
Developing an enabling legal and regulatory framework for e-Government services in Kenya

Final Presentation - Nairobi, 17th March 2011


IBM Corporate Services Corps Team Kenya 2, Subteam Chui: Anna Choi (KR), Nimeesh Kaushal (CA), Luan Nio (CH), Dave Sloan (US)

Legal and regulatory framework for e-Government services in Kenya IBM CSC Team Kenya 2 Subteam Chui

Agenda
1. Project Overview and Approach
2. Current state of Kenya e-Government
3. Recommendations
   - Global best practices and Key Principles in e-Government legal frameworks
   - Sample legislation that highlights critical e-Government elements
   - Implementation action plan
4. Q&A



IBM's view on a Smarter Government

Source: IBM Institute for Business Value, The State of Smarter Government, 2010


Getting Kenya to the next maturity level in eGovernment

[Figure: e-Government maturity curve contrasting "Kenya Today" with "Kenya Tomorrow"]

Source: Booz Allen Hamilton, Beyond e-Government, 2005


Objectives and Scope of this assignment

WHAT
- Develop a legal and regulatory framework to support e-Government services:
  - Facilitate the adoption of e-Government services
  - Maximize their effectiveness
  - Ensure their sustainability

HOW
- Gap analysis on international best practices on data access frameworks
- Focus on elements of the identified National Data and Public Services challenges
- Review of the current state of the art
- Identify unique opportunities or constraints that exist in Kenya via interviews
- Distill inputs into key principles that can be enshrined in legal and regulatory policy
- Vision 2030, the Constitution and relevant statutes (e.g. Kenya Communications Act)

WHEN
- 2 months preparation in home countries (December to February)
- 1 month in-country, based in Nyeri, with meetings in Nyeri and Nairobi (February to March)
- Presentation and Final Deliverables on March 17th


Top 10 e-Government countries

[Table: top 10 countries ranked by e-Government Development Index; not preserved in this extraction]

The e-Government Development Index is the UN's ranking system, from 0 to 1, used to indicate the level of maturity of e-Government services. The above 4 countries are well represented in our team composition.
Source: United Nations eGovernment Survey 2010


Focus Areas
Based on our analysis, we have identified 6 major areas you need to focus on:

1. Standard Keys: Universal primary keys to uniquely identify people, companies, assets, etc. across all government data holdings
2. National Data Warehouses: Centralized, exhaustive systems for people, companies, assets, etc., available for universal reference and cross-cutting analytics
3. Preventing Redundant Systems: Require systems to refer to and coordinate with National Data Warehouses when they exist
4. Public Ownership of Public Data: Shifting from data ownership to data stewardship, facilitating re-use of public sector information
5. Definition of, access to and penalties for illegal access to private versus public data: Standard identification, permission and enforcement of protected data, and guaranteed citizen access to data
6. Security of public data: Authority to require adherence to a common data security standard, including audit


Interviews and Visits

Interviews
1. Dr. Katherine Getao, ICT Secretary, Director of eGovernment
2. Mary Muchene, District Commissioner, District of Nyeri
3. Jane Otoko, Head of ICT, Ministry of Immigration & Registration of Persons
4. Patrick Njoroge, Assistant Director ICT in State Law Office, Office of Attorney General
5. Zeba Nyikal
6. James Opundo and Nicholas Ongeri, Legal Officers, Ministry of Immigration & Registration of Persons
7. Javan Bonaya, Passport Registration Office, Nyayo House, Nairobi
8. Tony Onyango and Maxim Itur, National Registration Bureau, Makadara Station, Nairobi
9. Samuel Lukanu and Bente Were, Birth/Death Registration Office, Sheria House, Nairobi
10. Samuel N. Kimotho, District Civil Registrar, Birth/Death Registration Office, Nyeri
11. Michael A. Kana, District Administrative Police Commander, Nyeri
12. Vivian Ashioya, IBM Account Manager
13. Citizens

Visits
1. Ministry of Immigration and Registration of Persons
2. Department of Immigration, Passport Registration Office, Nyayo House, Nairobi
3. National Registration Bureau, Makadara Station, Nairobi
4. Civil Registration Department, Sheria House, Nairobi
5. Civil Registration Department, Nyeri District

Meetings
1. Stakeholders Workshop on e-Government Strategic Plan, Kenya Institute of Education, 9th March 2011


Current state: processes observed
- Department of Immigration HQ, Nyayo House: passport application process
- National Registration Bureau, Makadara Station: national ID card application process
- Civil Registration Department, Sheria House: birth certificate application process

Because of these time-consuming, redundant and manual processes, the need for a solid legal framework for e-Government is even more urgent.


Focus Areas: Summary of Findings

1. Standard Keys (Potential Shared Keys)
   Findings: The IPRS Integrated PIN is universal for all registered Kenyans and registered foreigners, but largely unknown outside of IPRS
   Conclusions: Lack of keys will inhibit interoperability without entity disambiguation exercises; no consistent shared keys exist across systems

2. National Data Warehouses (Citizen and Corporate Registry)
   Findings: IPRS collects data from many systems; data exchanges occur ad hoc, in bulk and with infrequent updates; no or immature NDW exist in Kenya, but potential candidates exist
   Conclusions: IPRS represents the best current NDW; lack of universal and real-time coordination with other repositories leaves room for fraud and manipulation

3. Preventing Redundant Systems (Information Redundancy and Silos / Digitized Information)
   Findings: Physical sources are distributed across ministries and districts and are redundantly archived; requests for information between ministries are manual, on paper
   Conclusions: Finding correct information is time-consuming; ministries operate inefficiently, with duplicate information collected, often for the same purpose

4. Public Ownership of Public Data (Shifting from data ownership to data stewardship)
   Findings: No legislation states who owns data, who acts as data steward or how public data should be shared; no culture of sharing public data
   Conclusions: Ownership is asserted in such a way that it inhibits collaboration and information sharing; time-consuming efforts are needed to identify structures around data governance

5. Definition of, access to and penalties for illegal access to private versus public data (Definition, Access control, Penalties)
   Findings: No definition, distinction or classification of PII, sensitive data and public data; identified violations are handled in an ad hoc fashion, with varying penalties
   Conclusions: Unclear categories yield coarse-grained data controls which can allow illegal access to the data; unenforced penalties increase the risk of illegal access

6. Security of public data (Adherence to a common data security standard, incl. auditing)
   Findings: No uniform mechanism or auditing in Kenya to protect public data; existing legislation (KCA 2009, 83U and 83V) is not observed by agencies
   Conclusions: Differing or absent standards for securing public data risk compromised security at all times; security violations go undiscovered


Global Best Practices and Key Principles
Focus Area 1: Standard Keys

Require adherence to standard data formats

Adopt shared formats
- An electronic Government Interoperability Framework (eGIF) or Data Reference Model (DRM) designates shared keys and standard models for core entity types
- Many existing open standards can be adopted or customized
- Advanced systems will allow for cancelable identifiers to minimize the impact of compromise
- Examples: In NL, Citizen Service Numbers (CSN) and Chamber of Commerce Numbers (CCN) are used for data exchange and searches in the Key Register of Persons (MPRD) or Key Commercial Register. In KR, a central authority can issue, cancel and re-issue surrogate keys to identify individuals.

Mandate compatibility
- All existing systems are required to be interoperable with data standards within a designated timeframe
- All newly procured systems are required to comply with data standards

Designate an authority to update standards
- While core standard fields rarely change, identifying a role for updating standards ensures expansion to unforeseen fields of value and controls for technological change

Examples
- In UK, the e-GIF set the standard for many other countries, as adoption is mandatory for all public information systems
- In US, the Director of the Office of Management and Budget is empowered to enforce standards for all government systems
- In EU, Interoperability Solutions for European Public Administrations (ISA) created the European Interoperability Framework (EIF) to unify multiple governments; it is maintained by an identified committee drawn from many member countries


Sample Legislation
Focus Area 1: Standard Keys

UNITED STATES: Public Law 107/347, e-Government Act of 2002
Section 207 (d) (1) the [Interagency Committee on Government Information] shall submit recommendations to the Director on (A) the adoption of standards, which are open to the maximum extent feasible, to enable the organization and categorization of Government information (i) in a way that is searchable electronically, including by searchable identifiers; and (ii) in ways that are interoperable across agencies (2) the [Director of the Office of Management and Budget] shall issue policies (A) requiring that agencies use standards, which are open to the maximum extent feasible, to enable the organization and categorization of Government information

Key points:
- Authority to develop open data standards is delegated to a central authority
- The data standards themselves are drawn up by a qualified committee and passed as regulations
- Separately, the enforcement of those standards is a legal responsibility of a named party

SOUTH KOREA: Act on Promotion of Information and Communication Network Utilization and Information Protection
Article 12 Construction of a System for the Joint Utilization of Information (1) The Government may advance the interoperability, standardization, and joint utilization of information and communications networks to efficiently utilize the information and communications networks. (3) Presidential Decree shall stipulate requisite matters regarding promotion and support
Article 13 Projects for Promoting Utilization of Information and Communications Networks (1) Under conditions stipulated by Presidential Decree, the Minister of Information and Communication may create and enact projects designed to facilitate the efficient use and distribution of technologies, equipment, and applied services in order to facilitate information use in the public and private sectors, culture, and society as a whole, and end the information gap.

Key points:
- Empowers the government authority to craft an interoperability framework or fund a body to do so
- Allows the government authority to promulgate regulations requiring the adoption of the interoperability framework
- Encourages the government to condition financial support on the adoption of the interoperability framework
- Justifies all of these activities as necessary to close the information gap


Global Best Practices and Key Principles
Focus Area 2: National Data Warehouses

Compel concentration or coordination of National Data Assets

Designate central repositories for all critical data holdings
- Each type of data asset (individuals, property, businesses, etc.) requires a designated repository
- Repositories may be located together with collector agencies or independent authorities
- Optimal citizen protection will encrypt identifiers prior to use to minimize the impact of compromise
- Examples: In UK, the same Act that protects personal data authorizes the development of data sharing practices in citizens' interests. In KR, cancelable identifiers are administered through a common verification authority.

Authorize authentic sources as substitutes for paper documents

Empower citizens with legal rights to leverage data held in NDW

Incent participation through centralized verification services
- Varied methods should be provided to allow remote systems to verify the relevant details of data held in the NDW
- Suspension of funding or other penalties may be levied on systems which do not rely upon, or minimally coordinate with, the NDW
- Harmonize with data privacy statutes to prevent conflict
- Example: In ES, the Identity and Residence Verification Systems (IRDVS) provides electronic verification of all identity documents, eliminating the need for paper

Examples
- In BE, citizens can refuse requests for data details already held in authentic source systems such as the National Register (for individuals) and the Crossroads Bank for Enterprises
- In DK, the Det Centrale Personregister has been the central source for citizen data since 1968


Sample Legislation
Focus Area 2: National Data Warehouses

SPAIN: PRE/3949/2006, Verification System of Identity Data (Sistema de Verificacion de Datos de Identidad)
Second: sets the date of operation of the Identity Data Verification System from which it cannot be required by the Central Government or the agencies that link or are dependent on the provision of copies of the Document National Identity Card or the documents proving the identity of foreigners resident in Spain or equivalent card
First Annex: Identity Data Verification System is made available to the departments and agencies of the State Administration by the Ministry of Public Administration as a horizontal service for consultation and verification of data from the Citizen Identification Documents in custody of General Directorate of Police and Civil Guard
Third Annex, Part 1: Access to Data System Identity Verification will be established for any public body

Key points:
- Authority to consolidate identity data is assigned to a central authority
- The regulation defines the data sources which are compelled to participate by force of law
- Minimum standards are set as to the security, availability, access methods and confidentiality of the centralized data
- Requires the acceptance of records in the central data repository in lieu of photocopied documents

UNITED KINGDOM: Data Protection Act 1998
52A Data-sharing code (1) The Commissioner must prepare a code of practice which contains (a) practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and (b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data. (2) For this purpose good practice means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.

Key points:
- The Data Protection Act is largely concerned with limiting the government's ability to store, access or share citizens' personal data
- Within the Act, exceptions regarding data sharing in the citizens' interest are made
- A designated body is given the authority to create data sharing codes (regulations), which must be submitted to Parliament for approval
- Once these regulations are in place, agencies are compelled to share their data accordingly


Global Best Practices and Key Principles
Focus Area 3: Preventing Redundant Systems

Eliminate duplicate collection and storage

Share information across ministries and prohibit redundant digital data
- All government agencies must vet their information needs against existing government holdings before they can collect or retain information
- Information cannot be collected independently if it exists accessibly in any other agency

Integrated registry of information systems
- Ministries must register the type and extent of information they collect and provide points of contact for those collections
- Ministries which cannot share data directly must provide methods by which the information can be integrated with other ministries
- Example: In a KR e-Government case, the integration of information resources saved USD 100 million in equipment replacement costs between 2009 and 2010. An additional USD 400 million is expected to be saved by 2014.

Organizational structure to plan, manage, and control data across government
- A role for a central decision-making body must be designated to promote the sharing strategy, enforce policies through approval and budgets, and resolve conflicts
- The organizational structure should be placed in the eGovernment directorate in order to sit across ministries and agencies
- Examples: In UK, MOI (Ministry of Information) is the organization for the information subject area. In US, OIRA (Office of Information and Regulatory Affairs). In KR, MOPAS (Ministry of Public Administration and Security).

Example: In KR, e-Government Law No. 10303, Chapter 4 details the sharing of administrative information; Article 36 governs the administration, efficient management and use of information


Sample Legislation
Focus Area 3: Preventing Redundant Systems

SOUTH KOREA: ELECTRONIC GOVERNMENT ACT
Article 36 (Administration of the efficient management and use of information) A minister or principal of any ministries should provide administrative information which the ministry collect and retain inside to other ministry who require that information. If they can receive and access trusted data from any other ministry, they should not collect duplicated data independently. A minister or principal of any ministries which collect and retain administrative information can permit to share the information between other ministries and any banks which have a permission of bank business according to Act on Bank, private corporate organizations or agencies which are granted by Presidential Dec Policies. The Minister of the Ministry of Public Administration and Security should develop the list of administrative information which is hold by any ministry by investigation and distribute it across government ministries and investigate requirement for new administrative information.
Article 37 (sharing of administrative information centers) For the sake of effective sharing of administrative information, The Minister of the Ministry of Public Administration and Security can deploy administrative information center as a center of information sharing across ministries as a subsidiary of his ministry and promote to utilize the center from each ministry in accordance with Presidential Dec Policies

Key points:
- All government agencies must vet their information needs against existing government holdings before they can collect or retain information
- Information cannot be collected independently if it exists accessibly in any other agency
- A role for a central decision-making body must be designated to promote the sharing strategy, enforcing policies through approval and budgets and resolving conflicts


Global Best Practices and Key Principles
Focus Area 4: Public Ownership of Public Data

Public data is owned by the people

Data is available to the widest range of users for the widest range of purposes
- Data should be usable for purposes it was not originally captured for
- Involve citizens to make sense of data
- Encourage transparency, participation and collaboration

Make exposed data the default and protected data the exception
- By default, data captured by government bodies should be made available to the public
- Release key datasets (data.go.ke?)
- Only sensitive or private data should be protected

Do not establish data owners, but assign data stewards
- Data does not belong to the person or agency that captured the data
- A Center of Excellence in data stewardship directs other agencies in governing, collecting, managing, storing and distributing data
- Examples: In UK, the Public Data Corporation. In NZ, Government departments are stewards of Government-held information, and it is their responsibility to implement good information management.

Examples
- In US, the Open Government Directive. In UK, an interactive portal where citizens are asked to come up with innovative ideas and mobile applications showing how they could use public data
- In UK, a Transparency Board to make transparency a core part of all government business. In KR, an Act mandates that information held and managed by public institutions shall be disclosed


Sample Legislation
Focus Area 4: Public Ownership of Public Data

UNITED STATES: Open Government Directive
(...) this memorandum is intended to direct executive departments and agencies to take specific actions to implement the principles of transparency, participation, and collaboration set forth in the President's Memorandum. (...) The three principles of transparency, participation, and collaboration form the cornerstone of an open government. (...) This Open Government Directive establishes deadlines for action. But because of the presumption of openness that the President has endorsed, agencies are encouraged to advance their open government initiatives well ahead of those deadlines.

Key points:
- Requests that executive departments and agencies take steps toward the goal of creating a more open government
- Provides clear actions and deadlines for implementation
- Key principles are transparency, participation and collaboration

SOUTH KOREA: Information Disclosure Act for Public Agencies
Every people holds the right to request information disclosure. (...) Public institutions shall create an information management system by which information can be properly kept and speedily searched, open an office and secure staff in charge of information disclosure and work to build an information disclosure system, etc. by making full use of the information and communications network. (...)

Key points:
- Secures the people's participation in state affairs and the transparency of the operation of state affairs
- Prescribes necessary matters concerning the people's claims for the disclosure of information and the obligations of public institutions to disclose the information in their possession
- Prescribes that public institutions shall make and keep a list of the information that they hold and manage, in a manner that the people can readily understand


Global Best Practices and Key Principles
Focus Area 5: Definition of, access to and penalties for illegal access to private versus public data

Categorize data appropriately to maximize proper protection and access

Clear definition and classification of private and public data
- The authority to define private and public data should be clearly stated in legislation
- All definitions and classifications should be unified across ministries, preferably tied to a data standard
- Examples: In US, the FEA DRM (Data Reference Model) categorizes government information at a detailed level with privacy designation. In UK, the e-GIF (e-Government Interoperability Framework) sets out the government's technical policies and standard data categories.

Accessibility for authorized data
- Access to citizen information held by public institutions should be governed uniformly by data category
- Authority to determine appropriate access (e.g. national security, statistical) should be declared in the Act
- Individuals should be guaranteed access to data about them
- Examples: In FI, Personal Data Act, section 26, Right of Access. In Canada, Privacy Act, Access to Personal Information, Right of Access. In US, under FOIA, an individual has access to the information the government holds.

Exclusively defined penalties and enforcement role
- Penalties for illegal access should be specified once and applied broadly
- An independent enforcement role with authority to carry out penalties must be defined
- Examples: In FI, Personal Data Act, chapter 38, section 9. In KR, Act on the Protection of Personal Information, Chapter 5.


Sample Legislation
Focus Area 5: Definition of, access to and penalties for illegal access to private versus public data

FINLAND: Personal Data Act
Section 26, Right of Access (1) Regardless of secrecy provisions, everyone shall have the right of access, after having supplied sufficient search criteria, to the data on him/her in a personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the regular sources of data in the file, on the uses for the data in the file and the regular destinations of disclosed data.

Key points:
- Authority to determine appropriate access (e.g. national security, statistical) should be declared in the Act
- Individuals should be guaranteed access to data about them

CANADA: Privacy Act, Access to Personal Information
Right of access 12. (1) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to (a) any personal information about the individual contained in a personal information bank; and (b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.

Key point:
- Individuals should be guaranteed access to data about them

SOUTH KOREA: Act on the Protection of Personal Information, Chapter 5
Article 23 (Penal Provisions) (1) Any person who changes or alters private information for the purpose of disrupting the operations of private information management of a public institution shall be punished by imprisonment for not more than ten years. (2) Any person who illegally leaks or issues private information without consent and for the purpose of use by others, violating what has been set forth in Article 11, shall be punished by imprisonment for not more than three years or a fine not exceeding ten million won.

Key point:
- Penalties for illegal access to personal information should be specified

Legal and regulatory framework for e-Government services in Kenya IBM CSC Team Kenya 2 Subteam Chui

Global Best Practices and Key Principles

Focus Area 6 - Security of Public Data

Secure data while maximizing public access

Control policies owned, supported and practiced to address risks
- Management, Operational and Technical control policies are the foundations for an information security risk management program. Policies are necessary to define the risk management requirements that allow reasonable and appropriate risk management decisions.
- In the US, the State of Minnesota has Enterprise Security Control Policies
- In the EU, Regulation (EC) No 45/2001 defines particular measures to prevent unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration

Utilize uniform standards of protection and encryption
- Standards should govern data acquisition, storage and disposition, e.g. data erasure
- Security solutions are required to offer strong protection against tampering and unauthorized access
- In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies

Independent auditing required
- Independent chains of command to guarantee adherence
- Private auditing firms to be given authority to conduct complete auditing practices
- Real-time auditing is emerging as the new global best practice
- In the US, FISMA (Federal Information Security Management Act) establishes security guidelines that federal agencies must adhere to. Agencies are graded on the results of FISMA compliance auditing


Sample Legislation

Focus Area 6 - Security of Public Data

UNITED STATES: Federal Information Security Management Act (FISMA)
Section 3545 part (a) (1) agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. (2) evaluation under this section shall include (A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems; (B) an assessment (made on the basis of the results of the testing) of compliance with (i) the requirements of this subchapter; and (ii) related information security policies, procedures, standards, and guidelines; and (C) separate presentations, as appropriate, regarding information security relating to national security systems. part (b)(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency ...

Key elements:
- Authority to perform an independent evaluation of the security program and practices
- Evaluation to be performed by an independent external auditor

NORWAY: Personal Data Act (2000)
Section 13 Data security: The controller and the processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To achieve satisfactory data security, the controller and processor shall document the data system and the security measures. Such documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. Any controller who allows other persons to have access to personal data, e.g. a processor or other persons performing tasks in connection with the data system, shall ensure that the said persons fulfill the requirements set out in the first and second paragraphs.

Key elements:
- The controller and the processor of personal data are to ensure that satisfactory data security measures are followed
- Controller and processor are to document and share the data system and security measures
- Documentation is to be made accessible to the Data Inspectorate and the Privacy Appeals Board


Global Best Practices on Mobile Applications Legislation

1. Expanding legal definitions
- Include different types of electronic devices in the definitions of existing and future legislation, e.g. mobile phones, laptops, smart-phones etc.
- Classical definitions in existing legislation may miss new mobile devices

2. New types of information collected about people (location and personal preference)
- Collection of information about an individual
- GBP (global best practice): No person may collect, use, or provide the location information of a person or mobile object without the consent of the person or the owner of the object (KR Act on the Protection, Use, etc. of Location Information)
- Exceptions when the information is to be used for emergency rescue/relief purposes
- GBP: A subject of personal location information may withdraw his/her consent for part of the scope of the collection of personal location information and the terms and conditions, when he/she has given consent under the point above

3. Structure that allows applications of authorization or verification down to mobile devices for conducting any business
- Processes to verify identity for individual authorization from mobile devices
- Step-by-step procedure in place to conduct transactions securely using these mobile devices
- Mobile e-Signature to satisfy the same legal requirements as a handwritten signature
- GBP: Directive 1999/93/EC of the EU establishes a legal framework for e-Signatures and certification services. The main provision of the Directive states that an advanced electronic signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidence in legal proceedings.


Review of draft Kenya's Data Protection Act

Elements of the Draft Data Protection Act may aid in e-Government adoption efforts
- Sections 6(a-b) require data security at rest and in transit
  - Responsibility assigned to the Freedom of Information Act Commission
- Sections 7(1)(a-b) guarantee personal access to personal data
- Section 9 requires that data be up-to-date, complete and accurate
- Section 22 protects against agency liability for data disclosed in good faith

Elements of the Draft Data Protection Act pose serious concerns to e-Government adoption efforts
- Section 3(1)(a)(ii)(b) requires that all personal data be collected from individuals
  - May prevent lookup from existing data stores
- Section 11 prevents data collected for one purpose being used for another
  - May prevent creation of National Data Warehouses
- Section 12 prohibits sharing data with other agencies unless authorized
  - Directly inhibits data sharing
  - Authorization schemes are not yet in place
  - Unclear status of data collected prior to the existence of authorization schemes
- Section 13 prevents unique IDs from being used across agencies
  - Prohibits the use of shared keys, inhibiting data sharing
- No exemptions or processes are made for interagency government data sharing
  - Many countries adopt these caveats to the OECD Privacy Principles




Implementation Strategy Summary

Obtaining new authority
- Constitution: long process, most rigid
- Legislation
- Regulation: put in place immediately, more easily discarded

Siloed versus cross-cutting
(Figure: legislation and regulation applied separately per ministry (Ministry A to Ministry E) versus cross-cutting through the E-Gov Ministry)

Incremental versus Plenary implementation
- Separate components: elements in various Acts
- Big Bang: one e-Government Act

Solo versus Partnership in Public Service provision
- Per department
- Public-Public Partnership
- Public-Private Partnership


Monday Morning Action Plan

The following steps should be implemented immediately

Obtain the mandate
1. Amend current authorities in the Kenya Communications Act to point to DeG
2. Include DeG's authorities in new legislation

Define & Designate
3. Include core data entity types, standard keys and categories in new legislation
4. Per data entity type, define the fields, format and sensitivity level
5. Designate systems to serve as central repositories for each data asset

Single source
6. Make an inventory of data and systems across ministries
7. Pilot data centralization efforts for a selected region and selected function

Data availability
8. Include data stewardship and open government directives in new legislation
9. Create a pilot website where selected key public data sets are published

Partnerships
10. Allow by law for private organisations to participate in providing government services


Long term roadmap for further e-Government development

- Revise ministry-specific Acts
- Make old Acts obsolete
- Implement new regulation across ministries
- Establish an e-Government Advisory Group
- Establish IPRS as the central NDW
- Move Adoptions & Marriages registry
- Digitize information
- Establish a CoE for data stewardship
- Establish ACP for different data categories
- Define cross-cutting penalties
- Establish security guidelines
- Collect data into central repositories with synchronization or update policies
- Establish electronic verification methods that link into the NDW
- Build partnerships with private organisations in providing government services
- Establish an independent party with authority to apply and enforce the defined penalties
- Establish auditing practices
- Establish security solutions
- Establish a risk management program
- Establish training procedures on security practices



Thank You / Asante Sana

Quotes by interviewees:
- "The reality of eGovernment is not with us yet"
- "What is the point in having all these different licenses?"
- "IT has really helped in enforcement. There is no way to cook it"
- "We need a one-stop-shop for citizens"
- "eGovernment office has insufficient authority and likely needs to be semi-autonomous"
- "There are 254 forms of registration in Kenya. We managed to reduce to 185."
- "eGovernment should create the obligation for government departments to be under one umbrella"
- "Most fraud is because other arms of government cannot check. Everything is a manual process."
- "This is the fifth day in a row that I am here waiting in the queue. Every day costs me 300 Ksh for transport. I have no more money for food."
- "The eGovernment Directorate should step up"

Developing an enabling legal and regulatory framework for e-Government services in Kenya
APPENDIX SLIDES


IBM's Corporate Service Corps

- Part of IBM's Corporate Social Responsibility Program
- Employee leadership development program
- Launched July 2008
- Global IBM initiative designed to provide government, small business, educational institutions, and nonprofit organizations in growth markets with pro bono consulting work to help improve local conditions and foster job creation
- Over 1000 IBM employees deployed from 50 countries on 100 teams to 18 countries since inception

(Map: countries with deployments: Russia, Romania, Turkey, Morocco, Egypt, Nigeria, Ghana, Kenya, Tanzania, Brazil, S. Africa, Sri Lanka, India, Philippines, Vietnam, Indonesia, China, Malaysia)


Introduction to the IBM team

- Nimeesh Kaushal, Staff Software Developer, IBM Canada: Reporting and Query Stack Integration in Business Intelligence, Software Verification, Test management and execution, Facts and data gathering, Client problem resolution
- Anna Choi, Information Agenda Architect, IBM South Korea: Industrial / Distribution / Retail industry, Information Agenda business architect, Build information solution architecture for information quality, information governance, master data management, business analytics
- Luan Nio, Senior Consultant, IBM Switzerland: Pharmaceutical and Life Science industry, Consulting, Project management, Data gathering and analysis, Workshop facilitation, Stakeholder management
- David Sloan, Practice Manager, IBM United States: Information Management tools, Realtime Business Analytics. Expertise: Data Integration, Government Industry Solutions


Requirements and needs expressed by interviewees

New (Service / System / Legislation)
- Create the obligation to be under one umbrella
- It should be possible to look at data for other purposes than for what it was captured for
- Better enforcement of laws that cut across ministries and departments. These laws should supersede the individual ministry laws.
- A one-stop-shop for citizens
- Online application
- A multipurpose card
- A National Identification / Verification System
- A National / Online Payment System
- Technology training for registration officers

Enhance (Service / System / Legislation)
- Need eGovernment to step up and define the standards
- It should be possible to look at data for other purposes than for what it was captured for
- Better ways to identify persons
- Fewer forms, fewer Acts
- Fewer late registrations for births
- IPRS should contain all information and should be better accessible
- More computers for the registration officers
- Data should be marketable and should be used to benefit each other, but in a directed manner


Current State

Focus Area 1 - Standard Keys

Current Authority
Findings:
- Limited authority under the Kenya Communications Act 2009: Section 83S(2) states "The Minister [MOIC] may ... by regulations prescribe (a) the manner and format in which such electronic records shall be filed, created or used"
Conclusions:
- Authority for National Data Warehouses exists under KCA, but does not assign the authority to the eGovernment Directorate

Shared Keys
Findings:
- National ID is commonly used across many systems, but is limited to registered Kenyan citizens over 18 years of age
- Integrated Population Registration Services (IPRS) Integrated Personal Potential Number (PIN) is universal for all registered Kenyans and registered foreigners, but largely unknown outside of IPRS
- Draft key standard for land provided by the Ministry of Lands adheres to international GIS standards
Conclusions:
- No consistent shared keys exist across systems
- Candidate keys are flawed either because they are not universal, not known or still in progress
- Lack of keys will inhibit interoperability without resource-intensive entity disambiguation exercises


Current State

Focus Area 2 - National Data Warehouses

Current Authority
Findings:
- Kenya Communications Act of 2009 Sections 83G and 83H both state that such documents, records or information are (rendered/retained) in electronic form if "(a) the information contained therein remains accessible so as to be usable for subsequent reference"
Conclusions:
- Greater authority than currently under KCA will be required to either assemble or compel participation in a National Data Warehouse (NDW)

Citizen Registry
Findings:
- IPRS collects data from many systems
- Only represents digital data collected by the Ministry of Immigration
- Goals to share with the Kenya Revenue Authority, Kenya National Bureau of Statistics, Interim Independent Electoral Commission of Kenya, National Social Security Fund and security forces
Conclusions:
- IPRS represents the best current NDW
- IPRS needs to collect from and share with all relevant entities to be a true NDW
- Methods of exchange must be broadened

Corporate Registry
Findings:
- State Law Office maintains a corporate registry
- All businesses must register with the State Law Office
- Data exchanges occur intermittently, in bulk and with infrequent updates
Conclusions:
- Corporate registry may be an ideal NDW candidate
- Lack of universal and real-time coordination with other repositories leaves room for fraud and manipulation

Current State

Focus Area 3 - Preventing Redundant Systems

Information Redundancy
Findings:
- Physical sources are distributed across ministries and districts and are redundantly archived
- No legislation to enforce single repositories and sharing of data
- IPRS can be used to verify national ID and name, but is not used exclusively; silos remain
- No system catalog exists to identify information type, location or points of contact to verify redundancy
Conclusions:
- Finding correct information is time-consuming
- Ministries operate inefficiently with duplicate information collected, often for the same purpose
- Resources are invested in multiple projects to build the same information repository
- To prevent ministries from initiating redundant stores, legal enforcement is required

Current lack of digitized information
Findings:
- Requests for information between ministries are manual, often on paper
Conclusions:
- Information cannot be searched exhaustively or verified definitively due to dispersion and paper format
- Lots of information is unused because it is awaiting digitization

Seamless process, digitized information
Findings:
- Procurements for new systems are de-centralized, not under common control
- Information searching processes are manual and ad hoc, dependent on the individual doing the searching
Conclusions:
- Less opportunity to leverage core information across ministries
- Dependencies on individual officers rather than a defined process


Current State

Focus Area 4 - Public Ownership of Public Data

Shifting from data ownership to data stewardship
Findings:
- Insufficient legislation in place that states who owns which data, who should act as data steward or how public data should be shared
- Each department creates its own Acts and processes to collect the data it requires. Opacity of what Acts are in place and what processes should be followed.
- No legal principles in place confirming public ownership or government stewardship of public data
Conclusions:
- Ownership is asserted in such a way that it inhibits collaboration and information sharing
- Time-consuming efforts to identify structures around data governance

Facilitating re-use of public sector information
Findings:
- Generally, the ministry or department that captures the data keeps the data
- The public has no transparency about where what data is stored or how to access it
Conclusions:
- Data is not being re-used in an optimal way. Its utility is not maximized.


Current State

Focus Area 5 - Definition of, access to and penalties for illegal access to private versus public data

Definition of private and public data
Findings:
- No definition, distinction or classification of PII (personally identifying information, e.g. National ID, name, birth date), sensitive data (e.g. medical history) and public data (e.g. aggregate statistical data)
Conclusions:
- Unclear categories yield coarse-grained data controls which can allow illegal access to the data
- Increased difficulty and inconsistent standards when applying legal policy for different classification levels of data
- Departments are reluctant to share data without legal protection against third-party misuse of data
- Special provisions should be made for cases affecting national security

Access Control to data
Findings:
- In electronic systems, access controls are role-based (boundary) by user, but manual systems have only physical access controls
- Lack of consistent business conduct guidelines
- Access education is only given at hire
- Lack of any defined protocol for citizen access to personal data
Conclusions:
- Citizens are unaware of their rights to access their own data, and have no process by which to exercise those rights

Penalties for illegal access to data
Findings:
- Existing relevant legislation, such as KCA 2009 83U and 83V, is not widely observed by agencies
- Identified violations are handled in an ad hoc fashion, with varying penalties
Conclusions:
- Unenforced penalties increase the risk of illegal access
- Poor application makes corruption in parallel processes more likely
- Inconsistent policies reduce the deterrent effect of penalties


Current State

Focus Area 6 - Security of Public Data

Authority to require adherence to a common standard
Findings:
- There is no uniform mechanism in Kenya to protect public data
- No legislation on protection of data
- Scope of KCA 83R(d) is too restrictive, as it only points to regulation of e-Signatures
- Each agency has its own IT department implementing its own data security standards for securing public data
- Data sharing happens manually and ad hoc through the exchange of CD-ROMs, paper copies etc.
- No universal formal training procedure in place for staff on security practices
Conclusions:
- Different standards for securing public data with varied security levels risk compromised security at all times
- Manual sharing of public data through unofficial processes could lead to release of private data, violating the Kenyan Constitution

Auditing
Findings:
- No auditing practice exists currently
- Ad-hoc auditing takes place within the supervision chain of system owners
Conclusions:
- In the absence of universal auditing, processes cannot adhere to proper standards and security violations might go unnoticed
- The absence of checks could promote mis-use or mis-appropriation of highly sensitive data