Self-sovereign Identity for the National Data Protection Act, Kenya

Daniel Olamide · Published in Vibranium ID · 4 min read · Apr 30, 2020

A Review of The Data Protection Act, Kenya (2019) and how SSI can help make it a reality

By Daniel Olamide, and Eddie Kago

Personal Information

The Ministry of ICT in Kenya rolled out a National Data Protection Act in November 2019. This was a first for the nation and a great step towards promoting innovation in a country christened ‘The Silicon Savannah’ due to past innovations such as M-Pesa and Ushahidi. Before the Act was passed, citizens were in a state of limbo over how the data they generated and owned was being managed, with seemingly almost no control, if any, over their personal data. According to a report released by Privacy International, data such as personal records from telecommunication networks were being accessed by government security agencies outside the confines of the law.

What does the National Data Protection Act (2019) mean for the regular mwananchi? Data controllers, who are mentioned throughout the Act, are the individuals or organisations in charge of determining the data required for one to use digital services, as well as the means by which data processors process that data. The Act classifies users of digital devices as data subjects, as they are the source of data. With the main purpose of the Act being to protect personal data, heavy fines were legislated for data controllers and processors who don’t comply. The Act outlines the following rights of data subjects to protect personal data:

  • To access their personal data in custody of a data controller or data processor.
  • To object to the processing of all or part of their personal data.
  • To correct false or misleading data.
  • To delete false or misleading data about them.

The data subject is also granted the right to data portability. This means they should be able to get all their personal data from one data controller and move it to another. All these structured regulations would indeed serve well, but one of the greatest issues with most legal Acts of this nature, especially in loosely regulated data jurisdictions like the African scenario, is implementation. So you may ask, what will assist in implementing such a user-centred Data Protection Act?

The Case for Self-sovereign Identity (SSI)

Self-sovereign identity, also referred to as decentralised identity, is a term used to describe the core role that a person holds in relation to their data. It recognises that an individual (the data subject) can always transfer personal data held by a data controller or data processor to another data controller, or even hold custody of their own data. Hence the model applies a user-first degree of freedom in terms of the user’s control of his or her identity, without lock-in to administrative issuers, verifiers or other forms of data controllers.

In a digital sense, this would mean the same sense of control that one holds over their physical wallet, which contains identification records such as their driving license, school ID or national ID. They would control their identification in the digital world the same way: presenting credentials where required, with each credential containing the specific information required by the verifier. SSI is a major boost to the implementation of the Data Protection Act, giving each data subject full control over the movement of their identity data and other personal data.

Self-sovereign identity would allow individuals to exercise their Right to Privacy through data portability: they can, at their desire, move data from one controller to another, or change their personal data held by data controllers in order to update it or even delete it. Best of all, they gain the ability to withdraw their personal data from data controllers the same way one would pick up a physical ID and return it to their wallet. This gives data subjects complete control over their personal data without depending on other sources to assist in managing it. A properly implemented decentralised identity wallet would thus abide by the National Data Protection Act by design, giving the user freedom over their data.

To provide a means to securely access your personal identity data, Vibranium Identity is committed to best software security practices and regulations on data protection and privacy including the Data Protection Act (Kenya) 2019 and the Personal Data Protection Guidelines for Africa (2018) outlined by the Internet Society and the Commission of the African Union (AU).

Stay up to date with our work in Pan-African decentralised ID here: Vibranium ID
