In a judgement delivered on December 5, the High Court declared the implementation of the Maisha Namba illegal, citing lack of legal basis, absence of data protection impact assessment, and insufficient public and stakeholders participation.
Down memory lane in 2021, blunders by the government have put Huduma Namba, and subsequent developments, on a guillotine and consequently pushed Sh10.6 billion taxpayers’ money to a bottomless pit.
With a budget of Sh1 billion channelled to this project, and drawing lessons from past challenges, we least expected the government to implement minimum safeguards and procedures in the collection and processing of sensitive personal and biometric information.
As we reflect on the numerous petitions in the past, what are the wider implications for the governance and regulation of digital ID systems in Kenya? What’s the government’s civil registration system’s practical ability to make operational the Maisha Namba for the entire population? Could the new digital ID system further entrench discrimination and exclusion of marginalised groups in Kenya?
The Data Protection Act 2019 lacks adequate legal provisions on data flows, data security and data privacy laws. The development of the master database that will collect and process the digital signatures should conform with global General Data Protection Regulation Laws. With limited data regulation in effect, there is a need to first amend the existing legal frameworks to accommodate the dynamics of digital applications and minimise data privacy concerns.
There is inadequate publicly available information on how the master database and the existing information held by the Kenya’s National Registration and Identity system will be integrated. It's unclear and ambiguous where and how the personal data collected, and the existing biometric information will be stored and processed, between the cards themselves and other components of the NIIMS system.
Further, the involvement of Bills and Melinda Gates Foundation raises the general public concerns that data might be destroyed, deleted or vital records lost, including cases of identity theft and fraud. They are apprehensive of malicious use of the information, wrongful entries, mismatch of information and hacks through cybercrimes.
The card is expected to include a photo image of the applicant, an ID number, a card serial number, biometric data, biographic data, residential particulars and high-end security features.
Its rollout has a high risk of excluding an entire segment of the Kenyan population. Catastrophic exclusion from the system and government services could affect people lacking documentation, people facing hurdles with biometrics and many others.
A keen analysis of the data protection impact assessment conducted in accordance with Section 31 of the Data Protection Act reveals that, as a country, we are not fully ready to collect, process and store digital ID systems securely without infringing the right to privacy and protection of Kenyans. Further, the report provides inadequate information on the associated risks and mechanisms to mitigate them.
There is ample evidence of the potential harm, which is likely to emerge if decision-making around digital identity systems from concept to design and implementation does not carefully consider the implications of such systems on the people, and communities, which interact with them, as well as those who do not or cannot do.
In the pursuit of the 'national interest' to reap the great benefits and opportunities of the digital economy and transformation, we cannot allow the Ministry of Interior to just operate outside of the constitution and violate people’s rights.
Going by the pitfalls identified by rulings of courts in other countries, where legal challenges were brought against digital ID systems, its critical for the government to develop an appropriate and comprehensive regulatory framework in place to govern the operations, data privacy and the exclusionary nature of the system.
Kenya’s journey towards digital identification systems, from the troubled Huduma Namba to the emerging Unique Personal Identifier system, encapsulates a delicate balancing act between innovation, privacy and trust.
As businesses navigate this evolving landscape, it is clear that the success of these initiatives hinges on addressing data privacy, security, legal uncertainties and public concerns. The path forward requires careful consideration and collaboration to unlock the potential benefits while safeguarding the rights and interests of all stakeholders involved.
Kenya can forge a digital identity future that enhances services, inclusion and economic growth through a comprehensive and well-considered approach.
The writer is a data scientist pursuing a MSc in Artificial Intelligence at the University of Edinburgh in Scotland. He can be reached at [email protected] @kennedykwangari