Kenyans who opt to have their personal data excluded from the National Information Integrated System (NIIMS) and the Huduma Namba registration will have to write to the government giving reasons why they object.
New regulations published by the Ministry of Information, Communication and Technology further say the government will have to seek consent from the public before collecting personal data.
“A civil registration entity shall seek consent from a data subject for processing of personal data at the time the personal data is collected,” says the Data Protection Civil Registration Regulations, 2020 released yesterday.
Kenyans who object to having their data processed will fill in a request form restricting or objecting to the processing of their information.
“A civil registration entity shall…collect personal data which it is permitted to collect by the data subject, undertake steps to ensure the quality of personal data and undertake processes to secure personal data,” the regulations say.
The regulations are one of two sets of draft legislation introduced by the ministries of ICT and Interior that seek to correct flaws in the Huduma Namba registration conducted last year that was halted by a court challenge from civil rights organisations.
The Registration of Persons (National Integrated Identity Management System) Regulations, 2020, on the other hand, give the scope and objectives of the NIIMS database, Huduma Namba and Huduma Card.
Once enrolled into NIIMS, the country’s residents will have the option of registering for the Huduma Card under one of four categories: minors above the age of six, adults above 16 years, foreigners and refugees.
“For purposes of establishing proof of identity, the presentation of the Huduma Card or Huduma Namba authenticated by biometrics shall constitute sufficient proof,” the regulations say.
The High Court last month said there was need for a clear regulatory framework to address the possibility of exclusion in NIIMS before the Huduma Namba registration programme kicked off.
“An inadequate legislative framework for the protection and security of the data is clearly a limitation to the right to privacy in light of the risks it invites for unauthorised access and other data breaches,” ruled a three-judge bench.
In the case, the State was hard-pressed to explain the necessity of spending Sh6 billion on a fresh registration process without enacting the data protection law as had been advised by experts in the public and private sectors.
Anand Venkatanarayanan, an expert witness in the case, said centralisation of personal data would be a threat, inviting cyber-criminals and hackers to attempt to access valuable data sets on citizens.