Every day, we willingly or unwillingly disclose our personal information to individuals or organisations, often without awareness of how this data may be utilised. At the Open Institute, we have been educating Kenyans on how to handle their personal data more carefully, and what their data rights are, through a social media campaign dubbed #FichaUchi.

In 2021, we ran the first Ficha Uchi campaign, aimed at raising awareness about data privacy and data protection while also bringing to the fore the existence of the Office of the Data Protection Commissioner. #FichaUchi demystified the Data Protection concept by providing factual, age-appropriate information about Data Protection, reaching an overall audience of 55 million across social media. Driven by the realisation that there was a widespread lack of awareness on data and its protection, we begun the second phase of the campaign in May 2023 with a new vigour: we would do more to engage citizens on the topic.

This time, we wanted to engage our target group of young people in a lower-middle income group where they were: through focus group discussions and community radio shows in 9 counties. The aim is to increase our knowledge on the perceptions that citizens have of data and data protection. The biggest thing that we are learning through the focus group discussions is that, although citizens care about protecting their personal data, they often feel powerless. This powerlessness is brought about by: – 

1. A Lack of Alternatives: In most cases, people feel that they have no choice but to give their personal data if they want to access specific products, services, or platforms. This obligation to surrender their information without options not to cause them to feel trapped. Frustrated and eventually, hopeless. 
2. An imbalance of Power: There is an imbalance of power between users and the companies or organisations that collect their data. We have found that the prevailing perception is that people have little negotiating power or influence over how their data is handled, especially when dealing with large corporations or government entities.
3. Inadequate Control over Data: Once personal data is submitted, individuals told us that they feel they lose control over it. It becomes the will of the collecting entity. They might not know how to access, edit, or delete their data, or they might face obstacles in doing so which will discourage them from pursuing further. 
4. Complex and Lengthy Terms of Service: All the people we have spoken to have told us that they don’t read terms and conditions or privacy policies. Many companies present users with lengthy and complex terms of service or privacy policies that are often difficult to understand. Users might feel overwhelmed or discouraged from reading through these documents, leading them to accept the terms without grasping the full implications.
5. A Lack of Transparency: Companies may not be fully transparent about how they use the collected data. Many of the people we spoke to told us that the main reasons why companies collect their data is because of security and record keeping. However, when we asked how they knew these, they told us that “it is obvious.” Many people are unsure about the specific purposes for which their data will be used, who it will be shared with, or how long it will be retained.
6. A Lack of Awareness: many citizens we have spoken to are not aware of their right to privacy. Most have not heard of the Data Protection Act, or of the Office of the Data Protection Commissioner. Largely, the citizens we spoke to are unaware of their rights as data subjects and the obligations of data processors and controllers in safeguarding their data.

We have many more findings, including the fact that citizens trust social media’s “cancel culture” more than they trust the police to deal with companies or individuals who misuse their data. Additionally, we found that people’s resistance to sharing their personal information depends on who the person represents (a government body, a well-known organisation, etc), how the person asking for the data looks (facial features, dress code), how well they speak and how well organised they appear to be. Someone presenting a staff ID, a government employee, family or friends are more likely to be trusted with a person’s details. The rest of the time, people just rely on their gut feelings. 

We successfully completed the exercise in July, and as we delve deeper into the findings from citizens, we will share more insights on our blog and social media platforms. We are keen to work together with our partners to craft interventions to make Kenyan citizens champion their data protection better.