Sensitive Data Sovereignity Conference CPIT Thematic Group Summary Report

1. Strategic Context and the F³JA Vision

African data governance currently faces a structural triple crisis that threatens the continent’s digital sovereignty. This crisis is defined by: formalism, where consent is obtained without technical or linguistic comprehension; extraction, where sensitive data is treated as an exported raw material by foreign entities-an extension of historical extractive models; and security vulnerability, caused by centralized, foreign-controlled infrastructures that create single points of failure.

We must recognize that without a sovereign framework, Africa risks a descent into “Digital Slavery,” where our narratives, body-politic, and health records are harvested and controlled by external powers. Data Must be handled from a Federated depository stand point, which can be FAIR- repositories. From a legal stand point, The F³JA (FAIR–Federated–Solid–Justice Architecture) model can be adopted as an option for a foundational continental trust infrastructure:

• FAIR (FAIR-OLR): Data must be Findable, Accessible, Interoperable, and Reusable. We specifically enforce the FAIR-OLR (Open, Locally Retained) doctrine, establishing “Local Retention” not merely as a technical preference, but as a non-negotiable legal mandate to keep data within its jurisdiction of origin.
• Federated: Implementation of architectures that allow for AI processing and insights to occur at the source. This ensures that raw data never leaves its secure node, preserving national security and ownership.
• Solid: The utilization of personal and community-controlled “Data Pods.” These pods empower data producers to enforce individual and collective consent, providing the technical means to revoke access and audit usage.
• Justice: The integration of a forensic and judicial layer into the technical stack. This ensures that ethical violations are not just guidelines but are court-admissible, prosecutable, and legally enforceable.
  
  

2. Thematic Area Analysis and Leadership
   • Digital Fraud Prevention in Humanitarian and Health Data Ecosystems

• Leadership: Nicholas Odhiambo Goody, Head of Program Technology and Innovation, CPIT.
• Implementation-Grade Questions:
  • How can Africa strengthen governance frameworks to prevent identity theft and aid misuse in fragile contexts?
  • How can blockchain and AI be leveraged to secure services for marginalized groups?
  • What protocols are required to ensure “human-in-the-loop” verification for sensitive aid transactions?
• Core Recommendations: We must prioritize the deployment of blockchain-based ledger systems to secure the chain of custody for digital evidence in fraud investigations. Implementation should focus on technologies that fit the African humanitarian context, ensuring high-integrity audit trails for every transaction.

• Ethical AI Governance and the Protection of Vulnerable Populations

• Leadership: Dr. Bishop Charles Ware, Director of Cyber Crime and Anti-Fraud, CPIT.
• Implementation-Grade Questions:
  • How do we transition from voluntary “ethics-by-guideline” to Justice-Embedded Ethical AI (J-EAI)?
  • Can collective community consent be legally formalized to prevent algorithmic weaponization?
• Core Recommendations: Adopt the five-layer J-EAI stack. Crucially, Layer 1 (Ethical Semantic Modelling) must be established as the basis for “FAIR-explainability,” ensuring that AI decisions are bias-traceable and legally interpretable. This stack transforms ethical failures into prosecutable legal violations.

• . Africa-Led Certification Framework for Sensitive Data Handling (ALCF-SDH)

• Leadership: Ms. Alivitsa Kituku, Director of Strategic Planning and Program Development, CPIT.
• Implementation-Grade Questions:
  • What legal gaps prevent African data systems from being court-admissible and sovereign?
  • What capacity building is required for auditors and judges to oversee the African Certification Authority for Sensitive Data (ACASD)?
• Core Recommendations: Establish the ACASD to move Africa from a consumer of foreign standards (GDPR/ISO) to a producer of digital trust. The 2026–2027 pilot at Tangaza University will focus on creating graduated trust levels that culminate in “Court-Admissible” status.

• Edge Computing for Data Autonomy in African Health & Humanitarian Systems

• Leadership: Mr. John Ochieng Auma, Director of Governance and Procurement Integrity, CPIT.
• Implementation-Grade Questions:
  • How can FAIR-OLR compliance be audited across decentralized edge nodes?
  • How do federated systems alter national security risk models for sensitive datasets?
• Core Recommendations: Mandate a shift toward local edge processing. All systems must be “Forensic-by-Design,” ensuring that data retained at the edge remains legally traceable with a clear chain of custody, preventing unauthorized foreign extraction.

• .Community Consent, Data Ownership & National Security Considerations

• Leadership: Kevin Obware, Head of Election Programs and Data.
• Implementation-Grade Questions:
  • Who truly owns African humanitarian data under donor-funded programs?
  • How can intergenerational consent be applied to genetic and mobility data?
• Core Recommendations: Formalize the three-layer consent model: Individual (personal), Collective (community structures), and Intergenerational (future stewardship). We must legally distinguish between Data Producers (owners), Data Custodians (fiduciary storage), and Data Users (authorized researchers) to prevent secondary use “consent decay.”
  
  

3. Institutional Partner Mandate & Engagement Matrix

4. Strategic Collaboration Roadmap (2026–2027)

1. Deployment of Solid Community Data Pods: Initial rollout in hospitals and refugee/IDP centers to test local encrypted storage, consent revocation, and purpose limitation.
2. Forensic-Admissibility Testing: Pilot testing of Federated AI to demonstrate the generation of insights without raw data movement, specifically ensuring results meet legal evidentiary standards in African courts.
3. Certification Standardization & Manuals: Development of graduated trust-level certification manuals and the establishment of the African Certification Authority for Sensitive Data (ACASD).
4. Capacity Building for Justice Actors: Comprehensive training for auditors, regulators, and judges in “Consent Forensics” and the oversight of federated data audits.
5. Issuance of Sovereign Certificates: Issuance of the first court-recognized sensitive data certificates and implementation of annual forensic security audits to maintain the digital chain of custody.
   
   

5. Concluding Recommendations for Partner Inputs

Adoption of the F³JA Model as a Continental Trust Infrastructure We mandate that partners formally adopt the FAIR–Federated–Solid–Justice framework as the standard for all multi-institutional digital projects. This ensures that African data sovereignty is embedded at the architectural level, preventing “extraction-by-design.”

Harmonization of National Laws with the ALCF-SDH Collaborative efforts must align national data protection laws with a unified African certification regime. This will ensure cross-border data validity and the judicial recognition of African-certified systems, reducing dependency on external ISO/GDPR regimes.

Institutional Investment in Forensic-Grade AI Accountability Partners, led by CPIT, must invest in “Algorithmic Forensics.” We must move beyond “ethical guidelines” to a state where any harm caused by automated systems is traceable, auditable, and prosecutable within African jurisdictions.

Transformation of Universities into AI Constitutional Courts We establish the AUN-FOS network (including Grand Bassa, Great Zimbabwe, Mekelle, and Equator University) as the implementation vehicle for “AI Constitutional Courts.” These institutions will serve as governance hubs that provide the epistemic foundation for African-led digital justice.

6. Reference and Legal Anchors

• AU Malabo Convention on Cybersecurity and Personal Data Protection (2014): The foundational continental framework for sovereign data standards.
• Kenya Data Protection Act (2019) & Nigeria Data Protection Act (2023): Primary legislative anchors for informed consent and regional benchmarks for localization duties.
• Communications Authority of Kenya v Okiya Omtata Okoiti [2020]: Judicial precedent affirming state obligations for lawful, secure, and accountable processing of citizen data.
• Nubian Rights Forum v Attorney General [2020]: Judicial precedent requiring digital identity systems to respect proportionality, consent, and community impact.
• Kenya Computer Misuse and Cybercrimes Act (2018) & Evidence Act (Cap 80): The legal basis for digital evidence and forensic accountability in East Africa.
• South Africa Protection of Personal Information Act (POPIA): Benchmark for community-level accountability and sensitive data processing.
• AU Data Policy Framework (2022) & Agenda 2063: Strategic mandates for continental digital sovereignty and the “African Data Space.”