NIIMs is a noble idea, but protect our data

Last week, the High Court delivered a decision on the constitutionality of the National Integrated Identity Management System (NIIMS), popularly known as Huduma Namba. The court found that some of its provisions such as the collection of DNA and GPS were overly invasive and unnecessary for national registration purposes hence, unconstitutional. The court, however, found that the collection of other biometric information such as facial data, iris and fingerprints was sufficient for purposes of national registration.

The court allowed the government to continue the roll-out of Huduma Namba on condition that it sets up an appropriate and comprehensive regulatory framework on data protection. It added that the framework must meet international standards on data protection which include publishing of appropriate rules and regulations, the appointment of an independent Data Protection Commissioner and formation of a secretariat.

The major reason NIIMS survived the legal challenge was because in November 2019, the National Assembly passed a Data Protection Law. When the case was lodged and the first rollout was done, Kenya did not have a legal framework for the protection of personal data. Kenya joins India and Jamaica, countries where legal challenges have been filed against a biometric registration system on account of the right to privacy. In Jamaica, the Supreme Court found the system unconstitutional because it violated the right to privacy.

Affect rights

In India, the Supreme Court upheld the ‘Aadhaar’ system on condition that India comes up with a strong data protection framework. As per the Huduma Bill, enrolment would be required in order to access over 17 services that affect rights such as education, a passport, healthcare et cetera.

Moreover, failure to register would attract a prison term and hefty fines running into the millions of shillings. Increasingly, our lives are ending up on digital platforms: From movements being tracked by GPS systems and CCTV cameras, shopping habits through tracking digital payments, communications and internet searches, who we speak to via phone records to our very identity in terms of biometric data which once breached, cannot be changed or reclaimed.

Integrated databases are easy targets for hackers. Other governments such as the USA and UK have abandoned plans like NIIMS because of the potential danger centralised biometric data poses to its citizens. The danger simply outweighs the benefits of the convenience of the systems.

A less risky model is the utilisation of ‘data silos’ which involve the use of separate systems for different purposes that are not integrated with others. An example is where the KRA data, passport data and national identity registration data are all kept in separate databases.

Automate services

If one body requires data from another, a physical process might be required as opposed to the click of a button. A breach of such systems would therefore only compromise the data therein - whereas breaches in integrated systems such as NIIMS jeopardises all the data that is within or connected.


As we move further into the digital age, more of our data as a matter of necessity will be collected, collated and processed in digital form as governments, corporate bodies, scientists, researchers and other fields endeavour to utilise digital data to automate services and to improve systems, services, policies and programmes. The downside is that many countries lack the technical, policy and regulatory frameworks that allow for the use of data in a manner conscious to rights issues. Worse still, citizens simply do not know their digital rights or simply do not care.

Sadly, 66 per cent of Kenyans today do not know or care about digital security as per the 2019 Global Survey on Internet Security. This means that Kenyans, due to ignorance and apathy, are incapable of holding their government and businesses that operate in Kenya to account.

Instead, meaningful consultations should be held to explore open and transparent approaches that ensure that data is used and processed within agreeable legal and policy frameworks that respect the privacy and dignity of the citizenry.

Mr Kiprono is a Constitutional and Human Rights Lawyer. [email protected]