Kenya 2 Subteam 2 CHUI Development of A Legal and Regulatory Framework For E-Government in Kenya

Developing an enabling legal and regulatory framework for e-Government services in Kenya
Final Presentation - Nairobi, 17th March 2011

IBM Corporate Services Corps Team Kenya 2 Subteam Chui Anna Choi (KR), Nimeesh Kaushal (CA), Luan Nio (CH), Dave Sloan (US)
Legal and regulatory framework for e-Government services in Kenya IBM CSC Team Kenya 2 Subteam Chui
Agenda Project Overview and Approach Current state of Kenya e-Government Recommendations
Global best practices and Key Principles in e-Government legal frameworks Sample legislation that highlights critical e-Government elements Implementation action plan
Q&A
Q&A
IBMs view on a Smarter Government
Source: IBM Institute for Business Value, The State of Smarter Government, 2010 4
Getting Kenya to the next maturity level in eGovernment
Kenya Tomorrow
Kenya Today
Source: Booz Allen Hamilton, Beyond e-Government, 2005 5
Objectives and Scope of this assignment

Develop legal and regulatory framework to support e-Government services Facilitate the adoption of e-Government services Maximize their effectiveness Ensure their sustainability Gap analysis on international best practices on data access framework Focus on elements of the identified National Data and Public Services challenges Review of the current state of the art Identify unique opportunities or constraints that exist in Kenya via interviews Distill inputs into key principles that can be enshrined in legal and regulatory policy 2 months preparation in home countries (December February) 1 month in-country, based in Nyeri, meetings in Nyeri and Nairobi (February March) Presentation and Final Deliverables on March 17th
6
WHAT
HOW
Vision 2030 Constitution Relevant statutes (e.g. Kenya Communications Act)
WHEN
Top 10 e-Government countries
The e-Government Development Index is the UNs ranking system, from 0 to 1, used to indicate the level of maturity of e-government services. The above 4 countries are well represented in our team composition
Source: United Nations eGovernment Survey 2010 7
Focus Areas
Based on our analysis, we have identified 6 major areas you need to focus on
Standard Keys
National Data Warehouses
Preventing Redundant Systems
Public Ownership of Public Data
Definition of, access to and penalties for illegal access to private versus public data
Standard identification, permission and enforcement of protected data, and guaranteed citizen access to data
Security of public data
Universal primary Centralized, keys to uniquely exhaustive identify people, systems for companies, assets, people, etc. across all companies, assets, government data etc. available for holdings universal reference and cross-cutting analytics
Require systems to refer to and coordinate with National Data Warehouses when they exist
Shifting from data ownership to data stewardship, facilitating re-use of public sector information
Authority to require adherence to a common data security standard, including audit
Interviews and Visits

Interviews
1. Dr. Katherine Getao, ICT Secretary, Director of eGovernment 2. Mary Muchene, District Commissioner, District of Nyeri 3. Jane Otoko, Head of ICT, Ministry of Immigration & Registration of Persons 4. Patrick Njoroge, Assistant Director ICT in State Law Office, Office of Attorney General 5. Zeba Nyikal 6. James Opundo and Nicholas Ongeri - Legal Officers, Ministry of Immigration & Registration of Persons 7. Javan Bonaya, Passport Registration Office, Nyayo House, Nairobi 8. Tony Onyango and Maxim Itur, National Registration Bureau, Makadara Station, Nairobi 9. Samuel Lukanu and Bente Were, Birth/Death Registration Office, Sheria House, Nairobi 10.Samuel N. Kimotho, District Civil Registrar, Birth/Death Registration Office, Nyeri 11.Michael A. Kana, District Administrative Police Commander, Nyeri 12.Vivian Ashioya, IBM Account Manager 13.Citizens
Visits
1. Ministry of Immigration and Registration of Persons 2. Department of Immigration, Passport Registration Office, Nyayo House, Nairobi 3. National Registration Bureau, Makadara Station, Nairobi 4. Civil Registration Department, Sheria House, Nairobi 5. Civil Registration Department, Nyeri District
Meetings
1. Stakeholders Workshop on e-Government Strategic Plan, Kenya Institute of Education, 9th March 2011
Q&A
10
Department of Immigration HQ Nyayo House Passport application process
National Registration Bureau Makadara Station National ID card application process
Because of these timeconsuming, redundant and manual processes, the criticality for a solid legal framework for e-Government is even more urgent
Civil Registration Department Sheria House Birth Certificate application process 11
Focus Areas Summary of Findings

Findings
Standard Keys
Potential Shared Keys IPRS Integrated PIN universal for all registered Kenyans and registered foreigners, but largely unknown outside of IPRS IPRS collects data from many systems Data exchanges occur ad hoc, in bulk and with infrequent updates No or immature NDW exist in Kenya, but potential candidates exist Physical sources are distributed across ministries and districts and are redundantly archived Requests for information between ministries are manual, on paper No legislation states who owns data, who acts as data steward or how public data should be shared No culture of sharing public data
Conclusions
Lack of keys will inhibit interoperability without entity disambiguation exercises No consistent shared keys exist across systems
National Data Warehouses
Citizen and Corporate Registry
IPRS represents best current NDW Lack of universal and real-time coordination with other repositories leaves room for fraud and manipulation Finding correct information is timeconsuming Ministries operate inefficiently with duplicate information collected, often with the same purpose Ownership is asserted in such a way that it inhibits collaboration and information sharing Time-consuming efforts to identify structures around data governance Unclear categories yield coarse-grained data controls which can allow illegal access to the data Unenforced penalties increase the risk of illegal access Differing or absent standards for securing public data risks compromised security at all times Security violations go undiscovered
Preventing Redundant Systems
Information Redundancy and silos / Digitized Info.
Public Ownership of Public Data Definition of, access to and penalties for illegal access to private versus public data Security of public data
Shifting from data ownership to data stewardship
Definition, Access control, Penalties
No definition, distinction or classification of PII, Sensitive data, Public data Identified violations are handled in an ad hoc fashion, with varying penalties
Adherence to a common data security standard incl. auditing
No uniform mechanism or auditing in Kenya to protect public data Existing legislation KCA 2009 83U and 83V, not observed by agencies
12
Q&A
= Best in Class
13
Global Best Practices and Key Principles
Focus Area 1 Standard Keys

Require adherence to standard data formats
Adopt shared formats

An electronic Government Interoperability Framework (eGIF) or Data Reference Model (DRM) designates shared keys and standard models for core entity types Many existing open standards can be adopted or customized Advanced systems will allow for cancelable identifiers to minimize impact of compromise In NL, Citizen Service Numbers (CSN) and Chamber of Commerce Numbers (CCN) are used for data exchange and searches in the Key Register of Persons (MPRD) or Key Commercial Register In KR, a central authority can issue, cancel and re-issue surrogate keys to identify individuals.
Mandate compatibility
All existing systems are required to be interoperable with data standards within a designated timeframe All newly procured systems are required to comply with data standards
Designate an authority to update standards

While core standard fields rarely change, identification of a role for updating standards ensures expansion to unforeseen fields of value and controls for technological change
In UK, the e-GIF set the standard for many other countries as adoption is mandatory for all public information systems In US, the Director of the Office of Management and Budget is empowered to enforce standards for all government systems
In EU, Interoperability Solutions for European Public Administrations (ISA) created European Interoperability Framework (EIF) to unify multiple governments and is maintained by an identified committee from many member countries
14
Sample Legislation

UNITED STATES Public Law 107/347 -- e-Government Act of 2002 UNITED STATES Public Law 107/347 e-Government Act of 2002
Section 207 (d) (1) the [Interagency Committee on Government Information] shall submit recommendations to the Director on (A) the adoption of standards, which are open to the maximum extent feasible, to enable the organization and categorization of Government information (i) in a way that is searchable electronically, including by searchable identifiers; and (ii) in ways that are interoperable across agencies (2) the [Director of the Office of Management and Budget] shall issue policies (A) requiring that agencies use standards, which are open to the maximum extent feasible, to enable the organization and categorization of Government information
Authority to develop open data standards is delegated to a central authority Authority to develop open data standards is delegated to a central authority The data standards themselves are drawn up by a qualified committee and passed as regulations The data standards themselves are drawn up by a qualified committee and passed as regulations Separately, the enforcement of those standards is a legal responsibility of a named party Separately, the enforcement of those standards is a legal responsibility of a named party
SOUTH KOREA Act on Promotion of Information and Communication SOUTH KOREA Act on Promotion of Information and Communication Network Utilization and Information Protection Network Utilization and Information Protection
Article 12 Construction of a System for the Joint Utilization of Information (1) The Government may advance the interoperability, standardization, and joint utilization of information and communications networks to efficiently utilize the information and communications networks. (3) Presidential Decree shall stipulate requisite matters regarding promotion and support Article 13 Projects for Promoting Utilization of Information and Communications Networks (1) Under conditions stipulated by Presidential Decree, the Minister of Information and Communication may create and enact projects designed to facilitate the efficient use and distribution of technologies, equipment, and applied services in order to facilitate information use in the public and private sectors, culture, and society as a whole, and end the information gap.
Empowers the government authority to craft an interoperability framework or fund a body to do so Empowers the government authority to craft an interoperability framework or fund a body to do so Allows the government authority to promulgate regulations requiring the adoption of the interoperability framework Allows the government authority to promulgate regulations requiring the adoption of the interoperability framework Encourages the government to condition financial support based on the adoption of the interoperability framework Encourages the government to condition financial support based on the adoption of the interoperability framework Justifies all of these activities as necessary to close the information gap Justifies all of these activities as necessary to close the information gap
15
Focus Area 2 - National Data Warehouses

Compel concentration or coordination of National Data Assets
Designate central repositories for all critical data holdings

Each type of data asset (individuals, property, businesses, etc) requires a designated repository Repositories may be located together with collector agencies or independent authorities Optimal citizen protection will encrypt identifiers prior to use to minimize impact of compromise In UK, the same Act that protects personal data authorizes the development of data sharing practices in citizens interests In KR, cancelable identifiers are administered through a common verification authority
Authorize authentic sources as substitutes for paper documents

Empower citizens with legal rights to leverage data held in NDW
Incent participation through centralized verification services

Varied methods should be provided to allow remote systems to verify the relevant details of data held in the NDW. Suspension of funding or other penalties may be levied on systems which do not rely upon, or minimally coordinate, with the NDW Harmonize with data privacy statutes to prevent conflict In ES, the Identity and Residence Verification Systems (IRDVS) provides electronic verification of all identity documents eliminating the need for paper
In BE, citizens can refuse requests for data details already held in authentic source systems such as the National Register (for individuals), the Crossroads Bank for Enterprise In DK, the Det Centrale Personregister has been the central source for citizen data since 1968 16
Sample Legislation

SPAIN PRE/3949/2006 Verification System of Identity Data SPAIN PRE/3949/2006 Verification System of Identity Data (Sistema de Verificacion de Datos de Identidad) (Sistema de Verificacion de Datos de Identidad)
Second: sets the date of operation of the Identity Data Verification System from which it cannot be required by the Central Government or the agencies that link or are dependent on the provision of copies of the Document National Identity Card or the documents proving the identity of foreigners resident in Spain or equivalent card First Annex: Identity Data Verification System is made available to the departments and agencies of the State Administration by the Ministry of Public Administration as a horizontal service for consultation and verification of data from the Citizen Identification Documents in custody of General Directorate of Police and Civil Guard Third Annex, Part 1: Access to Data System Identity Verification will be established for any public body
Authority to consolidate identity data is assigned to a central authority Authority to consolidate identity data is assigned to a central authority The regulation defines the data sources which are compelled to participate by force of law The regulation defines the data sources which are compelled to participate by force of law Minimum standards are set as to the security, availability, access methods and confidentiality of the centralized data Minimum standards are set as to the security, availability, access methods and confidentiality of the centralized data Requires the acceptance of records in the central data repository in lieu of photocopied documents Requires the acceptance of records in the central data repository in lieu of photocopied documents
UNITED KINGDOM Data Protection Act 1998 UNITED KINGDOM Data Protection Act 1998
52A Data-sharing code (1) The Commissioner must prepare a code of practice which contains (a) practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and (b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data. (2) For this purpose good practice means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.
The Data Protection Act is largely concerned with the limitation of the governments ability to store, access or share The Data Protection Act is largely concerned with the limitation of the governments ability to store, access or share citizens personal data citizens personal data Within the act, exceptions regarding data sharing in the citizens interest is made Within the act, exceptions regarding data sharing in the citizens interest is made A designated body is given the authority to create data sharing codes (regulations) which must be submitted for approval A designated body is given the authority to create data sharing codes (regulations) which must be submitted for approval up to Parliament up to Parliament Once these regulations are in place, agencies are compelled to share their data accordingly Once these regulations are in place, agencies are compelled to share their data accordingly
17
Focus Area 3 - Preventing Redundant Systems

Eliminate duplicate collection and storage
Share information across ministries and prohibit redundant digital data

All government agencies must vet their information needs against existing government holdings before it can collect or retain information Information cannot be collected independently if it exists accessibly in any other agency.
Integrated registry of information systems

Ministries must register the type and extent of information they collect and provide points of contact for those collections Ministries which cannot share data directly must provide methods by which the information can be integrated with other ministries In a KR e-Government case, with the integration of information resources, USD 100 million in equipment replacement costs were saved between 2009 and 2010. Additional USD 400 million is expected to be saved by 2014.
Organizational structure to plan, manage, and control data across government

A role for a central decision making body must be designated to promote sharing strategy, enforcing policies through approval and budgets and resolving conflicts The organizational structure should be placed in the eGovernment directorate in order to sit across ministries and agencies. In UK, MOI (Ministry of Information) is the organization for the information subject area. In US, OIRA (Office of Information and Regulatory Affairs) In KR, MOPAS (Ministry of Public Administration and Security)
In KR e-Government Law No. 10303 Chapter 4, details sharing of administrative information. Article 36 governs the administration, efficient management and use of information
18
Sample Legislation

SOUTH KOREA -- ELECTRONIC GOVERNMENT ACT SOUTH KOREA ELECTRONIC GOVERNMENT ACT
Article 36 (Administration of the efficient management and use of information) A minister or principle of any ministries should provide administrative information which the ministry collect and retain inside to other ministry who require that information. If they can receive and access trusted data from any other ministry, they should not collect duplicated data independently. A minister or principle of any ministries which collect and retain administrative information can permit to share the information between other ministries and any banks which have a permission of bank business according to Act on Bank, private corporate organizations or agencies which are granted by Presidential Dec Policies. The Minister of the Ministry of Public Administration and Security should develop the list of administrative information which is hold by any ministry by investigation and distribute it across government ministries and investigate requirement for new administrative information. Article 37 (sharing of administrative information centers) For the sake of effective sharing of administrative information, The Minister of the Ministry of Public Administration and Security can deploy administrative information center as a center of information sharing across ministries as a subsidiary of his ministry and promote to utilize the center from each ministry in accordance with Presidential Dec Policies
All government agencies must vet their information needs against existing government holdings before it All government agencies must vet their information needs against existing government holdings before it can collect or retain information can collect or retain information Information cannot be collected independently if it exists accessibly in any other agency. Information cannot be collected independently if it exists accessibly in any other agency. A role for a central decision making body must be designated to promote sharing strategy, enforcing A role for a central decision making body must be designated to promote sharing strategy, enforcing policies through approval and budgets and resolving conflicts policies through approval and budgets and resolving conflicts
19
Focus Area 4 - Public Ownership of Public Data

Public data is owned by the people
Data is available to the widest range of users for the widest range of purposes
Data should be usable for purposes it was not originally captured for Involve citizens to make sense of data Encourage transparency, participation and collaboration
Make exposed data the default and protected data the exception
By default, data captured by government bodies should be made available to the public Release key datasets (data.go.ke?) Only sensitive or private data should be protected
Do not establish data owners, but assign data stewards

Data does not belong to the person or agency that captured the data Center of Excellence in data stewardship, directing other agencies in governing, collecting, managing, storing and distributing data. In UK, Public Data Corporation In NZ, Government departments are stewards of Government-held information, and it is their responsibility to implement good information management.
In US, Open Government Directive In UK, interactive portal where citizens are asked to come up with innovative ideas and mobile applications how they could use public data
In UK, Transparency Board to make transparency a core part of all government business In KR, Act mandates that information held and managed by public institutions shall be disclosed
20
Sample Legislation

UNITED STATES Open Government Directive UNITED STATES Open Government Directive
() this memorandum is intended to direct executive departments and agencies to take specific actions to implement the principles of transparency, participation, and collaboration set forth in the Presidents Memorandum. () The three principles of transparency, participation, and collaboration form the cornerstone of an open government.. () This Open Government Directive establishes deadlines for action. But because of the presumption of openness that the President has endorsed, agencies are encouraged to advance their open government initiatives well ahead of those deadlines.
Requests from executive departments and agencies to take steps toward the goal of creating a more open government Requests from executive departments and agencies to take steps toward the goal of creating a more open government Provides clear actions and deadlines for implementation Provides clear actions and deadlines for implementation Key principles are transparency, participation and collaboration Key principles are transparency, participation and collaboration
SOUTH KOREA Information Disclosure Act for Public Agencies SOUTH KOREA Information Disclosure Act for Public Agencies
Every people holds the right to request information disclosure. () Public institutions shall create an information management system by which information can be properly kept and speedily searched, open an office and secure staff in charge ofinformation disclosure and work to build an information disclosure system, etc. by making full use of the information and communications network.()
Secures the peoples participation in state affairs and the transparency of the operation of state affairs Secures the peoples participation in state affairs and the transparency of the operation of state affairs Prescribes necessary matters concerning the peoples claims for the disclosure of information and the obligations of Prescribes necessary matters concerning the peoples claims for the disclosure of information and the obligations of public institutions to disclose their information in their possession public institutions to disclose their information in their possession Prescribes that public institutions shall make and keep a list of information that they hold and manage in a manner that Prescribes that public institutions shall make and keep a list of information that they hold and manage in a manner that the people can readily understand such list of information the people can readily understand such list of information
21
Focus Area 5 - Definition of, access to and penalties for illegal access to private versus public data
Categorize data appropriately to maximize proper protection and access
Clear definition and classification of private and public data

The authority to define private and public data should be clearly stated in legislation All definition and classification should be unified across ministries, preferably tied to a data standard.
Accessibility for authorized data

Access to citizen information held by public institutions should be governed uniformly by data category Authority to determine appropriate access (e.g. national security, statistical) should be declared in Act Individuals should be guaranteed access to data about them In FI, Personal Data Act - section 26 - Right of Access In Canada, Privacy Act - Access to Personal Information - Right of Access In US, under FOIA, individual has access to the information government hold 22
Exclusively defined penalties and enforcement role

Penalties for illegal access should be specified once and applied broadly An independent enforcement role with authority to carry out penalties must be defined
In US, FEA DRM (Data Reference Model) categorizes government information in detail level with privacy designation. In UK, e-GIF (e-Government Interoperability Framework) sets out the government's technical policies and standard data categories.
In FI, Personal Data Act, chapter 38, section 9 In KR, Act on the Protection of Personal Information Chapter 5
Sample Legislation
FINLAND Personal Data Act FINLAND Personal Data Act
section 26 - Right of Access (1) Regardless of secrecy provisions, everyone shall have the right of access, after having supplied sufficient search criteria, to the data on him/her in a personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the regular sources of data in the file, on the uses for the data in the file and the regular destinations of disclosed data.
Authority to determine appropriate access (e.g. national security, statistical) should be declared in Act Authority to determine appropriate access (e.g. national security, statistical) should be declared in Act Individuals should be guaranteed access to data about them Individuals should be guaranteed access to data about them CANADA, Privacy Act -- Access to Personal Information CANADA, Privacy Act Access to Personal Information
Right of access 12. (1) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to (a) any personal information about the individual contained in a personal information bank; and (b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.
Individuals should be guaranteed access to data about them Individuals should be guaranteed access to data about them SOUTH KOREA, Act on the Protection of Personal Information Chapter 5 SOUTH KOREA, Act on the Protection of Personal Information Chapter 5
Article 23 (Penal Provisions) (1) Any person who changes or alters private information for the purpose of disrupting the operations of private information management of a public institution shall be punished by imprisonment for not more than ten years. (2) Any person who illegally leaks or issues private information without consent and for the purpose of use by others, violating what has been set forth in Article 11, shall be punished by imprisonment for not more than three years or a fine not exceeding ten million won.
Penalties for illegal access for personal information should be specified Penalties for illegal access for personal information should be specified 23
Focus Area 6 - Security of Public Data

Secure data while maximizing public access
Control policies owned, supported and practiced to address risks

Management, Operator and Technical control policies are the foundations for an information security risk management program. Policies are necessary to define risk management requirements that help make reasonable and appropriate risk management decisions. In US, State of Minnesota, Enterprise Security Control Policies In EU, Regulation (EC) No 45/2001 defines particular measures to prevent unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration
Utilize uniform standards of protection and encryption

Standards should govern data acquisition, storage and disposition, eg.,Data erasure Security solutions are required to offer strong protection against tampering and unauthorized access
Independent auditing required

Independent chains of command to guarantee adherence Private auditing firms to be given authority to conduct complete auditing practices Real-time auditing is emerging as the new global best practice
In UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies 24
In US, FISMA (Federal Information Security Management Act) establishes security guidelines that federal agencies must adhere to. Agencies are graded on results from FISMA compliance auditing
Sample Legislation

UNITED STATES: Federal Information Security Management Act (FISMA)
Section 3545 part (a) (1) agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. (2) evaluation under this section shall include (A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agencys information systems; (B) an assessment (made on the basis of the results of the testing) of compliance with (i) the requirements of this subchapter; and (ii) related information security policies, procedures, standards, and guidelines; and (C) separate presentations, as appropriate, regarding information security relating to national security systems. part (b)(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency ...
Authority to perform independent evaluation of security program and practices Evaluation to be performed by an independent external auditor
NORWAY: Personal Data Act (2000)

Section 13 Data security: The controller and the processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To achieve satisfactory data security, the controller and processor shall document the data system and the security measures. Such documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. Any controller who allows other persons to have access to personal data, e.g. a processor or other persons performing tasks in connection with the data system, shall ensure that the said persons fulfill the requirements set out in the first and second paragraphs.
The controller and the processor of personal data to ensure satisfactory data security measures being followed Controller and processor to document and share data system and security measures. Documentation to be made accessible to the Data Inspectorate and the Privacy Appeals Board.
25
Global Best Practices on Mobile Applications Legislation

1. Expanding legal definitions Include different types of electronic devices in definitions for existing and future legislation e.g. Mobile phones, laptops, smart-phones etc Classical definitions in existing legislation may miss new mobile devices
2. New types of information collected about people (location and personal preference) - Collection of information of an individual - GBP: No person may collect, use, or provide the location information of a person or mobile object without the consent of the person or the owner of the object (KR act on the protection, use, etc. of location information) - Exceptions when info is to be used for emergency rescue/relief purposes - GBP: A subject of personal location information may withdraw his/her consent for part of the scope of the collection of personal location information and the terms and conditions, when he/she has given consent under above point 3. Structure that allows applications of authorization or verification down to mobile devices for conducting any business - Processes to identify identity for individual authorization from mobile devices - Step-by-step procedure in place to conduct transactions securely using these mobile devices - Mobile e-Signature to satisfy legal requirements as a handwritten signature. - GBP: Directive 1999/93/EC of EU establishes legal framework for e-Signature and certification services. The main provision of the Directive states that an advanced electronic signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidence in legal proceedings.
26
Review of draft Kenyas Data Protection Act

Elements of the Draft Data Protection Act may aid in e-Government adoption efforts
Sections 6(a-b) require data security at rest and in transit
Responsibility assigned to Freedom of Information Act Commission
Sections 7(1)(a-b) guarantee personal access to personal data Section 9 requires that data be up-to-date, complete and accurate Section 22 protects against agency liability for data disclosed in good faith
Elements of the Draft Data Protection Act pose serious concerns to e-Government ad option efforts
Sections 3(1)(a)(ii)(b) requires all personal data be collected from individuals
May prevent lookup from existing data stores
Sections 11 prevents data collected for one purpose being used for another
May prevent creation of National Data Warehouses
Section 12 Prohibits sharing data with other agencies unless authorized

Directly inhibits data sharing Authorization schemes are not yet in place Unclear status of data collected prior to the existence of authorization schemes
Section 13 prevents unique IDs from being used across agencies

Prohibits the use of shared keys, inhibiting data sharing
No exemptions or processes are made for interagency government data sharing

Many countries adopt these caveats to the OECD Privacy Principles
27
Q&A
28
Implementation Strategy Summary

Obtaining new authority
Constitution
Long process Most rigid
Legislation
Regulation
Put in place immediately More easily discarded
Siloed versus cross-cutting

E-Gov Ministry C Ministry D Ministry A Ministry B Ministry E
Legislation
Regulation
Incremental versus Plenary implementation

Separate components Elements in various Acts Big Bang One e-Government Act
Solo versus Partnership in Public Service provision

Per department Public-Public Partnership Public-Private Partnership
29
Monday Morning Action Plan

The following steps should be implemented immediately
Obtain the mandate 1. Amend current authorities in the Kenya Communications Act to point to DeG 2. Include DeGs authorities in new legislation
Define & Designate 3. Include core data entity types, standard keys and categories in new legislation 4. Per data entity type, define the fields, format and sensitivity level 5. Designate systems to serve as central repositories for each data asset
Single source
Data availability 8. Include data stewardship and open government directives in new legislation 9. Create a pilot website where selected key public data sets are published
Partnerships
6. Make inventory of data and systems across ministries 7. Pilot data centralization efforts for a selected region and selected function
10. Allow by law for private organisations to participate in providing government services
30
Long term roadmap for further e-Government development

Revise ministry-specific Acts Make old Acts obsolete Implement new regulation across ministries Establish an e-Government Advisory Group
Establish IPRS as the central NDW Move Adoptions & Marriages registry Digitize information Establish a CoE for data stewardship Establish ACP for different data categories Define cross-cutting penalties Establish security guidelines
Collect data into central repositories with synchronization or update policies Establish electronic verification methods that link into the NDW
Build partnerships with private organisations in providing government services
Establish an independent party with authority to apply and enforce the defined penalties
Establish auditing practices
Establish security solutions Establish a risk management program Establish training procedures on security practices 31
Q&A
32
Thank You Asante Sana

Quotes by interviewees: The reality of eGovernment is not with us yet What is the point in having all these different licenses? IT has really helped in enforcement. There is no way to cook it We need a one-stop-shop for citizens
eGovernment office has insufficient authority and likely needs to be semi-autonomous
There are 254 forms of registration in Kenya. We managed to reduce to 185.
eGovernment should create the obligation for government departments to be under one umbrella
Most fraud is because other arms of government cannot check. Everything is a manual process.
This is the fifth day in a row that I am here waiting in the queue. Every day costs me 300 Ksh for transport. I have no more money for food.
The eGovernment Directorate should step up
Developing an enabling legal and regulatory framework for e-Government services in Kenya
APPENDIX SLIDES
IBMs Corporate Service Corps
Part of IBMs Corporate Social Responsibility Program Employee leadership development program Launched July, 2008 Global IBM initiative designed to provide government, small business, educational institutions, and nonprofit organizations in growth markets with pro bono consulting work to help improve local conditions and foster job creation +1000 IBM employees deployed from 50 countries on 100 teams to 18 countries since inception
Russia Romania Turkey Morocco Egypt Nigeria Ghana Kenya Tanzania Brazil S. Africa Sri Lanka India Philippines Vietnam Indonesia China
Malaysia
35
Introduction to the IBM team

Nimeesh Kaushal Staff Software Developer IBM Canada Anna Choi Information Agenda Architect IBM South Korea Luan Nio Senior Consultant IBM Switzerland Reporting and Query Stack Integration in Business Intelligence, Software Verification, Test management and execution, Facts and data gathering, Client problem resolution Industrial / Distribution/ Retail industry, Information Agenda business architect, Build information solution architecture for information quality, information governance, master data management, business analytics. Pharmaceutical and Life Science industry, Consulting, Project management, Data gathering and analysis, Workshop facilitation, Stakeholder management Information Management tools, Realtime Business Analytics Expertise: Data Integration, Government Industry Solutions
David Sloan Practice Manager IBM United States
36
Requirements and needs expressed by interviewees

New
(Service / System / Legislation) Create the obligation to be under one umbrella It should be possible to look at data for other purposes than for what it was captured for Better enforcement of laws that are cutting across ministries and departments. These laws should supersede the individual ministry laws. A one-stop-shop for citizens Online application A multipurpose card A National Identification / Verification System A National /Online Payment System Technology training to registration officers
Enhance
(Service / System / Legislation) Need eGovernment to step up and define the standards It should be possible to look at data for other purposes than for what it was Better ways to identify persons Less Forms, Less Acts Less late registrations for birth IPRS should contain all information and should be better accessible More computers for the registration officers Data should be marketable and sho uld be used to benefit each other, bu t in a directed manner
37
Current State

Findings
Limited Authority under Kenya Communications Act 2009 Section 83S(2) states The Minister [MOIC] may ... by regulations prescribe (a) the manner and format in which such electronic records shall be filed, created or used"
Conclusions
Current Authority
Authority for National Data Warehouses exists under KCA, but does not assign the authority to the eGovernment Directorate
National ID is commonly used across many systems, but is limited to registered Kenyan citizens over 18 years of age Integrated Population Registration Services (IPRS) Integrated Personal Potential Number (PIN) universal for all Shared Keys registered Kenyans and registered foreigners, but largely unknown outside of IPRS Draft key standard for land provided by Ministry of Lands adheres to international GIS standards
38
Lack of keys will inhibit interoperability without resource-intensive entity disambiguation exercises No consistent shared keys exist across systems Candidate keys are flawed either because they are not universal, not known or are still in progress
Current State

Findings
Kenya Communications Act of 2009 Section 83G and 83H both state such documents, records or information are (rendered/retained) in electronic form if (a) the information contained therein remains accessible so as to be usable for subsequent reference IPRS collects data from many systems Only represents digital data collected by Ministry of Immigration Goals to share with the Kenya Revenue Authority, Kenya National Bureau of Statistics, Interim Independent Electoral Commission of Kenya, National Social Security Fund and security forces State Law Office maintains a corporate registry All businesses must register with the State Law Office Data exchanges occur intermittently, in bulk and with infrequent updates
39
Conclusions
Greater authority than currently under KCA will be required to either assemble or compel participation in a National Data Warehouse (NDW)
Current Authority
Citizen Registry
IPRS represents best current NDW IPRS needs to collect from and share with all relevant entities to be a true NDW Methods of exchange must be broadened
Corporate Registry
Corporate registry may be an ideal NDW candidate Lack of universal and real-time coordination with other repositories leaves room for fraud and manipulation
Current State

Findings
Physical sources are distributed across ministries and districts and are redundantly archived No legislation to enforce single repositories and sharing of data Information Redundancy IPRS can be used to verify national ID and name, but is not used exclusively and silos No system catalog exists to identify information type, location or points of contact to verify redundancy
Conclusions
Finding correct information is timeconsuming Ministries operate inefficiently with duplicate information collected, often with the same purpose Resources are invested in multiple projects to build same information repository To prevent ministries from initiating redundant stores, legal enforcement is required Information cannot be searched exhaustively or verified definitively due to dispersion and paper format Lots of information unused because awaiting digitization Less opportunity to leverage core information across ministry Dependencies to individual officers rather than a defined process
Current lack of digitized information Requests for information between ministries are manual, often on paper Seamless Procurements for new systems are process, de-centralized, not under common digitized control information Information searching processes are manual and ad hoc to the individual doing the searching
40
Current State

Findings
Insufficient legislation in place that states who owns which data, who should act as data steward or how public data should be shared Shifting from Each department creates own Acts and processes to collect the data they data ownership to require. Opacity of what acts are in place and what processes should be data followed. stewardship No legal principles in place confirming public ownership or government stewardship of public data
Conclusions
Ownership is asserted in such a way that it inhibits collaboration and information sharing Time-consuming efforts to identify structures around data governance
Facilitating who captures the data keeps the data re-use of The public has no transparency about public sector where what data is stored or how to information access it
Generally, the ministry or department
Data is not being re-used in an optimal way. Its utility is not maximized.
41
Current State
Findings
No definition, distinction or classification of PII (Personally Definition of identifying information, e.g. National ID, name, birth date), Sensitive data private, (e.g. medical history), Public data (e.g. public data aggregate statistical data) In electronic systems, access controls are role-based (boundary) by user, but manual systems have only physical access controls Lack of consistent business conduct guidelines Access education is only given at hire Lack of any defined protocol for citizen access to personal data Existing relevant legislation, such as
Conclusions
Unclear categories yield coarsegrained data controls which can allow illegal access to the data Increased difficulty and inconsistent standards when applying legal policy for different classification levels of data Departments are reluctant to share data without legal protection for third party misuse of data Special provisions should be made for cases affecting national security Citizens unaware of rights to access their own data, and have no process by which to exercise those rights Unenforced penalties increase the risk of illegal access Poor application makes corruption in parallel processes more likely Inconsistent policies reduce the deterrent effect of penalties
Access Control to data
Penalties for KCA 2009 83U and 83V, is not widely illegal observed by agencies access to Identified violations are handled in an ad hoc fashion, with varying penalties data
42
Current State

Findings
There is no such uniform mechanism in Kenya to protect public data No legislation on protection of data Scope of KCA 83R(d) is too Authority to restrictive as it only points to require regulation of e-Signatures adherence to Each agency has its respective IT department implementing their own a common data security standards for securing public data Data sharing happens manually and standard ad hoc through the exchange of CDroms, paper copies etc No universal formal training procedure in place for staff on security practices
Conclusions
Different standards for securing public data with varied security levels risks compromised security at all times Manual sharing of public data through unofficial processes could lead to release of private data, violating the Kenyan Constitution
Auditing
No auditing practice exists currently Ad-hoc auditing takes place within the supervision chain of system owners
In absence of universal auditing, processes cannot adhere to proper standards and security violations might go unnoticed No checks in place could promote mis-use or mis-appropriation of highly sensitive data
43

Kenya 2 Subteam 2 CHUI Development of A Legal and Regulatory Framework For E-Government in Kenya

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Kenya 2 Subteam 2 CHUI Development of A Legal and Regulatory Framework For E-Government in Kenya

Uploaded by

Copyright:

Available Formats

Developing an enabling legal and regulatory framework for e-Government services in Kenya

Final Presentation - Nairobi, 17th March 2011

IBMs view on a Smarter Government

Getting Kenya to the next maturity level in eGovernment

Source: Booz Allen Hamilton, Beyond e-Government, 2005 5

Objectives and Scope of this assignment

Vision 2030 Constitution Relevant statutes (e.g. Kenya Communications Act)

Top 10 e-Government countries

National Data Warehouses

Preventing Redundant Systems

Public Ownership of Public Data

Security of public data

Authority to require adherence to a common data security standard, including audit

Interviews and Visits

Department of Immigration HQ Nyayo House Passport application process

National Registration Bureau Makadara Station National ID card application process

Focus Areas Summary of Findings

National Data Warehouses

Citizen and Corporate Registry

Preventing Redundant Systems

Information Redundancy and silos / Digitized Info.

Shifting from data ownership to data stewardship

Definition, Access control, Penalties

Adherence to a common data security standard incl. auditing

Global Best Practices and Key Principles

Focus Area 1 Standard Keys

Adopt shared formats

Designate an authority to update standards

Focus Area 1 Standard Keys

Global Best Practices and Key Principles

Focus Area 2 - National Data Warehouses

Designate central repositories for all critical data holdings

Authorize authentic sources as substitutes for paper documents

Incent participation through centralized verification services

Focus Area 2 - National Data Warehouses

Global Best Practices and Key Principles

Focus Area 3 - Preventing Redundant Systems

Share information across ministries and prohibit redundant digital data

Integrated registry of information systems

Organizational structure to plan, manage, and control data across government

Focus Area 3 - Preventing Redundant Systems

Global Best Practices and Key Principles

Focus Area 4 - Public Ownership of Public Data

Do not establish data owners, but assign data stewards

Focus Area 4 - Public Ownership of Public Data

Global Best Practices and Key Principles

Clear definition and classification of private and public data

Accessibility for authorized data

Exclusively defined penalties and enforcement role

Global Best Practices and Key Principles

Focus Area 6 - Security of Public Data

Control policies owned, supported and practiced to address risks

Utilize uniform standards of protection and encryption

Independent auditing required

Focus Area 6 - Security of Public Data

NORWAY: Personal Data Act (2000)

Global Best Practices on Mobile Applications Legislation

Review of draft Kenyas Data Protection Act

Section 12 Prohibits sharing data with other agencies unless authorized

Section 13 prevents unique IDs from being used across agencies

No exemptions or processes are made for interagency government data sharing

Implementation Strategy Summary