Financial Crime World

Data Policy Provision: Clear and Unambiguous

A recent study has shed light on the data policies of commercial banks operating in Kenya, revealing that many provisions are unclear or incomplete.

Methodology

The research evaluated the adequacy of seven sub-indicators pertaining to data collection and seven sub-indinders related to the rights of data subjects.

Findings

  • The most frequent provision was the purpose of processing data, with 25 out of 32 banks having clear and complete provisions.
  • Data breach notification provisions were the least frequent, present in only five policies. However, four of these policies had clear and unambiguous provisions.
  • Many banks took one of two approaches: either providing clear and unambiguous provisions for data subjects’ rights or lacking any such provisions altogether.

Rights of Data Subjects

  • The most frequently recited right was the right to rectification, followed closely by the right to access information.
  • Notable absentees included:
    • Right to object to automated decision-making (present in only four policies)
    • Right to data portability (found in nine policies, but with seven providing clear and unambiguous provisions)

Best-Performing Bank

The best-performing bank in terms of data policy provision was Bank 1, whose policy fully and clearly provided all but one of the data subjects’ rights.

Key Findings

  • Purpose of processing data was the most frequent provision, present in 25 out of 32 banks.
  • Data breach notification provisions were the least frequent, present in only five policies.
  • Many banks took one of two approaches: clear and unambiguous provisions or no provisions at all.
  • The right to rectification was the most frequently recited right, followed by the right to access information.
  • The right to object to automated decision-making was absent from 28 out of 32 bank policies.
  • The right to data portability was present in nine policies but with seven providing clear and unambiguous provisions.

Conclusion

The study highlights the importance of clear and unambiguous data policy provisions to ensure transparency and compliance with data protection regulations. Banks operating in Kenya must prioritize providing comprehensive and easily understandable data policies to their customers and stakeholders.