Tough calls await Kenya’s first data commissioner

While undergoing vetting, new Data Commissioner Immaculate Kassait’s former role put her in an awkward position.  

Kassait was until last month the director of voter education partnerships and communications at the Independent Electoral and Boundaries Commission (IEBC), a body that is no stranger to controversy over the handling of personal data. 

In the 2017 General Election, employees from the elections watchdog disclosed the personal data of millions of registered voters such as names, phone numbers and ward locations to political aspirants. 

The information was then used to spam users with campaign text messages in the days leading up to the elections.  

.

Keep Reading business

•  NCPB sets in motion plans to compensate farmers for fake fertiliser
•  Governors reject revenue Bill, demand Sh439.5 billion allocation
•  Firm linked to fake fertiliser calls for arrest of Linturi, NCPB boss Premium
•  KPLC to pay Sh500 million for Nakumatt fire tragedy
•  Scented success: Passion for cologne birthed my venture Premium

Kassait, who was sworn in last month for a six-year non-renewable term, said she was well prepared to take on the job of data regulator, a responsibility that traverses virtually all sectors of the economy, including financial, manufacturing, service and public governance. 

“There can be no hotter job to serve in this country as that of serving in an election management body. I believe I am prepared because I have served in a highly political environment, and you cannot be better prepared,” she said. 

As the Data Commissioner, Kassait’s role is growing in importance by the day as more entities in both the public and private sectors digitise their operations in a bid to survive. 

Experts say the outbreak of the Covid-19 pandemic has fast-tracked the digitisation process in many economies by several years, increasing the scale and scope of challenges that regulators will face in the coming months. 

According to the 2019/2020 Africa Cyber Security Report from Serianu, a cybersecurity and business consulting firm, unsecured remote connections across the country increased by 50 per cent in the second quarter of this year as more Kenyans worked and schooled from home. 

“In the last few months, we have seen a quick reconfiguration of entire IT systems to accommodate working from home and remote meetings as well as the implementation of business continuity plans,” said Serianu Chief Executive William Makatiani. 

“The upshot of a disruption of what was previously the normal course of business and an attendant rise in reliance on technology was the increase in cybersecurity attacks as criminals stepped up their foray into weak and exposed networks,” he added. 

According to the report, criminals used a range of tools, including phishing and malware attacks, database manipulation and remote access to secured servers to steal confidential data. Other weak points identified included the abuse of privileged access, for example where system administrators leak passwords to criminals, as well as the deployment of rogue devices such as employees’ smartphones and laptops. 

Among financial institutions like banks, micro-lenders and Saccos, attacks targeted ATMs, mobile banking apps, debit and credit systems and identity management databases. 

This year also marked a rise in the number of attacks targeting non-financial sector entities.

Manufacturing, insurance, healthcare and State entities recorded an uptick in attacks that targeted their payment systems, document storage and management databases, identity management systems and email networks. 

The survey, which collected feedback from 300 IT and security professionals, further gave troubling insights into the gaps that exist in both private and public entities regarding data protection. 

According to the report, 25 per cent of those surveyed were unfamiliar with the Kenya Data Protection Act, 2020, while 45 per cent said they were aware of the law but yet to read it extensively. Only 30 per cent said they were a little bit familiar with the Act. 

The report further indicated that 72 per cent of the organisations surveyed collected Kenyans’ personal data that was identifiable, directly or indirectly, while 45 per cent of those sampled said they transferred this data to third parties. 

When asked if their organisation has implemented processes to ensure they can protect the privacy and security of their customers’ data, only 26 per cent said they had.       

As the country’s new data regulator, Kassait will be the one to ensure all entities conduct interactions with customers and the public within the framework of the Data Protection Act, 2020.

This also includes State actors that have often been accused of being at the centre of violations against data privacy. 

In April this year, the Court of Appeal allowed the Communications Authority of Kenya (CA) to carry on with the development of a Device Management System (DMS), subject to public and stakeholder consultations.

Mobile network operators had successfully sued to stop the industry regulator from installing the device, alleging it could be used to intercept and listen in to subscribers mobile communications.    

CA, however, said the device was only to identify and blacklist counterfeit mobile devices being used in the country, a claim that was disputed by the telcos.

In its submissions, for example, Safaricom said the CA only gave the specifications and design of the system developed by the Lebanese information technology firm Invigo Offshore Sal.   

The court ruling gives the CA - and the Data Commissioner - the chance to ensure that the deployment of the DMS is done with appropriate participation and consent of telcos and consumers.  

Among Kassait’s other immediate tasks will be to ensure the integrity of the controversial National Integrated Identity Management System (NIIMS), popularly known as Huduma Namba.

The system is intended to create and operate a national population register, but some lobby groups fear it could be abused.

She is also expected to rein in data processors and controllers that have been sharing such data without consent, selling it to or manipulating it for political reasons.

Those targeted include mobile service providers, banks, health service providers and even State departments, such as the Registrar of Persons and IEBC.

These institutions have in their possession large amounts of data, which remained unprotected until last year when Parliament passed the Data Protection Act.