This comfort in nocturnal obscurity, while partaking of drinks that the vicar wouldn’t approve of either, used to be sufficient, until the lounges, in their wisdom or lack of it, introduced roving cameramen within the premises, to spice up their social media handles with heavily filtered pictures of healthy (and mostly beautiful) patrons having a good time. There is a demographic for which this exposure is all fine. But that demographic does not include the middle-aged Kenyan man with delicate domestic encumbrances back home.
It is worth noting that what these bars do, by taking pictures of patrons and using them for promotions, amounts to advertising. In the real world, advertising is a service that an entity should pay for, and in this case where the pictured patrons basically become advertising models, a legally binding agreement has to exist in which they get paid for this service. These fancy clubs, for all intents and purposes, have been procuring this service by false pretence and at no cost to them.
Which is why I was overjoyed when on September 26 the Office of the Data Protection Commissioner slapped several establishments, including a famous Nairobi lounge, with fines totalling Sh9.375 million, for a breach of the Data Protection Act.
Even more satisfying was the fact that the fined organisations cut across different sectors: a school, a digital lender and an entertainment lounge. It’s a drop in the ocean, given the runaway data privacy infringements in this country, but it was one massive step in the right direction.
All three organisations punished by the ODPC were from the private sector, but I hold that most private citizens’ data is held by state agencies, and they therefore often remain more culpable, by sins of omission or commission.
A lot of these actually have to do with data aligned to identity card numbers. For instance, anyone who knows your identity card number, searching from any phone, is able to use the National Hospital Insurance Fund platform to see details of your employer, NHIF status and dependants, with their full names.
The NHIF is not alone in this. Most state and independent agencies, including the IEBC, Kenya Power and KNEC, have “open search” status, where anyone with the relevant account number or identity card can freely access details of bills, exam results and identity data of anyone else.
Nevertheless, much younger private organisations like Naivas Supermarkets are already moving to address this by ensuring certain information can only be accessed through one registered telephone number. For example, to redeem loyalty points to pay for goods at the supermarket, a One Time Password is sent to the registered line, upon which the redemption of points follows. I can’t understand why public institutions are unable to follow suit and make private data available only on designated phone lines via OTP, rather than to the whole world.
Recently, a sitting MP went public with what she considered pure harassment by a local bank, or the latter’s agents. They had been inundating her phone with demands to pay back a loan she had supposedly taken from the institution.
After going public and asking the bank to desist from any more harassment, or talk to her lawyers, she provided an update that indicated the lender had called her and they had ironed out the misunderstanding.
The honourable member may have had the benefit of a quick resolution, but generally for ordinary citizens, it is a more hectic process. Usually, collection agencies in the country approach banks, seeking deals over non-performing or written-off loans, with an eye on the commission, should they succeed in collecting.
Because banks are respected institutions, they therefore unwittingly transfer these rampant data privacy breaches and harassment to the said collection agencies, who start an extravaganza of searches through the platforms of the usual suspects: NHIF, NSSF, IEBC, Kenya Power and the water companies. From there, data privacy be damned.
To make an already bad situation worse, we are referring to mainstream lending institutions here. Anyone who has had to deal with digital lenders, especially following payment delays, will agree that this particular one is a mafia world. Thankfully, one of them made the cut for the data commissioner’s hammer last month. What this variety of lenders does is to access a client’s phone data, mainly contacts and messages.
From there, they pick contacts who, when informed that the subject has refused to pay back a loan, would cause maximum embarrassment to the said client. These usually happen to be girlfriends, wives, mothers and close friends. The methods of accessing these private contacts and other phone data, as well as the blatant invasion of the privacy of third parties in debt collection, go beyond just data privacy violation into the realms of regulation failures and possible criminal acts. If the ODPC is looking for areas to bring the hammer down hard on, this would be its real gold mine, where some of the worst breaches exist.
There is another sector that acts without regulation. It is the private investigations sector. I am told by knowledgeable sources that it now thrives on rampant marital conflict, because spouses are not averse to hiring private eyes to determine whether their partners are keeping their vows or not.
But the typical private investigator doesn’t do much more than paying off unscrupulous mobile service providers’ staff to access private data of their subjects, as well as paying security staff in hotels and bars for CCTV clips that confirm that the subjects of their investigations are indeed compromising their vows. When not chasing marital matters, the PIs are also readily available for hire in these never-ending data privacy breaches that have become a short-cut to solve many perceived problems.
Every new regime in this country usually arrives with overhyped “new generation” projects. The more predictable ones are new generation identity cards, passports, forensic labs and the perennial “one number identifier”, which the Uhuru government called Huduma Number and which the Ruto regime prefers to name Maisha Namba. Many of them fall within the security docket, where any unwanted scrutiny would be waved down with the national security badge.
The problem is that these projects are essentially tender-driven, such that many who propose them have an eye on the procurement juices that flow their way with the implementation of these projects. However, the more crucial factor that remains unaddressed is how the data so centralised by the Huduma Number or Maisha Namba would be secured.
Data security must ultimately precede the arrival of new data systems that seek to centralise an individual’s private information around a lifetime unique identifier. In fact, for security purposes, possible avenues for data breaches must worry everyone who takes part in setting up and implementing these proposed projects.
Political commentator