ARTICLE 19 Eastern Africa and KICTANet, an information communications and technology (ICT) policy and regulation think tank, have brought together representatives from the Kenyan government, the ICT sector and others to discuss data protection and innovation in Kenya’s digital environment.
Speaking at a roundtable event, representatives from the banking sector, the government, the Kenya Revenue Authority, the Mozilla software group, academia, and legal and non-governmental organisations discussed the Office of the Data Protection Commissioner’s Guidance Note for the Communication Sector. They acknowledged that Kenya’s evolving digital landscape presents a constant tension between fostering innovation in the ICT sector and the need to ensure robust data protection measures. Discussions centred on collaborative efforts, measured adjustments to business models, and the development of a clear framework for user consent and security. Data Protection Commissioner Immaculate Kassait also attended and spoke at the event.
As well as emphasising the importance of prioritising robust data protection alongside innovation, speakers acknowledged the need for the telecom industry to be proactively engaged. Proposals included enhancing transparency reporting, ensuring informed consent for data, and addressing stakeholder concerns about surveillance carried out by security agencies.
Through consensus, the panel called for institutions to adopt a responsible approach to using and applying data in their work and the need for a delicate balance between transparency and competitive practices.
Data Protection Commissioner Immaculate Kassait emphasised the need to adhere to data protection principles and the importance of data protection and privacy across all sectors, including finance, healthcare, and telecommunications. She highlighted her office’s concerns regarding privacy in the telecommunications sector: data collection and tracking, misuse of personal data, surveillance, encryption and decryption, and cybersecurity breaches.
Kassait said her office had developed tailored guidance to address the unique data security and privacy concerns within sectors including finance, health, telecom and private security. In addition, she highlighted the importance of equipping personnel with the knowledge and skills to handle data responsibly.
Kassait also acknowledged the importance of fostering partnerships between regulators and the private sector to develop and implement effective data protection strategies.
Kenya’s communications sector encompasses various service providers, including those in telecommunications, broadcasting, postal, and courier services. These providers operate under licences issued by the sector’s regulatory body, the Communications Authority (CA).
The Data Protection Act and its accompanying Regulations define the duties and obligations of both the regulator and service providers regarding people’s personal information.
The Office of the Data Protection Commissioner Guidance Note clarify the interpretation and implementation of the Act and Regulations as they apply to communications. The guidance covers a range of data protection topics, including: how core data protection principles, like purpose limitation and data minimisation, are applied within the communications industry; lawful justifications for collecting and processing personal data; the obligations of both the sector regulator and service providers as they act as data controllers or data processors; and the rights individuals have regarding their data, such as access and rectification.