In July 2020, we began a partnership with Amnesty International Kenya. Our partnership brought together our expertise and networks on data for development and data protection for human rights to form the data governance programme that has now been running for 2 years.  The project sought to achieve three main outcomes: 

1. To put into operation a human rights compliant Data Protection Act through citizen responsive guidelines, budgets and policies. 
2. To have citizens gain more awareness to monitor and even demand their data rights and have governments be accountable to the use of their personal data.
3. To initiate and steer a continental movement through policy dialogues on data governance actively engaging governments and regional bodies such as the African Union and the relevant United Nations bodies.

What we’ve achieved

We are happy that we managed to engage with 8 county governments in Kenya, engaging with chief Officers from Makueni, Nakuru, Nairobi, Mandera, Nakuru, Nandi, West Pokot and Turkana who were sensitized on the connections between Access to Information, the Open Government Partnership and the Kenya Data Protection Act, 2019. 

We also undertook a public awareness campaign, as well as held a number of workshops that brought together civil society actors working in the space in order to sensitize them on data protection and privacy. At both national and regional levels, we undertook applied research around data rights and data for development themes  so as to document practices (including good post-COVID-19 practices) and provide practical evidence-based recommendations to our government counterparts targeting Kenya, Ghana, South Africa and Nigeria. 

What worked

1. We successfully launched the Restore Data Rights movement on 11th November 2020 with calls to citizens, civil society, governments and development partners to help ensure that human rights in cyberspace and over personal data are upheld during and after the pandemic by signing and endorsing the #RestoreDataRights declaration. We managed to get 63 signatories and endorsements from from 21 countries, namely: Kenya, Nigeria, Canada, South Africa, Zimbabwe, Malawi, Yemen, Uganda, USA, Somalia, Nepal, Netherlands, Morocco, Liberia, Ireland, UK, Spain, Democratic Republic of Congo, Botswana, Mauritius and Bangladesh.
2. Amnesty International Kenya undertook a baseline study, a first of its kind exploring the level of awareness for Kenyan citizens on data rights. The study took the form of an opinion poll administered to 1,521 diverse respondents across 30 counties. The report outlined that the majority of Kenyans still largely remained unaware of their data and privacy rights more than 1 year after the launch of the DPA 2019. 
3. The Data Protection Awareness campaign in Kenya – dubbed #FichaUchi (translates to “hide your nakedness”) was a six week campaign run by the Open Institute from 10th May 2021 on social media which sought to raise awareness on data protection and to demystify the Data Protection Act to young Kenyans. The Data Protection Act of 2019 (Kenya) is fairly new and through the campaign it was clear that many Kenyans were not aware of these rights. The online campaign had a total reach of 6,952,085 and 55,290,058 impressions. The campaign was quite successful with local media stations picking up on the conversation.
4.  Open Institute and Amnesty International provided thought leadership on Data Protection at the Regional and National Level through research and related knowledge products. Together, we examined good data protection practices in Kenya and beyond, resulting in the creation of two reports that were launched on 1st December 2021 in Nairobi, Kenya. 
   1. The Subnational Data Practices In Kenya Study by the Open Institute, and 
   2. The Comparative Data Regimes Report by Amnesty International Kenya.

5. We fostered relationships with the Offices of the Data Protection Commissioners in Kenya and Mauritius; thereby working towards identifying ways in which we could provide technological and other technical support for strengthening them. 
6. DataReady Limited, as part of the #RestoreDataRights movement,  produced a series of briefs that explored how key provisions of the #RestoreDataRights Declaration have been translated into law and practice in Kenya, South Africa, Nigeria and Ghana. The four country-specific, in-depth research pieces looked into the rules and regulations that govern the use of data as part of the COVID-19 response in Kenya, Nigeria, Ghana and South Africa. These pieces of research have provided a framework that informs the backbone of the ‘accountability matrix’ against which government policies and actions have and will continue to be assessed moving forward. 

Some positive surprises

Some good surprises that emerged throughout the process were: 

An appreciation and interest in digital rights as well as involvement of the ODPC Kenya: 

The ODPC involvement with the private sector and strategic CSOs have given the ODPC and the DPC Opportunities for visibility and provided an opportunity to partner with them. This was timely given that Data Protection has been thrust to the fore as a topic globally and locally.  

Subnational interest and focus: 

There has been increased interest in usage of data for decision making at the subnational level and the dialogue on data protection and privacy policy was complimentary to these efforts. From August to December 2021, the Open Institute ran a Data Leaders Fellowship Programme which was the perfect platform for us to facilitate and increase knowledge around data management and data protection in the 8 aforementioned counties. This is even as the counties seek to invest in sustainable data structures for data collection, analysis, visualisation and storage of the data to support decision-making. 

We held several events too

We held a series of meetings and workshops to deepen understandings and share knowledge on data protection and privacy both locally and regionally as follows: 

What didn’t work

1. The uptake/endorsement of the Restore Data Rights Declaration especially by African governments has been slow. Similarly, on the part of Civil Society Organisations, 2020 and 2021 were tough years occasioned by the COVID-19 pandemic and most had to struggle to stay afloat by prioritising staff time and meagre resources they had. We found this as one of the main reasons why there was asymmetry between the Declaration’s call to action and the actual activities in-country as most countries (both state and non-state actors) were not prioritising data protection and data privacy.
2. The coordination of continent-wide advocacy during the pandemic was enormously challenging – especially when trying to connect across communities of practice that have not previously worked together; and also without physical meetups. Although there was early momentum around the RDR Steering Committee, the movement has been struggling to adopt a common agenda due to the difficulty of working across communities for the first time during a period when many people were stressed, over-worked and unable to travel. Loss experienced due to COVID-19 within our organisations, teams  and families meant that there was a period between November 2020 and April/May 2021 where progress was especially slow due to staff trauma and grief.
3. National and community level engagement on data governance is more effective than continent-level engagement. When we started the program, the desire was to engage more with continental-level stakeholders such as the United Nations (UN) and African Union (AU).  However, as the project progressed, we realized that one of the unique value propositions of our organisations was that our competencies aligned more with “development professionals desirous for actualization of digital rights”, as opposed to that of “digital rights activists” which occurs in other parts of the world. This means we identify the most impact of our work being through our engagement with policy makers and institutions that work more at the implementation level, as well as with citizens directly.
4. We also acknowledge that the round table discussions and workshops we held during the past year could also be deemed “Elitist”. Initially, we witnessed low turnouts, attributable to the COVID-19 pandemic. But as we moved along, it has come to our realisation that we are inviting the same crowd of people to the discussions as well as webinars; some might deem these people as elitist and it might inadvertently hinder transmission and packaging of messaging on data and digital rights to citizens affected by this issue. Hence a need to switch towards community-based roundtable discussions.
5. We also realised that as much as we had the #FichaUchi campaign, we did not reach a larger group of people because of the time frame and the medium which was mainly social media i.e Twitter, Facebook, and Instagram. There is a need to do more to message and package communication to the grassroots.  

Going forward

Admittedly, despite the aforementioned successes, the work that was cut out for this programme ended up not being straight forward. All in all, we remain committed to ensure that any further work in subsequent phases of the programme focuses on: 

1. Awareness creation on data protection and data rights both through digital and non-digital media so that no one is left behind.
2. Implementing recommendations of the Subnational Data Practices in at least 8 partner counties mentioned above.
3. Strengthening grassroots civil society organisations information rights and data governance programmes by conducting focus group discussions in selected counties geared towards demystifying data and steps to protect it.
4. Rebranding of the ‘restore data’ rights movement to a ‘building of data rights’ in Africa; which is a more sustained data protection and privacy practices initiative.

As we jointly plan for the next phase of the project starting in 2023, we hope to work with more collaboration, share more lessons and achieve even more impact.

Read more about the project: