Safety, security, accuracy, reliability and confidentiality of personal information remain at the top of the priority list of African countries working on improving their data governance frameworks.
This statement was originally published on cipesa.org on 19 August 2024.
Data governance policies and practices in many African countries have continued to attract attention due to their inadequacy in ensuring the protection and respect for the rights of individual data subjects. Key concerns have been raised regarding the data management practices, particularly related to biometrics, that have undermined the safety, confidentiality, accuracy, accessibility, and reliability of personal data, which are critical principles in data governance.
Several studies have documented cases of misuse of digitalised personal data, including data breaches, surveillance, misuse of personal information, unwarranted intrusion, and financial harm. Despite these misgivings, digitisation of data has been recognised within the African Union’s Digital Transformation Strategy for Africa (2020-2030) as critical in promoting and building confidence for the continent’s digital economy. For many governments, the desire to transform service delivery and enhance public participation has been a key driver for the adoption of biometric data collection and digital identities for purposes of issuing National Identity cards and updating of biometric voter registration and identification programmes.
In this blog, we highlight the critical areas in which advances in digital technologies can enhance data governance practices in Africa.
Understanding Data Governance
Data governance refers to the holistic approach to data management that entails the development and implementation of relevant norms, procedures, and standards to ensure that data is secure, accurate, reliable and consistently available, particularly spelling out clear standards and protocols that govern data collection, storage, and management, resulting in accurate, consistent, and up-to-date data. There is a growing concern that without a robust data governance framework, the continent risks missing out on maximising the benefits from its own datasets as they would be prone to abuse and misuse by poorly regulated data collectors and controllers.
Demand for a Robust Data Governance Framework
In Africa, the demand for a robust data governance framework has gained traction as a response to several countries moving away from paper-based to more digitised data management practices, raising concerns about the rights of data subjects, particularly the safety and confidentiality of user data.
While progress has been registered normatively – with the adoption of regional instruments such as the African Union Convention on Cyber Security and Personal Data Protection and the AU Data Policy Framework, both of which provide frameworks for rights’ respecting data protection practices, and with several countries adopting relevant privacy and data protection laws – full implementation remains a challenge.
In addition, the African Union’s Digital Transformation Strategy for Africa (2020-2030) calls upon states to “promote open data policies that can ensure the mandate and sustainability of data exchange platforms or initiatives to enable new local business models, while ensuring data protection and cyber resilience to protect citizens from misuse of data and businesses from cybercrime.”
Unfortunately, several laws contain problematic and vague provisions that provide for sharing of sensitive information and data localisation that are prone to abuse and misinterpretation. For example, provisions such as section 18 of Algeria’s Law No. 18-07 of 2018 on the protection of personal data, sections 44-47 of Kenya’s Data Protection Act 2019, and section 9 of Uganda’s Data Protection and Privacy Act, 2019, provide for circumstances under which sensitive personal information can be accessed, such as safeguarding national security, public interest, enforcement of the law, and conduct of criminal investigations. In addition, in many countries, biometric data collection programmes were initiated before the enactment of relevant data protection laws.
Leveraging Digital Technologies
While for the most part digital technologies have been used by various states to undermine the legitimacy and enjoyment of digital rights through surveillance and interception of communication, internet shutdowns, and data breaches, there is a growing belief that these technologies can be instrumental in building a robust data governance framework if applied correctly.
Ease of Authentication
Recent technological advancements including the multi-factor authentications (MFA) that enable secure access to services on the go are critical in facilitating seamless data collection, processing, verification and enhancing the authenticity and reliability of data compared to paper-based identifiers. Data subjects can easily request access to and verify their digitised data in the possession of data controllers. As technology becomes more accessible and affordable, governments and private entities can leverage biometrics and biometric technologies for functional and foundational identity purposes, and for an expanding array of applications.
Improving Data Storage and Confidentiality
Data storage is a key pillar within the data governance framework as it easily allows data subjects to exercise their individual rights to request and obtain their personal data in the hands of data controllers in a structured, commonly used, and machine-readable format, as well as request that their data be transferred directly to another organisation. With advances in technology, data controllers can easily encrypt, de-identify and destroy personal data in their possession. Technologies such as the Identity Management Systems (IDMS) facilitate interoperability, allowing seamless integration between different data management systems used by data controllers. In addition, new technologies such as blockchain facilitate the secure storage of datasets in blocks that are connected through cryptography.
Ease of Data Rectification
One of the fundamental rights of data subjects is the right to request data controllers to correct any inaccurate and incomplete data the data controller may have collected. Under Principles 5 and 16 of the European Union’s General Data Protection Regulation (GDPR), data controllers are required to keep personal data accurate and up-to-date, and to take “every reasonable step” to ensure that inaccurate personal data is erased or rectified.
In many countries, data controllers have been accused of collecting and processing inaccurate and incomplete personal data due to the analogue way data is collected. The adoption of digital technologies and use of biometric data identifiers such as fingerprint, facial, or iris recognition become critical forms of authentication in issuing different forms of identities as well as easing on the verification and rectification processes by both data subjects and controllers.
As Africa strives to improve its data governance framework, it is important that we leverage on the new and emerging technologies such as biometric data collection, blockchain, and identify management systems to enhance the safety, security, accuracy, reliability and confidentiality of personal data.