IBM Corporate Service Corps Kenya Team 2 Sub-Team 2: Development of a Legal and Regulatory Framework for e-Government in Kenya 17 March, 2011

Development of a Legal and Regulatory Framework for e-Government in Kenya

IBM Corporate Service Corps

Kenya Team 2 Sub-Team 2:

Development of a Legal and Regulatory Framework for e-Government in Kenya

17 March, 2011

IBM Corporate Service Corps , Kenya Team2, Sub-Team 2 Development of a Legal and Regulatory Framework for e-Government in Kenya

March 17, 2011 2 of 48 IBM Corporation

Table of Contents

1. EXECUTIVE SUMMARY
   1.1 KEY FINDINGS
   1.2 RECOMMENDATIONS AND STRATEGIES
   1.3 IMPLICATIONS

2. PROGRAM BACKGROUND
   2.1 IBM CORPORATE SERVICE CORPS
   2.2 IBM CSC KENYA TEAM 2, SUB TEAM 2 “CHUI”
   2.3 IBM IN KENYA
   2.4 DIRECTORATE OF E-GOVERNMENT
   2.5 E-GOVERNMENT IN KENYA
   2.6 DIGITAL OPPORTUNITY TRUST (DOT)

3. PROJECT BACKGROUND
   3.1 KEY OBJECTIVE
   3.2 APPROACH
   3.3 TIMELINE
   3.4 INTERVIEWS & VISITS

4. ANALYSIS AND CONCLUSIONS
   4.1 STANDARD KEYS
   4.2 NATIONAL DATA WAREHOUSES
   4.3 PREVENTING REDUNDANT SYSTEMS
   4.4 PUBLIC OWNERSHIP OF PUBLIC DATA
   4.5 DEFINITION OF, ACCESS TO AND PENALTIES FOR ILLEGAL ACCESS TO PRIVATE VERSUS PUBLIC DATA
   4.6 SECURITY OF PUBLIC DATA

5. RECOMMENDATIONS
   5.1 STANDARD KEYS
   5.2 NATIONAL DATA WAREHOUSES
   5.3 PREVENTING REDUNDANT SYSTEMS
   5.4 PUBLIC OWNERSHIP OF PUBLIC DATA
   5.5 DEFINITION OF, ACCESS TO AND PENALTIES FOR ILLEGAL ACCESS TO PRIVATE VERSUS PUBLIC DATA
   5.6 SECURITY OF PUBLIC DATA
   5.7 GLOBAL BEST PRACTICES ON MOBILE APPLICATIONS

6. IMPLEMENTATION ACTION PLAN
   6.1 IMPLEMENTATION STRATEGY SUMMARY
   6.2 QUICK WINS
   6.3 LONG TERM ROADMAP

7. APPENDIX 1. SAMPLE LEGISLATIONS
   7.1 STANDARD KEYS
   7.2 NATIONAL DATA WAREHOUSES
   7.3 PREVENTING REDUNDANT SYSTEMS
   7.4 PUBLIC OWNERSHIP OF PUBLIC DATA
   7.5 DEFINITION OF, ACCESS TO AND PENALTIES FOR ILLEGAL ACCESS TO PRIVATE VERSUS PUBLIC DATA
   7.6 SECURITY OF PUBLIC DATA

8. APPENDIX 2 DRAFT DATA PROTECTION ACT

9. APPENDIX 3. DEFINITION OF DATA STEWARD
   9.1 DATA STEWARDSHIP DISCIPLINE DEFINITION
   9.2 ROLE OF DATA STEWARD

10. APPENDIX 4 ISSUE DIAGRAM

11. APPENDIX 5. ACKNOWLEDGEMENTS

1. Executive Summary

Kenya is in the midst of an ICT revolution, in both the public and private sectors. As with many rapid changes, legal frameworks struggle to keep up with the issues that state-of-the-art technology brings. The Kenyan government is offering some services online already, and has many more services in development, but these services are not offered on the same firm legal or regulatory footing as the manual processes that they are replacing or supplementing. The challenge presented to our team by the ICT Secretary, Dr. Getao, was to characterize the current state of the Kenyan e-government legal framework, study global best practices for e-Government, determine key principles from those practices, adapt them to the Kenyan environment, and propose legal initiatives. These initiatives were to be targeted to facilitate adoption of e-Government services, maximize their effectiveness and ensure their sustainability.

1.1 Key findings

▪ Our findings centered around 6 key focus areas which are common best practices across global e-Government initiatives.
▪ Shared Keys are universal keys that uniquely identify people, companies, land, assets, etc. across all government data holdings.
▪ National Data Warehouses are centralized, exhaustive systems for the entity types listed above made available for universal reference and cross-cutting analytics.
▪ Preventing Redundant Systems requires systems to refer to and coordinate with National Data Warehouses when they exist, eliminating the repetitive expense, inconvenience and potential inaccuracy of capturing multiple copies of data.
▪ Public Ownership of Public Data involves shifting from a concept of data ownership to data stewardship and facilitating the re-use of public sector information.
▪ Definition of, access to and penalties for illegal access to private versus public data involves the standard identification, permission and enforcement of protected data and guarantees citizens access to the government held copies of their personal data.
▪ Security of Public Data establishes the authority to require adherence to a common data security standard and includes auditing government systems against that standard.

In each of these focus areas, our report describes the current state of the Kenyan government’s progress, identifies avatar countries which can serve as examples of global best practices, extracts key principles that characterize those best practices, and recommends them as part of the Kenyan legal and regulatory framework. The best practices are gleaned from such countries as South Korea, Canada, the United States, the United Kingdom and Denmark, all of which rate at the top of global surveys of e-Government practices.

1.2 Recommendations and strategies

Our recommendations lay out key principles to be enshrined in Kenyan legislation and regulation in accordance with the focus areas above. These include publishing and requiring adherence to standard data formats, compelling concentration or coordination of national data assets, eliminating duplicate collection and storage of data, confirming the ownership of public data by the people of Kenya, categorizing data appropriately to maximize proper protection and access and securing data while maximizing public access. In each of these areas, model legislation illustrating these points has been gathered from around the world and presented for use by Kenyan legislative drafters. The report also contains a roadmap for progress indicating tasks which can be undertaken immediately and those which will mature over time.

For example, legislation is needed to authorize the Directorate of e-Government to set government-wide data standards that can be enforced on both newly procured and legacy systems. This interoperability will allow for government agencies to more accurately, securely and efficiently exchange information, even enabling the offering of certain services electronically that currently require face-to-face interaction. This increased level of service will not only reduce the administrative burden on beleaguered citizens and help to provide more equitable services across all of Kenya’s regions, but also create a rigid infrastructure of accountability and immutable electronic audit trail, reducing or eliminating opportunities for graft and corruption. These sentiments were echoed in data collected in our research including quotes from interviewees such as “IT has really helped in enforcement. There is no way to cook it.”, “Most fraud is because other arms of government cannot check. Everything is a manual process.” and “There is a minority that is benefiting from the status quo, but the majority are suffering.” Templates for these data standards are widely available in the global marketplace and can be adopted and implemented quickly, even over a six-month time frame for selected systems.

1.3 Implications

As Kenya strives to reach the economic, political and social goals of the Vision 2030 framework, and as it works to realize the guarantees of equality of access to responsive public services under the Kenyan Constitution, modernizing the tools of government to be more effective and equitable assumes a critical role. The status quo, involving manual practices, redundant collection, paper storage, and hours or days of lost productivity by citizens seeking even the most basic interactions with government, will not serve Kenya’s future goals. It is our hope that a strong legal and regulatory framework will create a solid and sustainable foundation for the critical work that lies ahead. The capability of the Government of Kenya to effect change in the country will be governed in part by the processes by which it seeks to implement that change, and Kenyan citizens should be able to expect no less than the most modern, efficient, accountable and effective government services that can be found on the global stage today.

2. Program Background

2.1 IBM Corporate Service Corps

The Corporate Service Corps is an IBM leadership social give-back initiative. It is designed to expose high performing IBM employees to doing business in emerging markets, diverse cultures, global teams, and complex policy environments. The Corporate Service Corps (CSC) Program is integrated with IBM's global business strategy and is intended to help enhance global economic and social development and build the leadership skills of IBM employees as global citizens. The CSC program focuses on several priorities including but not limited to:

1. Economic Development and Innovation
2. Raising Global Standards in Education
3. Broadening Cultural Awareness
4. Promoting Openness and Transparency

The Corporate Service Corps program brings together teams of IBM Leaders with a diverse set of skills from around the world and different business units. These teams are placed in growth markets to tackle important social and economic issues in collaboration with Non-Government Organization (NGO) partners from around the world. These IBMers are assigned to work on projects of significant value in different countries with four weeks of the project taking place in country. These teams are expected to tackle real societal, educational and economic challenges, while at the same time experiencing a diverse cultural perspective and enhancing their skills and leadership competencies.

The first CSC team in Kenya was deployed in September - October 2010. The team worked on developing an enabling environment for the establishment of Information Communication Technology (ICT) Digital Villages in Kenya, focusing on rural areas as centers for sustainable, economic and social development and empowerment.

This Kenya 2 team consists of 12 persons from 9 different countries and is divided into three sub teams. The sub teams work on assignments for the Postal Corporation of Kenya, the Directorate of e-Government and the Kenya ICT Board respectively. Team Kenya 2 is based in Nyeri for the duration of in-country assignment.

2.2 IBM CSC Kenya Team 2, Sub team 2 “Chui”

Nimeesh Kaushal, Staff Software Developer, IBM Canada
   Reporting and Query Stack Integration in Business Intelligence, Software Verification, Test management and execution, Facts and data gathering, Client problem resolution

Anna Choi, Information Agenda Architect, IBM South Korea
   Industrial / Distribution / Retail industry, Information Agenda business architect, Build information solution architecture for information quality, information governance, master data management, business analytics.

Luan Nio, Senior Consultant, IBM Switzerland
   Pharmaceutical and Life Science industry, Consulting, Project management, Data gathering and analysis, Workshop facilitation, Stakeholder management

David Sloan, Practice Manager, IBM United States
   Information Management tools, Realtime Business Analytics Expertise: Data Integration, Government Industry Solutions

2.3 IBM in Kenya

Kenya is the fastest growing country in East Africa, with a predicted GDP growth of 6.1% for 2011. The Kenyan government has a pro-business stance, with foreign investors receiving the same treatment as locals. This has helped Kenya show better resilience to the otherwise tough economic conditions of the recent past, compared to its other sub-Saharan African neighbors.

IBM Kenya is the regional hub of IBM East Africa, which is a fully fledged subsidiary of IBM Corporation and consists of Kenya, Tanzania, Uganda, Ethiopia, Rwanda and Burundi. The East African team has about 40 people across GTS, SWG, STG and S&D.

The main industries for IBM Kenya are:

1. Telco: Mobile telecommunications operators are actively involved in the growth of other sub sectors in the ICT industry in Kenya.
2. Government: The Kenyan Government aims to digitize all government departments in order to improve operational efficiency and service delivery to citizens.
3. Financial Services Sector: Kenya has a well developed banking sector and a fast growing insurance sector.

2.4 Directorate of e-Government

The Directorate of e-Government (DeG) was established in June 2004 as a Government commitment to make e-Government a reality and to ensure that it provides better services to Kenyans. DeG is headed by the ICT Secretary, Dr. Katherine Getao, at the Presidency and Cabinet Affairs Office, Office of the President.

The mandate of DeG is to provide leadership, facilitation and coordination of e-Government services across ministries and accounting units. DeG further coordinates and prepares the e-Government Strategy including the implementation plan, and monitoring and evaluation of the process.

Kenyans, like other citizens of the world, are increasingly turning to online transactional services to conduct their day-to-day affairs. The Directorate of e-Government’s goal is to increasingly contribute to developing e-Services for Government; services that are easy to use, meet the real needs of people and ensure security and privacy.

The Directorate of e-Government discharges the following functions:

1. Develop, coordinate and define ways so that electronic and information technology business strategies assist government to operate more effectively and efficiently in delivering services to citizens;
2. Provide coordination and advice on issues pertaining to electronic business, telecommunications and technology;
3. Plan and develop strategies and direct government wide activities to support other agencies;
4. Participate in the development, analysis and evaluation of government wide technology issues, policies and legislation.

The overall goal of e-Government is to make the Government more result oriented, efficient and citizen centred. E-Government should enable citizens to access Government Services and Information as efficiently and as effectively as possible through the use of internet and other channels of communication.

The specific objectives of e-Government are to:

1. Improve collaboration between government agencies through reduction in the duplication of efforts, and enhance efficiency and effectiveness of resource utilization;
2. Improve Kenya’s competitiveness by providing timely information and delivery of government services;
3. Reduce transaction costs for the government, citizens and the private sector through the provision of products and services electronically;
4. Provide a forum for citizens’ participation in Government activities.

2.5 e-Government in Kenya

e-Government is the use of a range of information technologies, such as the Wide Area Networks, Internet, and Mobile Computing, by government agencies to transform government operations in order to improve effectiveness, efficiency, service delivery and to promote democracy. It is the use of information technology to support government operations, provide investments that are needed in people, tools, policies, processes, engage citizens, and provide government services.

The achievement of e-Government in Kenya is one of the main priorities of the Government towards the realization of national development goals and objectives for Wealth and Employment Creation. Effective and operational e-Government will facilitate better and efficient delivery of information and services to the citizens, promote productivity among public servants, encourage participation of citizens in Government and empower all Kenyans.

Kenya implemented a new constitution in August 2010 and now requires re-writing of many of its laws. ICT is regarded as a major enabler in achieving Kenya's Vision 2030. The realization of e-Government is one of the main priorities in this transformation.

With the establishment of the e-Government Directorate, Kenya is looking for ways to raise the quality of e-Government services to an innovative and competitive level using best practices adopted in other countries.

2.6 Digital Opportunity Trust (DOT)

Digital Opportunity Trust (DOT) is a Canadian-based, international not-for-profit enterprise established to build human capacity and provide the tools to promote community-based economic and social development. Combining the power of people, technology, and innovative community solutions, DOT programs stimulate economic opportunity and technology as an enabler of learning in schools.

DOT currently operates in 11 countries, including Kenya, and has directly impacted nearly 200,000 people through micro-entrepreneurial development, technology, education and life skills and has trained over 2,000 young ICT leaders worldwide.

In 2008, DOT was selected by IBM as Global Implementation Partner for the Corporate Service Corps program and is now working with IBM to implement the CSC program in Kenya, Turkey, China and Egypt.

3. Project Background

Sub Team 2 will assist the Directorate of e-Government in a review of the legal, regulatory and institutional framework enabling e-Government services. The goals are to facilitate the adoption of e-Government services, maximize their effectiveness, ensure their sustainability and concretize them in service of the population of Kenya. This review will take place in the context of Kenya’s Vision 2030 plan, international best practices, and the new Kenyan constitution and relevant statutes.

Sub Team 2 will focus on elements of the National Data and Public Services challenges identified by the client. For these elements, Sub Team 2 will provide a review of the current state of the art with regard to these regulations globally, conduct interviews and solicit feedback to identify unique opportunities or constraints that exist in the context of Kenya, and distill these inputs into key principles that can be enshrined in legal and regulatory policy. The results of this research will then be presented to the client.

3.1 Key Objective

▪ Conduct a gap analysis on international best practice on data access framework, implications of the vision 2030 and the new constitution
▪ Propose a framework to develop legal, regulatory and infrastructure to support e-Government services on data access

3.2 Approach

IBM proposes to use the Issue-Based consulting technique to complete this assignment.

Issue-Based consulting is a technique used by many business consulting firms, not just IBM. The technique has been used in IBM since the early 90’s and thousands of IBMers have added this to their toolkit as a useful, consistent, rigorous way to approach unstructured problems. The IBC technique depicted here is licensed by IBM from the firm of SOE, Inc.

The Issue-Based consulting method has 5 stages as follows.

1. Definition – define client’s objective, articulate a “vision” for what the solution might be, and understand what the client’s expectations are. The OBQ (Objective, Barrier and Question) technique may be used to understand the context of the project.
   ▪ Objective – the client objective
   ▪ Barrier – the constraint to solving the problem (e.g. lack of resources or expertise)
   ▪ Question – the critical question consultants ask, focused on overcoming the barrier
   At the end of this stage, there should be a revised and final Statement of Work agreed with the client.

2. Structure – focused review of engagement issues, development of hypothesis, creation of key questions to test hypothesis. An issue diagram, consisting of the following levels, may be developed during this stage:
   ▪ client objective – what the client wants to accomplish
   ▪ specific objective the engagement will accomplish
   ▪ issue questions that must be answered or topics that must be explored to achieve engagement objective (issue does not mean problem)
   ▪ hypothesis – tentative conclusions stated as positive assertions, informed speculations about the issues
   ▪ key questions that test hypothesis and drive data collection
   The issue diagram will help drive the work plan. A final work plan should be developed at the end of this stage.

3. Data Gathering – Data collected is used to confirm, reject, or modify hypothesis into conclusions that form key messages of the engagement. A data matrix, which maps key questions to data sources and identifies data gathering methods, is developed. The data gathering process consists of the following five steps:
   ▪ Define and refine data needs
   ▪ Plan data collection strategy
   ▪ Collect data
   ▪ Summarize and cross-check

4. Synthesis – Synthesize data collected and present project’s findings, conclusions, and recommendations.

5. Buy-in – Buy-in occurs throughout the engagement, starting with the first contact with the client. Checkpoints along the way ensure high client satisfaction.

3.3 Timeline

Week 1: Scoping, Research & Assessment
Week 2: Develop Hypotheses & Key Questions
Week 3: Data Synthesis
Week 4: Recommendations & Buy-in

▪ Assign SOW elements, gather and summarize relevant reference materials
▪ Analyze existing legal and regulatory infrastructure (Kenyan Constitution and Communications Act)
▪ Survey references for best practices and key principles for each SOW element
▪ Focused review of practices and principles to determine policy hypotheses
▪ Propose key questions to customers to validate practices and principles
▪ Gather feedback from broader audience
▪ Synthesize research results, responses to key questions and stakeholder feedback
▪ Generate tailored recommendations for principles to be enshrined in regulatory framework
▪ Review and confirm conclusions with client
▪ Present report and recommendations to stakeholders
▪ Integrate stakeholder reactions into final report
▪ Documentation describing as-is situation
▪ Inventory of relevant best practices and key principles with presentation materials
▪ Preliminary gap analysis
▪ Validated, documented policy principles
▪ Stakeholder feedback review identifying situational strengths, weaknesses, opportunities, or threats
▪ Documentation organizing insights and conclusions from synthesis of data
▪ Produce gap analysis
▪ Presentation of key policy recommendations
▪ Final report & recommendations
▪ Presentation to key stakeholders

19th February – 18th March 2011

3.4 Interviews & Visits

Over the course of four weeks, we met with multiple key stakeholders and visited the registration offices for passports, national ID cards and birth certificates.

List of interviewees
▪ Dr. Katherine Getao, ICT Secretary, Director of eGovernment
▪ Mary Muchene, District Commissioner, District of Nyeri
▪ Jane Otoko, Head of ICT, Ministry of Immigration & Registration of Persons
▪ Patrick Njoroge, Assistant Director ICT in State Law Office, Office of Attorney General
▪ Zeba Nyikal
▪ James Opundo and Nicholas Ongeri - Legal Officers, Ministry of Immigration & Registration of Persons
▪ Javan Bonaya, Passport Registration Office, Nyayo House, Nairobi
▪ Tony Onyango and Maxim Itur, National Registration Bureau, Makadara Station, Nairobi
▪ Samuel Lukanu and Bente Were, Birth/Death Registration Office, Sheria House, Nairobi
▪ Samuel N. Kimotho, District Civil Registrar, Birth/Death Registration Office, Nyeri
▪ Michael A. Kana, District Administrative Police Commander, Nyeri
▪ Vivian Ashioya, IBM Account Manager
▪ Citizens

Visit to the Department of Immigration – HQ Nyayo House, Passport application process
▪ Passports are required for international travel
▪ Governing Act in use is Immigration Act
▪ There are 5 locations in Kenya where citizens can apply for a passport
▪ Required documents:
  - Birth Certificate
  - National ID Card
▪ Time between application and delivery of passport is 2 weeks. Status tracking can be done via SMS.
▪ The Passport Issuing Office in Nyayo House is open from 8am – 7 pm, decreasing waiting times
▪ Officers work with computers. All passport data is kept fully electronically.
▪ All application documents are scanned
▪ Manual data entry is done from the scanned documents into the database, also for data items that already exist e.g. Name and Birth Date
▪ No automated or standardized data sharing or verification processes are in place with e.g. Civil Registration Department or National Registration Bureau.
▪ Website: http://www.immigration.go.ke/


Visit to the National Registration Bureau – Makadara Station, National ID card application process

▪ National ID cards are available for persons of age 18 and older
▪ However, not all Kenyan citizens apply for a National ID card and late registration is very common
▪ Citizens can apply for a National ID card at all district offices
▪ No computers are in use at Makadara Station
▪ 1.5 million ID cards cannot be accounted for nationally
▪ Applicants are interviewed to validate citizenship
▪ Time between application and delivery of National ID card is 17 days for Nairobi, 37 days outside of Nairobi. Status tracking can be done via SMS.
▪ Electronic systems and smart cards are desired. A call for expression of interest is open until April 2011.
▪ Website: http://www.identity.go.ke/

Visit to the Civil Registration Department – Sheria House, Birth Certification application process

▪ Birth registration and obtaining a Birth Certificate is available for all Kenyan citizens
▪ However, only 60% of new births are registered at the Civil Registration Department, less than 30% in outlying areas
▪ Late registration is very common. The process is lengthier when no hospital notification is in place.
▪ Governing Act in use is the Kenyan Citizenship Act
▪ A new law was put in place that a person can only take national exams when in possession of a Birth Certificate. As a result, the Civil Registration Department has seen a huge increase in applications.
▪ A Birth Certificate is the primary requirement in order to obtain other documents like driver's license, National ID card or passport
▪ All data is managed manually on paper. Hardly any computers in use.
▪ Statistics are kept manually in a 70+ tabs MS Excel spreadsheet and results are consolidated in MS Word
▪ Website: http://www.births.go.ke/


4. Analysis and Conclusions

We have identified 6 key focus areas which constitute the most essential areas of concentration for accomplishing the outlined National Data Goals.

1. Shared Keys

Shared keys are entity-type-specific identifiers which uniquely and unequivocally indicate an instance of that entity (person, business, land asset) and are used across government. This allows for seamless sharing of data with no ambiguity and provides a significant prerequisite for National Data Warehouses. Broader data standards can provide for even more synchronicity between ministries.

2. National Data Warehouses

National Data Warehouses provide single entity-type-specific repositories for all data held by government. Systems which require data about these entities can refer by a shared key value to a secure, current, accurate version of the common identifying information about the person without requiring the citizen to provide their information again. In this way the National Data Warehouse is a strong foundation for preventing redundant data. It also allows for centralized determination and uniform access controls around private, sensitive and public fields.

3. Preventing Redundant Systems

Although gathering data in and of itself can be a valuable activity for analytics and providing verification, the biggest cost saving in centralizing data is often in outsourcing the storage of these entity types from individual systems to the central data warehouse. This allows the collection, storage, access control, quality improvement and other tasks to be conducted once, and eliminates the inefficiencies and inconvenience of repetitive collection.

4. Public Ownership of Public Data

Historically, those charged with collecting data on the public's behalf often acted as if the data collected was their asset, able to be doled out or withheld as the interests of their department or ministry necessitated. The current trend is for data collected for the public to be treated as a public asset, and therefore be made public to the extent possible in compliance with privacy laws and national security.

5. Definition of, access to and penalties for illegal access to private versus public data

The provision of a common data structure or common data mapping makes this task even more feasible, as it allows for a central identification of a field’s status, and the dispersion of those categorizations through any system that subscribes to the status. Concurrent with the status of those fields being identified, access criteria and restrictions can be placed on the categories (including exceptions for exigent circumstances) and penalties assigned for improper access or dissemination.

6. Security of public data

The concentration of all of this data necessitates increased vigilance regarding its protection in the form of robust data security standards that are applied broadly and consistently throughout the government. The standards are only as good as their application however, and a muscular auditing authority which verifies compliance with those standards is covered in this category as well.

Kenya is currently completing what might be considered "Phase 1" of e-Government, in terms of promoting access and connectivity. Certain elements of the electronic infrastructure are still in progress, but Kenyan government institutions have already begun to experiment with "Phase 2", deploying basic e-government services as an add-on to existing government services. Very few institutions have actually automated their existing processes, and any inter-departmental coordination is done through manual processes, even in the few cases where it is fulfilled electronically.

The focus areas within this report are critical for accelerating e-government initiatives across government, although we recognize that many of the focus areas will take time. Some of these focus areas are already underway, but often in a fragmented fashion, or in a way in which ministries do not necessarily feel bound by the outcomes. The objective of our project is to outline a solid legal and regulatory framework for those initiatives so that their execution will have the force of law, with authority and responsibility for their implementation clearly outlined.

4.1 Standard Keys

Current Authority

Findings

▪ Limited Authority under Kenya Communications Act 2009 Section 83S(2), which states “The Minister [MOIC] may ... by regulations prescribe (a) the manner and format in which such electronic records shall be filed, created or used”

In examining the current authority in place for the requirement of standard keys across government data models, we find that there is some authority currently under Kenya Communications Act 2009 Section 83S(2) which states “The Minister [of Information and Communication] may ... by regulations prescribe (a) the manner and format in which such electronic records shall be filed, created or used”.

Conclusions

▪ Authority for National Data Warehouses exists under KCA, but does not assign the authority to the e-Government Directorate

Although this authority is granted and responsibility assigned, there is no evidence whatsoever that it has been exercised. No manner or formats of electronic records have been prescribed, and no ministries are aware of any data formats with which they are expected to comply. Assigning authority to the e-Government Directorate, which will be engaged more generally in determining and applying standards to government data systems in a far-reaching fashion, may yield more positive results.

Potential Shared Keys

Findings

▪ National ID is commonly used across many systems, but is limited to registered Kenyan citizens over 18 years of age

Currently, National ID number is captured across many systems capturing person information. However, only a portion of the population, and none of the population under 18, has National ID numbers.

▪ Integrated Population Registration Services (IPRS) Integrated Personal Number (PIN) is universal for all registered Kenyans and registered foreigners, but largely unknown outside of IPRS

Integrated Population Registration Services (IPRS) maintains an Integrated Personal Number (PIN) which is universal for all registered Kenyans and registered foreigners, but is largely unknown by the population outside of IPRS. Therefore without the definition and required usage of a shared key, there is no guarantee that communicating systems will agree on the primary key used to identify an individual.

▪ Draft key standard for land provided by Ministry of Lands adheres to international GIS standards

For geographic locations, the Ministry of Lands has published a draft standard that would establish shared keys, but it is unclear whether that standard is in use or enforced, and it is certainly not in use by other government agencies which record geography.

Conclusions

▪ Lack of keys will inhibit interoperability without resource-intensive entity disambiguation exercises
▪ No consistent shared keys exist across systems
▪ Candidate keys are flawed either because they are not universal, not known or are still in progress

In other realms, the automatic identifiers do not exist, which emphasizes the priority of a shared key system. The emerging National Information Architecture may include many of these standards, and recognize many of the same benefits or even be re-dubbed upon its completion as an electronic Government Interoperability Framework (e-GIF).

4.2 National Data Warehouses

Current Authority

Findings

▪ Kenya Communications Act of 2009 Section 83G and 83H both state “such documents, records or information are (rendered/retained) in electronic form if (a) the information contained therein remains accessible so as to be usable for subsequent reference”

In terms of the legal authority to compel creation of such data warehouses, the existing authorization is quite weak. Kenya Communications Act of 2009 Section 83G and 83H both state “such documents, records or information are (rendered/retained) in electronic form if (a) the information contained therein remains accessible so as to be usable for subsequent reference”. However, this legal requirement can likely be met with simple manual reference and retrieval, and would not be sufficient to enforce national data warehouses.

Conclusions

▪ Greater authority than currently under KCA will be required to either assemble or compel participation in a National Data Warehouse (NDW)

The most prevalent global best practice to address this requirement is the adoption of an Electronic Governmental Interoperability Framework or e-GIF. The e-GIF is most often an XML-based standard, published on government web sites and used as a certification criterion for all new systems. The extent of the data types governed by the e-GIF varies from country to country, but the most common denominator appears to be governing people and personal identities. Other possible candidates include assets, financial transactions, GIS locations and government documents. Once the e-GIF is in common use, the potential benefits can multiply quickly and without significant expenditure. The critical element is how to ensure compliance, which is undertaken in a number of different ways by various countries. The most common is writing this standard into all new procurements as a mandatory adoption. The retro-fitting of existing systems can be achieved by:

▪ withholding or limiting funding for operations and maintenance
▪ prevention of participation in government-wide portals
▪ preventing funding for any peer-to-peer communication outside of the standard, thereby isolating the non-compliant system
▪ providing visibility into system compliance by publishing government-wide scorecards which highlight both high achievers and laggards

Citizen Registry

Findings

▪ IPRS collects data from many systems

The systems which IPRS does collect from do contain a large swath of the Kenyan population.

▪ Only represents digital data collected by Ministry of Immigration

Only a few systems within Ministry of Immigration are actually collected in IPRS.

▪ Goals to share with the Kenya Revenue Authority, Kenya National Bureau of Statistics, Interim Independent Electoral Commission of Kenya, National Social Security Fund and security forces

IPRS has broad stated goals, but no current sharing partners.

Conclusions

▪ IPRS represents best current NDW

Adoption of shared keys across government would also enable the assembly of National Data Warehouses. Some early instances of systems that could evolve into National Data Warehouses do exist. For personal data, the IPRS provides an excellent basis for joining the most commonly encountered person registries.

▪ IPRS needs to collect from and share with all relevant entities to be a true NDW

There are still many systems that hold personal identity information that are not being fed into IPRS.

▪ Methods of exchange must be broadened

IPRS does not currently share data with any systems, and it does not prevent citizens from needing to provide the same information repetitively with each registration event. The redundant collection of information creates a significant burden on the populace, and the lack of coordination or standard synchronization between government agencies yields a state referred to as "enterprise amnesia", meaning that government can be in possession of facts but not aware of them. This makes government susceptible to an impaired ability to notify (in the case of out-of-date information), fraud (in the case of duplicative data) and ineffectiveness (in the case of distributed data that cannot be assembled as needed).

Corporate Registry

Findings

▪ State Law Office maintains a corporate registry

Another emerging national data warehouse is the corporate registry maintained by the State Law Office.

▪ All businesses must register with the State Law Office

The fact that the State Law Office is already the single address for the registry of all businesses makes it an optimal candidate for a National Data Warehouse.

▪ Data exchanges occur intermittently, in bulk and with infrequent updates

Currently, the State Law Office has a data sharing process that is different with each partner ministry it shares with. There is no standardization, nor expectation of currency.

Conclusions

▪ Corporate registry may be an ideal NDW candidate

The State Law Office seems a well-positioned option for this entity type.

▪ Lack of universal and real-time coordination with other repositories leaves room for fraud and manipulation

A mature data warehouse will not only share data, but will do so in real-time, with extraordinarily high uptime expectations and on a transactional basis per record requirement. Data from the State Law Office is currently being shared from this system, but in an intermittent fashion, in bulk and with infrequent updates. Each of these characteristics yields a vulnerability leaving room for fraud and manipulation.

4.3 Preventing Redundant Systems

The third key focus area concerns preventing redundant systems across ministries. Each ministry currently introduces new systems for its own purposes without awareness of redundant systems which may be owned by other ministries. To prevent multiple redundant systems, we need to look into two major areas. One area regards information redundancy and silos in Kenya e-government. Each ministry should maintain its own status as to what it keeps in its information system and what data it might require from other ministries. The second area regards the processes required to access and exchange information across ministries.

The following are findings and conclusions in two categories.

Information Redundancy and silos


Findings

▪ Physical sources are distributed across ministries and districts and are redundantly archived

Investigating registration processes in Passport, National ID and Birth Certification, we found that each ministry collects information separately and stores it in its own data storage, sometimes in cabinets or on book shelves as paper documents.

▪ No legislation to enforce single repositories and sharing of data

There is no enforced policy which prevents creating information systems that contain identical or nearly identical data as other ministries' systems, nor is there a policy to encourage sharing information across ministries by using a single repository if the information is already collected and stored by another ministry.

▪ IPRS can be used to verify national ID and name, but is not used exclusively

The Ministry of Immigration could refer to IPRS data to verify national ID and name during the passport registration process, but it is not used consistently.

▪ No system catalogue exists to identify information type, location or points of contact to verify redundancy

To identify which information is kept by e-Government and where the information is stored, the e-Government Directorate will have to build an information catalogue to provide information type, location or points of contact for all data systems. Currently Kenya does not have such an information catalogue to refer to, so ministries cannot be aware of information redundancies.

Conclusions

▪ Finding correct information is time-consuming

Even if Kenyan e-Government initiatives have enough data to use, it requires a huge effort and significant time to identify correct information because of the difficulty in querying and verifying which information is correct between several copies across ministries.

▪ Ministries operate inefficiently with duplicate information collected, often with the same purpose

Whenever citizens submit a form to a ministry, they have to provide the same information and the ministry collects it multiple times. But information such as National ID, name, address and other mandatory identification attributes doesn’t need to be collected multiple times if it has already been collected and stored by any other ministry. As a result of duplicated information collection, ministries do not operate in an efficient way.

▪ Resources are invested in multiple projects to build same information repository

Kenyan e-Government is on a path towards achieving Kenya Vision 2030 with a strategic deployment plan for a series of projects, but resources will be invested in multiple projects to build identical information repositories unless there is a policy of preventing information redundancy.

▪ To prevent ministries from initiating redundant stores, legal enforcement is required

There is a strong requirement to drive ministries to share information and not to create redundant data stores; however, it cannot be deployed without legal enforcement affecting all ministries. To prevent ministries from initiating redundant stores, appropriate legislation should be in place.

Seamless process, digitized information

Findings

▪ Current lack of digitized information

Un-digitized information constitutes the majority of information in current Kenya Government holdings. To escape from manual collection and exchange of information, digitization of information is the top priority initiative to accomplish. Once information is digitized and stored in electronic form, Kenya e-Government can deploy sharing environments to each ministry and enforce ministries' use thereof to prevent the creation of redundant information systems.

▪ Requests for information between ministries are manual, often on paper

Information across ministries can be exchanged and verified by any ministry, but the exchange is conducted manually, often on paper. This means it takes a long time to get a response and increases the chances of errors.

▪ Procurements for new systems are de-centralized, not under common control

Whenever a ministry wants to introduce a new information system, it has to be checked whether the information intended for collection is duplicated or exists already, by controlling new procurement via a centralized process. Currently, there is no specific process or organization which can manage procurement across ministries as a centre of control.

▪ Information searching processes are manual and ad hoc to the individual doing the searching

Many ministries have their own way to seek information and verify it. The method of searching for information relies on personal decisions in a manual and ad hoc fashion rather than following a defined process.

Conclusions

▪ Information cannot be searched exhaustively or verified definitively due to dispersion and paper format

Documents can be kept in paper form for the purpose of archiving an original, but they must be digitized to get the full benefit of proper data access, rapid work process and correct information.

▪ Lots of information unused because awaiting digitization

As regards its utilization, un-digitized information is the biggest existing barrier to achieving Kenya e-Government goals. As mentioned in Kenya e-Government plans, all information should be digitized first in order to maximize information sharing.

▪ Less opportunity to leverage core information across ministry

With limited information which can be referred to across ministries, opportunities to leverage core information might be lost. For example, if personal citizen information covering various domains is collected by different ministries and stored in a single repository in a digitized format, a ministry may verify or identify a person in multiple views with less effort.

▪ Dependencies on individual officers rather than a defined process

Many ministries have their own way to seek information and verify it, but the method of searching for information relies on personal decisions in a manual and ad hoc way rather than a defined process. For a newly hired officer, it takes time to acquire knowledge as to how to access correct information, and there exists a large risk of mistakes in handling information during processing without the correct awareness as to how to treat sensitive data.

4.4 Public Ownership of Public Data

Shifting from data ownership to data stewardship

Findings

▪ Currently, there is insufficient legislation in place that states who owns which data, who should act as data steward or how public data should be shared. The Kenya Constitution mainly focuses on protecting privacy (section 31c). The Kenya Communications Act 2009 does not detail data stewardship or sharing processes. It only states that data should be accessible for subsequent reference (section 83G(b)).
▪ Each department creates their own Acts and processes to collect the data they require. As a result, there is opacity of what acts are in place and what processes should be followed.
▪ There are no legal principles in place confirming public ownership or government stewardship of public data

Conclusions

▪ Ownership is asserted in such a way that it inhibits collaboration and information sharing. Individual departments are not encouraged in any way to share information between each other or with the public.
▪ It is a time-consuming effort to identify structures around data governance: what information already exists where and in what format, who is monitoring the quality of this information and what the information can be used for.


Facilitating re-use of public sector information

Findings

▪ Generally, the ministry or department that captures the data keeps the data. Data that has already been captured is not reused across different ministries or departments. As a result, citizens are asked to provide the same information multiple times.
▪ The public has no transparency about what data is stored where or how to access it. Most data is kept physically on paper in the registration office where the data was submitted. There is no inventory or central registry on what data is stored where.

Conclusions

▪ Data is not being re-used in an optimal way. Its utility is not maximized, as data is only used directly for the purpose it was captured for. No further assessments are made on what additional value the data could bring to other government agencies, to partner agencies or to the public.

4.5 Definition of, access to and penalties for illegal access to private versus public data

The data kept by ministries can contain a wide range of information, some of which should be categorized as private and some of which can be used publicly; these categories should be set out in a standardized policy with a clear definition of the permission needed to access the data. With a clear definition of private and public data, Kenya e-Government should guarantee citizens protected public access to data, applying different levels of access depending on the classification of the data. To apply this policy in Kenya e-Government, the definitions of private and public data should be put in place, the level of access for private and public data should be specified, and the penalties for illegal access to data should be set out in legislation to enforce the policy.

Definition of private, public data

Findings

▪ No definition, distinction or classification of PII (Personally identifying information, e.g. National ID, name, birth date), Sensitive data (e.g. medical history), Public data (e.g. aggregate statistical data)

Some data should be kept protected, such as personally identifying information including national ID, name and birth date, and some information, such as medical history, should be handled as private. Other information, such as aggregate statistical data, should be shared and used for public purposes. Currently Kenya e-Government has no definition, distinction or classification of these three different types of data.

Conclusions

▪ Unclear categories yield coarse-grained data controls which can allow illegal access to the data

Lack of definition of data could allow illegal access to the data because there are no clear categories with which to limit access at a fine-grained level.

▪ Increased difficulty and inconsistent standards when applying legal policy for different classification levels of data

Even where a legal policy is in place, it is difficult to enforce it against a particular illegal access when the classification level of the data is unclear, and this causes inconsistent standards.
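The fine-grained, category-based control that these conclusions call for can be sketched in code. The following is an added illustration, not part of the original report: the field names, roles and exigent-circumstances rule are hypothetical, and only the three categories (PII, sensitive, public) come from the findings above.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    PUBLIC = "public"        # report's example: aggregate statistical data
    PII = "pii"              # report's examples: National ID, name, birth date
    SENSITIVE = "sensitive"  # report's example: medical history


# Central classification map (hypothetical field names). Every subscribing
# system reads the same map instead of each ministry deciding on its own.
# Treating registration_district as public is an assumption for illustration.
FIELD_CATEGORY = {
    "national_id": Category.PII,
    "name": Category.PII,
    "birth_date": Category.PII,
    "medical_history": Category.SENSITIVE,
    "registration_district": Category.PUBLIC,
}

# Hypothetical roles and the categories each may read in normal operation.
ROLE_READS = {
    "public_portal": {Category.PUBLIC},
    "registration_officer": {Category.PUBLIC, Category.PII},
    "medical_officer": {Category.PUBLIC, Category.PII, Category.SENSITIVE},
}

# Categories a role may additionally read when it states an exigent reason.
EXIGENT_READS = {
    "registration_officer": {Category.SENSITIVE},
}


@dataclass
class AuditLog:
    """Append-only list of (user, role, field, decision, reason) tuples."""
    entries: list = field(default_factory=list)

    def record(self, user, role, field_name, decision, reason=""):
        self.entries.append((user, role, field_name, decision, reason))

    def decisions(self, decision):
        return [e for e in self.entries if e[3] == decision]


def release_record(record, user, role, audit, exigent_reason=""):
    """Return only the fields this role may see; log every decision."""
    allowed = ROLE_READS.get(role, set())  # unknown role: nothing allowed
    exigent = EXIGENT_READS.get(role, set()) if exigent_reason else set()
    view = {}
    for name, value in record.items():
        category = FIELD_CATEGORY.get(name)
        if category is None:
            # Fail closed: a field nobody classified is never released.
            audit.record(user, role, name, "deny-unclassified")
        elif category in allowed:
            view[name] = value
            audit.record(user, role, name, "allow")
        elif category in exigent:
            # The exception is granted, but the stated reason is kept
            # so that an auditor can review it afterwards.
            view[name] = value
            audit.record(user, role, name, "allow-exigent", exigent_reason)
        else:
            audit.record(user, role, name, "deny")
    return view


# Constructed sample record; none of these values are real data.
SAMPLE_RECORD = {
    "national_id": "00000000",
    "name": "Constructed Person",
    "birth_date": "1990-01-01",
    "medical_history": "constructed entry",
    "registration_district": "Nyeri",
    "officer_notes": "constructed free text",  # absent from the central map
}


def demo():
    audit = AuditLog()
    views = {
        "portal": release_record(SAMPLE_RECORD, "u1", "public_portal", audit),
        "officer": release_record(
            SAMPLE_RECORD, "u2", "registration_officer", audit),
        "officer_exigent": release_record(
            SAMPLE_RECORD, "u2", "registration_officer", audit,
            exigent_reason="court order (constructed)"),
    }
    return views, audit


if __name__ == "__main__":
    views, audit = demo()
    for label, view in views.items():
        print(label, sorted(view))
    print(len(audit.entries), "audit entries")
```

Because every decision, including each denial, is written to the log, the same structure also supplies the evidence an auditing authority would need to check that access rules are applied consistently.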

Access Control to data

Findings

▪ In electronic systems, access controls are role-based (boundary) by user, but manual systems have only physical access controls

In the Ministry of Immigration, an officer's access in the electronic environment is controlled by his or her role or boundary, but in many ministries access control is physical, so that any officer who has permission to enter the office can access any information in it.

▪ Lack of consistent business conduct guidelines

Consistent business conduct guidelines are very important for ensuring that officers follow a defined process. In many offices, officers were not aware of the business conduct guidelines and penalties.

▪ Access education is only given at hire

Many ministry offices keep information in paper form, and officers are trained only at hire. In most Kenyan ministry offices there is no defined regular education process. Regular updates on business conduct guidelines or access policy should be delivered through education.

▪ Lack of any defined protocol for citizen access to personal data

Kenyan citizens were not aware of their right of access to their data, and in most ministries there is no way to submit a request. Access to personal data is a citizen's right and government should provide a way to exercise it.

Conclusions

▪ Departments are reluctant to share data without legal protection for third party misuse of data

Without a clear definition of access control for data, ministries do not have confidence that they can secure data against illegal access and misuse. Therefore data sharing between ministries and with other third parties which require it cannot be activated and enforced. Legal policy should be in place to encourage a data sharing culture and to protect data from misuse.

▪ Citizens unaware of rights to access their own data, and have no process by which to exercise those rights

Citizens' right to access personal data and public data should be defined in legislation to make sure that every ministry opens access to data for citizens. Kenya e-government should also deploy a proper process for requesting data and provide a method of access, so that citizens can use their data at any time by the proper method.

Penalties for illegal access to data

Findings

▪ Existing relevant legislation, such as KCA 2009 83U and 83V, is not widely observed by agencies

Penalties for illegal access to data are defined in relevant Kenyan legislation, such as KCA 2009 83U and 83V, but only a few ministry managers are aware of it, so it has not been widely observed.

▪ Identified violations are handled in an ad hoc fashion, with varying penalties

Even though some violations or illegal access are covered by legal policy, it is not consistently applied in the working environment. Sometimes it is handled in an ad hoc fashion, with varying penalties set by the director who is in charge of managing officers. A common rule for applying legal policy should be mandated by legislation, and ministries should observe it.

Conclusions

▪ Unenforced penalties increase the risk of illegal access and inconsistent policies reduce the deterrent effect of penalties

Penalties alone cannot prevent illegal access, but illegal access could be reduced by increasing awareness of legal penalties and enforcing them under consistent rules.

▪ Poor application makes corruption in parallel processes more likely

4.6 Security of public data

Authority to require adherence to a common data security standard, including audit

Authority to require adherence to a common data security standard


Findings

▪ There is no uniform mechanism in Kenya to protect public data.

Many countries have mechanisms in place such as Security Standards and guidelines to protect public data. Based on our research we found that in Kenya, there are no security standards in place to protect public data that can be adhered to uniformly.

▪ Unlike many countries, Kenya has no legislation in place on protection of data

Kenya Communications Act subsection 83R(d) seems to provide a mandate for data protection: “control of the processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments”. But the scope is too restrictive as the requirement is found in a section regarding regulation of e-Signatures, and is universally ignored.

▪ Each agency has its respective IT department implementing their own standards for securing public data

Each IT department from each respective agency may or may not create their own set of standards for securing public data. This has created an environment where the same data is being secured across agencies with diverse and ad-hoc practices. Such practices then act as obstacles when attempts are made to share data across ministries.

▪ Data sharing happens manually and ad hoc through the exchange of CD-ROMs, paper copies etc.

After conducting research across different ministries, we found that data sharing occurs in an ad-hoc fashion. This occurs using unsecured mediums such as CD-ROMs, paper copies, memory sticks etc.

▪ Kenya has no universal formal training procedure in place for staff members on security practices and/or guidelines.

Training for new hires on security practices and/or guidelines must be put in place. This training must be made mandatory for all new employees. There must also be mandatory recurring training on security guidelines for all employees.

Conclusions ▪ Different standards for securing public data with varied security levels risks compromised security at all times

Security standards need to be uniformly adopted and implemented across the board agencies or departments. Having such varied standards of security compromises public data ▪ Manual sharing of public data through unofficial processes could lead to release of private data, violating the Kenyan Constitution

Sharing of public data through unsecured mediums can make such public data susceptible to accidental release

Auditing

Findings

▪ No auditing practice exists currently

Based on our research, we found that there is no practice of security audits and/or evaluation. System-by-system, application-by-application auditing and/or evaluation practices need to be implemented and executed regularly.

▪ Ad hoc auditing takes place within the supervision chain of system owners

Auditing and/or evaluation of processes in agencies takes place within the supervision chain of system owners. This produces biased results and does not guarantee fair evaluation by auditing across the agency.

Conclusions

▪ In the absence of universal auditing, processes cannot adhere to proper standards and security violations might go unnoticed

With no universal auditing practices in place, processes with improper standards will continue to be executed within agencies. With no auditing checks, security violations such as release of sensitive data or unauthorized access may go unnoticed.

▪ The absence of checks could promote misuse or misappropriation of highly sensitive data

No policies are in place to counter-check the processes that could lead to misuse or misappropriation of sensitive data.

5. Recommendations

5.1 Standard Keys

The key recommendation regarding standard keys is the government’s need to require adherence to standard data formats.

Key Principle 1. Adopt shared formats

These formats must first be adopted, possibly in the form of an electronic Government Interoperability Framework (e-GIF) or Data Reference Model (DRM) which designates shared keys and standard models for each of the core entity types. Many open standards already exist, almost all of them XML-based, that can be adopted or customized to minimize the resource requirement of this task.

If Kenya is interested in not just modernizing these systems but becoming a leader in the field, the most advanced edge of innovation in this area is cancelable identifiers. These identifiers use surrogate keys to minimize the impact of compromise. A surrogate key, which combines your actual national identifier with some sort of personal code or PIN using a standard hashing algorithm, can be used for all transactions, with the real identifier only being exposed in the back-end system for verification, but not deposited in every data repository. In the case of a compromise, the PIN can be re-issued without changing the actual identifier. This will change the surrogate key, and the illegal possessor of the original hash value now has a worthless commodity. This is currently the practice in South Korea, and there are a few other forward-looking countries that are moving in this direction.

The following is a sample best practice of e-Government in the Netherlands.

• Citizen Service Numbers (CSN) and Chamber of Commerce Numbers (CCN) are used for data exchange and searches in the Key Register of Persons (MPRD) or Key Commercial Register

The following is a sample best practice of e-Government in South Korea.

• A central authority can issue, cancel and re-issue surrogate keys to identify individuals.
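
The cancelable-identifier scheme described under Key Principle 1, sketched as an added example (not code from this report or from any national system): a central authority issues, cancels and re-issues surrogate keys while agencies store only the surrogate. The class and method names and the sample identifier are hypothetical, and HMAC-SHA256 under an authority-held secret is an assumption standing in for the "standard hashing algorithm", because a bare hash of a short identifier and a short PIN can be reversed by enumeration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


class SurrogateKeyAuthority:
    """Hypothetical central authority: the only system that stores real identifiers."""

    def __init__(self, authority_secret: bytes) -> None:
        if len(authority_secret) < 16:
            raise ValueError("authority secret must be at least 16 bytes")
        self._secret = authority_secret
        self._active: Dict[str, str] = {}   # surrogate key -> national identifier
        self._current: Dict[str, str] = {}  # national identifier -> live surrogate
        self._revoked: Set[str] = set()     # cancelled surrogate keys

    def _derive(self, national_id: str, pin: str) -> str:
        # Assumption: keyed hash (HMAC-SHA256) rather than a bare hash.
        # Length prefixes keep ("12", "345") and ("123", "45") distinct.
        msg = f"{len(national_id)}:{national_id}|{len(pin)}:{pin}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def cancel(self, national_id: str) -> bool:
        """Revoke the live surrogate key, e.g. after a reported compromise."""
        old = self._current.pop(national_id, None)
        if old is None:
            return False
        del self._active[old]
        self._revoked.add(old)
        return True

    def issue(self, national_id: str) -> Tuple[str, str]:
        """Cancel any live key, then issue a new PIN and surrogate key."""
        self.cancel(national_id)
        while True:
            pin = f"{secrets.randbelow(10 ** 8):08d}"
            surrogate = self._derive(national_id, pin)
            # A repeated PIN would resurrect a revoked key, so draw again.
            if surrogate not in self._revoked:
                break
        self._active[surrogate] = national_id
        self._current[national_id] = surrogate
        return pin, surrogate

    def is_valid(self, surrogate: str) -> bool:
        """What an agency repository asks: is this surrogate key still live?"""
        return surrogate in self._active

    def confirm_holder(self, surrogate: str, pin: str) -> bool:
        """Check that the presenter knows the PIN behind a live surrogate key."""
        national_id = self._active.get(surrogate)
        if national_id is None:
            return False
        return hmac.compare_digest(self._derive(national_id, pin), surrogate)

    def resolve(self, surrogate: str) -> Optional[str]:
        """Back-end only: map a live surrogate key to the real identifier."""
        return self._active.get(surrogate)


if __name__ == "__main__":
    authority = SurrogateKeyAuthority(secrets.token_bytes(32))
    national_id = "ID-00012345"  # constructed sample value
    pin, key = authority.issue(national_id)
    print("agency stores:", key)
    print("live:", authority.is_valid(key))
    new_pin, new_key = authority.issue(national_id)  # re-issue after compromise
    print("old key live:", authority.is_valid(key))
    print("new key live:", authority.is_valid(new_key))
```

After a re-issue, every repository that holds the old surrogate key holds a value the authority rejects, while the national identifier itself never changed.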

Key Principle 2. Mandate compatibility

Once these standards are in place, compliance must be mandated. All existing systems will be required to be interoperable with data standards within a designated timeframe. This means they may not have to change their underlying data structures, a process which is akin to re-writing the system from scratch in many cases, but may instead opt to create a translation mapping layer which abstracts the representation of the true data structure into one that is compatible with the interoperability format. All newly procured systems, however, will be required to comply with data standards from their inception.

The following is a sample best practice of e-Government in the United Kingdom.

• The electronic Government Interoperability Framework (e-GIF) set the standard for many other countries, as adoption is mandatory for all public information systems

The following is a sample best practice of e-Government in the United States.

• The Director of the Office of Management and Budget is empowered to enforce standards for all government systems.

Key Principle 3. Designate an authority to update standards

While core data standards fields rarely change, it is still crucial to designate responsibility for their maintenance. This ensures expansion of the standard to unforeseen fields of value and controls for technological change.

The following is a sample best practice of European e-Government.

• Interoperability Solutions for European Public Administrations (ISA) created the European Interoperability Framework (EIF) to unify multiple governments; it is maintained by an identified committee from many member countries

Here is a link to sample legislation for the current focus area: Standard Keys

5.2 National Data Warehouses

Key Principle 1. Designate central repositories for all critical data holdings

Key to any effort to create National Data Warehouses is the ability to compel concentration or coordination of national data warehouses. This requires first designating central repositories for the critical data holdings for each selected entity type. This may be an existing system which is retrofitted to its new role as a national data warehouse, or it may be a newly founded system if no appropriate candidates are identified. Repositories may be located together with collector agencies or independent authorities.

The following is a sample best practice of e-Government in the United Kingdom.

• The same Act that protects personal data authorizes the development of data sharing practices in citizens’ interests

The following is a sample best practice of e-Government in South Korea.

• Cancellable identifiers are administered through a common verification authority

Key Principle 2. Authorize “authentic sources” as substitutes for paper documents

Once the repositories are designated, these new “authentic sources” should be authorized to serve as substitutes for paper documents, allowing the electronic representation to suffice. Agencies can be released from retaining paper photocopies of national identity documents when all such information can be referenced from their centralized data warehouse.

The following is a sample best practice of e-Government in Spain.

• The Identity and Residence Verification Systems (IRDVS) provides electronic verification of all identity documents, eliminating the need for paper

Key Principle 3. Incent participation through centralized verification services

Finally, the national data warehouse must be properly equipped to deal with all of the systems that will now be relying on it for centralized information, which means it must be equipped with a variety of methods constituting a robust Application Programming Interface in order to incent the participation of all of the other consulting systems.

The following is a sample best practice of e-Government in Belgium.

• Citizens can refuse requests for data details already held in “authentic source systems” such as the National Register (for individuals) or the Crossroads Bank for Enterprise

The following is a sample best practice of e-Government in Denmark.

• The Det Centrale Personregister has been the central source for citizen data since 1968

Here is a link to sample legislation for the current focus area: National Data Warehouses

5.3 Preventing Redundant Systems

By preventing redundancy among ministry systems, Kenyan e-Government can eliminate duplicate collection and storage.

Key Principle 1. Share information across ministries and prohibit redundant digital data

▪ Any administrative information that government agencies collect or retain needs to be used by other government agencies and others, and if trusted government information can be provided, ministries should not be collecting the information independently.

The following is a sample best practice of e-Government from Korea.

• KR e-Government Law No. 10303, Chapter 4, details the sharing of administrative information. Article 36 governs the administration, efficient management and use of information

Key Principle 2. Integrated registry of information systems

▪ Ministries must register the type and extent of information they collect and provide points of contact for those collections
▪ Ministries which cannot share data directly must provide methods by which the information can be integrated with other ministries

The following is a sample best practice of e-Government from Korea.

• In a KR e-Government case, with the integration of information resources, USD 100 million in equipment replacement costs were saved between 2009 and 2010. An additional USD 400 million is expected to be saved by 2014.

Key Principle 3. Organizational structures to plan, manage, and control data across government

▪ A role for a central decision-making body must be designated to promote sharing strategy, enforce policies through approval and budgets, and resolve conflicts
▪ The organizational structure should be placed in the e-Government directorate in order to sit across ministries and agencies.

The following are sample best practices of e-Government from the United Kingdom, the United States and Korea.

• In UK, MOI (Ministry of Information) is the organization for the information subject area.
• In US, OIRA (Office of Information and Regulatory Affairs)
• In KR, MOPAS (Ministry of Public Administration and Security)

Here is a link to sample legislation for the current focus area: Preventing Redundant Systems

5.4 Public Ownership of Public Data

Public data is owned by the people of Kenya

Key Principle 1. Data is available to the widest range of users for the widest range of purposes

▪ Data should be usable for purposes it was not originally captured for
▪ Involve citizens to make sense of data
▪ Encourage transparency, participation and collaboration

• In the US, the Open Government Directive was established in 2009 to give government agencies a 120-day deadline for implementation of transparency, participation and collaboration in their practices. Required actions include 1) Publish government information online, 2) Improve the quality of government information, 3) Create and institutionalize a culture of Open Government and 4) Create an enabling policy framework for Open Government.
• In the UK, an interactive portal (data.gov.uk) exists where citizens are asked to come up with innovative ideas on how they could use public data sets. Citizens can develop their own mobile applications, or can get in touch with a developer. Over 5600 datasets and 100 applications are published and freely available through the website.

Here is a link to sample legislation for the current focus area: Public Ownership of Public Data

Source: data.gov.uk homepage and List of top 5 applications based on user rating (dd. 14th March 2011)

5.5 Definition of, access to and penalties for illegal access to private versus public data

By defining private versus public data, determining access to it and setting penalties for illegal access, Kenyan e-Government can categorize data appropriately to maximize proper protection and access.

Key Principle 1. Clear definition and classification of private and public data

▪ The authority to define private and public data should be clearly stated in legislation
▪ All definition and classification should be unified across ministries, preferably tied to a data standard.

The following are sample best practices from the United States and United Kingdom.

• In US, FEA DRM (Data Reference Model) categorizes government information at a detailed level with privacy designation.
• In UK, e-GIF (e-Government Interoperability Framework) sets out the government's technical policies and standard data categories.

Key Principle 2. Accessibility for authorized data

▪ Access to citizen information held by public institutions should be governed uniformly by data category
▪ Authority to determine appropriate access (e.g. national security, statistical) should be declared in an Act
▪ Individuals should be guaranteed access to data about them

The following are sample best practices from Finland, Canada and United States

• In FI, Personal Data Act - section 26 - Right of Access
• In Canada, Privacy Act - Access to Personal Information - Right of Access
• In US, under FOIA, an individual has access to the information the government holds

Key Principle 3. Exclusively defined penalties and enforcement role

▪ Penalties for illegal access should be specified once and applied broadly
▪ An independent enforcement role with authority to carry out penalties must be defined

The following are sample best practices from Finland and Korea

• In FI, Personal Data Act, chapter 38, section 9
• In KR, Act on the Protection of Personal Information Chapter 5

Here is a link to sample legislation for the current focus area: Definition of, access to and penalties for illegal access to private versus public data

5.6 Security of public data

Authority to require adherence to a common data security standard, including audit

Key Principle 1. Control policies owned, supported and practiced to address risks

▪ Management, Operator and Technical control policies are the foundations of an information security risk management program.
▪ Policies are necessary to define risk management requirements that help make reasonable and appropriate risk management decisions.
▪ In many countries, samples…

• In US, State of Minnesota, Enterprise Security Control Policies
• In EU, Regulation (EC) No 45/2001 defines particular measures to prevent unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration

Key Principle 2. Utilize uniform standards of protection and encryption

▪ Standards should govern data acquisition, storage and disposition, e.g. data erasure
▪ Security solutions are required to offer strong protection against tampering and unauthorized access
▪ In many countries, samples…

• In UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies.

Key Principle 3. Independent auditing required

▪ Independent chains of command to guarantee adherence
▪ Private auditing firms to be given authority to conduct complete auditing practices
▪ In many countries, samples…

• In US, FISMA (Federal Information Security Management Act) establishes security guidelines that federal agencies must adhere to.
• Agencies are graded on results from FISMA compliance auditing

Here is a link to sample legislation for the current focus area: Security of public data

5.7 Global Best Practices on Mobile Applications

1. Expanding legal definitions to include expanded methods of access

▪ Include different types of electronic devices in definitions for existing and future legislation
  • e.g. mobile phones, laptops, smart-phones, etc.
▪ Classical definitions in communications act legislation may miss new mobile devices

2. New type of info about people (location and personal preference)

▪ Collection of information about an individual now includes more categories than are historically protected in legislation
▪ Global Best Practice from Korea: No person may collect, use, or provide the location information of a person or mobile object without the consent of the person or the owner of the object (KR act on the protection, use, etc. of location information). (Exceptions apply when the information is to be used for emergency rescue/relief purposes.)
▪ Global Best Practice from Korea: A subject of personal location information may withdraw his/her consent for part of the scope of the collection of personal location information and the terms and conditions, when he/she has given consent under the above point

3. Structures required to allow applications that need authorization or verification down to mobile devices for conducting any government business

▪ Processes to verify identity for individual authorization from mobile devices
▪ Step-by-step procedure in place to conduct transactions securely using these mobile devices
▪ Mobile e-Signature to satisfy the same legal requirements as a handwritten signature.
▪ GBP: Directive 1999/93/EC of the EU establishes a legal framework for e-Signature and certification services. The main provision of the Directive states that an advanced electronic signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidence in legal proceedings.

6. Implementation Action Plan

6.1 Implementation Strategy Summary

In addition to the more detailed coverage of each of our focus areas, there are some overriding strategy points that may affect how the legislative foundation for these initiatives is laid.

The two methods of obtaining new authority are legislation and regulation. In most countries and legal codes, the grounds for government action are first found in the Constitution, the authority and responsibility to act within a certain realm is then enshrined in legislation, and the actual implementation details, which may require more nimble change than can be achieved with a legislative process, are promulgated in regulation. This hierarchy also implies the staying power of each of the vehicles, with the Constitution being very difficult to amend, legislation only canceled by other amending legislation or by a Constitutional challenge, and regulation being vulnerable to Constitutional challenges, legislative challenge or the changed priorities or attitudes of the regulating body. Therefore, well-grounded legislation that authorizes robust regulation would seem to be the best option. However, there are mitigating factors, namely that the legislative process is currently overwhelmed and can be very slow even under the best of conditions. Regulations have much less oversight and can be put into place almost immediately, as soon as they can be published in a gazette. However, for the most sustainable change, it may be worthwhile to take full advantage of the current legislative push precipitated by the passage of the new Constitution and leading up to elections in 2012, which may create a unique opportunity for authorizing e-Government legislation.

Even if legislation is pursued, it may be pursued either in a large, all-encompassing “big bang” style bill, or through a series of smaller acts or amendments to existing acts. We cannot handicap the likely success of these two strategies, but it is important to note that the various components and key principles do have positive and negative synergies, which can be realized if the principles are legislated together and harmonized, or suffered if the legislation is done in an uncoordinated or piecemeal fashion. For example, putting into place a Freedom of Information Act without implementing National Data Warehouses will create a large bureaucracy devoted to manually searching hard copy documents, which will consume massive amounts of legal and administrative resources. As indicated earlier, passing the draft Data Protection Act without modifications could prohibit the assignment of uniform unique identifiers (shared keys) unless specific exception is made. Prohibiting Redundant Systems without establishing method-rich National Data Warehouses will force remote verification onto systems which are not yet prepared for those purposes, lacking the APIs or sufficient infrastructure to respond to an increased volume of requests, or might freeze existing efforts to digitize for those enterprises who are not confident that the National Data Warehouse can sufficiently support their application. Data Privacy restrictions can be construed to prohibit agency sharing if not harmonized, as occurred in Italy, where although an interoperability framework was adopted, the privacy law prevented government systems from actually interoperating. Overall, synchronization and harmonization of the various e-Government initiatives is a crucial strategic concern.

One consistent finding across all of our research was that, as much as the various government information systems are stove-piped and siloed, the governing legislation for the ministries is also separate. Legal requirements that are intended to affect the whole of government but are buried in “other ministries’” acts are ignored out of ignorance or deemed irrelevance. Very few cross-cutting acts exist today. It is essential that e-Government is seen as a global government initiative from whose stipulations no agencies are able to defer. A good counterexample of an act that all agencies do respect is the Public Officers Ethics Act, and e-Government should be seen in the same light or it risks failure.

Although our report does not concentrate on public service delivery, some of the service implementations do have legal elements. The most prominent of these is that authority should be granted for flexibility of implementation in e-Government services, including authorizing public-public and public-private partnerships. Public-Public partnerships would include offering services from diverse ministries, governed by a variety of acts and a multitude of processes, through a single portal, leveraging common authentication, sharing common data, and generally streamlining the citizen experience. Public-Private partnerships involve broadly expanding the access points to government services by authorizing the extension of agency powers to Post Offices, Banks, or other commercial enterprises with wide geographic reach. These commercial establishments would serve as e-Government kiosks and could engage in some other limited processes, such as delivering hard-copy documents.

6.2 Quick wins

Quick Wins are implementation actions that meet the following criteria:

▪ Can be initiated immediately
▪ Can be completed within six months
▪ Will generate high value

The Quick Win recommendations below consist of legislative changes and business changes.

Kenya is currently going through a full legal review process following the establishment of the new Constitution in August. It is strongly recommended that the amendments to legislation listed below be part of this review process and go through parliamentary approval along with other new or adapted legislation.

1. Assign a strong mandate to the e-Government Directorate

Without a strong legal mandate in place, the e-Government Directorate cannot obtain the authority across the different ministries that it requires and that is demanded.

▪ Amend current authorities in the Kenya Communications Act.

KCA Section 83S 2a states that “The Minister may, (…), by regulations prescribe :- (a) the manner and format in which such electronic records shall be filed, created or used;”

This authority should be transferred from the Minister (i.e. the Minister of Information and Communications) to the Director of e-Government to allow for authority across ministries. Required amendment:

• e-Government Directorate will have the authority to determine standard keys

▪ Include in new legislation, e.g. Freedom of Information Act (FOIA) or Data Protection Act:

• e-Government Directorate will have the authority to constitute new National Data Warehouses
• e-Government Directorate will have authority to enforce criteria for the procurement of new government information systems
• e-Government Directorate will have authority to determine appropriate access rights to government-held data
• e-Government Directorate will have the authority to determine, enforce and audit government data security standards

2. Define the data entity types and designate standard keys and central repositories

A primary action of the e-Government Directorate is to define the core data entity types and establish this in legislation.

▪ Include in the Data Protection Act, e.g. Definitions section:

• Distinction between public, private and sensitive data

▪ Include in new legislation, e.g. Freedom of Information Act (FOIA) or Data Protection Act:

• Define core data entity types (e.g. people, land, business) and designate standard keys (e.g. PIN)
• All existing systems and all newly procured systems are interoperable with the standard keys designated for the data entity types that they contain

▪ Per data entity type, define the fields, format and sensitivity level. This would prevent different agencies from capturing the same information under a different field name or in a different format. For example, forms exist where the applicant is asked for Community, Tribe, Ethnical Background, and Race. As another example, for the core data entity type “People”, a field would be “Date of Birth” in format “dd-mm-yyyy” and designated as private data.
▪ Designate systems to serve as central repositories for each data asset. Each core data entity type requires its own designated repository.

3. Reduce redundancy

▪ Make an inventory of data and systems across ministries. Within a set number of days, ministries and agencies should report what data they capture and what system (manual or electronic) is used to store the data.
▪ Include in new legislation, e.g. Freedom of Information Act (FOIA) or Data Protection Act:

• Prevent collecting or storing data if the data already exists elsewhere. Prohibit duplicate data sources.

▪ Pilot centralization efforts for a selected region and selected function (e.g. Birth Registration in Nairobi). Start with a function that is mostly siloed and decentralized, and clearly define the scope and timeline of the pilot. This pilot can then serve as the example, showing the transformation from worst-case to best-in-class. The experience and learning should be captured and rolled out to other regions and functions.

4. Establish authority and platform for public data availability

▪ Include in new legislation, e.g. Freedom of Information Act (FOIA) or Data Protection Act:

• Establish government officials as data stewards
• Protect the agency that made data public against any misuse of the data, but penalise the party that misuses the data
• The authentic source of data in a NDW can replace paper documents
• Mandate agencies to make public data available
• Individuals should be guaranteed access to data about them

▪ Create a pilot website where selected key public data sets are published. Take data sets that are already readily available in electronic format.

5. Establish the basis for public-private partnerships

▪ Include in new legislation, e.g. Freedom of Information Act (FOIA) or Data Protection Act:

• Allow private organisations to participate in providing government services
• Statement on how mobile phones or other new technologies may be used to access public data

▪ Create a pilot website where the public is encouraged to come up with ideas for data usage. Link this to the website where key public data sets are published (see previous section above). Allow for discussion forums, rating of ideas and implementation of the ideas into usable applications.

6.3 Long Term Roadmap

The Long Term Roadmap contains implementation actions that meet the following criteria: ▪ Can be initiated within six months to a year ▪ Can be an evolving process for the years to come ▪ Will generate high value of return

The following points describe the long term roadmap for the specified focus areas:

0. General:

▪ Evolve past ministry-specific acts

In our research, it was determined that every ministry has its own act which it tends to follow. As a result, there is no uniformity across the ministries, as each ministry follows its own set of principles.

▪ Create government-wide acts

Because several acts exist across ministries, there is a dire need for a uniform, universal act that is followed across all ministries. Hence, new acts must be regarded as universal.

▪ Establish an e-Government Advisory Group

Create an advisory group comprising bureaucrats who are also e-Government experts with high levels of experience and dedication. This group will be responsible for prioritizing e-Government projects for fast track implementation, and for preparing a list of legal changes necessary for smooth implementation.

The organization of such a group can be used as a tool for better coordination among e-Government projects and faster e-Government policy implementation.

▪ Implement new regulation across ministries

Once ministry-specific acts have been removed and old acts have been made obsolete, a new regulation across ministries can be implemented which will promote adoption of one universal act.

1. Standard Keys:

▪ There is no long term roadmap as such for the standard keys focus area.

2. National Data Warehouses:

▪ Establish IPRS as the central NDW for Citizen Registry

Set up Integrated Population Registration Services (IPRS) as the central National Data Warehouse for citizen registry purposes. IPRS collects data regarding citizens from different systems. To avoid redundant collection of the same pieces of citizen information, IPRS can suitably serve as a central data warehouse from which different ministries or agencies obtain citizen information.

Once IPRS is deployed as a National Data Warehouse, data can then be shared with the Kenya Revenue Authority, Kenya National Bureau of Statistics, Interim Independent Electoral Commission of Kenya, National Social Security Fund and security forces.

▪ Move Adoptions and Marriages registry from State Law office to National Registration Bureau

The Adoptions and Marriages database is not related to the core business of the State Law office and should be moved to the National Registration Bureau, where its function aligns with existing lines of business.

▪ Collect data into central repositories with synchronization or update policies

Collection of data from different sources should leverage the systems inventory conducted across government, should emphasize go-forward data and then gradually absorb legacy data, and should impose data quality standards as it ingests new sources.

▪ Establish electronic verification methods that link into the NDW


o Electronic methods must be set up that can be used for verifying data against the National Data Warehouses. A rich and secure Application Programming Interface is crucial to successful adoption of a National Data Warehouse.

3. Preventing Redundant Systems:

▪ Digitize information

In conducting our research, we found that large amounts of data exist on paper. Birth and Death registration, National ID registration, immigration and customs records from several years all reside on paper. As a result, all respective agencies hold years and years of archived citizen data. To further streamline the collection of data in future and enable easier sharing of data that has been collected previously, data that is available on paper must be stored digitally rather than as paper records.

This practice of digitizing information should be initiated in a segmented fashion. In other words, all paper data from a specific agency can be taken and converted into digital records. This avoids having all national data within the country undergo a major overhaul from analog into digital data all at once.

4. Public Ownership of Public Data

▪ Establish a Center of Excellence for data stewardship

Setting up a Centre of Excellence in data stewardship will be essential. Once put in place, this centre of excellence can be used for directing agencies in governing, collecting, managing, storing and distributing data.

▪ Build partnerships with, for example, Postal Corporation Kenya and Digital Villages in providing government services

Public-private partnerships should be built with Post Offices and Digital Villages. These partnerships can result in Post offices and/or Digital Villages providing government services to citizens. Due to the vast availability of Post Offices and banks in remote areas across Kenya, access to government services will be much simpler. One of the key findings from our research was that Kenyan citizens have to travel for miles and miles to Nairobi to obtain government services. With such partnerships in place, Post offices and/or banks can act as e-Government kiosks and provide hard-copy documents.

5. Definition of, access to and penalties for illegal access to private versus public data

▪ Establish access control procedures for different data categories and let government officials sign these protocols

Access control procedures need to be established to govern whether access to data at different levels is granted or denied.

▪ Revise other acts that contain data access penalties and define cross-cutting penalties that apply to illegal access or use of data.

▪ Establish an independent party with authority to apply and enforce the defined penalties

The existence of an independent authorized party that applies and enforces the defined penalties for any illegal and/or unauthorized access of data is very important.

6. Security of Public data:

▪ Establish security guidelines that all agencies must adhere to

It is of utmost importance to establish a set of standard security guidelines that all agencies across the board adhere to. At the moment, all agencies may have their own security guidelines that they respectively adhere to. As a result, there is a possibility of data infringement and data fraud.


▪ Establish security solutions that offer strong protection against tampering and unauthorized access

Security solutions need to be established which prevent tampering and unauthorized access.

▪ Establish a risk management program that includes the following control policies:

o Management

o Technical

o Operator

Such policies are necessary to support the management of information risks in daily operations. They help people within the organization understand their day to day security responsibilities and the threats that could impact services, public health and safety, regulatory requirements, and government data.

The analysis of these controls can be used to identify operational risks, trends, areas of improvement, and changes. This will help identify emerging and recurring risks, and ways to mitigate new risks so that information assets are protected in a manner that is cost-effective and reduces the risk of unauthorized information disclosure, modification, or destruction, whether accidental or intentional.

▪ Establish auditing practices

Auditing practices define controls which reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that objectives will be achieved. These controls in all government computer systems will ensure effectiveness and efficiency of operations, reliability of reporting and compliance with the rules and regulations.

▪ Establish training procedures on security practices

Procedures need to be put in place to train employees on security practices. These procedures will ensure that members who work with government data on a day to day basis are aware of their responsibilities in protecting information and are adequately trained to fulfill those responsibilities.


7. Appendix 1. Sample legislations

7.1 Standard Keys

The United States Public Law 107/347 - e-Government Act of 2002 provides an excellent founding

infrastructure for standard keys and common data structures.

Section 207 (d) “(1) … the [Interagency Committee on Government Information] shall submit recommendations to the Director

on (A) the adoption of standards, which are open to the maximum extent feasible, to enable the organization and

categorization of Government information (i) in a way that is searchable electronically, including by searchable identifiers; and

(ii) in ways that are interoperable across agencies”

“(2) … the [Director of the Office of Management and Budget] shall issue policies (A) requiring that agencies use standards,

which are open to the maximum extent feasible, to enable the organization and categorization of Government information”

This provides the authority to the Office of Management and Budget to develop the open data standards,

allows the data standards themselves to be drawn up by a qualified committee and enacted as regulations,

and then names the specific party who has legal responsibility for ensuring that those standards are

enforced.

In South Korea, the Act on Promotion of Information and Communication Network Utilization and

Information Protection provides for other aspects of standards adoption.

Article 12 Construction of a System for the Joint Utilization of Information

“(1) The Government may advance the interoperability, standardization, and joint utilization of information

and communications networks to efficiently utilize the information and communications networks.… (3)

Presidential Decree shall stipulate requisite matters regarding promotion and support …”

Article 13 Projects for Promoting Utilization of Information and Communications Networks

“(1) Under conditions stipulated by Presidential Decree, the Minister of Information and Communication

may create and enact projects designed to facilitate the efficient use and distribution of technologies,

equipment, and applied services in order to facilitate information … use in the public and private sectors,

culture, and society as a whole, and end the information gap.”

This law also empowers the government authority to craft an interoperability framework but also gives the

option to fund a body to do so. Similarly, it allows the government to promulgate regulations requiring the

adoption of the interoperability framework, but gives a carrot and stick approach, conditioning financial

support on the adoption of the interoperability framework, but also allowing the government to fund projects

to encourage compliance. Finally, this law justifies all of these activities as necessary to end the information

gap.

7.2 National Data Warehouses

Spain’s order PRE/3949/2006 Verification System of Identity Data (Sistema de Verificacion de Datos de

Identidad) is instructive in terms of how to legally establish the National Data Warehouse.

Second: “…sets the date of operation of the Identity Data Verification System … from which it cannot be

required by the Central Government or the agencies that link or are dependent on the provision of copies


of the Document National Identity Card or the documents proving the identity of foreigners resident in

Spain or equivalent card…”

First Annex: “Identity Data Verification System is made available to the departments and agencies of the

State Administration by the Ministry of Public Administration as a horizontal service for consultation and

verification of data from the Citizen Identification Documents in custody of General Directorate of Police and

Civil Guard”

Third Annex, Part 1: “Access to Data System Identity Verification will be … established for any public body

This order establishes the authority to consolidate identity data and assigns it to a central authority, and then defines the data sources which are compelled to participate in the National Data Warehouse by force of law. In order to ensure that the National Data Warehouse is up to the task, minimum standards are set as to the security, availability, access methods and confidentiality of the centralized data. And finally, the law requires the acceptance of records in the central data repository in lieu of photocopied documents.

In the United Kingdom, the Data Protection Act 1998 states,

52A “Data-sharing code (1) The Commissioner must prepare a code of practice which contains (a)

practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act,

and (b) such other guidance as the Commissioner considers appropriate to promote good practice in the

sharing of personal data. (2) For this purpose “good practice” means such practice in the sharing of

personal data as appears to the Commissioner to be desirable having regard to the interests of data

subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.”

Even though this act is largely concerned with the limitation of the government’s ability to store, access or share citizens’ personal data, within the act, an exception was added regarding data sharing which is conducted in the citizens’ interest. A designated body is given the authority to create data sharing codes (regulations, procedures and process) which must be submitted to Parliament for approval before the data sharing can take place. However, once these regulations are in place, agencies are compelled to share their data accordingly.

7.3 Preventing Redundant Systems

In South Korea, the Electronic Government Act states

Article 36 (Administration of the efficient management and use of information)

① A minister or principal of any ministry should provide administrative information which the ministry collects and retains internally to other ministries that require that information. If they can receive and access trusted data from any other ministry, they should not collect duplicated data independently.

② A minister or principal of any ministry which collects and retains administrative information can permit sharing of the information between other ministries and any banks which have a permission of bank business according to Act on Bank, private corporate organizations or agencies which are granted by Presidential Dec Policies.

③ The Minister of the Ministry of Public Administration and Security should develop the list of administrative information which is held by any ministry by investigation and distribute it across government ministries and investigate requirement for new administrative information.

Article 37 (sharing of administrative information centers) ① For the sake of effective sharing of

administrative information, The Minister of the Ministry of Public Administration and Security can deploy

administrative information center as a center of information sharing across ministries as a subsidiary of his

ministry and promote to utilize the center from each ministry in accordance with Presidential Dec Policies


This clause mandates that all government agencies must vet their information needs against existing government holdings before they can collect or retain information.

This legislation prohibits collecting information independently if it exists accessibly in any other agency. At the same time, it defines a role for a central decision-making body, MOPAS (Ministry of Public Administration and Security), which must be designated to promote the sharing strategy, enforce policies through approval and budgets, and resolve conflicts.

7.4 Public Ownership of Public Data

In South Korea, the Public Information Disclosure Act states

1.1 “Every people hold the right to request information disclosure.”

2 “Obligations of Public Institutions

1. (1) Public institutions shall enforce this Act and abide by related Acts and subordinate statutes so as to respect the people’s rights to request information disclosure.

2. (2) Public institutions shall create an information management system by which information

can be properly kept and speedily searched, open an office and secure staff in charge of information

disclosure and work to build an information disclosure system, etc. by making full use of the information and

communications network.”

3. “Publication of Administrative information

2. (2) The heads of public institutions shall work vigorously to make information that the people

need to know accessible to them in addition to the matters referred to in paragraph (1).”

4. “Making and Keeping of List of Information

1. (1) Public institutions shall make and keep a list of information that they hold and manage in

a manner that the people can readily understand such list of information and publish the list of information

through the information disclosure system, etc. by making full use of the information and communications

network: Provided, That in the event that any information that may not be disclosed under Article 9 (1) is

entered in the list of information, such information may not be provided and disclosed.

2. (2) Public institutions shall secure a place for information disclosure and facilities needed to

disclose information in order to speedily and smoothly perform the clerical work of information disclosure.”

This clause establishes the obligation that public institutions should work with an efficient and transparent

information management system. It also states that they should be open about what data they hold.

In the United Kingdom, the Public Sector Transparency Board was established in June 2010. During its first official meeting, the Board came up with a set of draft Public Data Transparency Principles.

* Public data policy and practice will be clearly driven by the public and businesses who want and

use the data, including what data is released when and in what form – and in addition to the legal Right To

Data itself this overriding principle should apply to the implementation of all the other principles.

* Public data will be published in reusable, machine-readable form – publication alone is only part of

transparency – the data needs to be reusable, and to make it reusable it needs to be machine-readable. At

the moment a lot of Government information is locked into PDFs or other unprocessable formats.

* Public data will be released under the same open license which enables free reuse, including

commercial reuse – all data should be under the same easy to understand license. Data released under the


Freedom of Information Act or the new Right to Data should be automatically released under that license.

* Public data will be available and easy to find through a single easy to use online access point

(data.gov.uk) – the public sector has a myriad of different websites, and search does not work well across

them. It’s important to have a well-known single point where people can find the data.

* Public data will be published using open standards, and following relevant recommendations of the

World Wide Web Consortium. Open, standardized formats are essential. However to increase reusability

and the ability to compare data it also means openness and standardization of the content as well as the

format.

* Public data underlying the Government’s own websites will be published in reusable form for others

to use – anything published on Government websites should be available as data for others to reuse. Public

bodies should not require people to come to their websites to obtain information.

* Public data will be timely and fine grained – Data will be released as quickly as possible after its

collection and in as fine a detail as is possible. Speed may mean that the first release may have

inaccuracies; more accurate versions will be released when available.

* Release data quickly, and then re-publish it in linked data form – Linked data standards allow the

most powerful and easiest re-use of data. However most existing internal public sector data is not in linked

data form. Rather than delay any release of the data, our recommendation is to release it ‘as is’ as soon as

possible, and then work to convert it to a better format.

* Public data will be freely available to use in any lawful way – raw public data should be available

without registration, although for API-based services a developer key may be needed. Applications should

be able to use the data in any lawful way without having to inform or obtain the permission of the public

body concerned.

* Public bodies should actively encourage the re-use of their public data – in addition to publishing

the data itself, public bodies should provide information and support to enable it to be reused easily and

effectively. The Government should also encourage and assist those using public data to share knowledge

and applications, and should work with business to help grow new, innovative uses of data and to generate

economic benefit.

* Public bodies should maintain and publish inventories of their data holdings – accurate and up-to-date records of data collected and held, including their format, accuracy and availability.

These draft principles were published on its Opening Up Government website, allowing for the public to

comment on these principles. Multiple parties commented on the principles and their feedback was taken

into account by the Board. This way of working is in line with the objectives of the Public Sector

Transparency Board, as it is supposed to involve the public and listen to what the public wants.

In New Zealand, the Policy Framework for Government-held Information states

“This framework is concerned with the responsibility of public servants in relation to information held by

their departments. The framework takes account of the need to maintain a balance between the security

and the power of the Crown to acquire, use and disclose information on the one hand, and the protection of

individual rights and freedoms, and personal privacy on the other.

Availability: Government departments should make information available easily, widely and equitably to

the people of New Zealand (except where reasons preclude such availability as specified in legislation).

Coverage: Government departments should make the following information increasingly available on an

electronic basis:


* all published material or material already in the public domain

* all policies that could be released publicly

* all information created or collected on a statutory basis (subject to commercial sensitivity and

privacy considerations)

* all documents that the public may be required to complete, and

* corporate documentation in which the public would be interested.

Ownership: Government-held information, created or collected by any person employed or engaged by

the Crown is a strategic resource 'owned' by the Government as a steward on behalf of the public.

Stewardship: Government departments are stewards of government-held information. It is their

responsibility to implement good information management.”

This policy distinguishes between ownership and stewardship and states that government departments are not owners, but stewards of government-held information. The government should act as steward on behalf of the public, taking care of the data, ensuring its quality and making it available for use by others.

7.5 Definition of, access to and penalties for illegal access to private versus public data

In Finland, the Personal Data Act states

Section 26 - Right of Access

(1) Regardless of secrecy provisions, everyone shall have the right of access, after having supplied

sufficient search criteria, to the data on him/her in a personal data file, or to a notice that the file contains no

such data. The controller shall at the same time provide the data subject with information of the regular

sources of data in the file, on the uses for the data in the file and the regular destinations of disclosed data.

In this legislation, Finland defines the authority to determine appropriate access (e.g. national security, statistical) and establishes that individuals should be guaranteed access to data about them.

In Canada, the Privacy Act (Access to Personal Information) states the right of individuals to access data about them as follows.

Right of access 12. (1) Subject to this Act, every individual who is a Canadian citizen or a permanent

resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to

and shall, on request, be given access to

(a) any personal information about the individual contained in a personal information bank; and

(b) any other personal information about the individual under the control of a government institution with

respect to which the individual is able to provide sufficiently specific information on the location of the

information as to render it reasonably retrievable by the government institution.

In South Korea, the Act on the Protection of Personal Information, Chapter 5, states,

Article 23 (Penal Provisions)

(1) Any person who changes or alters private information for the purpose of disrupting the operations of

private information management of a public institution shall be punished by imprisonment for not more than

ten years.


(2) Any person who illegally leaks or issues private information without consent and for the purpose of

use by others, violating what has been set forth in Article 11, shall be punished by imprisonment for not

more than three years or a fine not exceeding ten million won.

This legislation defines designated penalties for illegal access to personal information.

7.6 Security of public data

US: Federal Information Security Management Act (FISMA)

Section 3545 Part (a) (1) … agency shall have performed an independent evaluation of the information

security program and practices of that agency to determine the effectiveness of such program and

practices. (2) … evaluation under this section shall include— (A) testing of the effectiveness of information

security policies, procedures, and practices of a representative subset of the agency’s information systems;

(B) an assessment (made on the basis of the results of the testing) of compliance with— (i) the

requirements of this subchapter; and (ii) related information security policies, procedures, standards, and

guidelines; and (C) separate presentations, as appropriate, regarding information security relating to

national security systems. Part (b)(1) for each agency with an Inspector General appointed under the

Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the

Inspector General or by an independent external auditor, as determined by the Inspector General of the agency ...

The US Federal Information Security Management Act (also known as FISMA) states that an independent auditor or an evaluation committee can be put in place to conduct an audit or evaluation of the information security program and practices. Such an audit or evaluation is crucial to determine the core effectiveness of the information security policies and procedures.

Finland: Personal Data Act (2000)

Section 13 Data security: The controller and the processor shall by means of planned, systematic

measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in

connection with the processing of personal data. To achieve satisfactory data security, the controller and

processor shall document the data system and the security measures. Such documentation shall be

accessible to the employees of the controller and of the processor. The documentation shall also be

accessible to the Data Inspectorate and the Privacy Appeals Board. Any controller who allows other

persons to have access to personal data, e.g. a processor or other persons performing tasks in connection

with the data system, shall ensure that the said persons fulfil the requirements set out in the first and second paragraphs.

Finland’s Personal Data Act states that a data controller and the processor must ensure data security is

maintained at all times when personal data is being processed. The act shall ensure that personal data is

processed in accordance with fundamental respect for the right to privacy, including the need to protect

personal integrity and private life and ensure that personal data are of adequate quality.

European Union: REGULATION (EC) No 45/2001

Section 7 Article 22 Security of Processing:

(1) ... the controller shall implement appropriate technical and organisational measures to ensure a level

of security appropriate to the risks represented by the processing and the nature of the personal data to be

protected. Such measures shall be taken in particular to prevent any unauthorised disclosure or access,

accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. 2. ... measures shall be taken as appropriate in view of the risks in particular with the aim of:

(a) preventing any unauthorised person from gaining access to computer systems processing personal

data; (b) preventing any unauthorised reading, copying, alteration or removal of storage media; (c)


preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure

of stored personal data; (d) preventing unauthorised persons from using data-processing systems by

means of data transmission facilities; (e) ensuring that authorised users of a data-processing system can

access no personal data other than those to which their access right refers; (f) recording which personal

data have been communicated, at what times and to whom; (g) ensuring that it will subsequently be

possible to check which personal data have been processed, at what times and by whom; (h) ensuring

that personal data being processed on behalf of third parties can be processed only in the manner

prescribed by the contracting institution or body; (i) ensuring that, during communication of personal data

and during transport of storage media, the data cannot be read, copied or erased without authorisation; (j)

designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection.

The above section from the European Union regulation highlights measures that are implemented to prevent unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing of personal data. The existence of such measures is critical in ensuring agencies follow a uniform standard to protect data. The data controller must then be responsible for successful implementation and execution of appropriate technical and organizational measures in order to ensure the highest levels of security of personal data. The section also highlights that any communication of personal data must always take place with appropriate authorization. Without authorization, data when shared is easily susceptible to being illegally read, copied and/or erased.


8. Appendix 2 Draft Data Protection Act

As part of our review of the current state of legislation, we were provided a draft of the Data Protection Bill 2010. Certain elements of the draft would be very beneficial to e-Government efforts; others raise concerns about how e-Government principles might conflict. The Draft Act seems firmly rooted in the OECD Privacy Principles (http://www.oecd.org/document/20/0,3746,en_2649_34255_15589524_1_1_1_1,00.html), which have been the governing core principles for data privacy for the past 30 years. The Draft Act lacks the amendments regarding trans-border transmission of data which have been adopted by most OECD member agencies. Of more pointed concern to e-Government efforts, though, is that the principles as initially conceived presented significant obstacles for member countries in data sharing within and between governments.

▪ In terms of the benefits to e-Government, sections 6(a-b) of the draft act require data security at rest and in transit, a critical underpinning element of the data security standards discussed earlier. The responsibility for drafting and monitoring these standards is placed under the as-yet-unestablished Freedom of Information Commission, which does not seem like a logical destination. However, if the government’s data security efforts are to be coordinated centrally, then the concentration of security talent in that agency should be more critical than which authority it is.
▪ Sections 7(1)(a-b) guarantee personal access to personal data, which is a Constitutional right, but the legislation assigns authority and responsibility for executing that right.
▪ Section 9 requires that personal data be up-to-date, complete and accurate, a task which arguably can only be achieved efficiently by use of a National Data Warehouse. However, since the authority, responsibility or methodology for achieving this goal is not spelled out, it is by no means a guarantee that this element would lead to implementation of warehouses.
▪ Section 22 protects against agency liability for data disclosed in good faith, which would hopefully lower the concern of sharing agencies that wish to enable more efficient government, but are concerned that they lack the legal protections to do so.

The concerns regarding the bill are quite serious, and many conflict directly with the e-Government principles discussed above.

▪ Section 3(1)(a)(ii)(b) requires that all personal data be collected from individuals directly, which would seem to prevent lookup from existing data stores. While the goal is likely to prevent the government from using third-party sources for data collection about individuals, the lack of distinction would also seem to militate against efficient collection from within government data holdings.
▪ Section 11 prevents data collected for one purpose from being used for another, which would seem to run counter to the creation of National Data Warehouses, whose purposes would be plenary across government, and which explicitly welcome multiple uses of data once collected.
▪ Section 12 prohibits sharing data with other agencies unless authorized by the citizen. Many governments with robust e-Government infrastructure have this clause, even though it would seem to directly inhibit data sharing. The authorization to share is typically included in all government forms, and therefore all provided data is exempted from the restriction. However, these authorization schemes are not yet in place in Kenya, and a significant open question remains regarding the status of data collected prior to the existence of authorization schemes. If this data would be off-limits to data sharing, then the entire legacy data holdings of the government are rendered out of line; this would essentially necessitate the building of a government data warehouse from scratch, and set back the utility of a national data warehouse significantly.
▪ Section 13 prevents unique IDs from being used across agencies, which, according to its plain meaning and without explicit exemption, would militate against the use of the shared keys that encourage interoperability.


There are examples of countries which have resolved this dissonance. For instance, New Zealand’s Privacy Act of 1993 (http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html) includes “Part 10 Information Matching”, which allows the designated authority to weigh the public utility of data sharing against the privacy compromise and make a decision in the country’s best interest, instead of allowing one of these two priorities to perpetually trump the other. This is yet another opportunity for Kenya to "leapfrog" past the privacy morass and into the balance between protection of personal privacy and provision of public services that other countries have achieved.


9. Appendix 3. Definition of Data Steward

According to IBM’s data governance framework, Stewardship is a quality control discipline designed to ensure custodial care of information for asset enhancement, risk mitigation, and organizational control. The Data Steward addresses specific issues and concerns on a day-to-day basis and defines data within and across the organization.

9.1 Data Stewardship Discipline Definition

Stewardship:

The degree to which an organization is managing its information as business assets, and has implemented Executive and management roles, supporting structures, and processes to establish and sustain information accountabilities within the business. Maturity can be assessed by whether accountability is established at a very tactical or functional level, through to a more planned and strategic approach to accountability, that enables management of the assets across functional boundaries, resulting in measurable business value. The low end of the scale would be unclear accountability, and high end would be a strategic approach with clear measurable results to the organization's bottom line.

Position Statement:

Understanding the information required for the business and establishing clear accountabilities for an organization’s information assets is a critical underpinning to Data Governance. Organizations that are adopting a Stewardship approach are entrusting individuals with the ongoing care of a set of business information on behalf of the organization, and enabling those individuals with the authorities to manage the assets both vertically, and horizontally: across business function, processes and supporting technology. Stewardship differs from the concept of "ownership", in that the organization "owns" the asset, and there must be roles and processes in place to manage the asset. Stewardship is accountability for the information itself; in order to be effective, stewardship must consider the entire life-cycle of information, from its planning, acquisition/creation, through to its ultimate retention or destruction. Fully implemented, stewardship provides the clarity to each employee what their respective responsibilities are in creating, managing and using data and information throughout its life-cycle.

9.2 Role of data steward

The role of the data steward can be defined as follows:

▪ Responsible for assigned data, its quality, and its use; provides support and gives direction to Subject Matter Experts aligned with their source systems or products
▪ Addresses specific issues and concerns on a day-to-day basis
▪ Works closely with the Information Governance Office to investigate and resolve issues

Within an organization, Data Stewards can be members of the Data Governance Council, and they should have the following capabilities and authority:

▪ Data Stewards should have a deep understanding of data in the business context
▪ Data Stewards should be aligned by key Master Data Entities such as Customer, Vendor, Product and Materials
▪ Enterprises should have a System of Record (SOR) for key Master Data Entities
▪ Data Stewardship roles should be full-time wherever possible
▪ Data Stewards should have a strong linkage with business and technical metadata
▪ The Data Governance Council should oversee the data stewardship program to ensure consistent execution across the organization and linkage to the business


10. Appendix 4 Issue Diagram


11. Appendix 5. Acknowledgements

We would like to sincerely thank and acknowledge the valuable assistance and support from our client, e-Government of Kenya. In addition, we would like to extend a special thank you to IBM’s global implementation partner, DOT and to the IBM East Africa Office. Our project also gave us the opportunity to meet with many of the citizens of Kenya. We are fortunate to have met such diverse and wonderful people.

On a professional level, we leave Kenya energized about the country’s opportunities ahead. Kenya is home to great industry, talent and culture, and will only play a greater role in the international business landscape moving forward.

From a personal perspective, we have all learned first hand what an amazing country Kenya is, and we have thoroughly enjoyed the wonderful welcoming attitude and friendliness of the Kenyan people. We will hold a special place in our hearts for Kenya and all hope to visit Kenya in the future.

Asante Sana and Kwaheri

Anna Choi (KR), Nimeesh Kaushal (CA), Luan Nio (CH), Dave Sloan (US)