Charting the Course: Navigating Data Privacy in Africa’s Data Ecosystem

January 26, 2024


Bonface Butichi Ingumba

Data Governance Officer

Daniel Mtai Mwanga

Senior Data Scientist

Phyllis Mungai

Legal and Grants Officer


Africa’s data ecosystem is undergoing rapid transformation driven by increasingly complex digital infrastructure, technological advancement, and the growing need for data to inform decision-making. This dynamic environment facilitates collaboration and streamlines data sharing for enhanced evidence-informed decision-making (EIDM). However, it also presents challenges regarding the effective management, storage, and secure sharing of data while safeguarding data subjects against data privacy breaches. In the digital era, the emergence of advanced electronic data collection and processing technologies has necessitated the development of comprehensive legal frameworks to protect individual privacy rights.[1]

The introduction of the General Data Protection Regulation (GDPR) in 2018 marked a significant milestone, establishing a global data protection and ethical compliance standard. Enforced by the European Union, the GDPR codified a mandatory data privacy protection baseline.[2] East African countries, including Kenya, Uganda, Rwanda, and Tanzania, have established and enacted Data Protection Acts (DPAs), and Burundi is in the process of developing one. Further, there is a need for research organizations and other entities interfacing with data subjects to create and implement data privacy frameworks that respond to national and regional data protection regulations. Failure to comply with data privacy regulations can lead to significant losses and breaches of the privacy rights of the data subjects. Ensuring data privacy involves setting access controls to protect information from unauthorized parties, getting consent from data subjects when necessary, and maintaining data integrity.[3]

The African Population and Health Research Center (APHRC), a leading African research institution and think-tank in population, health, and development issues and a go-to partner for African-led EIDM, gives data privacy pride of place as an overarching principle in managing its data ecosystem. The Center recognizes that handling personal data appropriately is critical in safeguarding the rights of data subjects and minimizing the risks related to violation of the Data Protection Act. It has, therefore, adopted appropriate data systems, privacy, and security measures to ensure that it shall not knowingly violate the rights of data subjects through its processing and handling of data. These measures guide procedures to secure individuals’ data and regulate data collection, usage, transfer, and disclosure. The Center has developed and adopted a Data Protection Policy based on globally accepted, basic data protection principles. APHRC recognizes data privacy protection as a foundation of trustworthy relationships necessary to build the Center’s reputation as a credible organization. This policy is designed to be consistent with Kenyan and other international laws and regulations.

The Center, under the Data Science Programs (DSP), is also at the forefront of developing a robust data governance framework to help solve data privacy policy issues internally and externally by working and collaborating with other research entities within the African data ecosystem. Our multifaceted work includes researching the utility of artificial intelligence, Internet of Things (IoT), and data science tools to promote data governance in Africa; data systems strengthening; the impact of digital technology on data privacy, sharing, and use; and research on good practices for handling data throughout the data value chain. We engage with multiple stakeholders to co-design and chart the path for responsible data management and data governance as we navigate both the challenges and opportunities digital technology brings.

Data privacy policies are legal documents describing an organization or company’s practices in handling its users’ data. They are often written in extensive jargon that is complex for data producers or users to understand. The Center has identified this as a critical challenge in creating awareness of and increasing compliance with data privacy policies. To fill this gap, the Center, in partnership with the Jomo Kenyatta University of Science and Technology, is developing a Data Law Companion (DLC), an innovative legal summarization tool integrated with a Large Language Model (LLM). This feature distills intricate legal texts, encompassing various acts and legislative chapters, into clear and concise summaries. This will significantly demystify the often dense and complex legal jargon, rendering the data privacy legal landscape far more accessible and understandable to a broader audience. The legal summarization tool leverages the capabilities of the LLM to parse and interpret extensive legal documents. It then condenses this information into key points and summaries that retain the essence and critical details of the original texts. This process saves time and ensures that users without a legal background can grasp the fundamental aspects of legal documents without being overwhelmed by their complexity. This increases awareness of and compliance with data privacy laws in safeguarding data subjects.[4]

In conclusion, the integration of digital technologies has the potential to reshape our world, offering immense benefits and opportunities. However, to fully seize these advantages, it is crucial to prioritize privacy and data protection within legal and regulatory frameworks. By striking the right balance between user privacy and technological advancements, we can establish a trust-driven digital ecosystem that benefits individuals and enterprises. Comprehensive data protection laws, privacy by design principles, and strict breach notification requirements are crucial enablers in achieving this harmonious equilibrium. As the digital landscape evolves, we must remain vigilant in adapting privacy laws and regulations to address emerging challenges. Privacy should always be at the forefront, ensuring that individuals have control over their personal information while embracing the endless possibilities of digital technologies.

[1] Mwanga, D., Ingumba, B., Ngoda, M., Mbaya, N., Njeri, A., Kisiangani, I., Maina, D., Muyingo, S., & Kiragga, A. (2023). Strengthening population and public health data governance in the changing era of digital technology in Africa. Perspectives in Public Health Journal, 11.

[2] Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134-153.

[3] Nderu, L., Ingumba, B., Oginga, R., Rono, J., Njau, F., Mogire, F., Matindo, D., & Muiruri, D. (2024). DataLawCompanion: Enhancing Data Protection Law Compliance in the Digital Age. 17. Submitted to a journal.

[4] Nderu, L., Ingumba, B., Oginga, R., Rono, J., Njau, F., Mogire, F., Matindo, D., & Muiruri, D. (2024). DataLawCompanion: Enhancing Data Protection Law Compliance in the Digital Age. 17. Submitted to a journal.