This is an excellent summary of the draft bill on Data Protection. Thank you, Michael. While working on platforms that hold public information and register users through third-party authorisation applications, I suppose those types are exempted.

But let me read the draft for myself :-D.

With the best regards,
Jimmy Gitonga


On 14 Aug 2018, at 12:00 PM, kictanet-request@lists.kictanet.or.ke wrote:

Hi Listers,

I have just finished the first read-through of this document; here are
my initial thoughts/questions/concerns (in no particular order):


Registration fee
I am concerned that the registration fee might be prohibitive for many
startup ICT businesses - especially since this is not just a cost that
is meant to cover the actual cost of processing the application, but
is intended to cover the entire cost of the office of the data
protection regulator (as mentioned in section 12.2).

This may lead to a situation where many/most startups either stay
non-compliant with the law (in which case - then what's the point?), or
they may be unable to launch new innovation due to compliance costs.


Reporting frequency
As mentioned in section 11.4, the data protection officer needs to make
regular compliance reports to "the office", but I could not find any
mention of what "regular" means - is it once a year, once a month or
... It could be a rather significant administrative burden (especially
for an SME), so the fact that there is no quantification of "regular"
worries me quite a bit.


Compliance levels
The way I see it, a very high percentage of ICT startups would be
subject to this law, but I fear that very few will have the capacity
to actually become (and remain) compliant on this matter.
If compliance levels remain low, then few consumers/end-users/customers
will be requesting compliant vendors or even be aware of their rights
according to this law; a negative circle will be created where no-one
expects compliance and hence no-one will offer it.


No breach notification incentive
Sections 8.2.6 and 38.1 state that data controllers are obligated to
notify on breaches - this is good and probably the most important
element in my mind - accidents will happen, but the key thing is that
affected people get notified (and of course that measures are taken
to prevent it happening again).
However, section 70.1+2 tells us that a data controller who "loses"
data will be committing an offence and be subject to a fine of (max)
10 million KES.

This sounds to me like there is absolutely NO incentive to report a
breach - in fact it kinda encourages data controllers to keep VERY
quiet about breaches and hope that no-one notices.
Would it not be smart to make it so that if the breach was reported to
"the office" prior to "the office" receiving any complaints, then any
subsequent fine/penalty would be discounted, i.e. 50% - but it would be
100% if no reporting had happened...

I just fear that the main point of the exercise - to ensure that
people actually are aware if their data is "lost" and give them the
ability to react before someone exploits their data.


Training / capacity
I wonder what kind of training programme would be available for all the
newly designated data protection officers.
How are we going to ensure that they get up to speed with this (new)
legislation fast?


Scope
Initially I thought that effectively every company in Kenya would have
to register (and pay a registration fee) - as everyone would have
private data on their employees in some kind of "system" / HR file.
Although my gut kinda told me that this is not the intention.

However, section 56(a) sounds like it would exclude data obtained in
relation to employment - has anyone else reached the same
conclusion on this?


Our own house
Looking internally, I am actually in doubt whether our company would
need to register or not.
Our company builds and runs HR/payroll management systems - and the
system does hold private data, because... that is kinda what the
system does ;-)
The reason that I am in doubt is when I read section 49(1)(c), where it
explicitly exempts data related to the assessment of taxes - and this is
exactly what our system(s) do, so depending on how I read that we
could be exempt (?) - but somehow I get the feeling that 49(1)(c) is
intended specifically for government bodies (read KRA), not private
entities. So I am a little confused.


Security by design
Section 5.3.4 dictates that systems should incorporate "security by
design", which is an absolutely great way to approach developing such
systems.
However, from what I have seen being developed while interacting with
various SMEs and startups, "security by design" is not a principle
that very many apply, or even have on their "radar".
To make things worse, unless you do a very close evaluation of the
actual systems and HOW they are developed, it can be really hard to
determine if they utilise "security by design"...
All in all, this sounds kinda like wishful thinking - if it's meant as
a way of creating awareness of "security by design" then great - but I
can't really see it as a condition.


Kind regards
Michael Pedersen