As per the Kenya Kwanza “Plan,” President William Ruto launched the Hustler Fund, and millions of Kenyans have been onboarded and have borrowed over 8 billion shillings so far.
The Hustler Fund is a savings and loan digital product that allows registered members to save and apply for loans based on their calculated credit limits and future repayment behaviour.
Registered users access the funds through any of the three mobile networks in Kenya, namely Safaricom, Airtel or Telkom Kenya, which are well-versed in operating digital financial services based on mobile platforms.
Whereas this is an excellent product for providing and extending access to credit and saving facilities to millions of Kenyans, questions still linger. Some of the questions are financially related but are not the subject of this article. Instead, this article looks at the Hustler Fund from a data protection or privacy point of view.
Is the Hustler Fund Registered as a Data Controller?
Based on provisions of the Kenyan Data Protection Act (2019), the owners of the Hustler Fund must be identified and registered as a Data Controller or a Data Processor – given that they are collecting the personal data of Kenyan Citizens.
A quick search on the Data Commissioner’s list of registered data entities could not establish whether the Hustler Fund was registered. Part of the challenge is that it is unclear whether the Hustler Fund is being run under the Ministry of Finance, the Ministry of Cooperatives, or some other government agency.
Indeed, there is no online authoritative, single point of data about the Hustler Fund. Instead, what one gets when they search for ‘Hustler Fund’ is information scattered across different third-party stakeholders, partners, and data processors such as Banks and Mobile Network Operators.
One key data protection principle revolves around being transparent about your data practices to your customers. This transparency principle is implemented through publishing privacy notices on your enterprise or organisational website.
The Privacy Notice is more or less a ‘service charter’ or a promise to the customer detailing how the entity – legally known as the Data Controller – will collect, process, secure, store and subsequently retire customer data. The Privacy Notice also explains how and to whom the customers can reach out in case of personal data-related complaints and breaches.
The Privacy Notice is missing because there is no formally designated Data Controller for the Hustler Fund. Instead, one finds a few clauses hidden in the Terms and Conditions (T&C) of third parties such as banks, mobile operators and other stakeholders.
From a privacy perspective, the few privacy clauses in third-party T&C are neither sufficient nor adequate to represent the Privacy Notice of the missing and substantive entity that would have been registered as the ‘Hustler Fund Data Controller’.
Data Protection Impact Assessment
The final observation is whether a Data Protection Impact Assessment (DPIA) for the Hustler Fund was carried out. The KE Data Protection Act (2019) mandates that any new product with a significantly high privacy risk must undertake a Data Protection Impact Assessment.
Again, whereas the third-party partners (Data Processors) may or may not have undertaken their DPIA on the new product, the ultimate responsibility to carry out a DPIA lies with the missing or unannounced Hustler Fund Data Controller.
The DPIA would build on the data mapping document that details the personal data sets collected, the purpose of the collection, their corresponding data processes, and their storage location, and interrogates the extent to which these present privacy risks. It subsequently ranks the risks and identifies their mitigation measures.
It remains unclear whether this was done. In the absence of a substantive Data Controller for the Hustler Fund, only the Data Commissioner can tell us about the correct position for this and other privacy issues raised here.