Nashilongo Gervasius-Nakale
Let me begin by stating the obvious – personal data collection is a common practice in Namibia. Justifiably so, the purposes of processing such personal data ranges from health to usage in services by both public and private handlers and processors. For most of us, leaving highly personalised information at the security front desk of government or private institutions in exchange for entry and eventual access to services, has become our one and only means.
In the event of the 41st anniversary of Convention 108, commonly known to be the “first binding international treaty addressing the need to protect personal data” (CoE), there is a need to continue engaging on personal data protection, given the absence of a legal instrument in the country during the unprecedented times we are in where large amounts of personal data flow across devices” (WEF, 2020).
Absence of a legal framework
The absence of comprehensive data protection and privacy legislation in Namibia and the many attempts dating as far back as 2007, have left us wanting. In addition, the presence of sector-specific laws in isolated areas such as health and the legal and banking/financial sector have become limited to the physical nature of such data, making the abuse of such data online real. This has been witnessed over the years through data leaks and hacking incidents in both the private and public sectors. As datafication and machine processing and learning became the focus over the years, personal data protection becomes a priority to ensuring trust, data safety and affording users privacy control.
A 4IR driven case
In mid-2020, the Namibian Government embarked on a retrospective journey of assessing the country’s position within the fourth digital revolution. It was a demonstration of President Hage Geingob and the government’s leadership responsibility in preparing the country for an unavoidable future, with the pervasiveness of technologies. With the national assessment comes the prospect of defining and charting the most probable scenarios to reap the full benefits of high impact digitalisation, where the protection of personal data becomes key in ensuring trust in a highly digitised environment.
As known, the 4th Industrial Revolution (4IR) requires big data, also commonly described in the three Vs of Volume, Variety and Velocity” (NIST, 2015). Embracing a Big Data-driven world, where machines are taught how to respond and solve problems with data (including often personal data); the privacy and protection of such data becomes even more contested for.
Personal data collection by public entities
Consultations by the Namibia 4IR Taskforce indicate preliminary evidence of highly fragmented data systems, owing to the lack of coordination and duplicity of systems that are not interoperable. Additionally, restrictions on personal data localisation by private firms have resulted in the storage of such data outside the country by local and multinational firms, often without the knowledge or consent of data owners.
For Namibia to fully benefit from the 4IR, there is a need to deal with existing challenges in data ecosystems that do not prioritise privacy and the protection of personal information, primarily. This includes overhauling current analogue data handling practices that leave tranches of personal data publicly exposed daily. To overcome this, a national policy must be in place. This policy must mirror the now internationally recognised processes which address practices of data handling, usage, storage and validity determined for public and private data collectors and handlers. In so doing, we should aim to find solutions.
Addressing data interoperability
I acknowledge that large records of personal data used for various national purposes have become digitised over the years. This is evident in the digitised services utilising personal data, which ranges from birth to death registrations, tax collection, land registration, vehicle registrations and even electoral and national planning processes. The worry, however, is that this data collection and usage is siloed, inaccessible and fragmented; (as aforementioned) requiring alternative means that place data owners at the centre of data control.
Imagine a centralised system where, as a data owner, you can exercise some control over your personal data. You are aware of the external usage of such data, and personal consent is sought. A centralised system, especially in public service, would be most preferable and ideal, contrasted to the status quo. Arguments justifying the fragmentation and siloed information management systems such as protection from multiple accessibility and possible exploitation, seem to be self-serving in the interest of those who donated or sold these systems. A citizen whose data is in a system that can only be updated in India or the UK as well as five other international locations, has reason to be concerned about how such data is protected and used.
The Challenges with Data Re-use
While data re-use could also pose a challenge, especially in dealing with personal data in highly datafied systems, perhaps we could borrow from international best practices on ensuring privacy in an Artificial Intelligence-dominated world, as shared by the Brookings Institute (2020),
• Transparency in how personal data is used should be priority
• Explainability involving the use of algorithms in specific decisions
• Managing risks through frequently privacy impact assessments
• And finally, carrying out Privacy audits.
Shaping data governance and protection calls for trustworthy data policy frameworks that “accelerate the responsible use of data” (WEF, 2020). This is nothing short of what Namibia should desire with the long-awaited Personal Data Protection law. With that comes instituting a data-regulating authority that will enforce accountability both at individual and institutional level.
As we mark Data Protection Day, think of how much of your personal data is owned and used, by which institution, for how long and for what purposes, then reflect on the control you have over such personal information.
*Nashilongo Gervasius-Nakale is a researcher and consultant in Technology Policy. She is a member of the Namibia 4IR Taskforce, serving as chairperson of the sub-committee: Infrastructure & National Data.