The arrival of Covid-19 has disrupted the way we do things in virtually every sector of the economy. Businesses and companies have had to change tack, learning to use technology as fast as possible. Saccos have not been left behind as they seek to align their operations to this state of affairs brought about by the pandemic.

Saccos have been compelled to digitise their operations, introducing online services such as banking apps and unstructured supplementary service data (USSD), to enable the provision of uninterrupted services to customers.

This switch to digital services is meant to ensure that operations of the firms continue in an environment where in-person visits to physical offices and banking halls have been significantly scaled down as part of the measures to curb the spread of coronavirus.

The move to online, however, brought about a new set of challenges, particularly surrounding the safety of customers’ personal data.

One area prone to abuse is when downloading an app that needs sensitive personal data. Customers usually disregard terms and conditions that would allow firms to share their personal information with third parties for marketing or other purposes. Others just accept the conditions without clearly understanding the terms. Once the terms are accepted, any Sacco or bank can use the data legally even if it means sharing with other parties.

The enactment of the 2019 Data Protection Act, which is the anchor law for privacy rights, is meant to safeguard personal data from being misused.

Established under the office of the Data Commissioner, the law sets out the requirements for the protection of personal data under the custody of both public and private entities.

As they increasingly adopt the use of technology, Saccos are now grappling with how to protect the massive amount of data in their possession from infringements. The data law stipulates stiff penalties for organisations or individuals breaching personal data.

“This has big implications for Saccos since they control detailed information about members including biometric data, property details, marital status, health status among other parameters mentioned in the act. Thus the threshold for protecting personal data for Saccos is high,” says George Ototo, Kenya Union of Savings and Credit Co-operatives Limited (Kuscco) Managing Director.

Kuscco has spelt out guidelines that will govern data processing, set out the rights of data subjects and assign duties to data controllers and data processors.

“Our research and consultancy department is ready to guide you through the process of putting in place a Data Protection Framework with the recommended policies,” Mr Ototo notes.

Another challenge for Saccos is when personal data is compromised through cyber-attacks. Members whose data has been misused can seek legal redress, a move that potentially leads to hefty fines and compensation.

“Further, the Act gives the Data Commissioner authority to make impromptu visits to any office and do audits to establish measures and policies put in place for data protection. Failure to produce necessary policies and documents may cost up to Sh5 million,” Mr Ototo says.

Cyber criminals are increasingly taking advantage of digital transformation in sectors such as banks, learning institutions, and workplaces amid Covid-19 restriction measures.

For instance, cyber-attacks on Kenyan organisations rose by nearly 50 percent in the last three months of 2020 compared to a similar period the previous year, new data shows.

Data from the Communications Authority of Kenya (CA) shows that more than 56 million cyber threats were detected nationwide in comparison to 37.1 million in 2019.

“A majority of the threats were malware attacks at 46 million, followed by web application attacks at 7.8 million while 2.2 million Distributed Denial of Service (DDoS) threats were detected during the same period,” the CA said in a statement.

In addition to setting the conditions for the transfer of personal data outside Kenya, the Act provides for exemptions to the processing of data, such as processing of personal data by an individual in the course of a purely personal or household activity, if it is necessary for national security or public interest, and if disclosure is required by or under any written law or by an order of the court.