By Winnie Kamau
A recent forum that was held in Nairobi to discuss critical issues surrounding the Huduma Namba Bill has expressed fear over data security.
The meeting which brought together data experts, lawyers, activists, and other experts noted with concern about data protection gaps facing the country in recent times.
During the discussions, Ephraim Kenyanito, Program Officer, Article 19 narrated how he recently visited the National Museums of Kenya in Nairobi. “As part of the security check-ins, I was told to produce my identity card. The security personnel then went into key-in my details in the Integrated Population Registry System Database which displayed all my information including details of my parents and where I came from.”
“I was dumbfounded and went ahead to ask questions, why does security personnel need to know where I come from? Why would they need to know the details of my parents? How secure is my data bearing in mind this is not the police getting access to my data?” Kenyanito said.
Kenyanito went further to talk about his worries about data protection during the discussion about the Huduma Bill, “In 2014 there was a partnership with Pakistani Government to come up with Biometric passports. So our data goes to servers in Pakistan. What if there’s a data breach in Pakistan then we are at a loss unless we have Data Protection in place before the Huduma Number Bill is passed.”
Adding that “In Kenya, there have been several data breaches in Government offices like the Ministry of Foreign Affairs where there was an email breach. “We need to demonstrate how we can secure what we have first before getting more data from Kenyans.”
Another great concern from the proposed draft of the Huduma Bill 2019 is that Kenyans will not be able to access government services – which they are constitutionally entitled to – without a Huduma Namba.
The Bill that is currently out for public participation debate calls for the Huduma Namba, also known as the National Integrated Identity Management System (NIIMS), to go into effect immediately for many different forms of Identity that we currently have.
In questioning the proposed Bill, Alice Munyua Mozilla’s Africa Policy Advisor raised, “We need to ask these questions, why is there such a huge push for this data? Who is benefitting? Who is waiting to use this data? Who are the vendors in the digital Identity (ID) implementers do they have the ability to secure our data?” She questioned.
“Earlier in the year, the Huduma Number registration took place and allegedly over 30 Million Kenyans’ data was collected. This exercise was done in the absence of necessary and critical safeguards, including a Data Protection Law that has been pending since 2018.” Munyua asked.
Munyua pointed out that the Bill does not include national security, prevention/ investigation/ prosecution of crime, or some other purpose that could be used to justify access to the data NIIMS database for surveillance.
“It would, however, be good to strengthen the language elsewhere in the bill to make clear that these purposes are the only lawful purposes for which the NIIMS database may be accessed.
Similarly, Mustafa Ahmed, from the Nubian Community and a Citizenship Rights Activist noted. “I come from a minority group that’s the Nubian and we struggle with citizenship identification documents. While everyone gets their Identity Cards (IDs) at 18, we struggle as the documents we are asked for are ridiculous, we are asked for our grandparents’ IDs and you need an Elder who will certify that you belong to your grandparents and your parents.” Adding “You need an ID to register for the Huduma Number and the biggest challenge is in getting the ID. Stateless persons in Kenya are desperate for an entry point into the system and the Huduma Number was seen as a great opportunity.” says Mustafa.
Gaps in the Huduma Namba government project remain a worry to many who still wonder how the initiative will succeed without proper legislation around it. Huduma Number is taunted to violate the Digital rights defined as having the right and freedom to use all types of digital technology while using the technology in an acceptable and appropriate manner. The Digital Identity (DI) is a unique identifier that is used to recognize you by computer systems.
For example, Munyua from Mozilla pointed out“The Huduma Number will attract punitive repercussions such as jail term for a year and exorbitant fines such as One Million Ksh for a transaction without the Number and months in prison or 500,000 Ksh fine for a general penalty.”
The Data Protection Bill 2018, will need to be enacted very soon experts said, noting that a good protection framework must include strong protections for individual rights, responsibilities placed on data processors and controllers and an empowered, independent data protection authority.
CEO of East Africa Data Handlers, George Njoroge, CEO East Africa Data Handlers says, “I personally have strong reservations on this Bill as my biggest view is on digital identity theft. The biggest challenge is tech abuse.”
Frank Odhiambo an analyst from Omidyar’s Digital Identity gave his views about the five fundamental components for a good Digital Identity, “Inclusion, Privacy of information and user information , Security of Digital Identity Database, User value of the Digital Identity systems, and User control -how much control do you have on the data and access.”
A good Digital ID and the Data Protection Bill are what Kenyans expect to have to entrust their data with government.