
Privacy acid test in State’s Covid-19 data tracing bid




The State has in the past few years put up an aggressive fight to have greater access to data on phones and other digital devices Kenyans own.

In an age where criminals have become sophisticated, taking to cyberspace to wreak economic havoc and others planning the most heinous executions, government agencies argue that gaining access to such devices is crucial to successfully prosecuting perpetrators and consequently maintaining law and order.

Others, however, see the government plans as infringing on constitutionally guaranteed privacy rights, and have taken the fight to the highest court in the land.

It started a few years ago when the Communications Authority of Kenya (CA) announced it would require mobile service providers to give it access to their systems in a bid to guard against fake gadgets, seemingly used to plan and execute crimes.

Legal safeguards

In anticipation of their full compliance, the regulator had in 2017 acquired a device which can collect text, voice and identity data from mobile phones. However, the telecoms foresaw the privacy rights pitfall and opposed the plan until full legal safeguards were put in place.

Besides the CA push, investigative agencies have been using their own devices to access personal information. Using the US-made Sumuri Talino Forensic Workstation, a mid-level desktop processor system, detectives are able to restore deleted call logs, text messages, video images as well as still photographs on mobile phones.

The mobile phones and laptops as well as desktop computers are scrutinised by forensic examiners who unlock and restore deleted files for onward processing into digitally signed PDF copies that can be used in court. When presented in court, suspects have in the past claimed infringement on their rights in a bid to thwart their prosecutions and their pleas have on occasions found receptive ears in the Judiciary.

In 2018 the High Court declared unconstitutional the CA plan requiring mobile service providers to give it access to their systems. The case was filed by activist Okiya Omtatah who argued that the move allows CA to access Kenyans' private information such as mobile money transactions.

However, CA appealed and in April last year, a bench of three judges quashed the High Court judgment, which prompted a suit in June in which the Law Society of Kenya appealed to the Supreme Court, faulting the Court of Appeal judges for their interpretation of the law.

The lawyers’ umbrella organisation said that public participation, as argued by Mr Omtatah, is a national value and principle of governance which binds all state organs, state officers and public officers.

The Supreme Court is yet to consider the appeal.

Meanwhile, to remedy some of the concerns already raised in the lengthy litigation, the State drafted and passed the Data Protection Act, 2019, which safeguards the data rights of Kenyans. Last year the Data Protection Commission was formed and former Independent Electoral and Boundaries Commission director of voter education and partnership Immaculate Kassait was named as the head to oversee implementation.

And now, the Commission has given Kenyans 21 days from January 12 to comment on draft guidelines that will see information about them shared with agencies in the fight against the Covid-19 pandemic.

Such information, the State believes, could change the tide following a resurgence of infections from September last year.

“Interested members of the public and private organisations are hereby invited to submit substantive comments with specific proposals for amendments of the draft strategy to [email protected],” said Ms Kassait.

The development follows a presidential decree that sanctioned formation of the Covid-19 ICT Advisory Committee that will aid contact tracing via mobile phones, while ensuring that personal data is safeguarded.

Major boon

To achieve this, the commission has developed a consent form which will form the basis of collecting information from individuals.

Using technology to trace would-be asymptomatic cases has been touted as a major boon to fighting the deadly coronavirus via tracing and eventual treatment of people found to have contracted the disease.

Public health staff accessing the information will then begin contact tracing to warn individuals (contacts) who unknowingly suffered potential exposure.

“Any personal data sharing between parties has to be guided by a valid agreement including non-disclosure, data confidentiality provisions, data protection safeguard provisions including the data destruction technique to be used… and should be approved by the Office of the Data Protection Commissioner,” the notice read.

Critics, however, equate giving consent to opening Pandora’s box. They are concerned that it will open the door to a plethora of agencies and other non-State organisations to snoop into their personal affairs. In the Covid-19 fight plan, agencies will be able to access such data as mobile money transactions and location through a cashless fares payment system whose usage will become mandatory for all operators and commuters once the government bans use of cash.

The push to prohibit use of hard currency stems from the belief that cash is facilitating the fast spread of the disease through contact.

The National Transport and Safety Authority has already licensed 29 firms, including Safaricom, KCB Group, Craft Silicon (behind the taxi-hailing app Little), JamboPay, Cellulant (a pan-African payments gateway firm), and CBA Bank (now NCBA), to install mobile software and web applications for the nearly 200,000 matatus in the country.

“Innovations built in response to pandemic including apps and related services, may request some access to personal data from a government or private entities to enable the development of a product,” noted the Data Commissioner in the notice.

The private firms stand to gain through fees to be charged on the incomes from the sector that grosses over Sh420 billion annually.

Critics are particularly sceptical about the Data Commission’s independence, citing its ties to the CA.

ICT Consumers Association of Kenya Secretary General Kamotho Njenga urged constraint on permitted access, saying data processors and controllers (regulators) should be closely monitored to ensure the data once availed to third parties is anonymous but useful.

“Express consent must be sought from owner and the same encrypted to avert instances where their relations, payments and text messages are published. Data sourced must be purposely used for fighting Covid-19 pandemic and not otherwise,” he said.

Independence doubts

Mr Njenga added the office of the Data Commissioner should be made independent instead of the current situation where it is a department within the CA.

Matatu Owners Association (MOA) chairman Simon Kimutai called for inclusion of all stakeholders before the cashless fare platform is launched to avoid the failures of similar systems launched in the past.

“I tried to introduce a cashless card payment service, but it flopped since there was no goodwill from lenders, regulators and matatu industry,” he said.

“If personal data is to be harnessed to aid the war against Covid-19 pandemic it is welcome, but any detected breach should be punished,” he urged.

Mr Kimutai added that matatu operators want assurance that any information on their earnings will not be shared with the taxman, forming the basis of tax crackdowns.

The Data Commission, however, sought to allay fears of possible information breach, noting that there is a stiff fine, up to Sh5 million, to be paid by any person or organisation found culpable.

She said public and private data handlers will be required to enforce strict operational guidelines that will secure personal data that should only be released for health-related purposes.

“An access to personal data must be limited to those who need the information to conduct treatment, research or other responses that are addressing the crisis or any other relevant exemption,” she said.

Anonymisation of data in a manner that ensures individuals cannot be re-identified is expected of the data handlers, adding to the layers of privacy protection, the Data Commissioner noted.