On 18 October 2021, a consortium of civil society organisations (CSOs) in Kenya published a joint press statement applauding a court judgement that requires the Government to undertake a Data Protection Impact Assessment before issuing digital identity cards, known as Huduma Namba. The CSOs, which work on digital identity issues, also called for further reforms in the implementation of the Huduma Namba.
On 14 October 2021, the High Court found that the Data Protection Act applied retrospectively to data collected under the National Integrated Identity Management System (NIIMS), including the Huduma Namba. The court stated that “the Government had not fully appreciated the import and extent of application of the Data Protection Act with respect to collection and processing of data collected under NIIMS.” It further required the Government to complete a data protection impact assessment prior to processing of data or rolling out Huduma Cards.
A Data Protection Impact Assessment is designed to identify risks that may occur through the processing of data and put in place proper mitigation measures. Such an assessment is critical to ensure compliance with both data protection laws as well as human rights obligations and is standard practice globally when implementing digital ID systems.
Kenya’s Data Protection Act came into force in November 2019. Since then, the Data Protection Commissioner, appointed in November 2020, has appointed a task force to help in the development of draft regulations necessary to operationalise the Act. These draft regulations released in May 2021 are yet to come into force.
In its joint statement, the consortium called on the Government to:
- Ensure a fully inclusive identification system. This includes implementing Huduma Namba in phases with clear transition periods to enable all Kenyans to access identification documents, such as birth certificates and national identity cards, prior to moving forward with Huduma Namba.
- Establish a robust legal framework and governance body via countrywide public consultations and through encouraging citizens to participate.
- Ensure the full realisation of the right to privacy and data protection by ensuring Kenya has an independent and well-resourced Data Protection Authority capable of discharging its mandate.
“As Kenya looks to implement its digital ID system, we must ensure such initiatives are inclusive to minority and marginalised communities. Digital ID systems must also respect our right to data protection and privacy; therefore, the government must comply with the principles of data protection by design and default,” said Mugambi Kiai, Regional Director, ARTICLE 19 Eastern Africa.
Article 19 urges the Government of Kenya to comply with the decision of the court and conduct a Data Protection Impact Assessment before further processing any data under NIIMS.
For more information
Mugambi Kiai, Regional Director for ARTICLE 19 Eastern Africa firstname.lastname@example.org
Catherine Muya, Digital Program Officer