Kenya has struggled to transform its citizens' and residents’ identification systems for years.
In 2015, through the Integrated Population Registration System, the government created a centralised database holding registration data from various government agencies and databases such as pensions, courts, land, SIM cards, driver licences, and immigration. The system uses a person's ID number to verify the accuracy of information and so prevent double registration and fraud.
In 2018, an executive order gave rise to the National Integrated Identity Management System (NIIMS), designed to be a biometric digital population database dubbed the "one source of truth" based on the unique feature of biometric data. It relies on the fact that every person's fingerprint, DNA, facial configuration or iris is unique.
Despite being a modern and supposedly cutting-edge ID system, there were concerns about data protection because Kenya did not have a data protection regime at the time. Other concerns included the failure to address historical marginalisation of and discrimination against certain Kenyan communities, such as Kenyan Somalis and Nubians, which threatened to marginalise them further. Moreover, the rollout appeared rushed, with the government seemingly using disinformation and threats about its mandatory nature.
Through strategic litigation by civil society organisations, the government was forced to put NIIMS (Huduma Namba) on hold until a proper legal and policy framework was enacted. In a subsequent case, it was established that such a system must first have a data protection impact assessment to identify risks and vulnerabilities and inform legal, policy and infrastructural interventions.
When the Kenya Kwanza administration took over, it abandoned Huduma Namba. It opted for another form of digital ID (Maisha Namba) based on a Universal Personal Identifier (UPI) to be allocated at birth as a lifelong personal identity number serving as a birth certificate, eventual death certificate and number for access to government services such as education, health, pension, taxation et cetera. Maisha is conceptualised to have four components: a digital (virtual) ID, a physical ID card, the number itself and the master population register.
The government must avoid the pitfalls that befell Huduma Namba by ensuring robust and meaningful public participation that includes persons previously marginalised by registration practices and other stakeholders. The government should clearly explain the purpose of the digital ID system. Data collection, processing, and use must be strictly limited to what is directly relevant and necessary to accomplish those stated purposes, per data protection principles. Moreover, a comprehensive data protection impact assessment must be carried out to identify the vulnerabilities, risks and dangers the systems pose, more so because Maisha Namba will be integrated with artificial intelligence processes. The impact assessment should inform all legal and policy frameworks, cyber security policies, and infrastructure.
Per the Data Protection Act, there must be legal accountability for cyber security breaches and for the unauthorised access to or sharing of personal data. In the event a data breach occurs, the State should notify the public immediately; this notification should explain the extent and potential consequences of the breach and the steps taken to minimise any harm that may result. Breaches of this kind must be legally actionable.
There should be an intense programme to rope in those who have been historically marginalised by removing past policies that prevented members of certain communities from obtaining IDs. Birth registration and ID card issuance for historically marginalised groups will benefit from a workable transition period. Additionally, such a period would provide government officials with the opportunity for comprehensive civic education and training in using UPI, master population registers, and digital identification.