28 January is World Privacy Day. The day provides a crucial opportunity to raise global awareness about the importance of safeguarding public and personal data. This week, Kenya’s data privacy watchdog the Office of the Data Protection Commissioner, celebrated the day with the ICT Cabinet Secretary in Kisumu County. With Victor Ndede, we review how far has Kenya gone in terms of implementing data protection laws over the last year.
Over the last four years, the public has been shocked by several large data breaches. This has included data breaches with Safaricom 11.9 million clients (2019), 3 NTSA million clients (2020), KRA taxpayers (2020) and e-Citizen, WorldCoin and Kenya Airways users (2023) among others. Big data breaches are not unique to Kenya. Last year IBM reported that global data breaches amounted to Ksh 700 million last year, a 15% increase over 3 years.
Data Privacy Day also offers Kenyans a moment to reflect on the progress towards Kenya Kwanza’s Maisha Namba digital ID and service digitization programme introduced in 2023. The ghost of and the lessons from the abortive Huduma Namba project remain clear for most state officers and data privacy activists.
In 2021, the High Court ruled on a petition filed by Nubian Rights Forum that the Data Protection Act must apply to biometric data and biographical information collected for Huduma Namba. Ignoring this judgement, the Jubilee administration proceeded to roll out registration without completing a Data Protection Impact Assessment (DPIA). This promptly earned a second petition by Katiba Institute which effectively secured prayers to stop registration and instruct Government to complete a DPIA.
Over 2023, the State Department for Immigration and Citizen Services consulted severally with religious, business, and civic organizations on how to design a human-rights data protection compliant digital identity system for 56 million Kenyans. It was these privacy design considerations that led to the postponement of the Presidential launch in September 2023.
In October, unsatisfied with whether the DPIA and the regulations developed were sufficient, Katiba Institute returned to the courts and secured a temporary stay. This case is the third time that the High Court will be adjudicating on the mandatory nature of data protection impact assessments prior to roll out of digital ID systems. As the nation approaches the 2 February court hearing next week, introspection is needed to how to get this right for once.
Digital ID programmes remain emotive. A history of data breaches and the exclusion and denial of marginalized communities from fully participating in economic and social life, drive most concerns. With the opportunity to migrate to a third-generation digital ID, the moment presents itself onve again to transform the injustices of previous identity systems.
The digital identity project remains a key deliverable in Kenya Kwanza’s digital transformation agenda and critical for the digitisation of government services. Hopefully, the government will be able to clearly demonstrate that this digital identity project complies with the Data Protection Act and that they intend to implement affirmative action measures that ensure no person is left without a legal identity as a result.
Our personal privacy is not only government business. Data ownership and cyber-security are not just matters of risk compliance but increasingly critical for our institutional and personal health. A culture of privacy is necessary for public trust, our prosperity and safety online. All of us must actively limit who accesses our data, which cookies we allow, invest in encryption and anti-malware apps, declutter regularly and practice password and WiFi hygiene. Failure to do this and we may find ourselves like 84 per cent of Americans who now feel they have lost control of their personal data, according to the Pew Institute.
We have strong laws, an independent Data Protection Commissioner and a government committed to service digitization, let is not enable any actor or action that threatens or diverts us from our right to privacy.
Victor Ndede is the Amnesty International Kenya Technology and Human Rights Manager and can be reached at email@example.com
This opinion was also published in the Saturday Standard, 27 January 2024.