Safeguarding Processing of SOGI Data in Kenya | IGF 2023

Knowledge Graph of Debate

Session report

Jeremy Ouma

The assessment offers an exhaustive exploration of diverse facets of Kenyan society, legislation, and practice with significant emphasis being placed on LGBT rights and data protection.

A primary cause of concern emerges from the deficient legal protections for LGBT individuals against discrimination grounded in their sexual orientation or gender identity. The current Kenyan legal framework is found lacking in offering ample defence to these marginalised groups, thus fostering an environment in which the revelation of personal demographic data could invite bias and negative repercussions. This scenario is aggravated by particular practices linked to LGBT identities being outlawed in the nation.

However, this situation isn’t entirely devoid of optimism. A discernible societal shift is observed, with increasing momentum in Kenya to repeal or amend penal codes criminalising acts related to diverse gender identity. Despite hindrances to these initiatives, such as refusal of organisation registration, the identification as diverse is not outlawed. Activists highlight an ongoing case between a regulatory body and the ‘NGO board’ as a paradigm in this advocacy.

Prominent worries regarding data protection and processing standards also attract attention in the analysis. The differential handling of sexual orientation and gender identity data under current legal structures is deemed problematic. In order to address these issues, organisations need to register with the Office of the Data Protection Commissioner. They are urged to prepare and update data protection protocols and increase awareness about privacy during data management. An internal capacity building within civil organisations is particularly underscored to foster greater awareness and engagement on data protection.

Furthermore, the analysis points out persisting challenges relating to digital platforms and their content management strategies. These include the potential amplification of harmful content and a lack of understanding of local context in content moderation processes. The scarcity of transparency within these systems further exacerbates the situation, yet progress is recognised through ongoing legal cases, such as the one involving Meta and its former content moderators. This case serves as a tangible pursuit to hold platforms accountable within the Kenyan jurisdiction. Efforts are underway to bridge the gap between local users and platforms, nudging platforms to better comprehend and respond to their user base.

Finally, the study extends its purview beyond Kenya, expressing negative sentiment around homosexuality laws in Uganda. The persistent implementation of these unfair laws, resulting in adverse prosecutions based on them, is recognised as a significant violation of human rights.

In summary, the analysis identifies a complex network of obstacles within Kenyan society, but simultaneously showcases several steps taken to address and surmount these challenges. It provides a detailed account of ongoing efforts and the dire need for progress towards a more inclusive society.

Angela Minayo

Angela Minayo emphatically discusses the significance of well-regulated data management in preventing human rights violations. She emphasises that while data affords immense opportunities, if poorly regulated, it can be manipulated to facilitate human rights abridgements. Therefore, robust data regulation legislation is essential to safeguard human rights.

Minayo affirms the necessity of a harmonised protection framework for sensitive data, encompassing gender and sexual orientation. The continuing debate about data protection, confidentiality, and personal autonomy prompts her to argue for more comprehensive legislation that provides protection not just for conventional data but also for sensitive information regarding an individual’s gender identity and sexual orientation.

Conversely, Minayo voices her reservations concerning the efficacy of Kenya’s existing Data Protection Act. Despite the law’s progressive human rights perspective, she regards it as deficient in its coverage of gender identity under sensitive data and its contradictory approach in handling health data and sexual orientation.

Minayo spotlights non-profit entities and highlights the need for these organisations to comply with data protection regulations. She proposes that while data protection often associates with corporate compliance, both for-profit and non-profit entities need to ensure adherence to the regulations. Significant mishandling of personal data, especially sexual orientation and gender identity data, can result in severe human rights implications.

She goes on to emphasise the complexity of data protection and espouses an increase in the resources geared towards effective data protection, notably for non-profit entities that perhaps lack the necessary resources for comprehensive data security. Minayo further calls upon data entities in various countries to register data controllers and processors to legitimise their roles and allow for efficient allocation of budgets and responsibilities for data protection.

Minayo highly commends the use of data processing templates from Article 19, designed to assist non-profits. She affirms these templates as serving as a checklist for various data protection procedures. She also underscores the importance of organisations soliciting consent for personal data usage and documenting said consent.

In the context of protecting sensitive data, she references the severe implications for marginalised groups, pinpointing the increase in online homophobia following a Supreme Court ruling in Kenya that authorised LGBTQ organisations to be formally registered. She asserts that existing as queer in Kenya is akin to a political act, endangering individuals with stigma, and even death.

Finally, the digitisation of sectors such as sex work and resultant data protection concerns that emerge due to Kenyan users’ data being handled outside the country, leads Minayo to recommend improved awareness of data protection laws, specifically for the evolving digital economy.

In conclusion, Minayo centres her discussion on the importance of contemplating data protection from a broad spectrum, ranging from the necessity for robust regulations to protect sensitive data, the urgency for more resources for non-profit entities, the relevance of data protection across all sectors, and the significance of stakeholder awareness.

Audience

The discourse primarily centres around pressing issues related to data sensitivity and the recognition of diverse gender identities within Kenya’s legal framework. One of the main criticisms in the conversation pertains to the relatively rigid categories of gender identities officially recognised in Kenya, which currently include Male, Female, and occasionally, Intersex. This limited classification, as suggested in the discussion, disregards the broad spectrum of gender identities, leading to negative sentiment surrounding this lack of inclusivity.

Additionally, the classification and handling of sensitive information in the country are scrutinised. Specific emphasis is on the differential treatment of data regarding sexual orientation and gender identity under the Data Protection Act. Whilst the data on sexual orientation is treated as sensitive personal data, data on gender identity is viewed as general data. This discrepancy raises concerns about the absence of a specific law, offering protection against discrimination based on sexual orientation or gender identity in Kenya.

The conversation further extends to the issue of data protection measures, particularly with respect to sex workers. A unique point highlighted by the audience is the necessity to safeguard data associated with this group, emphasising non-profits’ interaction with sex workers and the requirement to guarantee adequate protection measures.

Another point of interest stemming from the dialogue pertains to the influence of Uganda’s Anti-Homosexuality Act on Kenya’s data protection laws. Particularly, concerns are raised about whether the stringent regulation enacted by neighbouring Uganda might impact the LGBT community’s data protection in Kenya.

Platform accountability in Kenya also draws concern from the audience, with particular focus on the efficiency and procedure of incident reporting in cases of data breaches. The police’s involvement in such instances is queried, implying an underlying need for more robust incident response protocols.

A significant part of the conversation is dedicated to the management and confidentiality of health data. Clarification is sought on the mechanisms for sharing health data between facilities, with additional questions being raised about whether individual consent should be obtained each time data is shared. Participants inquire about the legal coordination between the Health Privacy Act and the Data Protection Act, seeking to understand which of the two pieces of legislation primarily governs patient privacy. These discussions shed light on the evident gaps and ambiguities in the country’s data protection and privacy laws, highlighting the public’s demand for a more transparent and protective legal system.

Speakers