The Hidden Dimensions Of Data Privacy

Data privacy and data protection are often used interchangeably, yet they mean different things even though they are linked to each other. Data protection, the traditional realm of security professionals, is about securing data against unauthorised access. Data privacy concerns arise wherever personal information is collected, stored, or used, and the data subject is not in control of such activities. Another perspective says data protection is about securing data against unauthorised access. Data privacy is about authorised access — who has it and who defines it. Another way to look at it is this: data protection is essentially a technical issue, whereas data privacy is a legal one. To compound to the confusion, the Storage Networking Industry Association (SNIA), says the laws and regulations that cover “the management of personal information” are typically grouped under “privacy policy” in the United States and under “protection policy” in the EU and elsewhere. The ever-faithful Quora has an entire thread viewed by millions attempting to define them legally.

Dr Fernando Wangila, (PhD) Senior Deputy Director, Head of ICT and Innovation, National Transport and Safety Authority (NTSA), brings it home. “Data protection is a technical domain where we have a fortress around our data. But it does not mean that if there is a fortress, then it is private. Data protection cannot protect data unless the personal data is protected by technology. If someone can steal personal data, then it means privacy is not guaranteed, which puts us at risk of security breaches.” He further adds that data protection is related to trade, services and exchange of goods in the digital economy. Insufficient protection reduces consumer lose confidence while on the flip side, there is such a thing as too much protection resulting in a poorly developed system of service. A need for balance between the two now becomes apparent.

Anthony Muiyuro, Senior Manager, Cybersecurity & Resilience, Ernst & Young, defines privacy as “rights and obligations of personal data broadly speaking. It is about accountability. It is the intention that is coming out very clearly from the legislation. Looking at the key common principles that underpin them.”

A CIO East Africa survey, 61 percent of organisations have a data privacy policy and strategy. It means their organisations inspire comfort and trust that they will not sell or misuse someone’s data. At the same time, 31 percent do not have any, leaving them vulnerable to relevant crises, with 7 percent who did not know if such a thing existed. The biggest issue that came out clearly during the Data Privacy: Governance of the Hidden Dimension webinar recently is the principles of data protection and privacy as consent. Below, a couple of practical situations that Dr Fernando offers prove how critical an organisation’s data protection and privacy policy is.

When you mpesa, the recipient never gets a chance to consent, which is one of the principles of data privacy and protection. Instead, they simply get this money with receipt presuming acceptance which presumes consent. Should privacy and protection laws apply, an individual would be able to say yes to the money, or no and reject it, especially in an accidental case. But we are deeply familiar with mpesa transfers that have gone awry and the frantic search and beseeching where the stranger has kept the money, which is tantamount to theft.
If you pay Kshs 550, you can use someone’s plates to do a search and find out details such as who owns the car, chassis number, right down to its colour. Ideally, the owner of the vehicle should get an alert, opt to say yes you can allow the search or no, this violates my privacy, and why is this information not protected, then subsequent action will be taken.
When the Credit Reference Bureau (CRB) does not update your data fast enough such that you are blacklisted, it can create legal and financial issues.
Do you give fake names and numbers when you have to sign in to enter a building? In the case of Dusit, books came in handy to verify the number of occupants across different buildings. While it is not wrong to have this information, the bigger question is less about how your data is used and more about why said data is being collected and critically, where do these books go when they are full?

if you pay Kshs 550, you can use someone’s plates to do a search and find out details such as who owns the car, chassis number, right down to its colour. Ideally, the owner of the vehicle should get an alert, opt to say yes or no. This violateS privacy, and why is this information not protected?

More legal challenges in data protection laws include:

In a world suffering from data obesity, Dr Ferdinand identifies the challenges of technologies such as cloud computing. If your data lives in a data centre, say AWS, that exists in another country, yet you as a data subject is a Kenyan citizen, which jurisdiction governs your data? This raises issues with Big Data and IoT.
We rely on the Constitution, which takes precedence in case of conflict. Chapter 4 on Human Rights activates and dictates the privacy of people’s data, but on its’ own it is not as solid. The Data Protection Act 2019 deals with it more comprehensively. In court, the supreme law is the Constitution. If it overrules an act, there is a problem. It, therefore, means the pair of laws must work hand in hand. There needs to be synchronicity between them.
Legal, treaty and international laws govern certain sets of data privacy and data protection policies. It demands a high degree of synchronicity. With the universality of the General Data Protection Regulation (GDPR), countries are attempting to unify laws. It will lead to international similarities. That being said, Kenya also needs to give the DPA 2019 laws and GDPR time to mature.

The challenge has been losing control. We have no idea what our data is being used for. What are some of the controls from an organisational perspective? How are they using what is being collected? Who is responsible for protecting data privacy? How is it collected, used, stored, processed, protected?

An issue that is emerging when it comes to data is about consent, the ownership of data and right of erasure. Dr Fernando points out that “if there was a referendum now, consent should be added to the constitution, then we would be fine.”

Antony reiterates the value of data by observing that, “The challenge has been losing control. We have no idea what our data is being used for. What are some of the controls from an organisational perspective? How are they using what is being collected? Who is responsible for protecting data privacy? How is it collected, used, stored, processed, protected? Now that we say it is the new oil.” Someone in the organisation must be assigned the work of handling data. Internally, business owners need to be sure data is safe. Why is privacy so important? He says, “We are using digital platforms to live, and this has brought in serious concerns. Companies use them on an unprecedented scale, an advantage they possess as an organisation. So what are the controls an organisation needs to touch on?”

Also, how do you give control back to the subject? How many Kenyans, for instance, are empowered enough to know they have the rights? Rights to information, access, clarity, discretion, erasure, a say in how their data is being used, stored, disposed, restriction of processing, and finally the right to object by opposing the use of their data? Most organisations don’t understand data they collect, send out, own or process, a very critical pillar for end to end perspective. The beauty of data privacy and data protection policies can be said to be its newness. Right now is the inevitable phase of adoption to go through. Court systems are now aware of what these issues are and how to handle them. They may not be there yet, but as we give them time to adapt, it is recognised that this is a game-changer. And this means the need to upscale, training and awareness along with reskilling and reeducation.