NIIMS is legally flawed, offers no protection against cyber crime

A section of Huduma Centre in Nairobi on July 16 2018.[David Njaaga,Standard]

President Uhuru Kenyatta recently signed a law establishing the National Integrated Identification Management System (NIIMS), as a platform that will digitise and centralise records of vital life events of citizens and of foreigners’ resident in Kenya. The Statute Law (Miscellaneous Amendments) Act 2018 amends the Registration of Persons Act (RPA), inserting a clause that provides the legal basis for NIIMS.

The digitisation of records can improve efficiencies in registration and increase data quality while lowering cost of data management. This can, in turn increase registration coverage, thus bringing more people into registration. However, the processing of the Statute Law (Miscellaneous Amendment) Act, as well as the drafting of the text of the law, is flawed and is unlikely to provide a reliable foundation for what the government proposes to do.       

Traditionally, Kenya uses miscellaneous amendment statutes as a mechanism through which omnibus legislation touching on many unrelated subjects is enacted. Given the important role that this law is meant to play, it deserved the kind of processing that would have allowed more debate than was possible when it came as part of omnibus legislation. Omnibus legislation represents an “all or nothing” approach that is surely inappropriate for a law of this nature. In the event, while the government has achieved the law it desired it has done so in a manner that employed stealth and minimised participation.

Secondly, the drafting of the law is defective. The law in question establishes “the National Integrated Identity Management System.” The “National Integrated Identity Management System” is a database, a thing.  However, the law proceeds to confer on the “system” functions that are ordinarily performed by persons or corporations, for example the power to print and issue identity documents. And so, the drafting is to the effect that “the functions of the system are …” which it then enumerates. As a matter of elementary law, a “system” cannot be the recipient of legislative power to perform a function. Only persons, whether natural or corporate, receives power to perform functions in law. To the extent that the drafting treats a thing as a person on which it purports to confer functions, it is legally defective and incompetent.

Thirdly, where legislation establishes a role, it necessarily designates role players and also provides for incidental matters like the manner in which the players are to act in their role. As a complete regime governing the registration of citizens who have reached 18 years, the RPA establishes, as the main role players in that regime, the minister who has power to appoint a principal registrar who, in turn, is empowered to appoint other officers. The Act then provides for their functions and powers and also establishes a register, into which they must enter the names of all citizens they register.  

By contrast, the responsibility of establishing a digital registration regime is not assigned to a person but to a thing called NIIMS. As a result, nobody is accountable for the roles that the amendment Act establishes. It is also not clear what powers are available for use to ensure that the objectives of NIIMS are met.

While establishing NIIMS, the amending law leaves intact pre-existing scheme under the RPA. It does not link NIIMS with the register under the RPA or with the existing role players. Further, the RPA is not the only legislation that provides for registration. For example, a separate regime governs the registration of births and deaths. That regime confers power on the minister, establishes a principal registrar together with other registrars, and also registers of births and deaths. As the amendment legislation does not relate itself to the system of registering births and deaths, there is no legal mechanism linking NIIMS with the regime for registration of births and deaths.

The matters raised here are not just legal niceties. Digitisation comes with great promises but also risks. Digitisation can facilitate identity fraud, and is also associated with privacy violations, even if unintended, since it is easier to obtain unauthorised disclosure of networked data. The decision to digitise also ignores the politics of registration. In a country with so many political grievances about how registration is manipulated for political ends, processing this type of legislation without an accompanying political debate was not wise. Finally, a registration system can be the means of excluding sections of the population. Parts of the country where, for political or logistical reasons, manual registration has been less successful can be marginalised further when going digital. Also, sections of the population, principally stateless persons for whom there currently is no manual registration system of any kind, can be further excluded.

It is difficult to establish something like NIIMS without a standalone law and an accompanying political consultation. Because the processing of NIIMS has been hurried and is legally incompetent, it offers no protection against the risks of digitisation. 

- The writer is the Executive Director at KHRC. [email protected]