DATA PRIVACY

What Kenya needs to do to get it right on Huduma Namba

The need to ensure privacy by design approach and safeguards to human rights with digital IDs has never been clearer

In Summary

• Through the Huduma Namba, the government aims to create and manage a database for all Kenyan citizens and foreign nationals residing in Kenya

• But Justice Jairus Ngaah said the government “had not fully appreciated the import and the extent of the application of the Data Protection Act"

President Uhuru Kenyatta and First Lady Margaret Kenyatta showcasing their Huduma Namba Cards.
President Uhuru Kenyatta and First Lady Margaret Kenyatta showcasing their Huduma Namba Cards.
Image: PSCU

The High Court on October 14 ordered that the government conducts a data protection impact assessment before rolling out the Huduma cards as required by the Data Protection Act.

In finding that the Data Protection Act applied retrospectively to all the data that had been collected in the Huduma Namba exercise, Justice Jairus Ngaah said the government “had not fully appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the National Integrated Identity Management System.”  

This adds to the long line of litigation that has engulfed the Huduma Namba rollout since amendments were made to introduce NIIMS in 2018.

Through the Huduma Namba, the government aims to create and manage a database for all Kenyan citizens and foreign nationals residing in Kenya that will be the single source of the truth on a person’s identity.

Indeed, Kenyans are tired of unnecessary duplication of identity registration, providing different data points to multiple government agencies. In addition to identity, Huduma Namba also aims to provide critical data for planning and decision-making to realise Kenya’s development agenda. Governments across Africa are digitising identity to do this.

Mid this year, the African Union Commission unveiled its draft a framework to create an interoperable Digital ID framework for Africa to drive trust, financial inclusion and realise the aims of AU Agenda 2063 and the digital transformation strategy.

Unfortunately, the concerns on exclusion, privacy and surveillance around digital ID presented to the AU and raised by civil society organisations globally are replicated in Kenya.

An earlier petition filed in 2019 by the Nubian Rights Forum and the Kenya Human Rights Commission highlighted risks of discrimination and exclusion of some marginalised communities from enrolment of Huduma Namba.

These groups have to undergo a highly securitised vetting in addition to providing extra documentation to prove their nationality before being granted a national ID. In 2013, the African Committee of Experts on the Rights and Welfare of the Child recommended that Kenya ought to make legislative and administrative reforms to ensure children of Nubian descent, one such group, can acquire Kenyan nationality. This is yet to be done.

In August 2021, Haki na Sheria initiative filed a petition seeking to have the government complete the de-registration of Kenyans in the refugee database and issue them with IDs.

In 2016, the government pledged to undertake the de-registation, although this has not been completed.  

Following the outbreak of Somalia’s civil war in 1991 and prolonged drought in the Northeastern at the time, many Kenyans were “double registered” as refugees to take advantage of the free rations, free education and other opportunities available to refugees. Some were even registered by family members without their consent.

Decades later, these decisions have come back to hunt them, as the ID is the documentary proof needed to enroll for Huduma Namba. Those without cannot enroll and are at risk of statelessness.  

Privacy concerns around digital ID are well illustrated by the situation in Afghanistan, where the Taliban, now in control of biometric identity systems could use them to target specific groups allied to previous governments such as journalists, human rights defenders or Afghan security forces .

Recent research by Human Rights Watch put the UNHCR under fire for poor data processing practices, including failure to conduct a data protection Impact assessment as required by internal policies.  

In the report, UNHCR shared data with Bangladesh, which in turn gave it to Mynmar, the country from which Rohignya refugees fled. While UNHCR has disputed these claims, the point to note is the need for data protection impact assessment.

While Kenya’s political situation is not as dire, the need to ensure privacy by design approach and safeguards to human rights with digital IDs has never been clearer.

Debates on whether Kenya should adopt a centralised or decentralised digital ID design were raised during the Nubian rights petition in 2019, though specific aspects of design were not addressed by the court.  

The court stated: “It is beyond the court’s jurisdiction and capabalities to prescribe the choices that can be made in the architecture and design of a biometric system”.

The case by Katiba Institute also raises serious questions of the confidence Kenyans have in the Office of the Data Protection Commissioner to handle protection complaints. The office created a year after the Act has to date published manuals and draft regulations necessary to fully operationalise it.

These regulations are yet to come into force. As Kenya moves towards a digitalised economy and e-government, the need to have a well resourced and independent commission increases daily.  

So what should the government do?

The government must comply with the court decision to conduct a data protection Impact Assessment. A DPIA will help it identify the risks posed by the digital ID system and put in place measures to mitigate them.

Second, there is a need for a transitional period from the current ID to Huduma Namba. This will allow the government to address complex issues of inclusion from refugee double registration to universal birth registration and ensure no one is left behind.

Third, there is a need to support the Office of the Data Protection Commission with adequate finance and human resources. This also includes passing regulations that will allow the office to deliver its mandate such as investigating complaints or creating awareness on data protection.

We must do this in a way that doesn’t leave others behind, the true test of our humanity. 

Catherine Muya is the digital programme officer at Article 19 Eastern Africa