Is Huduma Namba finally compliant with the Constitution?

In a matter of days this week, two things related to the National Integrated Identity Management System (NIIMS), popularly known as Huduma Namba, happened. First, Immaculate Kassait was sworn in as Data Commissioner. Second, the government announced that Huduma Namba cards will replace the national ID cards come December next year.

These developments mark the end of several months of Kenyans raising questions about Huduma Namba, mainly how it will help them or how their data will be protected.

Earlier in the year, the High Court gave the green light for the rollout of the Huduma Namba while ruling that the collection of DNA and GPS co-ordinates for purposes of identification was intrusive, unnecessary, unconstitutional and a violation of the right to privacy under the Constitution.

The court also allowed the government to proceed with Huduma Namba’s implementation. But it said the implementation is to be done on condition that there is an appropriate and comprehensive regulatory framework that is compliant with the Constitution.

The government has described Huduma Namba as a framework aimed at registration of persons using a harmonised approach to address duplication of efforts and to cut costs in registration processes. The framework is deployed with the consolidation of data from primary population registration agencies.

The government says the framework will create and manage a central master population database which will be the ‘single source of truth’ on a person’s identity as it will contain information of all Kenyan citizens and foreigners residing in Kenya. It will serve as a reference point for ease of service delivery to Kenyans.

Without a doubt, it is important to have a central master population database such that one does not have to make multiple and tedious applications to access public services. If the information provided by the government is anything to go by, one would only need the Huduma Namba in place of the driving licence, national ID, NHIF and NSSF cards to mention but a few.

At the optimal operational level, the database would also facilitate the sharing of data between government agencies through a digital platform. When Huduma Namba data collection was launched, there was no concrete legal framework outlining what it was, perhaps fuelling sentiments that the initiative was not well-intentioned.

The Cabinet Secretary, Ministry of Interior and Co-ordination of National Government enacted the Registration of Persons (National Integrated Identity Management System) Rules 2020.

The NIIMS rules are meant to comply with the court’s ruling earlier in the year that Huduma Namba must be anchored within a comprehensive legal framework that complies with the Constitution.

The rules define Huduma Namba as a unique identification number assigned to a resident individual who has enrolled into the NIIMS and the card as a digital multipurpose identity card issued to a resident individual. NIIMS is comprised of the NIIMS database, Huduma Namba and the Huduma Card.

Recalling the court’s pronouncement on the collection of DNA and GPS co-ordinates, the rules provide that the database is to be composed of what they call foundational data, which is described as the basic personal data of a resident individual for attesting the individual’s identity and includes biometric and biographical data.

As per Section 5 of the Registration of Persons Act, the data is to include a registration number, name, sex, county of birth or county of residence, date of birth or apparent age, place of birth, occupation, profession, trade or employment, place of residence and postal address, finger and thumb impressions, palm or toe impressions in physical form, biometric data and date of registration.

The rules outline the Huduma Namba registration process, assignment of Huduma Namba and issuance of Huduma cards. They also provide that the Data Protection Act, 2019 is to apply to how personal data is handled in relation to the framework and processes.

What is curious from the rules is that they do not provide that Huduma Namba will be the only ‘Identity Card’ one will have to move around with. Rule 6 of the NIIMS Rules states that the database shall support access and issuance of electronically generated copies of identity documents. This means that we are not going to do away with the multiple identity documents we carry on us.

By the time the court was making its decision on whether Huduma Namba complied with provisions of the Constitution, the Data Protection Act 2019 had already been enacted.

One of the constitutional challenges to the deployment of the Huduma Namba was that Kenya did not have a comprehensive data protection law that operationalised Article 31 of the Constitution on the right to privacy. On matters of data protection vis-a-vis Huduma Namba, the ICT Cabinet Secretary enacted the Data Protection (Civil Registration) Regulations 2020.

The regulations state that the purpose for collection of personal data would be for registration in relation to the registration of persons, births and deaths, Kenya citizenship and immigration, marriages, children and refugees.

They also provide for the rights of individuals in relation to their personal data, the manner through which they are to consent to the collection of their data, general obligations and securing of data by civil registration entities.

One gap within the regulations is that they provide for the need for consent before one’s data is collected for civil registration. They state that one will be informed of the implications of withholding or withdrawing consent, but the implications are not outlined, as they should be in any law of this nature.

The Data Protection (Civil Registration) Regulations 2020 generally mirror the provisions of the Data Protection Act 2019. The Data Protection Commissioner, who is the regulatory authority on data protection matters, is in office, but it is a wait-and-see situation on how she will handle complaints relating to how the data is collected, stored, secured and shared.

Will the commissioner take decisive action against public civil registration entities that do not comply with Article 31 of the Constitution and the Data Protection Act? Will she have the resources and capacity to conduct monitoring and evaluation of security safeguards employed by civil registration entities and private sector entities at the same time?

-Mr Mugambi is an Advocate of the High Court of Kenya and a Privacy and Data Protection Specialist.