Kenya: Consortium Applauds Court Judgement Declaring Huduma Cards Illegal; Calls for Further Reforms
Source: Katiba Institute and 9 others
On 14 October, the High Court struck down the Government of Kenya’s decision to roll out Huduma Cards due to violations of the Data Protection Act, 2019. The Court found that the government had started collecting personal data from Kenyans without first determining how it would protect that data and that the Government has “not appreciated the import and the extent of the application of the Data Protection Act with respect to the collection and processing of data under the National Integrated Identity Management System” (NIIMS).
The court has compelled the Government to complete a data protection impact assessment, as required by the Data Protection Act (2019), prior to processing of data or rolling out Huduma Cards.
As a consortium of organizations working on citizenship, identification, human rights, and data protection, we applaud this judgment and the enforcement of the Data Protection Act by the courts. It is paramount that relevant legal frameworks are in place and followed before collecting and managing data. We call on the Government of Kenya to comply with this judgement by conducting a robust and thorough Data Protection Impact Assessment to protect the rights of all citizens and residents in Kenya.
A Data Protection Impact Assessment is designed to identify risks that may occur through processing of data and put in place proper mitigation measures. A Data Protection Impact Assessment is critical to ensure compliance with both data protection laws as well as human rights obligations. Such assessments should involve mapping of all data processing and data flows, conducting consultation with stakeholders – which for a national initiative like NIIMS should include widespread public consultation on the purpose and risks of the system, completing a detailed risk assessment, and developing a range of measures to address the risks and ensure compliance with the law. If designed and implemented properly, a Data Protection Impact Assessment can reduce the risk of data breaches and intrusion of privacy.
We call on the Government of Kenya to follow legal requirements and international best practices on Data Protection Impact Assessments as they complete the exercise.
In addition to carrying out a proper Data Protection Impact Assessment, Kenya’s identification system and data protection regime must be reformed and strengthened in several other ways to protect the rights and serve the needs of all Kenyans. In particular, we call on the Government of Kenya to:
- Ensure a fully inclusive identification system: The Government must ensure all Kenyans can access identification documents such as birth certificates and national identity cards prior to moving forward with Huduma Namba. If Huduma Namba is rolled out, it must be done in phases, with a clear transition period to eliminate discriminatory treatment and expand access to documentation under the current system. There must be options for all to enroll and safeguards to protect against denial of services for those within and outside the system. By focusing on reform and access to the identification system first, the Government will reduce the risk that millions of Kenyan citizens will be left behind in the transition to digital.
- Establish a robust legal framework and governance body via country-wide public participation: Given the extensive nature of Huduma Namba and the impact it will have on the lives of all Kenyans, there is need for a national discussion about the future of identification in Kenya, including public input into the development of anchoring legislation, the system design, a governing body for NIIMS that can be held accountable for implementation and give effect to rights enshrined in the Constitution and other applicable laws.
- Ensure the full realization of the right to privacy and data protection: The Government must ensure Kenya has a financially independent and well-resourced data protection authority, capable of discharging its mandate under the Data Protection Act. The government ought to ensure the swift adoption of the draft Data Protection Regulations (2021). Likewise, the government must realize its responsibility to comply with the Act by guaranteeing threats to human rights are sufficiently mitigated and all necessary data protection safeguards have been implemented.
In conclusion, the Government of Kenya should not push Huduma Namba forward in blatant disrespect of the law but instead ensure the creation of an identification system and data protection scheme that protects and gives effect to all Kenyans’ rights enshrined in our Constitution.
- Katiba Institute
- Kenya Human Rights Commission
- Heralding Development Organization (Paranet)
- ARTICLE 19 Eastern Africa
- Centre for Minority Rights Development (CEMIRIDE)
- Defenders Coalition
- Namati Kenya
- Nubian Rights Forum
- Access Now
- Haki Centre