As Kenya continues to record surging numbers of data breaches against the new data protection law, focus now turns to service providers in both the public and private sectors.
The scope and level of data violations are voluminous, expensive and complex.
Many data breaches can be linked to organized criminal activity, others to outright sale to interested parties and, in other cases, to poor handling, storage and transmission that lands data in the wrong hands.
Kenya Power, for instance, handles huge volumes of personal information about its clients, which is shared with the Kenya Revenue Authority (KRA) to nab tax cheats, especially on rental income.
That information is accurate as to the names of persons, plot numbers, postal addresses as well as the size of properties.
Talking of KRA, a lot of personal data is in the hands of the taxman, who has thousands of employees. The information here is about people’s businesses, income and sources of such income, including tax compliance levels.
It is easier for the Directorate of Criminal Intelligence to comb through such data to find its target. That does not mean that all listed persons are actual owners, but through them the beneficial owners would be identified.
The August 9 elections, for instance, place the Independent Electoral and Boundaries Commission (IEBC) on the spot. A lot of personal data, from names and ID numbers to fingerprints, remains susceptible to moving into the wrong hands thanks to a missing strategy to avert data violations.
Election officials will have access to servers and huge volumes of data for all Kenyans registered to vote. It all depends on how such information may be found useful by different parties.
Elsewhere, at banks, mobile network operators, water firms, retail chains, security at sensitive public and private buildings, and literally everywhere else, people offer their personal information for either security checks or compliance.
Attempts to centralize such information through the infamous Huduma Namba failed after the multi-billion government project ran into legal headwinds.
With the Office of the Data Protection Commissioner (ODPC), a creation of the Data Protection Act, in place, calls for compliance with the law are becoming louder and more practical with each passing day.
Unfortunately, Kenyans are not reporting personal data violations as they ought to – with the ODPC saying only 400 complaints have been recorded so far.
Reasons for the slow uptake could largely hinge on low levels of awareness, apathy about complaining about public institutions to a Government agency and the lack of ease of reporting such violations.
Telephony companies must comply with the privacy envisaged under Article 31(c)(d) of the Constitution of Kenya.
The call for enterprises to protect sensitive personal data cannot be over-emphasized. At the same time, many businesses do not encrypt data for the majority of their use cases, and the ones that do typically have a gap in their data protection where data is most at risk of a breach.
Cofek is working to set up a personal data violation online portal. In the meantime, Kenyans are encouraged to report personal data violations to: firstname.lastname@example.org