Stirred into action by a Presidential Executive Order, the Interior Ministry just touched another live-wire among most Kenyans. The piloting of the National Integrated Identity Management System (NIIMS) may have also unintentionally stirred the best national debate on digitising personal information and the right to privacy ever.
While most Kenyans were holiday planning in December, a miscellaneous legal amendment established the legal framework for NIIMS. Kenyans, immigrants and refugees would be required to register their DNA, GPS home details, eye biometric information and the shape of their ears before being issued critical identification documents. Consolidating this information with our driving licences, passports, KRA PIN, NHIF and NSSF cards then generates the unique identification Huduma Namba number.
The idea of digitising and integrating registration documents is admirable. It is not unusual for the information on those databases to vary from person to person. A centralised master population database is critical for trends analysis, targeting and monitoring of essential services or the tracking and apprehension of criminals.
Despite this, the introduction of the 15 county 30-day pilot registration will probably be taught as a future case-study for communicators on how not to introduce a Government programme. A whirlwind of suspicions and superstitions have followed. Who got the billion-shilling contract and will it be placed in the public domain? Is it linked to the Huduma Mastercard already in circulation? How will the Government safeguard the mass collection of DNA and blood? Is it really linked to the mark of the devil (666)? How will the Government safeguard our personal information in one huge database? Within days, the Government was easily but unnecessarily placed on its defence. In the eyes of the public, the legitimacy of the programme is now in tatters.
NIIMS comes at a pivotal time. The world now transfers the same amount of digital data every two days as it did in the entire period of humanity up to 2003. Over the last four years, over 13 million Kenyans have doubled our internet traffic to share their deepest thoughts, find love, buy and sell ideas, goods and services. Without our consent or knowledge, CCTV cameras, cell phone towers and website browser cookies monitor our movements off and on the net.
NIIMS is only the latest attempt to join others who are hungry to mine our personal data.
For those tempted to threaten citizens with the withdrawal of services and prosecution, they need to stop digging this hole any further. Chapters 3 and 4 on citizenship and the Bill of Rights confer an obligation on the state to issue citizenship documents and provide essential services. Facing rising #IAmNotBoarding calls, the Ministry’s declaration that DNA testing is off the table is welcome. However, the broader questions of purpose, process and privacy remain.
Following 700 submissions from the public, the Parliament was on the verge of debating a Data Protection Bill and Data Protection Policy. Both are already being discussed internationally as world-class pieces of legislation. The Bill frames the rights of citizens to their data and the duty of the state to notify and seek consent for the processing of this data. It provides an enforcement framework for rectifying data breaches and the conditions under which our information could end up overseas. It proposes an Independent Commissioner to regulate both state and citizens in accordance with Article 31 and the Right to Privacy.
As designed, NIIMS has huge security vulnerabilities. The Government have yet to demonstrate strong security measures for data protection in the light of IFMISS and other data related breaches. As some have pointed out, DNA or retina data are not like passwords or tokens that can be reset. Secondly, given our history of illegal surveillance and intelligence sharing, how are we confident that all this data will not also be used to target democratic opposition, corruption whistle-blowers or specific ethnic communities?
The invasive NIIMS exercise falls short of standards set by the African Union Cyber Security Convention and European Union General Data Protection Regulations. If the Government steamrolls over this, we will lose any certification that allows for other countries’ data to be processed here or our companies to enter other markets.
In the light of the poor public participation in its design, the very real public concerns and the constitutional challenge that NIIMS now faces, it would be prudent to abandon the pilot exercise, accelerate the passing of the Data Protection Bill and then revisit NIIMS. If this happens, I will be first in line.
First published Saturday Standard, February 23, 2019. Kindly reproduced here with permission from the Standard Group
Five days after this article, the Kenyan Senate suspended the NIIMS exercise.