The Ministry of ICT finally published the proposed Privacy and Data Protection Bill and is seeking public comments on it. We seek to provide an overview of the general principles behind this bill. First, we must recognise three key actors within the data protection regime: the data controllers, processors and subjects.
Data controllers determine the purpose for and the manner in which the data collected on citizens is processed. Typical examples of data controllers include government departments like immigration and police, agencies like the Independent Electoral and Boundaries Commission (IEBC), universities and hospitals, among others.
Private sector data controllers would include your mobile service providers, banks, hospitals, supermarkets and insurers.
We should not forget the smaller data controllers like your neighbourhood garbage collecting company or security agency that possess private information about you.
The second key actors are data processors. They are the entities hired by the data controllers to process personal data on their behalf.
For example, the French company hired by IEBC in the last general election to host our data in the cloud and provide the results transmission system acted as the data processor for the electoral commission. The IEBC was the data controller.
The security guard who expects you to declare your private data before granting you access to the office block would be another example of a data processor, acting on behalf of the company you wish to visit.
Finally, the data subject is the person whose personal data is held by either the data controllers or processors. The essence of a data privacy and protection regime is to ensure that the rights of the data subjects are secured and guaranteed.
In jurisdictions where there are few or no data protection frameworks, the data controllers and processors tend to have a field day, doing anything and everything they may want with the data they have collected.
Often, the data controllers have no legal or regulatory obligation to protect citizens’ data. The citizens have no avenues for recourse in the event their data is abused.
The bill seeks to define the obligations of data controllers and processors with regard to protecting the rights of the subjects.