due to a lack of understanding of how to approach them effectively. As a result, because the approach is derived from the comprehension, it typically varies significantly from country to country.

Over time, legal policies and frameworks have lagged behind technological advances, especially in cybersecurity and data protection. Long-term, this could create legislative gaps regarding data governance and emerging technologies. This study examined the cybersecurity and data protection laws in Mauritius, Kenya, and Zimbabwe in an effort to comprehend their perspectives on cybersecurity and cybercrime, as well as the reasons for their disparities. It identified current issues at the intersection of cybersecurity and data protection in the studied countries and evaluated their cybersecurity and data protection approaches.

 


 

Contextualising Political Advertising Policy to Political Micro-Targeting in Kenyan Elections

Summary
The changing nature of election campaigns in Kenya over the years fuelled an investigation into how data-driven campaigns have been utilised by political parties to reach the electorate. Technological advancements have led political actors to utilise online communication to reach voters through social media platforms such as Facebook and even Twitter. The rise of these social media platforms and the existence of big data have also contributed to the practice of political microtargeting. The purpose of the report was to find out the extent of political microtargeting in the 2022 Kenyan general election campaigns, to analyse the laws applicable to microtargeting in Kenya together with their existing shortcomings, and to find out how external policy initiatives can inform Kenya’s regulatory approach on political microtargeting.
The methodology used involved the collection of data through desktop research, doctrinal research, which was useful in analysing existing Kenyan laws, and comparative research, which was used in assessing policy initiatives from other countries and making appropriate recommendations. The investigation also involved data collection that focused on paid Facebook advertisements for political candidates that took part in the 2022 presidential and gubernatorial elections held in each of the 47 counties in Kenya.
The findings from the report indicate that:

  • The data collected showed that political microtargeting took place in the 2022 general elections to a certain extent.
  • There are laws in Kenya which are applicable to the regulation of political microtargeting.
  • External policy initiatives will play a fundamental role in informing Kenya’s regulatory approach to political microtargeting.

The full report contains the detailed analysis of the study that was conducted and the findings that were obtained.

National Statistical Offices in the Digital Era

Summary
The Digital Era and Data: Considerations for National Statistical Offices (NSOs) in the Digital Data Ecosystem.

This report focuses on the digital transformation of National Statistical Offices (NSOs) in the digital era, focusing on changes in their data collection practices and the transition from traditional roles to new roles introduced through digitization. The research report highlights the changes and challenges facing NSOs in leveraging new data sources, and in the adoption and implementation of new technologies in carrying out their function as the official statistical body. As producers of official statistics, NSOs play a significant role in informing stakeholders’ decision-making processes, especially as the decisions relate to societal needs and policy formulation. Transitioning to digitized processes and approaches for collecting, processing and disseminating statistical information suggests the ability to leverage new data sources for modernized statistical systems; this will influence and improve data collection, processing and dissemination processes. Part of this report focuses on Kenya’s national statistical office, the Kenya National Bureau of Statistics (KNBS), the principal agency of the government of Kenya for collecting, analyzing, and disseminating official statistical information. The main focus is to evaluate the changes that have been adopted with reference to its overall functioning role with the adoption of technology and digitization from a technical and organizational perspective, further looking at its legislative composition and relation to data protection. It also looks at traditional modalities that have been replaced with technology and makes recommendations with respect to any identified gaps. This is in consideration of the legal systems that enable the adoption of technology and use of data, with a primary focus on the office’s data governance structures and data protection policies.