Day 2- Policy and Regulatory Framework on Privacy and Data Protection
Day 2- Rights of Data Subjects
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop–
You- data subject
The mobile money agent- data processor
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
1. The right to be informed of the use to which the personal data is to be put Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
2. Right to access their personal data in custody of data controller Will we be able to demand from our mobile network operators to see our account details and transactional history?
3. Object to the collection or processing of all or part of their personal data Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html>?
4. Correction and deletion of false or misleading data Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
Good morning Kanini,
These are good rights. Other rights should be these people who send spam SMS will now first tell us who they are and how they got our phone numbers and then let us remove ourselves from their lists.
Regards,
On Thu, 23 Aug 2018 at 10:57, kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– * You- data subject * * The mobile money agent- data processor *
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
*1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html> ?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/wagitungo%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Hi listers,
The rights as provided are quite progressive and commendable. However, one cannot help but ask, what remedies are available for a data subject? The Act criminalizes the various ways of misappropriating data which is an effective deterrent. All the same, it would be prudent in my humble opinion to include the right to compensation/ damages to the victims of such abuse of data. This would not only further deter the violation of a data subject's rights but would also provide a legislative basis for indemnifying the data subject for any damages sustained from such violations.
Kind Regards, William.
A practical case: There is an ongoing case by DCI about an alleged online child pornography/sex tourism. The case was brought to DCI's attention by the public. DCI in response posts the picture, ID number, phone number, full names, workplace and residence of the suspect on their Facebook page. (It's in the form of a mugshot) The reason for the post seems to be feedback to the public that the suspect they reported has been arrested. My question is, what aspects of such cases should be covered under data protection?
See the post here https://mobile.facebook.com/Directorate-of-Criminal-Investigations-DCI-254903014712426/?refid=17&_ft_=top_level_post_id.846695888866466%3Atl_objid.846695888866466%3Athrowback_story_fbid.846695888866466%3Apage_id.254903014712426%3Aphoto_attachments_list.%5B846747645527957%2C846747662194622%2C846747765527945%2C846747805527941%5D%3Apage_insights.%7B%22254903014712426%22%3A%7B%22role%22%3A1%2C%22page_id%22%3A254903014712426%2C%22post_context%22%3A%7B%22story_fbid%22%3A846695888866466%2C%22publish_time%22%3A1535004813%2C%22story_name%22%3A%22EntStatusCreationStory%22%2C%22object_fbtype%22%3A266%7D%2C%22actor_id%22%3A254903014712426%2C%22psn%22%3A%22EntStatusCreationStory%22%2C%22sl%22%3A4%2C%22dm%22%3A%7B%22isShare%22%3A0%2C%22originalPostOwnerID%22%3A0%7D%2C%22targets%22%3A%5B%7B%22page_id%22%3A254903014712426%2C%22actor_id%22%3A254903014712426%2C%22role%22%3A1%2C%22post_id%22%3A846695888866466%2C%22share_id%22%3A0%7D%5D%7D%7D%3Athid.254903014712426%3A306061129499414%3A2%3A0%3A1535785199%3A4873755382522269764&__tn__=C-R
And here https://twitter.com/DCI_Kenya/status/1032506686957907969
On Thursday, 23 August 2018, william mathenge via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Hi listers,
The rights as provided are quite progressive and commendable. However, one cannot help but ask, what remedies are available for a data subject? The Act criminalizes the various ways of misappropriating data which is an effective deterrent. All the same, it would be prudent in my humble opinion to include the right to compensation/ damages to the victims of such abuse of data. This would not only further deter the violation of a data subject's rights but would also provide a legislative basis for indemnifying the data subject for any damages sustained from such violations.
Kind Regards, William.
-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
Listers,
When talking about the rights of data subjects can we then discuss the list of exemptions. Let's take the example of processing personal data for research (section 53) - why is it that a data subject should not have the right to be removed (forgotten) from this research data-set. Assume for a minute that this research person/institution has a very relaxed level of data security/handling and the dataset including all the raw non-anonymized data of each data-subject is lost (maybe repeatedly). It seems a bit strange that you should not have any rights as a data-subject in cases where you lose confidence in a data-processor - just because they are exempt. All the exemptions may also be misused as loopholes for non-compliance - "oh all that data we have over here - we keep that for research purposes".
Kind regards
Michael Pedersen
On 23/08/2018 07:37, kanini mutemi via kictanet wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– / You- data subject / / The mobile money agent- data processor /
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future. *1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html>?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– * You- data subject * * The mobile money agent- data processor *
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
*1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html> ?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
-- Francis Monyango Lawyer | ICT Policy and Legal Consultant www.monyango.com
Thank you for the comments coming in so far.
@Francis and @Michael what is the foundation of the right to be forgotten? Why do we need it? Should it be absolute? Should it apply to all ‘unwanted’ information?
Let’s turn our attention to Clause 36 (right of rectification and erasure). The right to demand erasure extends to ‘irrelevant’ and ‘excessive’ information. These parameters are not defined. Can a convict demand that kenyalaw.org <http://kenyalaw.org/> delete a case from its database? Should we be allowed to stop newspapers from running a story because of the ‘irrelevance’ or ‘lack of authorisation’? What are we trying to achieve with the right to be forgotten? Should politicians be allowed to re-invent themselves?
@Kiarie, thank you for bringing up the issue of consent. Under Clause 28 we see general conditions for consent. Reading that, do you get a clear picture of what consent is? Clause 33 goes ahead to restrict the use of data for direct marketing- I imagine this is a welcome relief?
@Michael I agree the definition of the rights is in the exceptions. In our next discussion we will look at the limitations to the rights of data subjects and whether the manner in which these rights have been limited conforms to the standards set in Article 24 of the Constitution.
@William, I agree that the remedies should go beyond criminal sanctions. I like your proposal that the right to compensation should also be included in the rights- that's ingenious. More on this on Day 5 when we consider penalties and remedies in detail.
Let’s keep talking.
On 23 Aug 2018, at 21:58, Francis Monyango via kictanet <kictanet@lists.kictanet.or.ke> wrote:
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Day 2- Rights of Data Subjects
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– You- data subject The mobile money agent- data processor
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
1. The right to be informed of the use to which the personal data is to be put Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
2. Right to access their personal data in custody of data controller Will we be able to demand from our mobile network operators to see our account details and transactional history?
3. Object to the collection or processing of all or part of their personal data Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html>?
4. Correction and deletion of false or misleading data Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
-- Francis Monyango
Lawyer | ICT Policy and Legal Consultant www.monyango.com
The foundation of the right to be forgotten is the right to privacy because the right to privacy is the right of an individual to control the extent to which personal information is disseminated to others. Therefore, it should be within your right to privacy to remove your personal information from the internet.
*Why do we need it?* I am sure we have all heard of the saying that the Internet never forgets. In my view we need the right to be forgotten because first of all human beings are prone to make mistakes and sometimes it is not necessary that we keep a record of all mistakes that were made. We have all posted a tweet or a photo that on second thought we realize is not a good idea. The fact that it may
There are people who have had their information disseminated without their consent in the first place. Think of all those people who have become Memes. Some have gone into depression and committed suicide.
The fact that we are aware that we cannot erase anything from the internet has led some to self-censor (I am personally guilty of this). It can be argued that failure to provide the right to be forgotten needlessly curtails our freedom of expression.
*Should it be absolute?* I agree with Francis that the right should not be absolute. Limitations are necessary for example under the GDPR personal data must be erased immediately where the data is no longer needed for the original processing purpose, or the data subject has withdrawn their consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for processing, or erasure is required to fulfill a statutory obligation under the law. The right to be forgotten should also be balanced with the right to information.
On Fri, Aug 24, 2018 at 7:22 AM kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Thank you for the comments coming in so far.
@Francis and @Michael *what is the foundation of the right to be forgotten? Why do we need it? Should it be absolute? Should it apply to all ‘unwanted’ information? *
Let’s turn our attention to Clause 36 (right of rectification and erasure). The right to demand erasure extends to ‘irrelevant’ and ‘excessive’ information. These parameters are not defined. *Can a convict demand that kenyalaw.org <http://kenyalaw.org> delete a case from its database? Should we be allowed to stop newspapers from running a story because of the ‘irrelevance’ or ‘lack of authorisation’? What are we trying to achieve with the right to be forgotten? Should politicians be allowed to re-invent themselves?*
@Kiarie, thank you for bringing up the issue of consent. Under Clause 28 we see general conditions for consent. Reading that, do you get a clear picture of what consent is? Clause 33 goes ahead to restrict the use of data for direct marketing- I imagine this is a welcome relief?
@Michael I agree the definition of the rights is in the exceptions. In our next discussion we will look at the limitations to the rights of data subjects and whether the manner in which these rights have been limited conforms to the standards set in Article 24 of the Constitution.
@William, I agree that the remedies should go beyond criminal sanctions. I like your proposal that the right to compensation should also be included in the rights- that's ingenious. More on this on Day 5 when we consider penalties and remedies in detail.
Let’s keep talking.
On 23 Aug 2018, at 21:58, Francis Monyango via kictanet < kictanet@lists.kictanet.or.ke> wrote:
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet < kictanet@lists.kictanet.or.ke> wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– * You- data subject * * The mobile money agent- data processor *
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
*1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html> ?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
-- Francis Monyango
Lawyer | ICT Policy and Legal Consultant www.monyango.com
-- Kind regards, Elizabeth Moturi
Thank you Elizabeth for shedding light on this. Following your direction, perhaps we can list legitimate interests the right to be forgotten should protect. You have given the example of information that has been disseminated without consent, say the circulation of nude photos without permission, which in itself is a grave violation of the right to privacy. Are there other instances that call for such protection?
Listers, allow me to double back to the issue of consent. How should we handle data collection by AI (Artificial Intelligence)?
On 24 Aug 2018, at 09:51, Elizabeth Moturi <moturiliz@gmail.com> wrote:
The foundation of the right to be forgotten is the right to privacy because the right to privacy is the right of an individual to control the extent to which personal information is disseminated to others. Therefore, it should be within your right to privacy to remove your personal information from the internet.
Why do we need it? I am sure we have all heard of the saying that the Internet never forgets. In my view we need the right to be forgotten because first of all human beings are prone to make mistakes and sometimes it is not necessary that we keep a record of all mistakes that were made. We have all posted a tweet or a photo that on second thought we realize is not a good idea. The fact that it may
There are people who have had their information disseminated without their consent in the first place. Think of all those people who have become Memes. Some have gone into depression and committed suicide.
The fact that we are aware that we cannot erase anything from the internet has led some to self-censor (I am personally guilty of this). It can be argued that failure to provide the right to be forgotten needlessly curtails our freedom of expression.
Should it be absolute? I agree with Francis that the right should not be absolute. Limitations are necessary for example under the GDPR personal data must be erased immediately where the data is no longer needed for the original processing purpose, or the data subject has withdrawn their consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for processing, or erasure is required to fulfill a statutory obligation under the law. The right to be forgotten should also be balanced with the right to information.
On Fri, Aug 24, 2018 at 7:22 AM kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Thank you for the comments coming in so far.
@Francis and @Michael what is the foundation of the right to be forgotten? Why do we need it? Should it be absolute? Should it apply to all ‘unwanted’ information?
Let’s turn our attention to Clause 36 (right of rectification and erasure). The right to demand erasure extends to ‘irrelevant’ and ‘excessive’ information. These parameters are not defined. Can a convict demand that kenyalaw.org <http://kenyalaw.org/> delete a case from its database? Should we be allowed to stop newspapers from running a story because of the ‘irrelevance’ or ‘lack of authorisation’? What are we trying to achieve with the right to be forgotten? Should politicians be allowed to re-invent themselves?
@Kiarie, thank you for bringing up the issue of consent. Under Clause 28 we see general conditions for consent. Reading that, do you get a clear picture of what consent is? Clause 33 goes ahead to restrict the use of data for direct marketing- I imagine this is a welcome relief?
@Michael I agree the definition of the rights is in the exceptions. In our next discussion we will look at the limitations to the rights of data subjects and whether the manner in which these rights have been limited conforms to the standards set in Article 24 of the Constitution.
@William, I agree that the remedies should go beyond criminal sanctions. I like your proposal that the right to compensation should also be included in the rights- that's ingenious. More on this on Day 5 when we consider penalties and remedies in detail.
Let’s keep talking.
On 23 Aug 2018, at 21:58, Francis Monyango via kictanet <kictanet@lists.kictanet.or.ke> wrote:
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Day 2- Rights of Data Subjects
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– You- data subject The mobile money agent- data processor
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
1. The right to be informed of the use to which the personal data is to be put Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
2. Right to access their personal data in custody of data controller Will we be able to demand from our mobile network operators to see our account details and transactional history?
3. Object to the collection or processing of all or part of their personal data Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html>?
4. Correction and deletion of false or misleading data Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/monyango93%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Francis Monyango
Lawyer | ICT Policy and Legal Consultant www.monyango.com <http://www.monyango.com/>
-- Kind regards, Elizabeth Moturi
Hi Mercy,
Lest we forget, Artificial Intelligence is subject to human intelligence. AI is simply programming a tool that can then enhance efficiency within a particular environment. The programmers are subject to the laws of a certain jurisdiction within which they operate and, in the case of cross-border work, subject to international instruments. Assuming the act being debated is enacted, it will affect those developing or deploying Artificial Intelligence within our jurisdiction.
Best Regards
On Sat, Aug 25, 2018 at 12:01 AM kanini mutemi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Thank you Elizabeth for shedding light on this. Following your direction, perhaps we can list legitimate interests the right to be forgotten should protect. You have given the example of information that has been disseminated without consent, say the circulation of nude photos without permission, which in itself is a grave violation of the right to privacy. Are there other instances that call for such protection?
Listers, allow me to double back to the issue of consent. *How should we handle data collection by AI (Artificial Intelligence)?*
On 24 Aug 2018, at 09:51, Elizabeth Moturi <moturiliz@gmail.com> wrote:
The foundation of the right to be forgotten is the right to privacy because the right to privacy is the right of an individual to control the extent to which personal information is disseminated to others. Therefore, it should be within your right to privacy to remove your personal information from the internet.
*Why do we need it?* I am sure we have all heard of the saying that the Internet never forgets. In my view we need the right to be forgotten because first of all human beings are prone to make mistakes and sometimes it is not necessary that we keep a record of all mistakes that were made. We have all posted a tweet or a photo that on second thought we realize is not a good idea. The fact that it may
There are people who have had their information disseminated without their consent in the first place. Think of all those people who have become Memes. Some have gone into depression and committed suicide.
The fact that we are aware that we cannot erase anything from the internet has led some to self-censor (I am personally guilty of this). It can be argued that failure to provide the right to be forgotten needlessly curtails our freedom of expression.
*Should it be absolute?* I agree with Francis that the right should not be absolute. Limitations are necessary; for example, under the GDPR personal data must be erased immediately where the data is no longer needed for the original processing purpose, or the data subject has withdrawn their consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for processing, or erasure is required to fulfill a statutory obligation under the law. The right to be forgotten should also be balanced with the right to information.
On Fri, Aug 24, 2018 at 7:22 AM kanini mutemi via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Thank you for the comments coming in so far.
@Francis and @Michael *what is the foundation of the right to be forgotten? Why do we need it? Should it be absolute? Should it apply to all ‘unwanted’ information? *
Let’s turn our attention to Clause 36 (right of rectification and erasure). The right to demand erasure extends to ‘irrelevant’ and ‘excessive’ information. These parameters are not defined. *Can a convict demand that kenyalaw.org <http://kenyalaw.org/> delete a case from its database? Should we be allowed to stop newspapers from running a story because of the ‘irrelevance’ or ‘lack of authorisation’? What are we trying to achieve with the right to be forgotten? Should politicians be allowed to re-invent themselves?*
@Kiarie, thank you for bringing up the issue of consent. Under Clause 28 we see general conditions for consent. Reading that, do you get a clear picture of what consent is? Clause 33 goes ahead to restrict the use of data for direct marketing- I imagine this is a welcome relief?
@Michael I agree the definition of the rights is in the exceptions. In our next discussion we will look at the limitations to the rights of data subjects and whether the manner in which these rights have been limited conforms to the standards set in Article 24 of the Constitution.
@William, I agree that the remedies should go beyond criminal sanctions. I like your proposal that the right to compensation should also be included in the rights- that's ingenious. More on this on Day 5 when we consider penalties and remedies in detail.
Let’s keep talking.
On 23 Aug 2018, at 21:58, Francis Monyango via kictanet < kictanet@lists.kictanet.or.ke> wrote:
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet < kictanet@lists.kictanet.or.ke> wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– * You- data subject * * The mobile money agent- data processor *
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
*1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html> ?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
-- Francis Monyango
Lawyer | ICT Policy and Legal Consultant www.monyango.com
-- Kind regards, Elizabeth Moturi
-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A
On Fri, Aug 24, 2018 at 7:23 AM kanini mutemi via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Thank you for the comments coming in so far.
@Francis and @Michael *what is the foundation of the right to be forgotten? Why do we need it? Should it be absolute? Should it apply to all ‘unwanted’ information? *
BO: Mercy, I think it will be good to juxtapose the foundation of the right to be forgotten to the foundation of the Internet. The Internet was developed ostensibly to share information. If you think the information you have should not be on the internet, that is, it is not supposed to be shared, then don't upload it. Erasing information from the Internet can be laborious depending on the extent it has been shared and can cost a lot. This right should therefore not be absolute. We have to be careful with how the right to be forgotten is handled since it can affect whistle blowing.
Let’s turn our attention to Clause 36 (right of rectification and erasure). The right to demand erasure extends to ‘irrelevant’ and ‘excessive’ information. These parameters are not defined. *Can a convict demand that kenyalaw.org <http://kenyalaw.org> delete a case from its database? Should we be allowed to stop newspapers from running a story because of the ‘irrelevance’ or ‘lack of authorisation’? What are we trying to achieve with the right to be forgotten? Should politicians be allowed to re-invent themselves?*
@Kiarie, thank you for bringing up the issue of consent. Under Clause 28 we see general conditions for consent. Reading that, do you get a clear picture of what consent is? Clause 33 goes ahead to restrict the use of data for direct marketing- I imagine this is a welcome relief?
@Michael I agree the definition of the rights is in the exceptions. In our next discussion we will look at the limitations to the rights of data subjects and whether the manner in which these rights have been limited conforms to the standards set in Article 24 of the Constitution.
@William, I agree that the remedies should go beyond criminal sanctions. I like your proposal that the right to compensation should also be included in the rights- that's ingenious. More on this on Day 5 when we consider penalties and remedies in detail.
Let’s keep talking.
On 23 Aug 2018, at 21:58, Francis Monyango via kictanet < kictanet@lists.kictanet.or.ke> wrote:
My concern is that the policy talks about ‘the right to be forgotten’ but the bill doesn’t have a section on it. One can only delete misleading information which is rather too limiting. The legal standards we are trying to catch up with included the right to be forgotten in 2014 yet our draft law doesn’t have it in 2018. The right should be there...maybe with limitations. I don’t think limiting it to ‘false or misleading data’ is in good faith.
On Thu, 23 Aug 2018 at 09:55, kanini mutemi via kictanet < kictanet@lists.kictanet.or.ke> wrote:
*Day 2- Rights of Data Subjects *
Good morning Listers,
Day 1 we commented on the principles of data protection mentioned in the draft policy and bill. Today, we will look at the rights of data subjects. For demonstration purpose, when you fill in your details at a mobile money agent’s shop– * You- data subject * * The mobile money agent- data processor *
The data subject is the person to whom the data concerns.
Here are the rights as listed in Clause 23 of the Bill. I have added comments underneath to help us visualise what these rights would mean in the future.
*1. The right to be informed of the use to which the personal data is to be put* Eg. When we leave our details at the entrance to buildings, I expect that they will explain what the data will be used for.
*2. Right to access their personal data in custody of data controller* Will we be able to demand from our mobile network operators to see our account details and transactional history?
*3. Object to the collection or processing of all or part of their personal data* Will we be able to opt out of the biometric ID registration proposed by the Ministry of ICT here <https://www.businessdailyafrica.com/economy/Biometric-IDs-listing-set-for-this-year-after-secret-tender/3946234-4694828-v50ngv/index.html> ?
*4. Correction and deletion of false or misleading data * Are we ready for a right to be forgotten? Should it be absolute?
What do we think of these Listers? Are there other rights that ought to be included?
-- Francis Monyango
Lawyer | ICT Policy and Legal Consultant www.monyango.com
-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A
participants (8): Barrack Otieno, Elizabeth Moturi, Francis Monyango, Grace Bomu, kanini mutemi, Kiarie Wagitungo, Michael Pedersen, william mathenge