BO: As mentioned in my first intervention, I still think we are at a nascent stage as a country in so far as developing our information society is concerned. For example, we don't have a proper national addressing system. KRA has tried to register landlords and it has been an uphill task. Restrictions on processing personal data are likely to be misused. The end result would be preference for manual processes that are easy to manipulate as we have seen with the electoral system.
- the protection of data subjects from profiling (clause 31). While we have seen negative effects of profiling during the political season, are there positives of profiling that could benefit the data subject and does this bill adequately balance both ends?
BO: Profiling is critical for the information economy, especially in so far as big data analytics is concerned. You need to Know Your Customer before investing. There is no problem with profiling provided consent is provided. I think the bill is balanced in this respect.
- the bill makes it mandatory to notify data subjects in case of breach. How will this change sectors such as banking where issues of data breaches are never discussed with customers or the public in order to protect the confidence of the industry?
BO: I don't see this affecting the Industry very much. In the past, we had all buried our heads in the sand. I am seeing cases in which local companies are increasingly notifying their customers whenever they have downtime and system challenges. Banks have started following suit and being proactive. Users play a part in many Cyber Security Incidences and as such they will need to be involved in any efforts geared towards addressing the Cyber Security challenges faced by banks.
- Finally, on the issue of sensitive personal data, which is subject to higher protection. Sensitive personal data includes a person’s race, health status, ethnic social origin, political opinion, belief, personal preferences, location, genetic data, biometrics, sex life or sexual orientation. What are the practical implications for existing data sets held by, for instance, the registrar of persons, universities, schools, insurance companies etc.? Is the list proposed by the bill exhaustive? The Senate bill, for example, defines categories such as trade union membership as sensitive data.
BO: I find the term sensitive sensational. Broadly, personal data should be handled respectfully and within prescribed guidelines provided there is consent from the owner or user. In the long term we need more awareness on why personal data should be respected and less regulation around the same, otherwise the end result will be endless tension between the state and citizens and vice versa considering the kind of litigious society we have become. That said, I believe the list may not be exhaustive at this point. Once the bill comes into effect, it might need some amendments.