Data Protection

Not once have I seen a man fidgeting trying to remember their date of birth or that of their spouse or child at the hospital registration desk. With so much difficulty to an extent you would imagine that the data is being retrieved from a fortified banker with a double verification security system. Most women are gifted differently though, at a snap of the finger they will tell those dates of birth and identification details as if they are reading from a teleprompter.

Working as a care manager has made me cognizant of the secrecy with which patients require their personal data to be handled. The escalating ills in society targeting personal information tootle behind every person handling personal data in any institutional setting, but much more so in the hospital setup, where the emotional drain from the suffering of patients can easily distract even the most alert data handler.

Linking patients with healthcare providers, social services, and support programs requires a care manager to assess patient needs, track progress, and adjust care plans accordingly. These adjustments ensure that the patient has access to necessary medication, treatment, and financial assistance, and that their rights are upheld, including access to healthcare and fair treatment. Patient support extends beyond the health facility to offering information on disease management, preventive care, and mental health support, along with how to manage emergencies and ensure timely medical response, as well as ensuring compliance with healthcare policies and ethical guidelines during sickness, through the recovery journey and even past recovery. This level of interaction leaves behind undeletable footprints of patients’ data in the custody of care managers.

Data protection in Kenya is guided by the Data Protection Act, 2019, which aligns with global best practices in safeguarding personal information, including health records. Confidentiality is a key principle enshrined in the Act. Healthcare providers and care managers must protect patient data from unauthorized disclosure. The relative who walks behind the admission table and requests additional information on the patient, when the patient has not signed them up as a recipient of uncensored data, is a threat to this principle. An employer who authoritatively calls seeking a brief on patient data must be advised, professionally and with the utmost etiquette, that the information they seek will be shared after relevant consultation. Some basic information on case management or financial plans that looks harmless at face value can be detrimental to the patient when shared with the wrong audience.

Patient data should only be collected and processed with informed consent or for legal and medical purposes. There are circumstances, however, where the patient’s condition necessitates that the health worker or the caregiver obtain information without consent for medical purposes, especially in medical emergencies. This information should be shared with the patient or the next of kin at the earliest opportunity and must be concealed from any other third party at all costs. Healthcare institutions should limit access to patients’ data by ensuring that only authorized personnel handle patient records and that strict access control measures are in place. Many health workers have casually asked an unauthorized person to pass a report file or even a prescription sheet to the next person in the caregiving chain. Such innocent acts can land the persons concerned in a lot of trouble in case of a data breach.

To enhance data security, healthcare institutions must implement encryption, cybersecurity measures, and secure storage for patient information. It is also important to minimize data capture by ensuring that only necessary patient data is collected and avoiding excessive or irrelevant information. A healthcare worker who plugs an external storage device such as a flash disk into computers hosting the institution’s core system, whether to download personal things or play music, poses a risk to patient data security. Healthcare institutions should have a policy in place for ensuring their data management systems are not vulnerable. If a hacker gains access to the institution’s database and accesses patients’ personal data, including insurance policy details and at times even details of money transfers towards settling the bill, such a breach potentially exposes the client to extortion, malicious release of such data to the public domain, or even money swindling.

The Office of the Data Protection Commissioner (ODPC) oversees compliance with the Data Protection Act, 2019. Any healthcare worker who experiences an incident should report data breaches to the ODPC to avoid legal consequences.

Rachael Kasura
Care Manager – AAR Hospital

Unlocking Careers in Data Protection

As data becomes the new oil in the digital age, the importance of safeguarding this valuable resource cannot be overstated. With data breaches, cyber-attacks, and privacy concerns escalating worldwide, the demand for professionals skilled in data protection has surged. Kenya is no exception, especially with the Data Protection Act of 2019 now fully in effect.

On Tuesday, 23 July 2024, the Data Protection and Governance Society of Kenya held a webinar on “Jobs in Data Protection, What Employers Look For,” which shed light on the critical certifications and skills necessary to thrive in this emerging field. This blog post captures the key takeaways from the event, offering a roadmap for those aspiring to build a career in data protection.

The digital revolution has brought about an unprecedented exchange of information, making data privacy a crucial concern for individuals, businesses, and governments alike. In Kenya, the enactment of the Data Protection Act in 2019 marked a significant step towards safeguarding personal information. This legislation has not only heightened the demand for data protection professionals but also expanded the scope of roles available in this field.

While lawyers have traditionally dominated the domain of data privacy due to their expertise in intellectual property law and human rights, the landscape is rapidly changing. Professionals from diverse backgrounds—such as technology, compliance, auditing, and human resources—are now carving out niches in data protection. This diversification is driven by the recognition that data privacy is not just a legal issue but a multidisciplinary challenge that requires a broad skill set.

One of the central themes of the webinar was the importance of certifications in securing employment in data protection. While hands-on experience and familiarity with local and international data privacy laws are invaluable, certifications offer a formal validation of one’s expertise, setting candidates apart in the eyes of employers.

Two certifications were highlighted as particularly valuable: the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Professional (CIPP), both offered by the International Association of Privacy Professionals (IAPP). The IAPP is a globally recognized body in the privacy and data protection industry, and its certifications are highly regarded by employers worldwide.

  • Certified Information Privacy Manager (CIPM): This certification is tailored for professionals responsible for managing data protection programs within organizations. It covers essential aspects such as privacy governance, data lifecycle management, and regulatory compliance. Earning a CIPM demonstrates a candidate’s ability to establish and maintain comprehensive data protection strategies.
  • Certified Information Privacy Professional (CIPP): The CIPP certification focuses on the legal and regulatory aspects of data privacy. It is particularly useful for those involved in ensuring that organizations comply with various data protection laws. The CIPP offers different specializations, including CIPP/E (Europe), CIPP/US (United States), and CIPP/A (Asia), among others, allowing professionals to tailor their expertise to specific jurisdictions.

Another certification mentioned during the webinar was the CompTIA Security+. While not exclusively focused on data privacy, this entry-level certification in cybersecurity is valuable for those looking to build a foundation in information security, which is closely related to data protection. The certification covers essential topics such as threat management, network security, and cryptography, providing a solid base for more advanced data protection roles.

The General Data Protection Regulation (GDPR) of the European Union was frequently referenced during the webinar as a cornerstone of data protection laws worldwide. The GDPR has set a high standard for data privacy, influencing legislation in many countries, including Kenya. As a result, a deep understanding of the GDPR is essential for anyone pursuing a career in data protection.

The GDPR’s impact extends beyond Europe, as it has become the model for many data protection laws globally. Consequently, certifications like the CIPM and CIPP, which incorporate GDPR principles, are particularly relevant. Professionals with a solid grasp of the GDPR are better equipped to navigate the complexities of data privacy regulations in various jurisdictions.

Obtaining certifications in data protection is no small feat. The exams are rigorous and require thorough preparation. During the webinar, several strategies were recommended to help aspiring data protection professionals succeed.

One of the most effective ways to prepare for certification exams is by joining study groups or enrolling in classes. Collaborative learning allows candidates to share knowledge, clarify doubts, and stay motivated throughout the preparation process. In Kenya, organizations like Lawyerhub Kenya and Techhive Africa offer classes specifically designed to help candidates prepare for data protection certification exams. These classes provide structured guidance, access to study materials, and opportunities to engage with experienced professionals.

The internet is a treasure trove of resources for certification exam preparation. Numerous websites, forums, and online courses offer study guides, practice tests, and tips for passing data protection exams. It’s important to choose reputable sources and stay updated on the latest developments in data privacy laws and practices.

Experience is a valuable asset in the field of data protection. Even before obtaining certifications, gaining practical experience through internships, mentorship, or consultation can provide insights into the day-to-day activities of data protection professionals. This experience not only enhances your understanding of the field but also makes you a more attractive candidate to potential employers.

While certifications are crucial, they are not the only factors employers consider when hiring data protection professionals. The webinar also emphasized the importance of soft skills and practical knowledge.

Minimizing sensitive ethnicity data is key in justice

Sensitive personal data of a population in the wrong hands is dangerous data; a tool for genocide. The minimisation principle of data protection implies that a Data Controller or Data Processor processes only the data necessary to fulfil the purpose for which it was collected. It is a technical and organizational measure that ensures privacy by design and default.

In his 1996 book Ethnic Cleansing, Andrew Bell-Fialkoff locates genocide and ethnic cleansing within a continuum of eliminationist population policies, offering a definition of ‘population cleansing’: “Population cleansing is a planned, deliberate removal from a certain territory of an undesirable population distinguished by one or more characteristics such as ethnicity, religion, race, class, or sexual preference. These characteristics must serve as the basis for removal for it to qualify as cleansing.”

Just to mention, the genocide against the Tutsis in Rwanda was seriously aided by uncontrolled and unfettered access to sensitive personal data of the population, particularly the tribe recorded on the “indangamuntu” ID. During the 1994 genocide in Rwanda, ID cards identifying people by their so-called “ethnic group” served, for some, as an effective death sentence. The post-colonial Rwandan authorities’ decision to include “ethnic group identities” on ID cards, which had originally been introduced back in 1933 by the Belgian colonial government, not only brought the very idea of rigid racial group identities to the fore, but also “facilitated the identification of victims” and meant that the genocide took place in a terrifyingly systematic and organized way. Data gathering around sensitive topics has a long history of being used in malicious and dangerous ways, including genocides. Accordingly, ethnic cleavage through IDs can act as a tool for genocide. Over one million Tutsis are estimated to have been killed, while thousands suffered crimes against humanity. The sanctity of the right to life is a non-derogable norm and cannot be sold at the altar of ethnic data.

Identification of individual members of a targeted population group is a necessary task for perpetrators of genocide and ethnic cleansing. To accomplish this task, perpetrators either adapt existing administrative structures to their new purposes or create new structures. Identity cards are often the key element in a larger identification system. Their central position in such a system is due to their role in attaching the identity of the targeted group onto individual persons, combining individual identity information with a group profile. Notably, the current national IDs in Rwanda do not bear ethnicity details.

In Germany, Nazi authorities sought new ways to publicly identify Jews during the late 1930s. Under the “Law on Alteration of Family and Personal Names” of 1938, Jewish women and girls were forced to take the name “Sara” as their legal middle names. Jewish men were forced to adopt the middle name “Israel.” Nazi authorities also stamped the letter “J” on all Jews’ passports and issued the Jewish population new identity cards with the letter “J” to be carried on their persons at all times. Signs of these discriminatory measures were embedded in the identity card.

Ethnicity data is sensitive personal data. Ethnicity as a death sentence, as witnessed in massacres and genocides, is a trend that must be stemmed. If the 1994 genocide against the Tutsis and the 1938 genocide against the Jews in Nazi Germany are anything to go by, the underlying denominator that facilitated the genocides is ethnicity data.

History confirms that a lack of minimisation of sensitive data of a population can be a root cause of genocide. Practising data minimisation is a keystone of a rights-based, responsible data protection approach. The EU Policy Framework on Transitional Justice provides principles that advocate for a Rights-Based Approach to

Kenya banks use AI to monitor staff fraud

Kenyan banks are using artificial intelligence (AI) to monitor their employees closely as part of their efforts to combat internal fraud. In Kenya, banks are increasingly adopting artificial intelligence (AI) to monitor employee activities as part of their strategy to combat fraud and insider threats. With fraud losses on the rise, including substantial amounts from internal theft, financial institutions are leveraging AI tools to track electronic communications and assess network usage among staff. This represents a notable shift from previous AI applications, which primarily focused on enhancing customer service. The move underscores the critical importance of risk management in the banking sector.
