Muraya, I hear you on having a real data economy with local data centres. But let me play the devil's advovate and ask, do we have the capacity to store all local data locally? In this era of cloud services, can we isolate ourselves from global giants such as AWS? On lawyers, this is a rare law where there are no commissions hence no Law Society of Kenya representative. Also, data processors and controllers are encouraged to have a data protection officer to advise them on compliance. Your recommendation on a CIO is noted. Thank you for these insights. Il lunedì 27 agosto 2018, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> ha scritto:

Grace, et al,

Data residency + sovereignty is most relevant here.

IT + Information professionals cannot honestly affirm or swear on oath about decency of the physical environment data (storage/servers) occupy if they cannot (physically) access the same. We know how welcome (dark) Africans are in the EU (+UK) where multi national data centers serving our region are usually situated.

(i) How do we evaluate data centers in localities where Africans must beg (pay) for visas to visit? (ii) How do our Courts summon EU/UK residents/citizens "protecting" our data in their localities? (iii) How do we prosecute EU residents/citizens handing over our data to their relevant authorities?

In short, the data processors and controllers should be subject to Kenya residency and laws especially if our data (backups) resides outside our borders.

While at it, why not use this Data Protection Bill to define some Chief Information Officer (CIO) roles?

The GDPR separates the role of the CIO and the DPO and in reality they cannot really exist without consulting each other.

The CIO role is wider than data protection. It also includes Access to Information (ACT should include/define other CIO roles).

https://enterprisersproject.com/article/2018/3/gdpr- confusion-it-puzzled-over-data-protection-officer-role

https://www.computerweekly.com/opinion/GDPR-for-the-CIO- Data-protection-is-about-more-than-GDPR-compliance

We MUST end the business/fraud of lawyers being paid more (to launder funds) than is allocated to IT projects increasing transparency and security in our communities and society.

On Mon, Aug 27, 2018 at 9:33 AM Grace Bomu via kictanet < kictanet@lists.kictanet.or.ke> wrote:

...

Good morning listers! Welcome to data protection bill/policy discussions. Last week, we went through the principles of data protection and rights of data subjects. We covered the right to privacy in its different forms including the right to be forgotten and consent. Today, we shift gears a bit and consider the issue of data protection from the point of the *processor and controller*. The bill defines a controller as one who designs data processing and the processor as one who collects, stores, retrieves , discloses, erases etc on behalf of a controller.

General obligations for controllers and processors are listed in part IV and they include upholding the principles of data protection, protecting the rights of the data subject, duty to notify the subject about processing and breaches, acquisition of consent and security safeguards as regards personal data. It would be interesting to hear from data controllers and processors, views on:

1. restrictions on processing personal data (clause 30) where processors may not process data objected by the data subject or which has legal claims.What are the practical implications of restrictions? For example, if one company or government agency received a large number of objections in one period? 2. the protection of data subjects from profiling (clause 31). While we have seen negative effects of profiling during the political season, are there positives of profiling that could benefit the data subject and does this bill adequately balance both ends? 3. the bill makes it mandatory to notify data subjects in case of breach. How will this change sectors such as banking where issues of data breaches are never discussed with customers or the public in order to protect the confidence of the industry? 4. Finally, on the issue of sensitive personal data, which is subject to higher protection. Sensitive personal data includes person’s race, health status, ethnic social origin, political opinion, belief, personal preferences, location, genetic data, biometrics, sex life or sexual orientation. What are the practical implications for existing data sets held by for instance the registrar of persons, universities, schools, insurance companies etc? Is the list proposed by the bill exhaustive? The Senate bill for example defines categories such as trade union membership as sensitive data.

Welcome to the discussion. Please point out any issues in the bill that are either very good and should be retained or problematic and should be improved. Tujadiliane.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/murigi.muraya%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F

Grace, In the 90's came across a colonial law firm in Kenya with proper computing infrastructure.. that is legit software + servers. Factoring the higher costs then, they had probably invested over KES 3 mln (at the current USD/KES rate). That was my first and last encounter with a a law firm properly invested in a server (or network storage) in Kenya. If more lawyers invested in entry servers/storage + legit software (about KES 300,000 for up to 5 users) they would have an idea of how much talent we have locally. All the information to manage data centers is available online. It is our business environment which is more of an problem. Imagine having to rely on transformers supplied by Kenya Power ): On Mon, Aug 27, 2018 at 11:46 PM Grace Bomu <nmutungu@gmail.com> wrote:

Muraya, I hear you on having a real data economy with local data centres. But let me play the devil's advovate and ask, do we have the capacity to store all local data locally? In this era of cloud services, can we isolate ourselves from global giants such as AWS?

On lawyers, this is a rare law where there are no commissions hence no Law Society of Kenya representative. Also, data processors and controllers are encouraged to have a data protection officer to advise them on compliance. Your recommendation on a CIO is noted.

Thank you for these insights.

Il lunedì 27 agosto 2018, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> ha scritto:

...

Grace, et al,

Data residency + sovereignty is most relevant here.

IT + Information professionals cannot honestly affirm or swear on oath about decency of the physical environment data (storage/servers) occupy if they cannot (physically) access the same. We know how welcome (dark) Africans are in the EU (+UK) where multi national data centers serving our region are usually situated.

(i) How do we evaluate data centers in localities where Africans must beg (pay) for visas to visit? (ii) How do our Courts summon EU/UK residents/citizens "protecting" our data in their localities? (iii) How do we prosecute EU residents/citizens handing over our data to their relevant authorities?

In short, the data processors and controllers should be subject to Kenya residency and laws especially if our data (backups) resides outside our borders.

While at it, why not use this Data Protection Bill to define some Chief Information Officer (CIO) roles?

The GDPR separates the role of the CIO and the DPO and in reality they cannot really exist without consulting each other.

The CIO role is wider than data protection. It also includes Access to Information (ACT should include/define other CIO roles).

https://enterprisersproject.com/article/2018/3/gdpr-confusion-it-puzzled-ove...

https://www.computerweekly.com/opinion/GDPR-for-the-CIO-Data-protection-is-a...

We MUST end the business/fraud of lawyers being paid more (to launder funds) than is allocated to IT projects increasing transparency and security in our communities and society.

On Mon, Aug 27, 2018 at 9:33 AM Grace Bomu via kictanet < kictanet@lists.kictanet.or.ke> wrote:

...

Good morning listers! Welcome to data protection bill/policy discussions. Last week, we went through the principles of data protection and rights of data subjects. We covered the right to privacy in its different forms including the right to be forgotten and consent. Today, we shift gears a bit and consider the issue of data protection from the point of the *processor and controller*. The bill defines a controller as one who designs data processing and the processor as one who collects, stores, retrieves , discloses, erases etc on behalf of a controller.

General obligations for controllers and processors are listed in part IV and they include upholding the principles of data protection, protecting the rights of the data subject, duty to notify the subject about processing and breaches, acquisition of consent and security safeguards as regards personal data. It would be interesting to hear from data controllers and processors, views on:

1. restrictions on processing personal data (clause 30) where processors may not process data objected by the data subject or which has legal claims.What are the practical implications of restrictions? For example, if one company or government agency received a large number of objections in one period? 2. the protection of data subjects from profiling (clause 31). While we have seen negative effects of profiling during the political season, are there positives of profiling that could benefit the data subject and does this bill adequately balance both ends? 3. the bill makes it mandatory to notify data subjects in case of breach. How will this change sectors such as banking where issues of data breaches are never discussed with customers or the public in order to protect the confidence of the industry? 4. Finally, on the issue of sensitive personal data, which is subject to higher protection. Sensitive personal data includes person’s race, health status, ethnic social origin, political opinion, belief, personal preferences, location, genetic data, biometrics, sex life or sexual orientation. What are the practical implications for existing data sets held by for instance the registrar of persons, universities, schools, insurance companies etc? Is the list proposed by the bill exhaustive? The Senate bill for example defines categories such as trade union membership as sensitive data.

Welcome to the discussion. Please point out any issues in the bill that are either very good and should be retained or problematic and should be improved. Tujadiliane.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/murigi.muraya%40gmail....

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F

-- SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

@Michael, on the issue of transfers outside Kenya, I foresee the need for international agreement on what constitutes basic data protection. Otherwise, some data processors will be able to build different products for different jurisdictions while those who cannot will be limited in how they can expand. To balance the question of platform as a service with @Muraya's comments on building the local data economy, maybe we need more evidence to determine what our local capacity is. In addition, the policy needed to rope in other stakeholders who are important for data protection, including the power sector (KPLC etc), academia on skills gaps and KEBS et al on standards, just to mention but a few. I hear you on the lack of incentive on notification and note this under the discussion on offences as one way to remedy this wold be to create an offence of not notifying in case of a breach. Il giorno mar 28 ago 2018 alle ore 00:58 Michael Pedersen via kictanet < kictanet@lists.kictanet.or.ke> ha scritto:

Listers,

Regarding part IV of the draft I have noted the following points.

*1. Transfers outside Kenya.*

Very many (if not most) Kenyan websites/systems are hosted internationally, AWS, Rackspace, and all the usual suspects are widely used. As a result very often personal data is currently transfered internationally.

My issue here is what constitutes "proff" that a foreign nation have "adequate" data protection laws? My first thought on this issue is that Europe due to GDPR would be considered "adequate", whereas United States would NOT be considered having "adequate" laws.

If this is the case/correct interpretation then this law will have a significant cost (money and time) for all the ones currently hosting in US who have to migrate their setup.

*2. Platform as a service*

In situations where your system is build on a global company's "platform as a service" (Google being the prime example) you have very little control of "where" the personal data is "transfered" - as Google have caching servers almost everywhere, essentially the data would/could be copied all over the globe.

The limitation on international transfers - does it in-effect kill innovations that utilize global infrastructure such as this ?

*3. Lack of incentive for notification*

As I have mentioned elsewhere I think it is great that any breach that should happen requires that the affected person(s) be notified. However I feel that the draft very much creates no incentive for data-processors to actually full-fill this requirement - In-fact the way I read it it is very very tempting for processors who are subject to a breach to keep very quiet (i.e. they are committing an offence if they are subject to a breach - so better make sure no-one ever finds out that you lost some data).

Kind regards Michael Pedersen

On 27/08/2018 08:30, Grace Bomu via kictanet wrote:

General obligations for controllers and processors are listed in part IV and they include upholding the principles of data protection, protecting the rights of the data subject, duty to notify the subject about processing and breaches, acquisition of consent and security safeguards as regards personal data. It would be interesting to hear from data controllers and processors, views on:

Welcome to the discussion. Please point out any issues in the bill that are either very good and should be retained or problematic and should be improved. Tujadiliane.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F

_______________________________________________ kictanet mailing listkictanet@lists.kictanet.or.kehttps://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/michael%40pluspeople.d...

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F