Recently the President signed the Miscellaneous Amendment Act (18 of 2018) which, among other things, updated the Registration of Persons Act by establishing the National Integrated Identity Management System (NIIMS).
The functions of NIIMS are many but the first three, as inscribed in the Act are of interest and state are as follows:
9A. (I) There is hereby established the National Integrated Identity Management System
(2) The functions of the system are:-
(a) to create, manage, maintain and operate a national population register as a single source of personal information of all Kenyan citizens and registered foreigners resident in Kenya;
(b) to assign a unique national identification number to every person registered in the register;
(c) to harmonise, incorporate and collate into the register, information from other databases in Government agencies relating to registration of persons;
Essentially NIIMS will connect all the disjointed registration systems about Kenya citizens by providing a unique number that would be used to link them together. The various identification systems to be linked together include, but not limited to, the national IDs, passport IDs, voter IDs, birth & death IDs amongst others.
The benefits and risks of a having a single identification number that can integrate with the rest of other registries were well articulated by the lawyer Mr. Gatuyu Justus and so there is very little to add.
Perhaps I would simply emphasis that the Kenyan digital economy will only rise to its full potential once Kenyans have a unique number that is traceable across different service sectors such as health, education, commerce and entertainment.
What is of concern however is the expansion of the registration process to include very sensitive information - deoxyribonucleic acid – otherwise commonly known as DNA data. The new clause explains "Biometric" to mean ''unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid in digital form.''
Whereas Kenya would not be the first country to collect very sensitive personal data, it is notable that those countries that do so such as US, UK and India have very strong legal frameworks for protecting the privacy of individuals as well as securing the said data from abuse or potential hacks.
Furthermore, with regard to DNA data, they do not collect every citizen’s DNA, but restricts this to only those suspected, charged or convicted. In other words, the purpose for DNA collection is very clear and related to crime investigations.
Unless everyone in Kenya is presumed to be a criminal, it will be interesting to know why all Kenyans will be expected to surrender their DNA data to government agencies – particularly in the absence of a Data Privacy and Protection law. Such a law would clearly spell out the obligations, responsibilities and penalties on the part of both government and citizens with respect to how the sensitive data is collected, secured and used.
Additionally, the new law updates section 3 of the Registration of Persons Act to allow for collection of citizen residential addresses using very precise GPS coordinates. The specific clause states as follows: "Global Positioning System coordinates" means the unique identifier of precise geographic location on the earth, expressed in alphanumeric character being a combination of latitude and longitude.''
I would be quite reluctant to surrender my pin-point residential address or location data to an agency that has no legal framework for penalties, in the event this data is traded to third parties or found in the wrong hands.
Whereas the new changes would give impetus to the fight against terrorism, we must always be wary of such developments without commensurate checks and balances. Excessive power to collect all manner of citizen data, without the comprehensive legal framework is often the slippery path many governments have chosen to walk and ended up and inevitably end up with the police state.
The enactment of the Miscellaneous Amendment Act (18 of 2018) has just turned what was previously a priority item in the name of a Data Privacy and Protection Bill into a very urgent and mandatory one.
Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.
Email: [email protected], Twitter: @Jwalu