Day 6: Policy and Regulatory Framework on Privacy and Data Protection - Institutional Framework
Good morning listers,

The office of the data protection commissioner (DPC) is established as a state office and is expected to be independent. The DPC will however be appointed by the Cabinet Secretary, ICT. To qualify for the office, one needs to have extensive knowledge in data science, law, IT and related fields and meet requirements on leadership and integrity (Chapter six of the Katiba).

The functions of the DPC include: oversight and enforcement of the Act; registration of data processors and controllers; control over data processing activities; promotion of self regulation of actors; investigation of complaints; creation of awareness on the Act; ensure compliance with international obligations; research and related functions from other laws.

Powers of the DPC include: investigations; obtain professional assistance if need be; facilitate alternative dispute resolution; issue witness summons; request for information from persons governed by the bill. Further, the DPC may request for data audits (clause 20); appointment of guardian for child online services (clause 29).

Apart from the usual sources of funds (allocation by Parliament, donations, grants etc) the bill also states that the office of DPC may be funded by funds accrued in performance of its functions.

Some public fears on creation of yet another public body are based on concerns about funding the body, an expectation that registration will mean paying for licences and that there is not sufficient capacity in the country to oversee data protection. The bill however only proposes that DPC issues certificates and does not mention registration fees.

To guide our discussion today, questions include:

1. Are the functions and powers of the DPC adequate to implement the law? Are there any overboard provisions?
2. Considering that the government is a major data processor and controller, is the office of the DPC as structured in the bill sufficiently independent?

As usual, please point out any good or problematic clauses. Welcome to the discussion.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
Good morning Grace,

I don’t think the Office of the DPC is set up to be an independent office. That the DPC will be appointed by the CS is comparable to the elusive ‘independence of the Communication Authority’. The obvious concern is that this will water down the DPC’s watchdog powers when it comes to regulating the government as a controller and processor. The best the Office will be able to do is make recommendations to other government offices to comply with the Act.

Setting up a new body may also be a problem in the case of data protection. For context purposes, Acts that were passed in 2016 are just now being fully operationalised. Anything that requires the setting up of yet another government office has grave budgetary implications and unfortunately the restructuring takes quite some time. A legal framework on data protection is urgent - we don’t have the luxury of time.

Good discussion!
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.c...
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Listers,

I would have hoped for more views on this topic as it is one of the key differences between this draft bill and the Senate data protection bill. Should there be a harmonisation of the two bills, your input on how the data protection regime will be enforced will be useful for the nation. I therefore really hope that we find time to consider this matter and give our views.

Tomorrow we shall look at issues we missed out while going through the draft, key among them being exemptions from certain provisions of the law.

Goodnight,

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
Grace,

Considering that commissions like the Judiciary and the KNHRC are getting very little allocations (and the rumors that *sirkal* is broke), DPC will mostly rely on license fees from data processors. Perhaps we should ask if that's enough to sustain the office and to discharge all the duties outlined in this policy. How many data processing entities are we going to license? And at what reasonable fee?

I’m still trying to figure out DPC's level of independence given that the commissioners are appointed from the ministry. Can it independently handle data protection issues between citizens and other state agencies? And who should give exemptions? Lastly, to avoid the challenges experienced with the ATI, the policy should give guidelines on the initial works of the DPP in promoting the policy. And how long is the transition period?

My quick thoughts.
Thank you Liz for the comparison with access to information, which was initially meant to twin with data protection. Your concerns on funding and sustaining the office of the DPC are not far fetched. We have also noted your contribution on transition to the data protection regime and enhancing the independence of the office by separating it from control of the executive.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
participants (3): Grace Bomu, kanini mutemi, Liz Orembo