The Ministry of ICT issued, through the press, an invitation to members of the public to comment on the data protection regulations on civil registrations. We submitted our comments, which you can read in detail here.
We essentially raised five points of concern with the regulations:
- issues around the operation of consent under the Regulations,
- issues pertaining to the rights of children,
- the imposition of fees to exercise fundamental rights over personal data,
- issues around automated processing,
- and the lack of detail regarding the processing and use of sensitive data in particular.
On Consent
On consent, our contention is that the current formulation of the regulations does not specify that consent should be sought for each and every new purpose for which the government intends to use the data. For instance, if your personal data was collected for the use of civil registration and tomorrow the government wants to use it for, say, analysing citizen health patterns, then they should come back to you and seek your express permission to use your data for the new purpose.
Section 8 of the Regulations deals with the collection of personal data. Section 8(2) states, “where a civil registration entity intends to use personal data for a new purpose, it shall ensure that the new purpose is compatible with the initial purpose.”
On the face of it, the language in s. 8(2) would appear to conflict with the provisions of ss. 6 and 7 of the Regulations, which taken as a whole read, in our view rightly, as requiring the data subject to provide specific and informed consent to each and every instance of their personal data being used by a civil registration entity.
On the rights of children
Our contention is that as they currently stand, the Regulations do not establish a clear process for a data subject to reaffirm, amend, or revoke consent at the point at which they come of age. In other words, if your parents gave permission for the government to use your data in a certain way when you were a child, you should have the leeway to revoke or amend that consent when you become an adult.
In addition, section 15(b) of the regulations makes reference to the need for civil registration entities to safeguard “the best interests of the child” but does not say how a civil registration entity would determine the best interests of a child on a case-by-case basis. We urged the ministry to clarify this point by inserting a specific reference to existing statutory provisions, by explicitly providing such guidance to safeguard the best interests of a child, or by adding a statement confirming that this is a matter that the Data Commissioner will explore further.
On charging fees
Should you wish to access your data from the government, Section 10(4) stipulates that there is a fee to be paid when you request access to your personal data. Section 13 makes reference to a fee for transferring data elsewhere should you choose to exercise that right.
Both the right to access one’s personal data and the right to request that data be transferred are integral data rights, and we contend that Kenyans should not be made to pay for such rights. First, imposing fees on one’s right to access or transfer personal data is like imposing fees for you to access your own home. Secondly, according to the latest available data from the World Bank, in 2015 over 36% of the Kenyan population subsisted on less than USD 1.90 a day, and all of these people would not be able to afford accessing their data. Poverty should not stand in the way of anyone exercising their data rights.
On automated processing
Section 22 of the Regulations covers automated individual decision-making; in other words, the use of ‘artificial intelligence’ to process personal data. Although this is a highly complex and emerging area, we believe that the Regulations are not as clear as they should be on this point. The regulations do not, for example, define such words as “logic”, “bias”, “appropriateness” and “discriminatory effects”.
In our view, section 22 is the least precise section of the Regulations. Given the potentially skewed and harmful effects on data subjects of automated processing – exemplified in fact by the terms ‘bias’ and ‘discriminatory effects’ used in the Regulations themselves – we believe that the Regulations require clearer definitions of these terms.
On sensitive personal data
Our final area of concern relates to sensitive personal data. Part V of the Data Protection Act of 2019 sets out clauses relating to the grounds for processing sensitive personal data in Kenya. It grants the Data Commissioner the right to prescribe categories of sensitive personal data (s. 47(1)) and specifically makes reference to the processing of personal data relating to health (s. 46), including a specification that health-related data may only be processed “by or under the responsibility of a health care provider” (s. 46(1)(a)).
Our contention on the issue of sensitive data emanates from two issues. Firstly, as it stands, it is unclear what categories of data the Data Commissioner has to date prescribed as constituting ‘sensitive personal data’. We request clarification on this point. Secondly, we are concerned about the lack of reference to sensitive personal data within the Regulations.
We have discussed these issues substantively in our submissions and we call upon all Kenyans to follow the issues around these regulations closely.
Special thanks to our friends at DataReady UK, for the research and independent legal study that enabled us to make this submission in a credible way.