Huduma: How not to roll-out a state drive
By Irungu Houghton | February 23rd 2019
Stirred into action by a Presidential Executive Order, the Interior Ministry just touched another live-wire among most Kenyans. The piloting of the National Integrated Identity Management System (NIIMS) may have unintentionally stirred the best national debate on digitising personal information and the right to privacy.
Kenyans, immigrants and refugees would be required to register their DNA, GPS home details, eye biometric information and shape of their ears before being issued critical identification documents. Consolidating this information with our driving licences, passports, KRA PIN, NHIF and NSSF cards then generates the unique identification Huduma Namba.
The idea of digitising and integrating registration documents is admirable. A centralised master population database is critical for trends analysis, monitoring essential services or the tracking and apprehension of criminals.
Despite this, introduction of the 15 county 30-day pilot registration is a future case-study for communicators on how not to introduce a government programme. A whirlwind of suspicions and superstitions have followed.
Who got the billion-shilling contract and will it be placed in the public domain? Is it linked to the Huduma Mastercard already in circulation? How will the government safeguard the mass collection of DNA and blood? Is it really linked to the mark of the devil (666)? How will our personal information in one huge database be safeguarded?
Within days, the government was easily but unnecessarily placed on its defence. In eyes of the public, legitimacy of the programme is now in tatters.
NIIMS comes at a pivotal time. The world now transfers the same amount of digital data every two days as it did in the entire period of humanity up to 2003. Over the last four years, more than 13 million Kenyans have doubled our internet traffic. Without our consent or knowledge, CCTV cameras, cell phone towers and website browser cookies monitor our movements off and on the net. NIIMS is only the latest attempt to join others who are hungry to mine our personal data.
For those tempted to threaten citizens with withdrawal of services and prosecution, they need to stop digging this hole any further. Chapters 3 and 4 on citizenship and the Bill of Rights confer an obligation on the state to issue citizenship documents and provide essential services. Facing rising #IAmNotBoarding calls, the Ministry’s declaration that DNA testing is off the table is welcome. However, the broader questions of purpose, process and privacy remain.
Following 700 submissions from the public, Parliament was on the verge of debating a Data Protection Bill and Data Protection Policy. Both are already being discussed internationally as world-class pieces of legislation. The Bill frames the rights of citizens to their data and the duty of the state to notify and seek consent for the processing of this data. It proposes an independent commissioner to regulate state and citizens in accordance with Article 31 and the Right to Privacy.
As designed, NIIMS has huge security vulnerabilities. The government is yet to demonstrate strong security measures for data protection in the light of IFMISS and other data related breaches. As some have pointed out, DNA or retina data are not like passwords or tokens that can be reset. How are we confident that all this data will not also be used to target democratic opposition, corruption whistle-blowers or ethnic communities?
The invasive NIIMS exercise falls short of standards set by the African Union Cyber Security Convention and European Union General Data Protection Regulations. If the government steamrolls over this, we will lose any certification that allows for other countries’ data to be processed here or our companies to enter other markets.
In the light of the poor public participation in its design, the very real public concerns and the constitutional challenge that NIIMS now faces, it would be prudent to abandon the pilot exercise, accelerate the passing of the Data Protection Bill and then revisit NIIMS. If this happens, I will be first in line.
-The writer is Amnesty International Executive Director. He writes in his personal capacity. [email protected]
Where is my kidney?
- Kenyans give new-look Standard newspaper warm reception [Photos]
- How KBC staffer’s killing occurred
By Brian Okoth
- Revealed: Raila's offer to DP Ruto
- Three-minute burial shocker in Turkana
By Mike Ekutan
- Kenei: Twists and turns of high-profile murder