Kenya adopted the National Integrated Identity Management System (NIIMS) - popularly referred to as Huduma Namba - in 2019.
The system was designed to establish and maintain a national population register as a ‘single source of truth’ on Kenyan citizens and foreign residents in the country.
Several questions were raised about the system's adoption, particularly regarding security, privacy, inclusivity, and the process by which it was created and implemented.
These issues were raised in a case before the High Court of Kenya (Huduma Namba I), which highlighted two primary risks associated with a centralized identity management system, namely exclusion and data misuse/loss, and questioned whether adequate safeguards exist to ensure authorized access to and retention of data.
The court ruled that the collection of DNA and GPS data was unwarranted, and directed that the government of Kenya refrain from proceeding with processing the data until a suitable and comprehensive regulatory framework for the implementation of NIIMS was in place.
This had the effect of pausing, albeit temporarily, the nationwide biometric ID process, and contributed to the passage of a data protection law.
The Data Protection Act (DPA) of 2019 was enacted to regulate how data controllers and processors use, store, and manage personal data throughout the lifecycle of the data. The DPA gives effect to Article 31(c) and (d), among other provisions, of the Constitution of Kenya, which guarantee data subjects, their families, and private affairs the right to privacy.
The purpose of the DPA is to regulate personal data processing, to ensure that personal data processing is guided by data protection principles, to protect individuals' privacy, to establish legal and institutional mechanisms to protect personal data, and to provide data subjects with rights and remedies to protect their personal data from processing that is inconsistent with the DPA's provisions.
The Act established the Office of the Data Protection Commissioner (ODPC), whose primary functions include exercising oversight over data processing operations, conducting assessments of private or public bodies to determine whether information is processed in accordance with the provisions of applicable laws, and receiving and investigating complaints regarding alleged infringements of rights under the Act.
The DPA requires that a Data Protection Impact Assessment (DPIA) be conducted where processing operations are likely to pose a high risk to the data subject's rights and freedoms due to their nature, scope, or context. Additionally, the Act's key provisions address the processing of sensitive personal data, processing of personal data pertaining to children, data protection by design or default, notification and communication in the event of a data breach, and the offenses and penalties associated with the unlawful disclosure of personal data.
The government of Kenya began the initial phase of the Huduma Namba rollout in late 2020. In March 2021, the government’s spokesman announced that the Huduma Namba cards were available and would soon be used across all the counties in the country. However, in a separate case before the High Court (Huduma Namba II), the court found the implementation to be inadequate due to the failure to conduct a data protection impact assessment prior to the data collection process and the rollout of the system.
The court held that the DPA applies retrospectively to the date when the State first began collecting Huduma Namba data. The State therefore violated data protection laws by processing personal data and by rolling out and distributing Huduma Namba cards.
The adoption of NIIMS has had a significant impact on Kenya's digital ID, data protection, and privacy landscapes. There are frequent discussions on security, privacy, and the rights of data subjects. Data controllers and processors, as well as data subjects, are becoming more aware of their rights and responsibilities.
While awareness is still unsatisfactory, some people are aware of their data processing rights, and many of us are aware of the pressing need to educate. Additionally, data controllers and processors are better positioned to comprehend the nature and scope of data processing.
The establishment of the Office of the Data Protection Commissioner is a recognition of the critical need for an office dedicated to data protection and a channel for filing complaints. The Office is developing additional regulations that will ultimately affect most or all sectors, since digital transformation and data processing are widespread phenomena.
Since the system's inception, the issues and risks associated with digital ID have not been adequately addressed. On a very fundamental level, the shift to a centralized and digitized identity system, in which participation is a prerequisite for accessing constitutionally-guaranteed rights, has yet to be fully justified.
While legislation has been enacted and additional regulations are being considered, security, privacy, and connected services require additional examination. We are attempting to understand the system backwards, which should not be the case. If anything, this only calls for further due diligence in the development of digital ID infrastructure.
*Our community articles represent the opinions of the author, and not Good ID.