Data

Data produced or collected by government institutions is necessary for measuring effectiveness and developing public services. In that sense, institutions are expected to perform the following:

Data discovery and metadata capture.
Search and filtering.
Business Glossary.
Data Quality Monitoring.

This shall allow public institutions to reduce the time it takes to find the right data and to facilitate more data-informed decisions. Data shall also be classified by access level, specifying which data is accessible to the public, government institutions, Private and other partners.

The value in data sharing between government institutions lies in the ability to use the data for meaningful insights. For guidelines on data sharing, refer to the data sharing policy.
Categories of data to be protected shall include but not limited to applications and databases, email, websites, operating systems, data on personal computers among other data. Encrypt sensitive data both in transit and at rest, using strong encryption algorithms and ensure that encryption keys are securely managed and stored.
All government data shall be hosted locally at the institution or within Rwanda and the institution owning it shall determine who to share the data with based on access levels. Depending on the type of data, the duration of retention shall be determined by the institution owning the data.
Data and data storage breaches shall be avoided, and security safeguards shall be put in place by the institution holding the data. For effectiveness, personal and sensitive data shall be classified to cater for security and use by putting into consideration measures to conduct and have data backups to prevent data loss by all government institutions.
All institutions shall also be obliged to enforce the requirements of the Data Protection and Privacy Law Nº 058/2021 of 13/10/2021.
The Data Protection Law shall be used as a guide to determine the processing of Personal data and sensitive data, and all institutions shall be obliged to comply with this law. Under this law,
processing of data is an operation or set of operations which shall be performed on personal data or on sets of personal data and sensitive data whether or not by automated means, such as access to, obtaining, collection, recording, structuring, storage, adaptation or alteration, retrieval, reconstruction, concealment, consultation, use, disclosure by transmission, sharing, transfer, or otherwise making available, sale, restriction, erasure or destruction.
The Data protection and Privacy law also provides safeguards to process sensitive and personal data. In other words, security of processing this involves the ability to ensure confidentiality, integrity and availability of data. It is recommended to all public institutions to perform a Data Protection Impact Assessment (DPIA).
Data protection impact assessment helps to assess the impact of a process or project more specifically a processing that an institution is going to carry out. DPIA aimed at two important understandings; the understanding of the risks to individuals (data) as well as the understanding if the processing is necessary and proportionate and most importantly identifying security measures in place or needed and their adequacy level.

Objectives

Benefits

Scope

Network design

Network Implementation

Network Management

User devices

Precaution measures

Stolen computers

User responsibilities

Hardware acquisition, maintenance

Hardware disposal

Software applications

Data

Business Continuity (BC) and Disaster Recovery (DR)

User collaboration and email service

Password Policy

Email Accounts

System access and authorization

Security Policy and Procedures

Minimizing the exposure of systems to External Networks

Access Control

Implement network segmentation

Institution awareness and Training

Audit and Accountability

Configuration Management

Identity Management and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical and Environmental Protection

Risk Assessment

System and Communications Protection

System and Information Integrity

Personally identifiable information (PII) Processing and Transparency

Contingency Planning

Supply Chain Risk Management

Passwords Protection

Assessment of the current situationge

Definition of the strategic target position

Definition of gaps

Establishing a roadmap to close the gaps.

Roles and responsibilities

Resources and Impact

Digitalization project initiation

Digitalization project documentation

Digitalization project implementation

Digitalization staff

Digitalization talent and capacity building

Challenge Definition

Ideation Stage

Prototyping

Testing Stage

Implementation

Data