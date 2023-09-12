Columnists Don’t allow personal data use to become hot potato for firms

By DEBORAH MOMANYI

Data is now a vital asset driving growth and innovation for organisations. Recent events, such as the actions of Worldcoin in Kenya have, however, brought to the fore risks associated with data harvesting.

Protecting personal privacy is now an urgent responsibility, with key stakeholders playing distinct yet interconnected roles.

On August 25, 2023, Kenya’s High Court barred Worldcoin and its associates from processing biometric data. The Office of the Data Protection Commissioner (ODPC) had filed a petition against Worldcoin, alleging violations of Kenya’s data protection laws.

The court also ordered the supervised destruction of all information held by Worldcoin and revoked its data controller licence.

At the heart of the data harvesting debate are the subjects – individuals whose personal bio is being collected and processed.

They encompass customers, employees, patients, students, job applicants, research participants, voters, and travellers. Empowered data subjects can influence how their information is used, provided they are well-informed.

To provide informed consent, data subjects must have full awareness of what data is being collected, its intended purposes, and the entities responsible for its collection and processing.

While data collectors and processors bear the responsibility of transparency, data subjects must also actively demand transparency and comprehend the implications of sharing their personal data.

Data is harvested in various situations, often for legitimate purposes such as improving services, conducting research, or enhancing user experiences.

It is associated with accessing government services, social media usage, surveys, market research, shopping, employee records, healthcare records, and financial transactions.

Organisations engaged in data harvesting bear significant responsibility for ensuring compliance with data protection laws.

Kenya’s Data Protection Act (DPA) mandates firms to safeguard personal information and use it exclusively for its intended purposes.

These include implementing robust data protection policies, maintaining data security, investing in cybersecurity measures, and appointing Data Protection Officers (DPOs) for oversight.

The DPA underscores the critical role of the Data Protection Officers (DPOs), requiring their appointment by organisations handling personal data.

They are instrumental in ensuring compliance with data protection regulations, serving as points of contact for data subjects, and monitoring and reporting data breaches to the ODPC.

Organisations can empower their DPOs with the necessary resources and authority while fostering a culture of data protection.

Addressing these challenges demands legislative action, enhanced resources for ODPC, and increased awareness/education on data protection rights and responsibilities among all stakeholders.

Collaborative action among stakeholders is vital for ethical, transparent data harvesting that obeys the law. By taking these steps, Kenya can reinforce its position as a responsible guardian of personal information.

The writer is a governance, risk and compliance specialist. Email: [email protected]