For Immaculate Kassait, this week not only marked the start of her senior-most ever public job, but she also became Kenya’s first-ever data commissioner.
Conventionally, such a feat would come with accolades but the mixed reactions to her appointment point to “baptism of fire” for the elections specialist.
While some celebrate her rise in a predominantly patriarchal society, others were quick to question her suitability for the sensitive role given her history as an official of the Independent Electoral and Boundaries Commission (IEBC), which has the past been criticised for inaccurate data management in the disputed 2017 General Election.
Parliament was even served with a memorandum by the International Commission of Jurists questioning her suitability, but the MPs rejected it because the lobby failed to demonstrate her culpability.
The reactions to her appointment aside, Ms Kassait faces a huge task of winning the public confidence in terms of data safety and confidentiality.
Imagine finding yourself belonging to a nondescript political party or as we head to the campaigning period, an aspirant sending you messages asking you to vote for him or her.
What strikes you first is how you ended up at the party, when you have never filled any forms or joined the launch.
As for the unsolicited messages from aspirants, many wonder how they got your mobile phone numbers and know that you are a voter in a certain constituency.
The suspects are usually money mobile agents or security guards placed at the entrances of buildings with a book collecting all your details, including identity card and mobile phone numbers.
Ms Kassait has now pledged to deal with such. She has promised to guarantee the protection of personal data and fight against cybercrime.
“I am willing and ready to work to ensure that regulations are in place to ensure that data protection in Kenya becomes a reality. Kenya is placed in Africa second after Ghana as a trailblazer in ensuring personal data is protected,” she said when she appeared before the Communication and Innovation committee of Parliament for vetting in October.
The Data Protection Act 2019 gives the commissioner sweeping powers on the investigation of data breaches, including powers of entry and search and issuing administrative fines.
Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the owner of this data, a data controller is required to notify the commissioner. Offences under the Act attract a fine of up to Sh5 million and or imprisonment for a term not exceeding to 10 years or both.
Technology giants like Twitter, Facebook and Google have in the past been accused of improperly sharing personal data, an example being in 2018 when Facebook said the personal information of up to 87 million users might have been improperly shared with political consultancy Cambridge Analytica.
The Act gives effect to Article 31 (c) and (d) of the Constitution, which proclaims the right to privacy, meaning that every Kenyan has a right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communications infringed.
The Act further checks against the misuse of data. The Data Commissioner is empowered to maintain a register of data controllers and regulate the processing of personal data — health, biometric and personal data.
This means that Ms Kassait will be in charge of the security of data submitted by Kenyans to various public and private data controllers and processors.
The law, therefore, gives the Data Commissioner the powers to ensure the security of the three types of data submitted by Kenyans to various data processors and controllers- health data, biometrics data and personal data.
State agencies have been accessing personal data at will, but this will now require the consent of the data subject or a court order to avoid abuse of people’s rights to privacy.
The data processors and controllers, whose data activities will now be under the Data Commissioner include IEBC, National Registration Bureau, hospitals, National Hospital Insurance Fund and the National Social Security Fund.
Already, MPs allied to Deputy President William Ruto had opposed the use of Huduma Namba, arguing that the government intends to use it to rig the 2022 General Election.
The government had enlisted 38 million Kenyans for Huduma Namba and plans are underway to register those who did not have a chance to get to register.
Before Ms Kassait was appointed Data Commissioner, she was the director in-charge of voter education and partnerships at the IEBC since 2019. She had previously served as Director Voter Registration and Electoral Operations at IEBC since 2010.
Prior to joining the electoral commission, the trained lawyer was a programme manager at the Institute for Education in Democracy tasked with managing electoral process programme which included lobbying and advocating electoral law reform and recruitment, training and deployment of observers.