Room 5 - Human Aspects in IS
Social Cognitive Theory: A model of human behavior which argues that environmental influences, personal factors, and behavior determine one another reciprocally.
Socio-Technical Systems Theory: An approach that considers organizations as the combination of both social and technical systems, in order to increase productivity.
Self-Efficacy: People's judgments of their capabilities to organize and execute the courses of action required to attain designated types of performance.
Computer Security Model: A multilayer model which shows the steps in computer security, including the security measures and the next actions a security abuser takes after succeeding against a security measure.
Activity Theory: An approach which proposes that human activity aims at accomplishing certain outcomes with the help of artifacts and other resources.
General Deterrence Theory: A term adopted from the discipline of criminology, concerning the disincentives and sanctions used to prevent a criminal act, applied here to security.
2. Discuss the laws that affect Information and Communications Technology [15 Marks]
The Act enables the timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; facilitates international co-operation in dealing with computer and cybercrime matters; and provides for connected purposes.
Unauthorized access
A person who causes, whether temporarily or permanently, a computer system to perform a
function, by infringing security measures, with intent to gain access, and knowing such access is
unauthorized, commits an offence and is liable on conviction, to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding three years, or to both.
Unauthorized interference
A person who intentionally and without authorization does any act which causes an unauthorized interference to a computer system, program or data, commits an offence and is liable on conviction to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
Child pornography
(1) A person who, intentionally,
(b) produces child pornography for the purpose of its publication through a computer system;
(c) downloads, distributes, transmits, disseminates, circulates, delivers, exhibits, lends for gain, exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another way, or makes available in any way from a telecommunications apparatus pornography; or
(d) possesses child pornography in a computer system or on a computer data storage medium,
commits an offence and is liable, on conviction, to a fine not exceeding twenty million or to imprisonment for a term not exceeding twenty-five years, or to both.
Computer fraud
(1) A person who, with fraudulent or dishonest intent,
(c) obtains an economic benefit for oneself or for another person through any of the means described in subsection (2), commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
Phishing
A person who creates or operates a website or sends a message through a computer system with the intention to induce the user of the website or the recipient of the message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and is liable upon conviction to a fine not exceeding three hundred thousand shillings or to imprisonment for a term not exceeding three years, or to both.
Cyber terrorism
A person who accesses or causes to be accessed a computer or computer system or network for
purposes of carrying out a terrorist act, commits an offence and shall on conviction, be liable to a
fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years,
or to both.
Cyber harassment
A person who, individually or with other persons, willfully communicates, either directly or indirectly, with another person or anyone known to that person, commits an offence if they know or ought to know that their conduct
(a) is likely to cause that person's apprehension or fear of violence to them, or damage or loss to that person's property; or
(c) is, in whole or in part, of an indecent or grossly offensive nature and affects the person.
A person who commits an offence under subsection (1) is liable, on conviction, to a fine not
exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to
both.
It embraces the principles of data protection, such as the necessity of collecting information, the data subject's right to access information about them, and the imposition of a duty to ensure information is accurate, updated and complete.
This Act gives effect to Article 31(c) and (d) of the Constitution; establishes the Office of the Data Protection Commissioner; makes provision for the regulation of the processing of personal data; provides for the rights of data subjects and the obligations of data controllers and processors; and provides for connected purposes.
Data controller means a natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purpose and means of processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the data controller.
(3) A data controller or data processor who knowingly supplies any false or misleading detail
under sub-section commits an offence.
(4) A data controller or data processor shall collect, store or use personal data for a purpose
which is lawful, specific and explicitly defined.
(a) processed in accordance with the right to privacy of the data subject;
(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;
(c) collected for explicit, specified and legitimate purposes and not further processed in a manner
incompatible with those purposes;
(d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
(e) collected only where a valid explanation is provided whenever information relating to family
(f) accurate and, where necessary, kept up to date, with every reasonable step being taken to
ensure that any inaccurate personal data is erased or rectified without delay;
(g) kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
(h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or
consent from the data subject.
(2) A data controller or data processor shall incorporate appropriate mechanisms for age
verification and consent in order to process personal data of a child.
OBJECTING TO PROCESSING
36. A data subject has a right to object to the processing of their personal data, unless the data
controller or data processor demonstrates compelling legitimate interest for the processing which
overrides the data subject's interests, or for the establishment, exercise or defense of a legal
claim.
COMMERCIAL USE
37 (1) A person shall not use, for commercial purposes, personal data obtained pursuant to the
provisions of this Act unless the person -
(a) has sought and obtained express consent from a data subject; or
(b) is authorized to do so under any written law and the data subject has been informed of such
use when collecting the data from the data subject.
(d) for historical, statistical, journalistic, literature and art, or research purposes.
NOTIFICATION AND COMMUNICATION OF BREACH
43. (1) Where personal data has been accessed or acquired by an unauthorized person, and there
is a real risk of harm to the data subject whose personal data has been subjected to the
unauthorized access, a data controller shall-
(a) notify the Data Commissioner without delay, within seventy-two hours of becoming aware of
such breach; and
(b) subject to subsection (3), communicate to the data subject in writing within a reasonably
practical period, unless the identity of the data subject cannot be established.
(a) obstructs or impedes the Data Commissioner in the exercise of their powers;
(c) refuses to allow the Data Commissioner to enter any premises or to take any person with
them in the exercise of their functions;
(d) gives to the Data Commissioner any information which is false or misleading in any material
aspect, commits an offence and is liable on conviction to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding two years, or to both.
(2) A data processor who, without lawful excuse, discloses personal data processed by the data
processor without the prior authority of the data controller commits an offence.
GENERAL PENALTY
73. (1) A person who commits an offence under this Act for which no specific penalty is
provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not
exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.
Privacy is a fundamental human right set forth in many international human rights documents. It is central to the protection of human dignity and forms the basis of all democratic societies. It also supports and strengthens other rights, such as freedom of expression, information and association. Activities that limit the right to privacy, such as surveillance and censorship, can only be justified when they are prescribed by law, are necessary to achieve legitimate goals, and are proportional to the goals pursued.
(5) The general rules of international law shall form part of the law of Kenya.
(6) Any treaty or convention ratified by Kenya shall form part of the law of
have—
(c) information relating to their family or private affairs unnecessarily required or revealed;
or
provisions:
Article 31
of his business—
(b) discloses to any person the contents of a message intercepted under paragraph; or
(c) discloses to any person the contents of any statement or account specifying the
telecommunication services provided by means of that statement or account, commits an
offence and shall be liable on conviction to a fine not exceeding three hundred thousand
shillings or, to imprisonment for a term not exceeding three years, or to both.
Article 83
(1) Subject to subsection (3), any person who by any means knowingly—
(a) secures access to any computer system for the purpose of obtaining, directly or
indirectly, any computer service;
(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data
within a computer system, shall commit an offence.
Article 93 (1)
(a) has been obtained under or by virtue of the provisions of this Act; and
(b) relates to the private affairs of any individual or to any particular business, shall, during
the lifetime of that individual or so long as that business continues to be carried on be
disclosed by the Commission or by any other person without the consent of that individual
or the person for the time being carrying on that business.
Protection) Regulations, 2010, states that: "Subject to the provisions of the Act or any other written law, a licensee shall not monitor, disclose or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data."