7.2 Policies and Regulations

The implementation of Digital Rehabilitation in the East African region will be guided by the existing legal framework, informed by country-specific policies and regulations governing the protection of data. Since there is no harmonized sub-regional legislation from the East African Community (EAC), each member state applies the same data protection recommendations, which are aligned with global best practices and were adopted by the EAC [3]. Digital Rehabilitation interventions will therefore be guided by the national laws and policies of the respective member states participating in the project [4–6].

7.2.1. Policies

The existing country-level policies outline the minimum requirements, principles and procedures governing the collection, collation, storage, processing, sharing and disposal of data by public and private organizations. The specific elements include:

  1. Data classification: There should be a definite scheme in which data is categorized according to its sensitivity level. The classification determines the appropriate handling procedures and security controls for each type of data.
  2. Access controls: Data should be accessible to authorized individuals only, so user authentication measures must be in place to control and protect access for designated personnel. Measures include strong passwords, multifactor authentication and role- or institution-based access control that limits data to a need-to-know basis.
  3. Data encryption: Encryption techniques should be used to protect data at rest and in transit.
  4. Data handling and disposal: Guidelines should be in place for the secure handling, storage and disposal of data, including rules for data retention, secure deletion methods and proper disposal of physical media.
  5. Data backup and recovery: Regular data backups should be performed so that data can be recovered in the event of data loss or system failure. The backup system should be checked periodically, and the restoration process should also be tested periodically to confirm that data can actually be recovered.

The existing policies are essential to ensure that data is handled in a responsible, ethical and legally compliant manner. They serve as a framework for promoting responsible data management, protecting individual privacy and ensuring the integrity and security of organizational data.

7.2.2. Administrative Guidelines

Additionally, administrative guidelines are equally important. They comprise a set of rules that provide guidance on how the responsible personnel can best be equipped to become competent in data management, use and protection. These guidelines relate in particular to increasing knowledge and competencies by creating security awareness and providing training, including regular training on data security for authorized personnel on matters such as network security, access by third-party users, and compliance with laws and policies.

7.2.3. Regulations

The regulation of personal data protection in this project is aligned with Article 5 of the General Data Protection Regulation (GDPR) [7], which sets out the key principles that inform data protection regimes universally. These principles include:

  1. Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly and in a transparent manner.
  2. Purpose Limitation: Personal data must be collected and processed for specified, explicit and legitimate purposes.
  3. Data Minimization: Personal data should be limited to what is necessary for the specified, explicit and legitimate purposes.
  4. Accuracy: Personal data should be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Personal data should be stored for no longer than is necessary for the specified, explicit and legitimate purposes.
  6. Accountability and Transparency: The principle of accountability requires organizations to take responsibility for personal data and ensure individuals can exercise their rights, while transparency obligates organizations to provide clear information on data processing. Together, they ensure responsible data protection and understanding of data use.
  7. Integrity and Confidentiality: Personal data should be secured and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Within the East African sub-region, given the lack of a harmonized legal framework, data protection regulations vary. In all countries, however, the national Data Commission established by the respective data protection act or law has the mandate and responsibility for ensuring compliance with data protection laws. As such, individuals have a right to secrecy and privacy of their personal data, and these data rights include the right to access, correct and delete their personal information.

In all three participating countries (Kenya, Tanzania and Rwanda), the laws provide for the following data subject rights: the right of access to personal data, the right to object to processing carried out for commercial advertising purposes, the right not to be subject to automated decision making under some circumstances, and the right to correction, blocking and erasure of personal data.

In particular, Rwanda's supervisory authority, the National Cybersecurity Authority (NCSA), has issued a number of guidelines following the enactment of Law No. 058/2021 of 13 October 2021 relating to the Protection of Personal Data and Privacy, 2021 [8]. The guidelines cover registration of a data protection officer, privacy policies, the right to object, the right to portability, rectification and erasure, protection of children's data, key principles for processing personal data, and identifying one's role as controller or processor.