Last week I discussed the need to protect data owners from having their data collected, collated, analysed, stored and used without their express consent. Ideally, calling for protection of the right to privacy and dignity of the individual. I made the case for concrete data protection regulations that would ensure a data owner is empowered to access their data, have their data corrected or deleted and provide for an effective data use related dispute resolution mechanism.  With that background certain issues arise, one, is a case for public use of data without deference to a data owner. Two, is a business case for data use (in this article I use the “data use” to denote the collection, collation, analysis and storage of data).

For this post, I shall delve into the case for public data use. A certain curious situation was reported in the media this week. Apparently, around 100 schools have installed systems to monitor attendance of students. Parents receive messages on their phones and essentially, teachers and parents can track students. From face value this seems like a very noble idea. Which parents would not wish to have real time information on whether their children are attending school or not? It may further be argued that such a system would make it easier to deal with situations where students play truant. The kind of data that the above system requires includes: Names of students; Students’ fingerprints; Students’ age; Students’ places of residence; Students’ parents details and contacts e.t.c.

On the above, one commentator on Twitter, @keyboysteve observed – ‘The parents AND teachers are the immediate low hanging fruits. Those, marketers will pay for quick. The real payout is the teenagers. Holy f***! Imagine having biodata for hundreds of thousands of kids as they go through high school, college, work. A digital marketer’s wet dream.’

Another situation, the headline – “Revealed: Sh3bn ‘top secret’ tender for identity data” appeared in the press in the last week. According to this report, “The government is on the verge of awarding a secret restricted tender for procurement of a Sh3 billion digital registration system that will create a national population register.” Apparently, the state has identified possible service providers to establish a national population register in a process shrouded in great secrecy and devoid of any public participation. The report further states ”The national register will not only bring all personal information scattered across various institutions and entities under one system, but also capture details of national IDs, personal identification numbers (PIN), dates of birth, nuclear family, biometrics, contact information and all other information held by various government bodies. It will also eliminate the proliferation of fake IDs.”

A project such as a national register must be transparent and inclusive from the outset. The conceptualisation, implementation and review of it must also be undertaken in an accountable manner. At the very least, public participation and involvement of both Houses of Parliament is necessary. For example, Parliament and the Executive must be clear on the credentials of the service providers, the kind of data they are to collect, how they are to collect it, how the data is to be analysed and stored, who is legally permitted to have access to the data and why plus how to deal with potential or actual data breaches. Without such key issues publicly addressed, the project will leave citizens’ data in limbo and susceptible to abuse by political, economic and social interests. But, without a data protection law to provide for such guidelines, the State will act in a haphazard and irresponsible manner.

It may be appreciated that there is need for the State to have a certain measure of unfettered data use. In fact, for the State to meet its constitutional, statutory and policy obligations, it must have access to reliable and real time data. Kenya’s Programme Based Budgeting is a case in point, where key verifiable data is vital for ensuring objective planning, budgeting and reporting. Further, the State ought to have powers to seamlessly seek, store and analyse certain information. This is not to say that the State should have a carte blanche including unsanctioned and illegal surveillance.

The Kenya Bureau of Statistics (KNBS) which is established under the Statistics Act, 2016 is the principal agency of the government for collecting, analysing and disseminating statistical data in Kenya. It also acts as the custodian of official statistics. KNBS has data related to the population, economic surveys, health data, household budget surveys, business and investment surveys among others. Essentially without such data that is instrumental to both public and private institutions, planning processes would be highly challenged. Of note however, is the fact that the Statistics Act does not provide for any public data protection mechanisms. Kenya’s key statistical data provider has no guidelines to ensure the protection and promotion of the privacy of data owners.

Ideally, we require data protection regulations that target public institutions to provide for among issues –

–  a set of responsibilities for public institutions, their servants and agents when engaging in data use;

–  public data should only be used for the constitutional or statutory purpose it was sought in the first place;

–  outlawing use, sharing and sale of public data for political, commercial or other nefarious reasons; and

–  security of public data.