The High Court of Kenya has declared that the rollout of Huduma Namba registration cards, on which the country’s government spent more than $90-million (Ksh10-billion), is illegal for being in breach of Kenya’s Data Protection Act.
Joe Mucheru, Cabinet Secretary for Kenya’s ICT Authority, said that the cards would be the primary source of data on every citizen and foreigner during an announcement of the planned rollout of Huduma Namba in 2019.
Now, according to Business Daily, Justice Jairus Ngaah has ruled that the government should have conducted a data protection impact assessment before the rollout of the cards. The judge further ordered the government to conduct this assessment and create new safeguards to protect the personal data of Kenyans as many cards have already been issued.
The initial suit was brought to the high court by the Katiba Institute, an organisation founded to defend and facilitate the implementation of the Constitution of Kenya, and Prof. Yash Pal Ghai, a legal scholar. They argued that it was wrong for the government to roll out the Huduma cards before conducting an impact assessment.
According to the plaintiffs, the assessment would identify any risks to privacy, such as breaches or data loss, that could negatively affect Kenyans.
“Order of mandamus is hereby issued compelling the government to conduct a data protection impact assessment in accordance with section 31 of the data protection act before processing of data and rolling out the Huduma cards,” said Judge Ngaah.
The Katiba Institute argued that the move is a threat to the right to privacy under Article 31 of the Constitution. The same article requires the government to conduct a data protection impact assessment where a processing operation is likely to result in “high risk to the rights and freedoms of the people.” The government, of course, seems to have failed to do so.
Katiba also said that the High Court has ruled that the processing of personal information through the government’s National Integrated Identity Management System (NIIMS), including the processing of biometrics and data of children, is a high risk to the rights of data subjects.
One of the issues with NIIMS is a lack of publically available information on the system. It is currently unclear what, where and how personal data is stored and processed between the Huduma cards themselves and the system proper.
Current fears are that personal data is not being adequately protected on the system and Kenyans could suffer from identity fraud, from losing important personal information due to faults in the system or even having this information leak through cybercrime.