Background of the 2022 privacy score card report
The 2022 privacy scorecard builds on the Privacy Scorecard Report of November 2021 developed by Unwanted Witness. The 2021 Privacy Scorecard was a data protection compliance monitoring tool focusing on Ugandan data collectors. The 2021 Privacy Scorecard assessed the performance of the following sectors: social sector, e-commerce, financial, telecom, and government agencies against five indicators. The indicators were: practicing robust data security, compliance with privacy best practices, disclosure of relevant information to data subjects, mention of third parties with whom personal data is shared, and mention of the nature and quality of information shared with third parties. From the assessment, a generally low overall index score of 35% was recorded, with the e-commerce sector scoring an average of 50%, the financial sector 36% and the telecom sector 35%. The data security indicator scored highest at 66% across the sectors reviewed. Although the parameters adopted for the 2022 scorecard differ a little from the previous report, this is a useful benchmark against which to assess whether or not there has been progress in data protection across the selected sectors. The 2022 report therefore benchmarks against the findings of the previous scorecard. Further, the 2022 Privacy Scorecard report develops the 2021 one and expands the scope to include Kenya. The methodology adopted in the 2022 report is deeper, with a focus on only three sectors: telecommunication, financial services and e-commerce. The 2022 report is made possible by a collaboration between Unwanted Witness and the Centre for Intellectual Property and Information Technology Law (CIPIT). The main objective of the 2022 report is to generate research that could be used to empower data collectors/processors to adopt data protection best practices, and citizens to demand accountability in the area of personal data protection.
The report could also inform legal and policy reform for the better management of the personal data of data subjects, especially by non-state actors. The scorecard evaluates corporate privacy policies and practices in 2022 against internationally accepted standards and national data protection laws. The 2022 report highlights the data protection performance of the three selected sectors of telecommunication, e-commerce and financial services in Kenya and Uganda. The assessment uses objective and quantifiable parameters for analyzing the policies and practices of the selected data collectors. The study assesses the publicly available policies of the selected companies to determine their compliance with applicable data protection legislation. Detailed below are the specific objectives this study sought to achieve.
Country Insights
Kenya
Data privacy and protection have become crucial components in Kenya’s industries. Enacted in 2019, the DPA introduced new parameters guiding and regulating the processing of personal data. The purpose of this Act is to regulate the processing of personal data, to ensure that the processing of a data subject’s personal data adheres to the principles outlined in Section 25, and to protect the privacy of individuals. Section 25 of the Act stipulates that every data controller or data processor, in this case a company that processes, stores, or manages personal data, must ensure that personal data is processed in accordance with the data subject’s right to privacy, in a lawful, fair, and transparent manner in relation to any data subject. In addition, the data should be collected for clear, legitimate, and specified purposes, and should not be processed in a way that is inconsistent with those purposes. Company privacy policies must clearly state this information. Since its enactment, the DPA has been operationalized through several key hallmarks, beginning with the appointment of the Data Protection Commissioner and the establishment of the Office of the Data Protection Commissioner (ODPC).20 The ODPC is the regulatory body tasked with ensuring that businesses comply with the DPA. The ODPC’s Registration of Data Controllers and Processors Regulations and the Compliance and Enforcement Regulations provide, respectively, the terms and conditions under which data controllers and processors must register in adherence to the provisions of the DPA, and the complaints handling procedure. Along with these regulations, the ODPC has also published guidance notes on: (i) consent, (ii) the registration of data controllers and processors, (iii) data protection impact assessment, and (iv) the complaints management manual. Early this year (2022), the office launched an online registration portal for data controllers and processors.
The registration of data controllers and processors is one of the elements of compliance with data protection legislation. Individuals and organizations cannot act in their capacity as data controllers or processors unless they are registered with the ODPC. The registration of controllers and processors ensures transparency and accountability in the processing of data. It also aids in the regulation of data processing. Monitoring compliance through complaints is another way in which the ODPC ensures that the provisions of the DPA are adhered to. To date a number of complaints have been filed with the Data Commissioner; they range from data breaches by political parties to individual complaints about misuse of personal data by service providers. It is important to note that the DPA provides for sanctions/penalties for failure to comply with the provisions of the Act. Administrative fines are issued for non-compliance: a maximum penalty of five million Kenya shillings or, in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, may be issued by the Data Commissioner.
Uganda
Enacted in 2019, and operationalized in 2021 by the Data Protection and Privacy Regulations (DPPRs), the DPPA aims at protecting the privacy of the individual and of personal data by regulating the collection and processing of personal data; it details the rights of data subjects on the one hand and the obligations of data collectors, data processors and data controllers on the other, in addition to regulating the use and disclosure of personal data, among other related matters.21 The hallmark of the DPPA is respect for the right to privacy that is constitutionally guaranteed as mentioned above.22 The DPPA applies to all entities collecting, processing, holding or using personal data within Uganda, or outside Uganda if the data relates to Ugandan citizens.23 The entities regulated include persons (both natural and artificial), institutions and public bodies. The DPPA enunciates the principles that should guide any data collector, processor, controller, holder or user of personal data. These include accountability to the data subject; fairness in the collection and use of the data; ensuring that collection, storage, processing and other operations are limited to only relevant and necessary data; retention of data only for periods authorized by law or for as long as it is necessary; transparency and participation of the data subject in these processes; and last but by no means least, the observance of security safeguards in respect of the data.24 The assessment of the privacy policies of the selected companies below is based on these parameters.
The DPPA additionally provides for offences for breaches and non-compliance that attract a fine of UGX 4,900,000 or imprisonment not exceeding 10 years, or both.25 The DPPA establishes an independent Personal Data Protection Office (PDPO) under the National Information Technology Authority (NITA), which is responsible for personal data protection.26 Headed by the National Personal Data Protection Director (NPDPD), the PDPO oversees the implementation and enforcement of the Act; promotes the protection and observance of the right to privacy of a person and of personal data; monitors, investigates and reports on the observance of the right to privacy and of personal data; formulates, implements and oversees programmes intended to raise public awareness about the Act; and receives and investigates complaints related to infringement of the rights of the data subject, among others.27 The Data Protection and Privacy Regulations, 2021 create additional functions and powers for the PDPO, such as providing guidance, supervision, monitoring and coordination of data collectors, processors and controllers, and conducting data audits, among other roles.28 The PDPO may establish a mechanism for collaboration and the promotion of partnerships between the various categories of players in data protection and privacy, and may charge fees for services provided by the office.29 Every data collector, data processor and data controller is mandated to register with the PDPO.30 In June 2022, the PDPO launched the data protection and privacy portal to streamline data protection by enabling stakeholder registration and the reporting of breaches, violations and complaints. By the time of writing this report, sectors were yet to file compliance reports. What could however be established from an interaction with Ms. Stella Alibateesa, the NPDPD, is that many of the complaints received so far are against the telecommunication sector and relate to unlawful sharing of data by data collectors and controllers, which leads to unsolicited messages and mobile money related fraud.
Notably, the DPPRs provide for a data protection impact assessment, prior to data collection or processing, where the collection or processing of personal data poses a high risk of human rights violations or abuses of individuals. The data protection officer is required to publicize the list of data processing operations that require such an impact assessment.32 This provision, if implemented, would go a long way in enabling data controllers and processors to project the likely impact of their data processing activities and put in place measures to ensure the protection of data subjects’ personal data.
COMPANY SELECTION CRITERIA
KENYA
For this evaluation in Kenya, two companies were reviewed in each of three sectors: financial services, telecommunications and e-commerce. These sectors have had the widest transition into digitization and the utilization of different technologies. Consequently, the processing of personal data is at the center of their service delivery. The companies evaluated for each sector were selected based on market share. We selected one company with the highest market share and another with the lowest or a mid-tier market share. The results and findings of the companies evaluated across the three sectors are presented in the sections below; however, the companies have been anonymized so that the analysis of the findings presented is unbiased. For financial services the report focused on Company F-S-K 1 and Company F-S-K 2. Company F-S-K 1 is a tier 1 banking institution; tier 1 banks are large banks with the highest cumulative assets and depositors. The banks in this tier control 49.9% of the market share. Company F-S-K 2 is a mid-tier (tier 2) bank; tier 2 banks control 41.7% of the market share. Company F-S-K 1 traces its history to the 19th century and has been operational in Kenya for over a century. Company F-S-K 1 is operational in 7 countries in the African region with 497 branches across the region, approximately 30.1 million customers and 8,877 employees across all its branches. Company F-S-K 2, originating from India, has been operational in Kenya for 68 years; with 14 branches across the country it holds a 3% market share, with an overall ranking of 10th among 42 banks. Our evaluation of the telecommunications sector focused on Company T-C-K 1, with the highest market share of 67%, and Company T-C-K 2, with a market share of 27.2%. Company T-C-K 1 has an estimated 35.6 million subscribers, with over 42 authorized outlets in the country, over 5,500 staff directly and over 500,000 indirectly, and operates in 10 countries across the African region.
Company T-C-K 1 is a leading provider of telecommunications and mobile money services in 14 African nations, primarily in East Africa, Central Africa, and West Africa. It originated in India and began operations in Kenya in 2010. Company T-C-K 2 is the second largest provider of telecommunications services in Kenya. It has an estimated 16.2 million subscribers out of a total of 59.8 million on the Kenyan market, which corresponds to a 27.2% market share.
Evaluation of the e-commerce sector focused on Company E-C-K 1 and Company E-C-K 2. Company E-C-K 1 has between 201 and 500 employees and 6 outlets in the country. It also operates in 11 countries across the African continent and has 3.1 million active consumers. It is built around logistics, payment and marketplace services. The company is a dominant e-commerce company in Africa, with a market share estimated to be over 60%. Company E-C-K 2 is Kenya’s first online pharmacy, with a market share of less than 3% and a staff of about 40 employees. The company enables consumers to purchase high quality medicine and wellness products through an app or its website. The platform is widely used, with an estimated 80,000 registered users.
UGANDA
As with Kenya, two companies per sector were selected for Uganda. The demographics of the companies selected from the two countries differed a little, as presented below. In the financial services and telecommunication sectors, both companies selected are the biggest, with a large market share. The e-commerce sector selection included the oldest and largest company on the one hand and a company that has spent two years in operation in Uganda on the other. For the same reasons advanced above, the companies evaluated were anonymized and codes were adopted. From the telecommunication sector, the major players below were reviewed. Company T-C-U 1, which entered the sector in 2010 as a result of an inter-country acquisition, boasts approximately 10 million of the 28.3 million mobile network subscribers in Uganda. This translates into a 35.3% market share.43 Company T-C-U 2, on the other hand, is the largest telecom company in Uganda, with a customer base that has grown from 11.2 million subscribers, accounting for a 55% market share as of 30 June 2017, to 47.5% of the mobile telephone market by the end of 2021, with a subscriber base of 16.7 million accounts and 5.7 million active data subscribers.44 Company T-C-U 2 operates in 22 countries in Africa and the Middle East. In the e-commerce sector, Companies E-C-U 1 and E-C-U 2 were evaluated. The government’s efforts to strengthen the e-commerce sector have enabled its growth in the past decade. Company E-C-U 1 was founded in Nigeria in 2012 and launched in Uganda in 2014, and has grown to become Uganda’s biggest and most popular e-commerce site, with over 800,000 monthly users.45 Company E-C-U 1 has partnerships with local and international brands, which enhances its reach and service provision.
Company E-C-U 2, on the other hand, is a more recent player; with origins in Spain and a presence in 21 countries, the company specializes in food deliveries.46 Company E-C-U 2 commenced operations in Uganda in October 2020. This could explain why Uganda-specific performance statistics, such as market share and number of customers, are largely scarce. In financial services, both companies reviewed are in the Tier 1 financial institutions category, with Company F-S-U 1 being the largest Tier 1 financial institution, with total assets of approximately UGX 8.71 trillion in 2021 and a market share of 21%.47 Company F-S-U 2, on the other hand, is the 3rd largest Tier 1 financial institution by assets, with total assets of approximately 4 trillion and a market share of 9.7% by 2021.48 Company F-S-U 1 is the oldest commercial bank in Uganda, tracing its history as far back as 1906 with the defunct National Bank of India. The bank evolved through several bank takeovers until 2002, when Standard Bank acquired 90% of the shares in the Uganda Commercial Bank and rebranded to the current company name. Company F-S-U 2, on the other hand, commenced operations in Uganda in 1927 and has equally gone through several management and name changes to date, with the most recent rebranding having happened in 2019. Both companies reviewed are largely foreign owned, one being majority South African owned and the other having its roots in Great Britain.
Analysis of Findings for Kenya
Overall Analysis
Overall, each sector scored highest in a different indicator. The financial services sector scored highest (75%) in the existence of public, publishable, noticeable and readable privacy policies, the e-commerce sector in the informed consent indicator (81%), and the telecommunication sector in data collection and third party data sharing (75%). This suggests that the companies analyzed understand the importance of protecting their customers’ personal data and that they have some data protection practices in place. Comparatively, the compliance score for informed consent varies from sector to sector, with the highest score recorded in the e-commerce sector (81%) and the lowest in telecommunication (30%). This may indicate the need for standardized national guidelines for privacy policy statements for companies in the private and public sectors. These guidelines would clearly outline which parameters must be included in every privacy policy created by an organization. Sector-specific data protection guidelines would also significantly influence the information required in a privacy policy. This would be in line with the provisions of sections 26 and 27 of the DPA. Further, section 71 mandates the cabinet secretary for the ministry of ICT to develop guidelines or codes of practice that give effect to the Act. Compliance scores for the data collection and third-party data transfer indicator also vary from sector to sector. This is due to a lack of clarity in the information provided by the privacy policies of the companies analyzed on the type of personal data shared. Only one of the analyzed companies, from all three sectors, provides information on data storage limitations. Two of the six companies provide information on the type of personal data that will be collected, and five of the six companies state the purpose for which data is to be collected.
Notably, all of the companies analyzed across the three sectors received a compliance score of 0% for the accountability indicator. Clearly, the practice of publishing a transparency report is not common in any of the sectors. A transparency report serves the purpose of highlighting digital and data governance enforcement measures. This document, shared with the public, builds trust and openness between businesses and their customer base. The assessment indicates that the need for transparency reports must be better championed by the ODPC.
Across the three sectors reviewed, the percentage scores indicated in figure 1 are above 50% for all four indicators, with the exception of the accountability indicator. This is indicative of a trend toward complying with existing data protection regulations, specifically the DPA. However, it is also indicative of the gaps that exist in compliance and implementation of data protection rights, particularly as they relate to ensuring the exercise of the rights of data subjects, data processing practices as they relate to storage, and third party data transfer. These key areas must be re-evaluated across all three sectors in order to strengthen implementation and compliance processes within the sectors and to develop best practices.
A comparative analysis between Kenya and Uganda
Before the conclusion and recommendations, the 2022 Privacy Scorecard for Kenya and Uganda compares the findings regarding personal data protection in both countries. This is done by comparing the overall compliance assessment and the sector-specific performances. The chart below presents the overall compliance assessment evaluation for all sectors reviewed in Kenya and Uganda. Although Kenya (73%) performed slightly better than Uganda (70.8%) in the existence of public, published, readable and noticeable privacy policies, the difference is negligible. Uganda scored a higher percentage (66.7%) on the informed consent indicator than Kenya (60%). There was a big difference on data collection and third party data sharing, with Kenya (63%) scoring higher than Uganda (41.7%), whose score was below average. Both Kenya and Uganda scored below average on the data security indicator, at 41% and 38.9% respectively. Lastly, both countries scored 0% on the accountability indicator. The overall compliance of Kenya stood at 47.4%, with Uganda closely following at 43.6%. This is an indication that a lot has to be done to ensure privacy policies adhere to the legally acceptable parameters of personal data protection. This could be achieved if compliance is treated as a legal obligation rather than a matter of charity. Below, the report reviews the sector-specific performances in both countries. In the financial services sector, both Kenya and Uganda scored 75% on the existence of public, publishable, noticeable and readable privacy policies and 50% on the data collection and sharing indicator. On the other indicators, both countries had high scores for informed consent, at 70% and 81.3% for Kenya and Uganda respectively. On the data security indicator, Kenya scored an average performance of 50% while Uganda scored 83.3%. Both countries scored 0% on the accountability indicator.
Overall, Kenya scored 49% in the financial services sector, with Uganda scoring 57.9%. The slightly better performance by Uganda could partly be explained by a methodological difference, since Uganda’s sample included only the biggest Tier 1 banking financial institutions, which have regional and international presence and have been in the sector for many decades, whereas Kenya had one company from Tier 1 and another from mid-Tier 2. In the e-commerce sector, both Kenya and Uganda scored 75% on the existence of public, published, noticeable and readable policies. On the informed consent indicator, Kenya had an 81% score compared to Uganda’s 93.8%. On the data collection and third party sharing indicator, Kenya had a 63% score compared to Uganda’s 62.5%. The greatest difference was in the data security indicator, with Kenya’s 50% against Uganda’s 16.7%. Both countries scored 0% on the accountability indicator. In overall performance for the e-commerce sector, Kenya stood at 53.8% while Uganda stood at 49.6%. This performance indicates that the situation is not much different in the two countries. In the telecommunication sector, Kenya scored higher on all four parameters of assessment, with the exception of the accountability indicator, where both countries scored 0%. Kenya scored 70% on the existence of public, publishable, noticeable and readable privacy policies against Uganda’s 62.5%; 30% on the informed consent indicator against Uganda’s 25%; 75% on the data collection and third party sharing indicator against Uganda’s 37.5%; and 22% on the data security indicator against Uganda’s 16.7%. The telecommunication sector had the lowest scores in both Kenya (39.4%) and Uganda (29.2%). This is concerning given the large volume of data that telecommunication companies hold in both countries.
That the second lowest parameter score in both countries, after the accountability indicator where all sectors and countries stood at 0%, is in data security is equally a cause for alarm. The regulators in both countries need to devise means of making private actors accountable for the realization of the right to privacy for the personal data in their possession.
Conclusion
For data controllers or processors to be entrusted with handling personal data, they must demonstrate the capacity to comply with the applicable laws in their countries. The rights of data subjects should be adequately provided for in companies’ privacy policies so that data subjects can feel comfortable when sharing their personal data. This should not be taken as a matter of charity but as a legal obligation. Privacy policies play a vital role in illustrating to data subjects that the platforms they share their information with can be trusted, and that the procedures put in place by these companies will protect their personal data in accordance with the law. It is also important to note that although Kenya performed slightly better than Uganda, the abuses relating to personal data protection in both countries are largely the same. As a matter of fact, the performance difference was small. There is thus a call on both countries to benchmark best practices internationally and in the region to ensure better personal data compliance by companies through appropriate privacy policies. This study’s findings indicate that business entities understand the importance of protecting users’ data. All the companies analyzed had at least some measures in place to protect the personal data of their users. Across all the sectors analyzed, our findings showed that data processors need to put greater effort into ensuring that all appropriate measures are employed to protect personal data from misuse, loss, theft, or unauthorized action. Failure to do so can result in malicious interference with users’ personal data by cybercriminals. One way of achieving this could be for the legal framework to make it imperative for all undertakings that collect or control personal data to have in place privacy policies that conform with the legal framework.
Similar obligations have been seen in other legislation in Uganda, such as the Employment Act, 2006 and the Persons with Disabilities Act, 2019.