Kenya 2 Subteam 2 CHUI Development of a Legal and Regulatory Framework for e-Government in Kenya

8/6/2019 Kenya 2 Subteam 2 CHUI Development of a Legal and Regulatory Framework for e-Government in Kenya

http://slidepdf.com/reader/full/kenya-2-subteam-2-chui-development-of-a-legal-and-regulatory-framework-for 1/43

Developing an enabling legal and regulatory frameworkfor e-Government services in Kenya

Final Presentation - Nairobi, 17th March 2011IBM Corporate Services Corps – Team Kenya 2 – Subteam Chui

Anna Choi (KR), Nimeesh Kaushal (CA), Luan Nio (CH), Dave Sloan (US)



2

Legal and regulatory framework for e-Government services in Kenya

IBM CSC – Team Kenya 2 – Subteam Chui

Agenda

• Project Overview and Approach

• Current state of Kenya e-Government

• Recommendations

– Global best practices and Key Principles in e-Government legalframeworks

– Sample legislation that highlights critical e-Government elements – Implementation action plan

• Q&A



3



Agenda



• Recommendations



• Q&A



4



IBMs view on a Smarter Government

Source: IBM Institute for Business Value, The State of Smarter Government, 2010



5



Getting Kenya to the next maturity level in eGovernment

Source: Booz Allen Hamilton, Beyond e-Government, 2005

Kenya Today

Kenya Tomorrow



6



Objectives and Scope of this assignment

• Develop legal and regulatory framework tosupport e-Government services Facilitate the adoption of e-Government

servicesMaximize their effectiveness Ensure their sustainability

WHAT

• Gap analysis on international best practiceson data access framework

• Focus on elements of the identified NationalData and Public Services challenges• Review of the current state of the art• Identify unique opportunities or constraints

that exist in Kenya via interviews• Distill inputs into key principles that can be

enshrined in legal and regulatory policy

HOW

• 2 months preparation in home countries(December – February)

• 1 month in-country, based in Nyeri, meetingsin Nyeri and Nairobi (February – March)

• Presentation and Final Deliverables on March17th

WHEN

• Vision 2030

• Constitution• Relevant statutes

(e.g. KenyaCommunications Act)



7



Top 10 e-Government countries

Source: United Nations eGovernment Survey 2010

The e-Government Development Index is the UN’s ranking system, from 0 to 1, used toindicate the level of maturity of e-government services.

The above 4 countries are well represented in our team composition



8



Focus Areas

Universal primary

keys to uniquelyidentify people,

companies, assets,etc. across all

government dataholdings

Centralized,

exhaustivesystems for

people,companies, assets,

etc. available foruniversal referenceand cross-cutting

analytics

Require systems to

refer to andcoordinate withNational Data

Warehouses whenthey exist

Shifting from data

ownership to datastewardship,

facilitating re-useof public sector

information

Standard

identification,permission andenforcement ofprotected data,and guaranteedcitizen access to

data

Authority to require

adherence to acommon data

security standard,including audit

Standard KeysNational DataWarehouses

PreventingRedundantSystems

PublicOwnership ofPublic Data

Definition of,access to and

penalties forillegal access

to privateversus public

data

Security ofpublic data

Based on our analysis, we have identified 6 major areas you need to focus on



9



Interviews and Visits

1. Dr. Katherine Getao, ICT Secretary, Director ofeGovernment

2. Mary Muchene, District Commissioner, District ofNyeri

3. Jane Otoko, Head of ICT, Ministry of Immigration& Registration of Persons

4. Patrick Njoroge, Assistant Director ICT in StateLaw Office, Office of Attorney General

5. Zeba Nyikal

6. James Opundo and Nicholas Ongeri - LegalOfficers, Ministry of Immigration & Registration ofPersons

7. Javan Bonaya, Passport Registration Office,Nyayo House, Nairobi

8. Tony Onyango and Maxim Itur, NationalRegistration Bureau, Makadara Station, Nairobi

9. Samuel Lukanu and Bente Were, Birth/DeathRegistration Office, Sheria House, Nairobi

10.Samuel N. Kimotho, District Civil Registrar,Birth/Death Registration Office, Nyeri

11.Michael A. Kana, District Administrative PoliceCommander, Nyeri

12.Vivian Ashioya, IBM Account Manager

13.Citizens

1. Ministry of Immigration and Registration of Persons

2. Department of Immigration, Passport Registration

Office, Nyayo House, Nairobi

3. National Registration Bureau, Makadara Station,Nairobi

4. Civil Registration Department, Sheria House,

Nairobi

5. Civil Registration Department, Nyeri District

VisitsInterviews

1. Stakeholder´s Workshop on e-Government

Strategic Plan, Kenya Institute of Education, 9th

March 2011

Meetings



10



Agenda



• Recommendations



• Q&A



11



Department of Immigration – HQ Nyayo HousePassport application process

National Registration Bureau – Makadara StationNational ID card application process

Civil Registration Department – Sheria HouseBirth Certificate application process

Because of these time-

consuming, redundant and manual processes, the

criticality for a solid legal framework for e-Government is even more urgent



12



Focus Areas – Summary of Findings

Potential SharedKeys

•Lack of keys will inhibit interoperability

without entity disambiguation exercises•No consistent shared keys exist across

systems

•IPRS Integrated PIN universal for all

registered Kenyans and registeredforeigners, but largely unknown outside of

IPRS

Citizen andCorporate

Registry

•IPRS represents best current NDW•Lack of universal and real-timecoordination with other repositories leaves

room for fraud and manipulation

•IPRS collects data from many systems•Data exchanges occur ad hoc, in bulk andwith infrequent updates

•No or immature NDW exist in Kenya, butpotential candidates exist

•Finding correct information is time-consuming•Ministries operate inefficiently with

duplicate information collected, often withthe same purpose

InformationRedundancy and

silos / DigitizedInfo.

•Physical sources are distributed acrossministries and districts and are redundantlyarchived

•Requests for information betweenministries are manual, on paper

Shifting from

data ownershipto data

stewardship

•Ownership is asserted in such a way thatit inhibits collaboration and informationsharing•Time-consuming efforts to identifystructures around data governance

•No legislation states who owns data, whoacts as data steward or how public datashould be shared

•No culture of sharing public data

Adherence to a

common data

security standardincl. auditing

•Differing or absent standards for securing

public data risks compromised security at

all times•Security violations go undiscovered

•No uniform mechanism or auditing in

Kenya to protect public data

•Existing legislation KCA 2009 83U and83V, not observed by agencies

Definition,Access control,

Penalties

•Unclear categories yield coarse-graineddata controls which can allow illegal accessto the data

•Unenforced penalties increase the risk ofillegal access

•No definition, distinction or classification ofPII, Sensitive data, Public data•Identified violations are handled in an adhoc fashion, with varying penalties

Security of

public data

Definition of,access to andpenalties for

illegal access toprivate versus

public data

PublicOwnership ofPublic Data

National DataWarehouses

Standard Keys

PreventingRedundantSystems

ConclusionsFindings



13



Agenda



• Recommendations



• Q&A

= Best in Class



14



Require adherence to standard data formats

Adopt shared formats

• An electronic GovernmentInteroperability Framework (e-GIF) or Data Reference Model(DRM) designates shared keysand standard models for core

entity types• Many existing open standards can

be adopted or customized• Advanced systems will allow for

cancelable identifiers to minimizeimpact of compromise

• In NL, Citizen Service Numbers

(CSN) and Chamber ofCommerce Numbers (CCN) areused for data exchange andsearches in the Key Register ofPersons (MPRD) or KeyCommercial Register

• In KR, a central authority canissue, cancel and re-issue

surrogate keys to identifyindividuals.

Mandate compatibility

• All existing systems are requiredto be interoperable with datastandards within a designatedtimeframe

• All newly procured systems are

required to comply with datastandards

• In UK, the e-GIF set the standard

for many other countries asadoption is mandatory for allpublic information systems

• In US, the Director of the Office ofManagement and Budget isempowered to enforce standardsfor all government systems

Designate an authority toupdate standards

• While core standard fields rarelychange, identification of a role forupdating standards ensuresexpansion to unforeseen fields ofvalue and controls for

technological change

• In EU, Interoperability Solutions

for European PublicAdministrations (ISA) createdEuropean InteroperabilityFramework (EIF) to unify multiplegovernments and is maintained byan identified committee from manymember countries

Global Best Practices and Key Principles

Focus Area 1 – Standard Keys



18



Eliminate duplicate collection and storage

Share information acrossministries and prohibitredundant digital data

• All government agencies must vettheir information needs againstexisting government holdings

before it can collect or retaininformation

• Information cannot be collectedindependently if it existsaccessibly in any other agency.

• In KR e-Government Law No.10303 Chapter 4, details sharingof administrative information.Article 36 governs theadministration, efficientmanagement and use ofinformation

Integrated registry ofinformation systems

• Ministries must register the typeand extent of information theycollect and provide points of

contact for those collections• Ministries which cannot share

data directly must providemethods by which the informationcan be integrated with otherministries

• In a KR e-Government case, withthe integration of informationresources, USD 100 million inequipment replacement costswere saved between 2009 and2010. Additional USD 400 millionis expected to be saved by 2014.

Organizational structureto plan, manage, andcontrol data across

government

• A role for a central decisionmaking body must be designatedto promote sharing strategy,

enforcing policies throughapproval and budgets andresolving conflicts

• The organizational structureshould be placed in the e-Government directorate in order tosit across ministries and agencies.

• In UK, MOI (Ministry ofInformation) is the organization forthe information subject area.

• In US, OIRA (Office of Informationand Regulatory Affairs)

• In KR, MOPAS (Ministry of PublicAdministration and Security)

Focus Area 3 - Preventing Redundant Systems




19




Sample Legislation

SOUTH KOREA - ELECTRONIC GOVERNMENT ACT

• All government agencies must vet their information needs against existing government holdings before itcan collect or retain information

• Information cannot be collected independently if it exists accessibly in any other agency.

• A role for a central decision making body must be designated to promote sharing strategy, enforcingpolicies through approval and budgets and resolving conflicts

SOUTH KOREA - ELECTRONIC GOVERNMENT ACT

• All government agencies must vet their information needs against existing government holdings before itcan collect or retain information

• Information cannot be collected independently if it exists accessibly in any other agency.

• A role for a central decision making body must be designated to promote sharing strategy, enforcingpolicies through approval and budgets and resolving conflicts

Article 36 (Administration of the efficient management and use of information) ① A minister or principle of any ministries

should provide administrative information which the ministry collect and retain inside to other ministry who require that

information. If they can receive and access trusted data from any other ministry, they should not collect duplicated data independently.

② A minister or principle of any ministries which collect and retain administrative information can permit to share the

information between other ministries and any banks which have a permission of bank business according to Act on Bank,private corporate organizations or agencies which are granted by Presidential Dec Policies.

③ The Minister of the Ministry of Public Administration and Security should develop the list of administrative information which

is hold by any ministry by investigation and distribute it across government ministries and investigate requirement for new administrative information.

Article 37 (sharing of administrative information centers) ① For the sake of effective sharing of administrative information, The

Minister of the Ministry of Public Administration and Security can deploy administrative information center as a center of information sharing across ministries as a subsidiary of his ministry and promote to utilize the center from each ministry in accordance with Presidential Dec Policies



20



Public data is owned by the people

Data is available to thewidest range of users forthe widest range of

purposes

• Data should be usable forpurposes it was not originallycaptured for

• Involve citizens to make sense ofdata

• Encourage transparency,participation and collaboration

• In US, Open Government

Directive• In UK, interactive portal wherecitizens are asked to come up withinnovative ideas and mobileapplications how they could usepublic data

Make exposed data thedefault and protected data

the exception

• By default, data captured bygovernment bodies should bemade available to the public

• Release key datasets(data.go.ke?)

• Only sensitive or private datashould be protected

• In UK, Transparency Board to

make transparency a core part ofall government business• In KR, Act mandates that

information held and managed bypublic institutions shall bedisclosed

Do not establish dataowners, but assign data

stewards

• Data does not belong to theperson or agency that capturedthe data

• Center of Excellence in datastewardship, directing otheragencies in governing, collecting,managing, storing and distributingdata.

• In UK, Public Data Corporation

• In NZ, Government departmentsare stewards of Government-heldinformation, and it is theirresponsibility to implement goodinformation management.

Focus Area 4 - Public Ownership of Public Data




22



Categorize data appropriately to maximizeproper protection and access

Clear definition andclassification of private

and public data

• The authority to define private andpublic data should be clearlystated in legislation

• All definition and classificationshould be unified across ministries,preferably tied to a data standard.

• In US, FEA DRM (Data ReferenceModel) categorizes governmentinformation in detail level withprivacy designation.

• In UK, e-GIF (e-GovernmentInteroperability Framework) setsout the government's technical

policies and standard datacategories.

Accessibility forauthorized data

• Access to citizen information heldby public institutions should begoverned uniformly by data

category• Authority to determine appropriate

access (e.g. national security,statistical) should be declared inAct

• Individuals should be guaranteedaccess to data about them

• In FI, Personal Data Act - section26 - Right of Access

• In Canada, Privacy Act - Accessto Personal Information - Right ofAccess

• In US, under FOIA, individual hasaccess to the information

government hold

Exclusively definedpenalties and

enforcement role

• Penalties for illegal access shouldbe specified once and appliedbroadly

• An independent enforcement rolewith authority to carry outpenalties must be defined

• In FI, Personal Data Act, chapter38, section 9

• In KR, Act on the Protection ofPersonal Information Chapter 5

Focus Area 5 - Definition of, access to and penalties for illegal

access to private versus public data




24



Secure data while maximizing public access

Control policies owned,supported and practiced to

address risks

• Management, Operator andTechnical control policies are thefoundations for an information

security risk managementprogram.

• Policies are necessary to definerisk management requirementsthat help make reasonable andappropriate risk managementdecisions.

• In US, State of Minnesota,Enterprise Security ControlPolicies

• In EU, Regulation (EC) No45/2001 defines particularmeasures to prevent unauthoriseddisclosure or access, accidental or

unlawful destruction or accidentalloss, or alteration

Utilize uniform standards ofprotection and encryption

• Standards should govern dataacquisition, storage anddisposition, eg.,Data erasure

• Security solutions are required tooffer strong protection againsttampering and unauthorizedaccess

• In UK, the Data Protection Act isused to ensure that personal datais accessible to those whom itconcerns, and provides redress to

individuals if there areinaccuracies

Independent auditingrequired

• Independent chains of commandto guarantee adherence

• Private auditing firms to be given

authority to conduct completeauditing practices

• Real-time auditing is emerging asthe new global best practice

• In US, FISMA (FederalInformation Security ManagementAct) establishes securityguidelines that federal agenciesmust adhere to.

• Agencies are graded on resultsfrom FISMA compliance auditing

Focus Area 6 - Security of Public Data




26



Global Best Practices on Mobile Applications Legislation

1. Expanding legal definitions – Include different types of electronic devices in definitions for

existing and future legislation• e.g. Mobile phones, laptops, smart-phones etc

– Classical definitions in existing legislation may miss new mobile devices

2. New types of information collected about people (location and personal preference)- Collection of information of an individual- GBP: No person may collect, use, or provide the location information of a person or

mobile object without the consent of the person or the

owner of the object (KR act on the protection, use, etc. of location information)- Exceptions when info is to be used for emergency rescue/relief purposes- GBP: A subject of personal location information may withdraw his/her consent for part of the scope of thecollection of personal location information and the terms and conditions, when he/she has given consentunder above point

3. Structure that allows applications of authorization or verification down to mobile devices for conductingany business

- Processes to identify identity for individual authorization from mobile devices- Step-by-step procedure in place to conduct transactions securely using these mobile devices- Mobile e-Signature to satisfy legal requirements as a handwritten signature.- GBP: Directive 1999/93/EC of EU establishes legal framework for e-Signature and certification services.The main provision of the Directive states that an advanced electronic signature based on a qualifiedcertificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidencein legal proceedings.



27



Review of draft Kenya´

s Data Protection Act

• Elements of the Draft Data Protection Act may aid in e-Government adoption efforts – Sections 6(a-b) require data security at rest and in transit

• Responsibility assigned to Freedom of Information Act Commission

– Sections 7(1)(a-b) guarantee personal access to personal data

– Section 9 requires that data be up-to-date, complete and accurate – Section 22 protects against agency liability for data disclosed in good faith

• Elements of the Draft Data Protection Act pose serious concerns to e-Government adoption efforts

– Sections 3(1)(a)(ii)(b) requires all personal data be collected from individuals

• May prevent lookup from existing data stores – Sections 11 prevents data collected for one purpose being used for another• May prevent creation of National Data Warehouses

– Section 12 Prohibits sharing data with other agencies unless authorized• Directly inhibits data sharing• Authorization schemes are not yet in place• Unclear status of data collected prior to the existence of authorization schemes

– Section 13 prevents unique IDs from being used across agencies• Prohibits the use of shared keys, inhibiting data sharing

• No exemptions or processes are made for interagency government data sharing – Many countries adopt these caveats to the OECD Privacy Principles



28



Agenda



• Recommendations



• Q&A



29



Implementation Strategy SummaryObtaining new authority

Constitution Legislation RegulationLong processMost rigid

Put in place immediately

More easily discarded

Silo´́́́ed versus cross-cutting

E-Gov

M

i n i s t r y A

M

i n i s t r y B

M

i n i s t r y C

M

i n i s t r y D

M

i n i s t r y E

Legisla tion

Regul at io n

Incremental versus Plenary implementation

Big BangOne e-Government Act

Separate components

Elements in various Acts

Solo versus Partnership in Public Service provision

Per department Public-Private PartnershipPublic-Public Partnership

L l d l t f k f G t i i K



30



1. Amend currentauthorities in theKenyaCommunications

Act to point toDeG

2. Include DeG´sauthorities innew legislation

3. Include coredata entity types,standard keysand categories in

new legislation

4. Per data entitytype, define thefields, format andsensitivity level

5. Designatesystems to serveas centralrepositories foreach data asset

6. Makeinventory ofdata andsystems across

ministries

7. Pilot datacentralizationefforts for aselected regionand selectedfunction

8. Include datastewardship andopengovernment

directives in newlegislation

9. Create a pilotwebsite whereselected keypublic data setsare published

10. Allow bylaw for privateorganisationsto participate in

providinggovernmentservices

The following steps should be implemented immediately

Partnerships Data

availability

Single source Define &

Designate

Obtain the

mandate

”Monday Morning” Action Plan

Legal and regulatory framework for e Government services in Kenya



31



Long term roadmap for further e-Government development

Establish IPRS as the

central NDWMove Adoptions & Marriages

registry

Collect data into central repositories with

synchronization or update policiesEstablish electronic verification methods that

link into the NDW

Establish securityguidelines

Establish security solutions

Establish a risk managementprogram

Establish auditing practices

Establish training procedures on securitypractices

Build partnerships with private organisationsin providing government services

Establish a CoE for datastewardship

Digitize information

Establish ACP fordifferent data

categories

Define cross-cutting

penalties

Establish an independent partywith authority to apply and enforce

the defined penalties

Revise ministry-specific Acts Establish an e-GovernmentAdvisory Group

Make old Acts obsolete

Implement new regulation across ministries




32



Agenda



• Recommendations


– Sample legislation that highlights critical e-Government elements

– Implementation action plan

• Q&A



Thank You

Asante Sana

What is the point in having allthese different licenses?

eGovernment office has

insufficient authority and likelyneeds to be semi-autonomous

The eGovernmentDirectorate should step up

IT has really helped inenforcement. There is noway to cook it

eGovernment should createthe obligation for governmentdepartments to be under one

umbrella

We need a one-stop-shopfor citizens

Most fraud is because otherarms of government cannot

check. Everything is a

manual process.

This is the fifth day in a rowthat I am here waiting in thequeue. Every day costs me

300 Ksh for transport. I haveno more money for food.

There are 254 forms ofregistration in Kenya. We

managed to reduce to 185.

The reality of eGovernmentis not with us yet

Quotes by interviewees:



Developing an enabling legal and regulatory frameworkfor e-Government services in Kenya

APPENDIX SLIDES




35

g g y y


IBM´s Corporate Service Corps

China

Egypt India

Nigeria

Ghana

Philippines

Romania

S. Africa

Tanzania

Turkey

Vietnam

MalaysiaBrazil

Indonesia

SriLanka

Morocco

Kenya

Russia

• Part of IBM’s Corporate SocialResponsibility Program

• Employee leadership development

program• Launched July, 2008• Global IBM initiative designed to

provide government, small business,educational institutions, and non-profit organizations in growth

markets with pro bono consultingwork to help improve local conditionsand foster job creation

• +1000 IBM employees deployedfrom 50 countries on 100 teams to18 countries since inception




36


Nimeesh KaushalStaff SoftwareDeveloper

IBM Canada

Reporting and Query Stack Integration inBusiness Intelligence, Software Verification, Testmanagement and execution, Facts and data

gathering, Client problem resolution

Anna ChoiInformation AgendaArchitectIBM South Korea

Industrial / Distribution/ Retail industry,Information Agenda business architect,Build information solution architecturefor information quality, information governance,master data management, business analytics.

Luan NioSenior ConsultantIBM Switzerland

Pharmaceutical and Life Science industry,Consulting, Project management, Data gatheringand analysis, Workshop facilitation, Stakeholdermanagement

David SloanPractice ManagerIBM United States

Information Management tools, RealtimeBusiness Analytics Expertise: Data Integration,Government Industry Solutions

Introduction to the IBM team


IBM CSC T K S b Ch i



37


Requirements and needs expressed by interviewees

New(Service / System / Legislation)

Enhance(Service / System / Legislation)

•Create the obligation to be under

one umbrella• It should be possible to look at datafor other purposes than for what itwas captured for

•Better enforcement of laws that arecutting across ministries anddepartments. These laws shouldsupersede the individual ministrylaws.

•A one-stop-shop for citizens•Online application•A multipurpose card•A National Identification / Verification

System•A National /Online Payment System•Technology training to registrationofficers

•Need eGovernment to step up anddefine the standards

• It should be possible to look at datafor other purposes than for what itwas

•Better ways to identify persons

•Less Forms, Less Acts

•Less late registrations for birth

• IPRS should contain all informationand should be better accessible

•More computers for the registrationofficers

•Data should be marketable and should be used to benefit each other, bu

t in a directed manner


IBM CSC T K 2 S bt Ch i

Current State



38


• Limited Authority under KenyaCommunications Act 2009 Section83S(2) states “The Minister [MOIC]

may ... by regulations prescribe (a)the manner and format in which suchelectronic records shall be filed,created or used"

Focus Area 1 – Standard Keys

Conclusions

Current

Authority

Potential

Shared Keys

• National ID is commonly used acrossmany systems, but is limited toregistered Kenyan citizens over 18years of age

• Integrated Population RegistrationServices (IPRS) Integrated PersonalNumber (PIN) universal for all

registered Kenyans and registeredforeigners, but largely unknownoutside of IPRS

• Draft key standard for land providedby Ministry of Lands adheres tointernational GIS standards

Findings

• Authority for National Data

Warehouses exists under KCA, butdoes not assign the authority to the e-Government Directorate

• Lack of keys will inhibit interoperabilitywithout resource-intensive entitydisambiguation exercises

• No consistent shared keys existacross systems

• Candidate keys are flawed either

because they are not universal, notknown or are still in progress

Current State


IBM CSC Team Kenya 2 Subteam Chui Current State



39


Focus Area 2 - National Data Warehouses

Current

Authority

• Kenya Communications Act of 2009Section 83G and 83H both state “suchdocuments, records or information are

(rendered/retained) in electronic formif (a) the information contained thereinremains accessible so as to be usablefor subsequent reference”

• Greater authority than currently underKCA will be required to either

assemble or compel participation in aNational Data Warehouse (NDW)

CitizenRegistry

• IPRS collects data from manysystems

• Only represents digital data collectedby Ministry of Immigration• Goals to share with the Kenya

Revenue Authority, Kenya NationalBureau of Statistics, InterimIndependent Electoral Commission ofKenya, National Social Security Fund

and security forces

• IPRS represents best current NDW• IPRS needs to collect from and sharewith all relevant entities to be a trueNDW

• Methods of exchange must bebroadened

CorporateRegistry

• State Law Office maintains acorporate registry

• All businesses must register with theState Law Office

• Data exchanges occur intermittently,

in bulk and with infrequent updates

• Corporate registry may be an idealNDW candidate

• Lack of universal and real-timecoordination with other repositoriesleaves room for fraud and

manipulation

Current State

ConclusionsFindings


IBM CSC – Team Kenya 2 – Subteam Chui Current State



40


• Physical sources are distributedacross ministries and districts and areredundantly archived

• No legislation to enforce singlerepositories and sharing of data• IPRS can be used to verify national ID

and name, but is not used exclusively• No system catalog exists to identify

information type, location or points ofcontact to verify redundancy


InformationRedundancy

and silos

Seamless

process,digitized

information

• Current lack of digitized information• Requests for information between

ministries are manual, often on paper• Procurements for new systems are

de-centralized, not under commoncontrol

• Information searching processes aremanual and ad hoc to the individualdoing the searching

• Finding correct information is time-consuming

• Ministries operate inefficiently with

duplicate information collected, oftenwith the same purpose• Resources are invested in multiple

projects to build same informationrepository

• To prevent ministries from initiatingredundant stores, legal enforcement

is required

• Information cannot be searchedexhaustively or verified definitivelydue to dispersion and paper format

• Lots of information unused because

awaiting digitization• Less opportunity to leverage core

information across ministry• Dependencies to individual officers

rather than a defined process

Current State

ConclusionsFindings





41

IBM CSC Team Kenya 2 Subteam Chui

Focus Area 4 - Public Ownership of Public Data

• Insufficient legislation in place thatstates who owns which data, whoshould act as data steward or how

public data should be shared• Each department creates own Actsand processes to collect the data theyrequire. Opacity of what acts are inplace and what processes should befollowed.

• No legal principles in place confirming

public ownership or governmentstewardship of public data

Shifting fromdata

ownership todata

stewardship

• Ownership is asserted in such a waythat it inhibits collaboration andinformation sharing

• Time-consuming efforts to identifystructures around data governance

• Generally, the ministry or departmentwho captures the data keeps the data

• The public has no transparency aboutwhere what data is stored or how toaccess it

Facilitatingre-use of

public sectorinformation

• Data is not being re-used in anoptimal way. Its utility is notmaximized.

ConclusionsFindings





42

y

Focus Area 5 - Definition of, access to and penalties for illegal

access to private versus public data

Definition of

private,public data

• No definition, distinction orclassification of PII (Personallyidentifying information, e.g. NationalID, name, birth date), Sensitive data(e.g. medical history), Public data (e.g.aggregate statistical data)

• Unclear categories yield coarse-grained data controls which can allowillegal access to the data

• Increased difficulty and inconsistentstandards when applying legal policyfor different classification levels ofdata

Access

Control todata

• In electronic systems, access controlsare role-based (boundary) by user,but manual systems have onlyphysical access controls

• Lack of consistent business conductguidelines

• Access education is only given at hire• Lack of any defined protocol for

citizen access to personal data

• Departments are reluctant to sharedata without legal protection for thirdparty misuse of data

• Special provisions should be made forcases affecting national security

• Citizens unaware of rights to accesstheir own data, and have no processby which to exercise those rights

Penalties forillegal

access to

data

• Existing relevant legislation, such asKCA 2009 83U and 83V, is not widelyobserved by agencies

• Identified violations are handled in anad hoc fashion, with varying penalties

• Unenforced penalties increase therisk of illegal access

• Poor application makes corruption inparallel processes more likely

• Inconsistent policies reduce the

deterrent effect of penalties

ConclusionsFindings





43

y

Focus Area 6 - Security of Public Data

Authority torequire

adherence toa common

data security

standard

Auditing

• There is no such uniform mechanismin Kenya to protect public data

• No legislation on protection of data• Scope of KCA 83R(d) is too

restrictive as it only points toregulation of e-Signatures

• Each agency has its respective ITdepartment implementing their ownstandards for securing public data

• Data sharing happens manually and

ad hoc through the exchange of CD-roms, paper copies etc

• No universal formal training procedurein place for staff on security practices

• No auditing practice exists currently• Ad-hoc auditing takes place within the

supervision chain of system owners

• Different standards for securing publicdata with varied security levels riskscompromised security at all times

• Manual sharing of public data throughunofficial processes could lead torelease of private data, violating theKenyan Constitution

• In absence of universal auditing,

processes cannot adhere to properstandards and security violationsmight go unnoticed

• No checks in place could promotemis-use or mis-appropriation of highlysensitive data

ConclusionsFindings

Kenya 2 Subteam 2 CHUI Development of a Legal and Regulatory Framework for e-Government in Kenya

Documents

Transcript of Kenya 2 Subteam 2 CHUI Development of a Legal and Regulatory Framework for e-Government in Kenya