Strict data protection laws in Kenya have kept private sector data processors on their toes, making them the most compliant in East Africa. But the State – which ought to lead in safeguarding citizens’ data – continues to lag.

A new index ranking the quality of personal data protection across public and private institutions in East Africa places Kenya at the top, but points out that government departments and agencies remain the weakest link, particularly in their lack of transparency and safeguards.

The index, developed by Uganda-based digital rights non-profit Unwanted Witness, assessed 189 organisations in Kenya, Uganda, Tanzania, and Rwanda, including banks, telecom firms, health providers, tax authorities, and national identity management bodies.

It focused on their data privacy practices in compliance with national laws and global standards.

Kenya scored the highest overall, except for state-linked organisations, where it fell behind. Uganda came second, Mauritius third, Rwanda fourth, then Tanzania and Zimbabwe.

The index assessed institutions based on the accessibility of privacy policies, clarity of consent collection, third-party data transfer policies, data security practices, availability of transparency reports and how the firms resolve internal data breaches.

It also checked for registration with the national data protection regulator, which is mandatory in Kenya.“While Kenya stands out as the leader in data protection practices, many other countries, including Mauritius, Uganda, Rwanda, and Tanzania, face difficulties in strengthening or maintaining their data protection frameworks,” noted Unwanted Witness in a report on the region’s data privacy scorecard.“These countries need to focus on enhancing regulatory enforcement, updating privacy laws, and ensuring that their frameworks are aligned with international standards to improve their scores and foster greater trust in data privacy.”While Kenya tops the overall ranking, Uganda outperforms it certain areas.

Kenyan firms perform best in registration with the national regulator, tying with Uganda at 63 percent. They also do better in accessibility of privacy policy (74 percent), transparency in pre-collection of data (54 percent), restriction of third-party data transfer (20 percent), and internal breach resolution (11 percent).

They, however, trail Ugandan and Mauritian companies in having robust data security frameworks and regular publication of transparency reports.

Generally, companies in the banking, insurance and telecommunication sectors across the region do better in data privacy, while government ad health sector organisations perform worst.

In telecommunication, for instance, Kenyan companies scored an average of 45 percent in 2024, while Zimbabwean and Mauritian companies’ compliance levels were at 34.5 percent and 36 percent respectively on average. In this sector, only Ugandan companies do better with an average compliance rate of 48 percent.

Kenyan firms also outshine the others in banking, insurance, e-commerce, betting, digital lending and health, with Ugandan firms closely following behind, and in some cases, slightly ahead.

Government entities, however, perform much poorer than both private firms in Kenya and their peers in the region. State-linked data handlers such as e-Citizen and Huduma Kenya have been outshone by government entities across Uganda, Zimbabwe, Mauritius, Tanzania, and Rwanda.

While Kenya Revenue Authority is the most compliant across the region with 47 percent compliance rate, the Rwandan Information Society Authority, Uganda National Bureau of Statistics, Zimbabwe Revenue Authority, and the Rwandan Social Security Board beat the other Kenyan public entities in compliance.

Huduma Kenya is one of the worst performers overall, with a compliance rate of just 3 percent, while the Rwandan equivalent, IremboGov, scored 33 percent.“The low scores in several Kenyan agencies point to critical weaknesses in data protection, which could lead to privacy risks such as unauthorized access and misuse of personal data,” said Unwanted Witness.

Other than the state agencies polled by Unwanted Witness, many that handle Kenyans’ personal data are yet to even register with the national regulator, six years after enactment of the new laws that require mandatory registration.

A study by the Kenya ICT Action Network last year revealed that nearly two thirds of State agencies and corporations are yet to register with the Office of the Data Protection Commissioner.

© Copyright 2022 Nation Media Group. All Rights Reserved. Provided by SyndiGate Media Inc. (Syndigate.info).