Blog by Cephas Okoth.
The recent protests in Nairobi against the Finance Bill 2024, which began with online mobilization and organization, highlighted the need for digital security and privacy protection for protesters and human rights champions. This underscores the importance of security and data protection training for digital security trainers who work with human rights defenders (HRDs) and other activists.
On June 13th and 14th, Defenders Coalition organized a training session for digital security trainers from civil society. The trainers were introduced to a framework for assessing security for Social Justice Organizations (SJOs), identifying risks, and defining applicable, capacity-aware, and pragmatic next steps to mitigate them.
Audit Framework
The framework, called SAFETAG, is a professional audit framework that adapts traditional security testing and risk assessment methodologies to be relevant to smaller non-profit organizations with constrained budgets, resources, and human capital. SAFETAG combines assessment activities from the security auditing world with best practices for working with small-scale at-risk organizations.
SAFETAG auditors lead a risk modeling process that helps staff and leadership take an institutional look at their digital security problems, expose vulnerabilities that impact their critical processes and assets, and provide clear reporting and follow-up to help the organization strategically move forward and identify the support that they need.
In brief, with SAFETAG you can prepare for an audit; conduct context research and inventory the assets and processes of the SJO; undertake a SWOT assessment; do the actual audit work; debrief; and report with recommendations.
The resource website for the Framework is: https://safetag.org/
Data Protection
KICTANet, through the Tatua Digital Resilience Centre, took participants through the fundamentals of privacy and data protection through the lens of the Kenya Data Protection Act 2019. The session covered principles, personal data types, legal bases, subject rights, collection of personal data, and penalties.
Importantly, the session considered the organizational privacy outlook: a privacy strategy and program as the starting point of a formal privacy initiative, building a privacy management workstream, and translating the components of the law into privacy operations practice.
Privacy operations were emphasized because they make up the daily privacy work in an organization, covering components such as consent, breach, cookie, rights, and vendor management, among others. The session also stressed leveraging privacy technology to enable this work, with opportunities for speed, lower cost, and more effective compliance overall.
The trainees came to appreciate how privacy objectives differ from security objectives, understanding the context and nuances that come with privacy. They also considered how privacy threats, violations, and harms can impact HRDs. Personal privacy was covered too, with digital tools offered for individual use by HRDs to enable and preserve their privacy across their digital presence.
The call to action was to have more data privacy and protection capacity-building engagements and to build nuanced privacy knowledge and experience for the HRD community.