Background of the 2022 privacy score card report
The 2022 privacy score card is a buildup on the Privacy Scorecard Report of November 2021 developed by Unwanted Witness.
The 2021 Privacy Scorecard was a data protection compliance monitoring tool focus- ing on Ugandan data collectors.The 2021 Privacy scorecard assessed the performance of the following sectors: Social Sector, e-commerce, financial, telecom, and government agencies against five indicators.
The indicators were: Practicing robust data security, compliance with privacy best practices, disclosure of relevant information to data subjects, mentions third parties with whom personal data is shared and mentions the nature and quality of information shared with 3rd parties. From the assessment, a generally over all low index score of 35% was recorded, with thee-commerce sector scoring an average score of 50%, financial sector 36% and the telecom sector at 35%.
The data security indicator scored highest at 66% across the sectors reviewed. Although the parameters adopted for the 2022 score card differ a little from the previous report, this is a great benchmark upon which to base an assessment of whether or not there has been progress in data protection across the selected sectors. The 2022 report therefore benchmarks with the findings of the previous scorecard.
Further, the 2022 Privacy Scorecard report develops onto the 2021 one and expands the scope to include Kenya. The methodology adopted in the 2022 report is deeper with focus on only three sectors of telecommunication, financial services and the e-commerce sectors. The 2022 report is made possible by a collaboration between Unwanted Witness and the Centre for Intellectual Property and Information Technology Law (CIPIT).
The main objective of the 2022 report is to generate research that could be used to empower data collectors/processors to adopt data protection best practices; and citizens to demand for accountability in the area of personal data protection. The report could also inform legal and policy reform for the between management of personal data of data subjects by especially non state actors.
The scorecard evaluates corporate privacy policies and practices in 2022 against internationally accepted standards and national data protection laws. The 2022 report highlights the data protection performance of the three selected sectors of telecommunication, e-commerce and financial services in Kenya and Uganda. The assessment utilizes objective and quantifiable parameters for analyzing the policies and practices of the selected data collectors. The study assesses the publicly available policies of the selected companies to determine their compliance with applicable data protection legislation. Detailed below are the specific objectives this study sought to achieve.
Data privacy and protection have become crucial components in Kenya’s industries. Enacted in 2019, the DPA introduced new parameters guiding and regulating the processing of personal data. The purpose of this Act is to regulate the processing of personal data, to ensure that the processing of a data subject’s personal data adheres to the principles outlined in Section 25, and to protect the privacy of individuals.
Section 25 of the Act stipulates that every data controller or data processor, in this case, a company that processes, stores, or manages personal data, must ensure that personal data is processed in accordance with the data subject’s right to privacy, in a lawful, fair, and transparent manner in relation to any data subject. In addition, the data should be collected for clear, legitimate, and specified purposes, and should not be processed in a way that is inconsistent with those purposes. The company privacy policies must clearly state this information.
Since its enactment, the DPA has been operationalized through different key hallmarks, beginning with the appointment of the Data Protection Commissioner and the establishment of the Office of the Data Protection Commissioner (ODPC).20 The ODPC is the regulatory body tasked with ensuring compliance of businesses to the DPA. The ODPC’s Registration of Data Control- lers and Processors Regulations and the Compliance and Enforcement Regulations provide the terms and conditions under which data controllers and processors must register in adherence to the provisions of the DPA and the complaints handling procedure, respectively.
Along with these regulations, the ODPC has also published guidance notes on: (i) consent, (ii) the registration of data controllers and processors, (iii) data protection impact assessment, and (iv) the complaints management manual. Early this year (2022), the office launched an online registration portal for data controllers and processors.
The registration of data controllers and processors is one of the elements of compliance with data protection legislation. Individuals and organizations cannot act in their capacity as data controllers or processors unless they are registered with the ODPC. The registration of controllers and processors ensures transparency and accountability in the processing of data. It also aids in the regulation of data processing.
Monitoring compliance through complaints is also one of the ways in which the ODPC ensures that the pro- visions of the DPA are adhered to. To date there have been a number of complaints filed with the Data Com- missioner; the complaints range from data breaches by political parties to individual complaints on misuse of personal data by service providers. It is important to note that the DPA provides for sanctions/penalties for failure to comply with the provisions of the Act.
Administrative fines are issued for non-compliance
- A maximum penalty of five million Kenya shillings or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, may be issued by the Data Commissioner.
Enacted in 2019, and operationalized in 2021 by the Data Protection and Privacy Regulations (DPPRs), the DPPA aims at protecting the privacy of the individual and of personal data by regulating the collection and processing of personal data; details the rights of data subjects on one hand and the obligations of data collectors, data processors and data controllers on the other hand; in addition to regulating the use and disclosure of personal data, among other related matters.21 The hallmark of the DPPA is the respect of the right to privacy that is constitutionally guaranteed as mentioned above.22 The DPPA applies to all entitles collecting, processing, holding or using personal data within Uganda or outside Uganda if the data relates to Ugandan citizens.23 The entities regulated include persons, (both natural and artificial), institutions and public bodies.
The DPPA enunciates the principles that should guide any data collector, processor, controller, holder or user of personal data. These include accountability to the data subject; fairness in the collection and use of the data; ensuring that the collection, storage, processing, among others processes are limited to only relevant and necessary data; retention of data only for periods authorized by law or as long as the same is necessary; transparency and participation of the data subject in these processes; and lastly but no means the least the observance of security safeguards in respect the data.24 The assessment of the privacy policies of the selected companies below is based on these parameters. The DPPA additionally provides for offences for breaches and noncompliance that attract a fine of UGX 4, 900, 000 or imprisonment not exceeding 10 years or both.25
The DPPA establishes an independent personal data protection office (PDPO) under the National Information Technology Authority (NITA) which is responsible for personal data protection.26 Headed by the National Personal Data Protection Director (NPDPD), the PDPO oversees the implementation and enforcement of the Act; promotes the protection and observance of the right to privacy of a person and of personal data; monitors, investigates and reports on the observance of the right to privacy and of personal data; formulates, implements and oversees programmes intended to raise public awareness about the Act; and receives and investigates complaints related to infringement of the rights of the data subject, among others.27 The Data Protection and Privacy Regulations, 2021 create additional functions on the PDPO as well as its powers.
such as providing guidance, supervision, monitoring and coordination of data collectors, processors and controllers and conducting data audits, among oth- er roles.28 The PDPO may establish a mechanism for collaborating and promotion of partnerships between various categories of players in the data protection and privacy aspects, and charging fees for services provided by the office.29 Every data collector, data processor and data controller is mandated to register with the PDPO.30 In June 2022, the PDPO launched the data protection and privacy portal to streamline data protection, by enabling stakeholder registration, breach and violation and complaint reporting.
By the time of writing this report, sectors were yet to file compliance reports. What could however be established from an interaction with Ms. Stella Alibateesa the NPDPD, many of the complaints so far received are against telecommunication sector and relate to unlawful sharing of data by data collectors, and controllers that lead to unsolicited messages and mobile money related fraud.
In a special way, the DPPRs provide for data protection impact assessment where the collection or processing of personal data possess a high risk of human rights violation or abuses of individuals prior to the data collection or processing.
The data protection officer is required to publicize the list of data processing operations that require such data impact assessment.32 This provision if implemented would go a long way in enabling data controllers and processors to project the likely impact of their data processing activities and put in place measures to ensure personal data protection of data subjects.